--- sssd-2.2.2.orig/.copr/Makefile
+++ sssd-2.2.2/.copr/Makefile
@@ -0,0 +1,3 @@
+srpm:
+ dnf -y install git rpm-build dnf-plugins-core libldb-devel
+ ./contrib/fedora/make_srpm.sh --output $(outdir)
--- sssd-2.2.2.orig/.git-commit-template
+++ sssd-2.2.2/.git-commit-template
@@ -0,0 +1,9 @@
+COMPONENT: Subject
+
+Explanation
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/XXXX
+
+# Try to keep the subject line within 52 chars ----|
+# Also please try to not exceed 72 characters of length for the body --|
--- sssd-2.2.2.orig/.travis.yml
+++ sssd-2.2.2/.travis.yml
@@ -0,0 +1,26 @@
+language: c
+compiler: gcc
+sudo: required
+dist: trusty
+
+services:
+ - docker
+
+addons:
+ apt:
+ packages:
+ - bash
+ - tar
+ - bzip2
+
+env:
+ global:
+ # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
+ # via the "travis encrypt" command using the project repo's public key
+ - secure: "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"
+
+before_install:
+ - ./.travis/travis-docker-build.sh
+
+script:
+ - docker run -e COVERITY_SCAN_TOKEN=$COVERITY_SCAN_TOKEN --rm sssd/sssd
--- sssd-2.2.2.orig/.travis/travis-docker-build.sh
+++ sssd-2.2.2/.travis/travis-docker-build.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+# Create an archive of the current checkout
+TARBALL=`mktemp -p . tarball-XXXXXX.tar.bz2`
+git ls-files |xargs tar cfj $TARBALL .git
+
+sudo docker build -f Dockerfile.deps -t sssd/sssd-deps .
+
+sudo docker build -t sssd/sssd --build-arg TARBALL=$TARBALL .
+
+rm -f $TARBALL
+
+exit 0
--- sssd-2.2.2.orig/.travis/travis-tasks.sh
+++ sssd-2.2.2/.travis/travis-tasks.sh
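Review bot: The `srpm` target in `.copr/Makefile` is not declared phony and passes `$(outdir)` to the script unquoted, so a file named `srpm` in the working directory silently disables the target and an output path containing spaces is split into several arguments. Add `.PHONY: srpm` above the rule and quote the argument as `--output "$(outdir)"`. The recipe also runs `dnf -y install` as part of the build, which presumably relies on the builder invoking it as root; a one-line comment saying so would help anyone who runs the target locally.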
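Review bot: The `script` step in `.travis.yml` expands the Coverity token into the `docker run` command line (`-e COVERITY_SCAN_TOKEN=$COVERITY_SCAN_TOKEN`), which places the secret in the process arguments on the build host and leaves the value unquoted. Docker copies a variable from the caller's environment when only its name is given, so `docker run -e COVERITY_SCAN_TOKEN --rm sssd/sssd` hands the same value to the container without writing it on the command line. A comment next to the `secure:` entry naming the variable it decrypts to is already there; it would help to add that the token is only consumed inside the container.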
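Review bot: The archive step `git ls-files |xargs tar cfj $TARBALL .git` in `travis-docker-build.sh` can produce an incomplete tarball: xargs splits names on whitespace, and when the file list exceeds one command line it runs tar more than once, each `c` invocation overwriting the archive written by the previous one. Feeding the list to a single tar, for example `git ls-files -z | tar --null -T - -cjf "$TARBALL" .git` with GNU tar, avoids both problems. `$TARBALL` is also unquoted in the `docker build` and `rm -f` lines, and the temporary file is removed only on the success path; `trap 'rm -f "$TARBALL"' EXIT` placed after the `mktemp` would cover an abort under `set -e`.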
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+#Exit on failures
+set -e
+
+pushd /builddir/
+
+# We have to define the _Float* types as those are not defined by coverity and as result
+# the codes linking agains those (pretty much anything linking against stdlib.h and math.h)
+# won't be covered.
+echo "#define _Float128 long double" > /tmp/coverity.h
+echo "#define _Float64x long double" >> /tmp/coverity.h
+echo "#define _Float64 double" >> /tmp/coverity.h
+echo "#define _Float32x double" >> /tmp/coverity.h
+echo "#define _Float32 float" >> /tmp/coverity.h
+
+# The coverity scan script returns an error despite succeeding...
+ CFLAGS="${CFLAGS:- -include /tmp/coverity.h}" \
+ TRAVIS_BRANCH="${TRAVIS_BRANCH:-master}" \
+ COVERITY_SCAN_PROJECT_NAME="${COVERITY_SCAN_PROJECT_NAME:-SSSD/sssd}" \
+ COVERITY_SCAN_NOTIFICATION_EMAIL="${COVERITY_SCAN_NOTIFICATION_EMAIL:-sssd-maint@redhat.com}" \
+ COVERITY_SCAN_BUILD_COMMAND_PREPEND="${COVERITY_SCAN_BUILD_COMMAND_PREPEND:-source contrib/fedora/bashrc_sssd && reconfig}" \
+ COVERITY_SCAN_BUILD_COMMAND="${COVERITY_SCAN_BUILD_COMMAND:-make all check TESTS= }" \
+ COVERITY_SCAN_BRANCH_PATTERN=${COVERITY_SCAN_BRANCH_PATTERN:-master} \
+ /usr/bin/travisci_build_coverity_scan.sh ||:
+
+popd #builddir
--- sssd-2.2.2.orig/.tx/config
+++ sssd-2.2.2/.tx/config
@@ -0,0 +1,13 @@
+[main]
+host = https://www.transifex.com
+
+[sssd.master-po-sssd-pot]
+file_filter = po/.po
+source_file = po/sssd.pot
+source_lang = en
+
+[sssd.sssd-docspot_1]
+file_filter = src/man/po/.po
+source_file = src/man/po/sssd-docs.pot
+source_lang = en
+
--- sssd-2.2.2.orig/Dockerfile
+++ sssd-2.2.2/Dockerfile
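Review bot: The trailing `||:` on the `/usr/bin/travisci_build_coverity_scan.sh` call in `travis-tasks.sh` discards every non-zero exit, so `set -e` never fires for the one command that matters and a scan that failed to build or upload is reported the same as a successful one. If the script's exit code really is unreliable, as the comment above it says, capture and log it instead (`rc=0; ... /usr/bin/travisci_build_coverity_scan.sh || rc=$?; echo "coverity scan exited with $rc"`) so a failure is at least visible in the job output. The comment should also say which behaviour of the upstream script is being worked around, so the workaround can be removed once it is fixed.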
@@ -0,0 +1,11 @@
+FROM sssd/sssd-deps
+
+MAINTAINER SSSD Maintainers
+
+ARG TARBALL
+
+RUN echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca- && curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh -o /usr/bin/travisci_build_coverity_scan.sh && chmod a+x /usr/bin/travisci_build_coverity_scan.sh
+
+ADD $TARBALL /builddir/
+
+ENTRYPOINT /builddir/.travis/travis-tasks.sh
--- sssd-2.2.2.orig/Dockerfile.deps
+++ sssd-2.2.2/Dockerfile.deps
@@ -0,0 +1,12 @@
+FROM fedora:latest
+
+MAINTAINER SSSD Maintainers
+
+ARG TARBALL
+
+RUN dnf -y install git openssl sudo curl wget ruby rubygems "rubygem(json)" wget rpm-build dnf-plugins-core libldb-devel && \
+ git clone --depth=50 --branch=master https://github.com/SSSD/sssd.git /tmp/sssd && \
+ cd /tmp/sssd && \
+ ./contrib/fedora/make_srpm.sh && \
+ dnf builddep -y rpmbuild/SRPMS/sssd-*.src.rpm && \
+ dnf -y clean all
--- sssd-2.2.2.orig/Jenkinsfile
+++ sssd-2.2.2/Jenkinsfile
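Review bot: The `RUN` line in `Dockerfile` appends whatever certificate `scan.coverity.com:443` presents at image build time to a file under `/etc/ssl/certs` and then downloads `travisci_build_coverity_scan.sh` with `curl -s`, so the script that later runs with `COVERITY_SCAN_TOKEN` in its environment is trusted on first use with no integrity check. `openssl s_client` does not fail on an unverified chain by default, so this step records an unauthenticated certificate rather than establishing trust; the tee target `/etc/ssl/certs/ca-` also looks truncated and should be confirmed. Prefer the distribution CA bundle, fetch with `curl -fsSL` so an HTTP error page is not saved as the script, and check the download against a pinned digest, e.g. `echo "<EXPECTED_SHA256>  /usr/bin/travisci_build_coverity_scan.sh" | sha256sum -c -`. `sudo` inside `RUN` appears unnecessary here, since no `USER` is set in this file.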
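Review bot: `Dockerfile.deps` builds from `fedora:latest` and derives its build dependencies from a fresh clone of `master` on GitHub, so the dependency image is not reproducible and does not necessarily match the checkout under test. Pinning the base image to a release tag or digest (`FROM fedora:<RELEASE>`) and adding a comment on why the SRPM is built from upstream master rather than from the tarball would make the image contents auditable. `ARG TARBALL` is declared but not used in this file, and `wget` is listed twice in the `dnf -y install` line.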
@@ -0,0 +1,284 @@ +/** + * SSSD CI. + * + * This class hold SSSD CI settings and defines several helper methods + * that helps reducing code duplication. Unfortunately, it does not + * seem to be possible to run those methods directly from the pipeline + * as CI.MethodName() as it produces 'Expected a symbol' error therefore + * functions outside this class scope must be defined as well. These functions + * can be then called directly from the pipeline. + */ +class CI { + /** + * Absolute path to directory that holds the workspace on Jenkins slave. + */ + public static String BaseDir = '/home/fedora' + + /** + * Github status context name that is visible in pull request statuses. + */ + public static String GHContext = 'sssd-ci' + + /** + * URL that will be opened when user clicks on 'details' on 'sssd-ci' status. + */ + public static String GHUrl = 'https://pagure.io/SSSD/sssd' + + /** + * URL that will be opened when user clicks on 'details' on specific + * build status (e.g. sssd-ci/fedora28). + */ + public static String AWS = 'https://s3.eu-central-1.amazonaws.com/sssd-ci' + + /** + * Path to SSSD Test Suite on Jenkins slave. + */ + public static String SuiteDir = this.BaseDir + '/sssd-test-suite' + + /** + * Path to SSSD CI tools on Jenkins slave. + */ + public static String CIDir = this.BaseDir + '/sssd-ci' + + /** + * Workaround for https://issues.jenkins-ci.org/browse/JENKINS-39203 + * + * At this moment if one stage in parallel block fails, failure branch in + * post block is run in all stages even though they might have been successful. + * + * We remember result of test stages in this variable so we can correctly + * report a success or error even if one of the stages that are run in + * parallel failed. + */ + public static def Results = [:] + public static def RebaseResults = [:] + + /** + * Mark build as successfull. 
+ */ + public static def BuildSuccessful(build) { + this.Results[build] = "success" + } + + /** + * Return true if the build was successful. + */ + public static def IsBuildSuccessful(build) { + return this.Results[build] == "success" + } + + /** + * Mark build as successfully rebased. + */ + public static def RebaseSuccessful(build) { + this.RebaseResults[build] = "success" + } + + /** + * Return true if the rebase was successful. + */ + public static def IsRebaseSuccessful(build) { + return this.RebaseResults[build] == "success" + } + + /** + * Send commit status to Github for sssd-ci context. + */ + public static def Notify(ctx, status, message) { + ctx.githubNotify status: status, + context: this.GHContext, + description: message, + targetUrl: this.GHUrl + } + + /** + * Send commit status to Github for specific build (e.g. sssd-ci/fedora28). + */ + public static def NotifyBuild(ctx, status, message) { + ctx.githubNotify status: status, + context: String.format('%s/%s', this.GHContext, ctx.env.TEST_SYSTEM), + description: message, + targetUrl: String.format( + '%s/%s/%s/%s/index.html', + this.AWS, + ctx.env.BRANCH_NAME, + ctx.env.BUILD_ID, + ctx.env.TEST_SYSTEM + ) + } + + public static def Rebase(ctx) { + if (!ctx.env.CHANGE_TARGET) { + this.RebaseSuccessful(ctx.env.TEST_SYSTEM) + return + } + + ctx.echo String.format('Rebasing on %s', ctx.env.CHANGE_TARGET) + + ctx.sh String.format( + 'git -C %s fetch --no-tags --progress origin +refs/heads/%s:refs/remotes/origin/%s', + "${ctx.env.WORKSPACE}/sssd", + ctx.env.CHANGE_TARGET, + ctx.env.CHANGE_TARGET + ) + + // Remove left overs from previous rebase if there are any + ctx.sh String.format( + 'git -C %s rebase --abort || :', + "${ctx.env.WORKSPACE}/sssd" + ) + + // Just to be sure + ctx.sh String.format( + 'rm -fr "%s/.git/rebase-apply" || :', + "${ctx.env.WORKSPACE}/sssd" + ) + + ctx.sh String.format( + 'git -C %s rebase origin/%s', + "${ctx.env.WORKSPACE}/sssd", + ctx.env.CHANGE_TARGET + ) + + 
this.RebaseSuccessful(ctx.env.TEST_SYSTEM) + } + + /** + * Run tests. TEST_SYSTEM environment variable must be defined. + */ + public static def RunTests(ctx) { + ctx.echo "Running on ${ctx.env.NODE_NAME}" + this.NotifyBuild(ctx, 'PENDING', 'Build is in progress.') + this.Rebase(ctx) + + ctx.echo String.format( + 'Executing tests, started at %s', + (new Date()).format('dd. MM. yyyy HH:mm:ss') + ) + + ctx.sh String.format( + '%s/sssd-test-suite -c "%s" run --sssd "%s" --artifacts "%s" --update --prune', + "${this.SuiteDir}", + "${this.BaseDir}/configs/${ctx.env.TEST_SYSTEM}.json", + "${ctx.env.WORKSPACE}/sssd", + "${ctx.env.WORKSPACE}/artifacts/${ctx.env.TEST_SYSTEM}" + ) + + ctx.echo String.format( + 'Finished at %s', + (new Date()).format('dd. MM. yyyy HH:mm:ss') + ) + + this.BuildSuccessful(ctx.env.TEST_SYSTEM) + } + + /** + * Archive artifacts and notify Github about build result. + */ + public static def WhenCompleted(ctx) { + if (!this.IsRebaseSuccessful(ctx.env.TEST_SYSTEM)) { + ctx.echo "Unable to rebase on target branch." + this.NotifyBuild(ctx, 'FAILURE', 'Unable to rebase on target branch.') + return + } + + ctx.archiveArtifacts artifacts: "artifacts/**", allowEmptyArchive: true + ctx.sh String.format( + '%s/sssd-ci archive --name "%s" --system "%s" --artifacts "%s"', + "${this.CIDir}", + "${ctx.env.BRANCH_NAME}/${ctx.env.BUILD_ID}", + ctx.env.TEST_SYSTEM, + "${ctx.env.WORKSPACE}/artifacts/${ctx.env.TEST_SYSTEM}" + ) + ctx.sh "rm -fr ${ctx.env.WORKSPACE}/artifacts/${ctx.env.TEST_SYSTEM}" + + if (this.IsBuildSuccessful(ctx.env.TEST_SYSTEM)) { + this.NotifyBuild(ctx, 'SUCCESS', 'Success.') + return + } + + this.NotifyBuild(ctx, 'FAILURE', 'Build failed.') + } + + /** + * Notify Github that the build was aborted. + */ + public static def WhenAborted(ctx) { + this.NotifyBuild(ctx, 'ERROR', 'Aborted.') + } +} + +/** + * CI class methods cannot be called directly from the pipeline as it + * yield 'Expected a symbol' error for some reason. 
This is a workaround + * for this issue. + */ +def CI_RunTests() { CI.RunTests(this) } +def CI_Post() { CI.WhenCompleted(this) } +def CI_Aborted() { CI.WhenAborted(this) } +def CI_Notify(status, message) { CI.Notify(this, status, message) } + +pipeline { + agent none + options { + checkoutToSubdirectory('sssd') + } + stages { + stage('Prepare') { + steps { + CI_Notify('PENDING', 'Running tests.') + } + } + stage('Run Tests') { + parallel { + stage('Test on Fedora 28') { + agent {label "sssd-ci"} + environment { TEST_SYSTEM = "fedora28" } + steps { CI_RunTests() } + post { + always { CI_Post() } + aborted { CI_Aborted() } + } + } + stage('Test on Fedora 29') { + agent {label "sssd-ci"} + environment { TEST_SYSTEM = "fedora29" } + steps { CI_RunTests() } + post { + always { CI_Post() } + aborted { CI_Aborted() } + } + } + stage('Test on Fedora 30') { + agent {label "sssd-ci"} + environment { TEST_SYSTEM = "fedora30" } + steps { CI_RunTests() } + post { + always { CI_Post() } + aborted { CI_Aborted() } + } + } + stage('Test on Fedora Rawhide') { + agent {label "sssd-ci"} + environment { TEST_SYSTEM = "fedora-rawhide" } + steps { CI_RunTests() } + post { + always { CI_Post() } + aborted { CI_Aborted() } + } + } + } + } + } + post { + failure { + CI_Notify('FAILURE', 'Some tests failed.') + } + aborted { + CI_Notify('ERROR', 'Builds were aborted.') + } + success { + CI_Notify('SUCCESS', 'All tests succeeded.') + } + } +} --- sssd-2.2.2.orig/README.md +++ sssd-2.2.2/README.md 
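Review bot: `Rebase`, `RunTests` and `WhenCompleted` build their `ctx.sh` command lines by formatting `ctx.env.CHANGE_TARGET`, `ctx.env.BRANCH_NAME`, `ctx.env.WORKSPACE` and `ctx.env.TEST_SYSTEM` into the script text, several of them unquoted (`git -C %s rebase origin/%s`, `rm -fr ${ctx.env.WORKSPACE}/artifacts/${ctx.env.TEST_SYSTEM}`). Branch names come from the SCM and may contain shell metacharacters, which the shell on the agent would then interpret. These values are already exported to the step's environment, so a single-quoted Groovy string that lets the shell expand them keeps them as data, e.g. `ctx.sh 'git -C "$WORKSPACE/sssd" rebase "origin/$CHANGE_TARGET"'` and `ctx.sh 'rm -fr "$WORKSPACE/artifacts/$TEST_SYSTEM"'`. `Rebase` is also the only public method of `CI` without a doc comment; `/** Rebase the checkout on CHANGE_TARGET; does nothing but record success when CHANGE_TARGET is unset. */` would match the rest of the class.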
@@ -0,0 +1,52 @@ +# SSSD - System Security Services Daemon + +## Introduction +SSSD provides a set of daemons to manage access to remote directories and +authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides +an NSS and PAM interface toward the system and a pluggable backend system +to connect to multiple different account sources. + +More information about SSSD can be found on its project page - +https://pagure.io/SSSD/sssd/ + +## Downloading SSSD +SSSD is shipped as a binary package by most Linux distributions. If you +want to obtain the latest source files, please navigate to the +[Releases folder on pagure](https://releases.pagure.org/SSSD/sssd/) + +## Releases +SSSD maintains two release streams - stable and LTM. Releases designated as +LTM are long-term maintenance releases and will see bugfixes and security +patches for a longer time than other releases. + +The list of all releases is maintained together with [SSSD documentation](https://docs.pagure.org/SSSD.sssd/users/releases.html) + +## Building and installation from source +Please see the [our developer documentation](https://docs.pagure.org/SSSD.sssd/developers/) + +## Documentation +The most up-to-date documentation can be found at https://docs.pagure.org/SSSD.sssd/ + +Its source code is hosted at https://pagure.io/SSSD/docs + +## Submitting bugs +Please file an issue in the [SSSD pagure instance](https://pagure.io/SSSD/sssd/issues). +Make sure to follow the [guide on reporting SSSD bugs](https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html) + +## Licensing +Please see the file called COPYING. 
+ +## Social networks +We maintain our presence on [Twitter](https://twitter.com/SysSecSvcDaemon) +and [Google plus](https://plus.google.com/114204339376082660377) + +## Contacts +There are several ways to contact us: + +* the sssd-devel mailing list: [Development of the System Security Services Daemon]( + https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/) +* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon]( + https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/) +* the #sssd and #freeipa IRC channels on freenode: + * irc://irc.freenode.net/sssd + * irc://irc.freenode.net/freeipa --- sssd-2.2.2.orig/Vagrantfile +++ sssd-2.2.2/Vagrantfile 
@@ -0,0 +1,77 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# Fedora blog on creating Vagrant files: +# http://fedoramagazine.org/running-vagrant-fedora-22/ + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure(2) do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://atlas.hashicorp.com/search. + config.vm.box = "fedora-22" + config.vm.box_url = "http://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Base-Vagrant-22-20150521.x86_64.vagrant-libvirt.box" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. The first argument is + # the path on the host to the actual folder. 
The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # config.vm.synced_folder "../data", "/vagrant_data" + + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + # config.vm.provider "virtualbox" do |vb| + # # Display the VirtualBox GUI when booting the machine + # vb.gui = true + # + # # Customize the amount of memory on the VM: + # vb.memory = "1024" + # end + # + # View the documentation for the provider you are using for more + # information on available options. + + # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies + # such as FTP and Heroku are also available. See the documentation at + # https://docs.vagrantup.com/v2/push/atlas.html for more information. + # config.push.define "atlas" do |push| + # push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME" + # end + + # Enable provisioning with a shell script. Additional provisioners such as + # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the + # documentation for more information about their specific syntax and use. + # config.vm.provision "shell", inline: <<-SHELL + # sudo apt-get update + # sudo apt-get install -y apache2 + # SHELL + + config.vm.provision :shell, path: "contrib/vagrant/bootstrap.sh" +end --- sssd-2.2.2.orig/contrib/gdb/sssd_gdb_plugin.py +++ sssd-2.2.2/contrib/gdb/sssd_gdb_plugin.py 
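Review bot: `config.vm.box_url` fetches the Fedora 22 cloud image over plain `http://` and nothing verifies the download, so the box that `contrib/vagrant/bootstrap.sh` is then provisioned into is not authenticated. Use an `https://` URL and pin the image with `config.vm.box_download_checksum = "<SHA256_OF_BOX>"` together with `config.vm.box_download_checksum_type = "sha256"`. The pinned image (`Fedora-Cloud-Base-Vagrant-22-20150521`) is an old release; if it is kept deliberately, a comment saying why would help.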
@@ -0,0 +1,202 @@ +# SSSD and LDB debugging plugins +# +# Activate them by putting: +# source /path/to/this/file.py +# to your .gdbinit file +# +# To bypass the pretty printer and print the raw values, use the "/r" option: +# print /r foobar +import gdb + + +def gdb_printer_decorator(fn): + gdb.pretty_printers.append(fn) + return fn + + +def indent_string(s, indent): + return '\n'.join(["%s%s" % ("\t" * indent, part) + for part in s.split('\n')]) + + +class StringPrinter(object): + "Shared code between different string-printing classes" + def __init__(self, val): + self.val = val + + def to_string(self): + return self.as_string() + + +class LdbDnPrinter(StringPrinter): + " print an ldb dn " + + def as_string(self, indent=0): + ret = "{ <%s>\tlinearized:%s }" % (self.val.type, + self.val['linearized']) + return indent_string(ret, indent) + + +class LdbValPrinter(StringPrinter): + " print a ldb value" + + def as_string(self, indent=0): + ret = "data = %(data)s, length = %(length)s" % self.val + return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent) + + +class LdbMessageElementPrinter(StringPrinter): + " print a ldb message element " + + def as_string(self, indent=0): + ret = "flags = %(flags)s, name = %(name)s, " \ + "num_values = %(num_values)s" % self.val + try: + nvals = int(self.val['num_values']) + except ValueError: + return "num_values is not numeric?" + + for i in range(nvals): + ldbval = LdbValPrinter(self.val['values'][i]) + ret += "\n%s" % (ldbval.as_string(indent+1)) + + return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent) + + +class LdbMessagePrinter(StringPrinter): + " print a ldb message " + + def as_string(self, indent=0): + try: + nels = int(self.val['num_elements']) + except ValueError: + return "num_elements is not numeric?" 
+ + dn = LdbDnPrinter(self.val['dn']) + dn_str = dn.as_string(indent) + ret = "num_elements:\t%s\ndn:\t%s\nelements:\t" % (nels, dn_str) + + for i in range(nels): + el = LdbMessageElementPrinter(self.val['elements'][i]) + ret += "\n%s" % (el.as_string(indent+1)) + + return indent_string("{ <%s>\n%s }" % (self.val.type, ret), indent) + + +class LdbResultPrinter(StringPrinter): + " print a ldb message element " + + def as_string(self, indent=0): + ret = "count = %(count)s, extended = %(extended)s, " \ + "controls = %(controls)s, refs = %(refs)s" % self.val + try: + count = int(self.val['count']) + except ValueError: + ret += 'Count is not numeric value?' + return ret + + for i in range(count): + msg = LdbMessagePrinter(self.val['msgs'][i]) + ret += "\n%s" % (msg.as_string(indent+1)) + + return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent) + + +class SysdbAttrsPrinter(StringPrinter): + " print a struct sysdb attrs " + + def as_string(self, indent=0): + ret = "num = %(num)s" % self.val + + try: + num = int(self.val['num']) + except ValueError: + ret += 'num is not numeric value?' 
+ return ret + + for i in range(num): + el = LdbMessageElementPrinter(self.val['a'][i]) + ret += "\n%s" % (el.as_string(indent+1)) + + return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent) + + +# --- +# --- register pretty printers --- +# --- +@gdb_printer_decorator +def ldb_val_element_printer(val): + if str(val.type) == 'struct ldb_dn': + return LdbDnPrinter(val) + return None + + +@gdb_printer_decorator +def ldb_val_element_printer(val): + if str(val.type) == 'struct ldb_val': + return LdbValPrinter(val) + return None + + +@gdb_printer_decorator +def ldb_message_element_printer(val): + if str(val.type) == 'struct ldb_message_element': + return LdbMessageElementPrinter(val) + return None + + +@gdb_printer_decorator +def ldb_message_printer(val): + if str(val.type) == 'struct ldb_message': + return LdbMessagePrinter(val) + return None + + +@gdb_printer_decorator +def ldb_result_printer(val): + if str(val.type) == 'struct ldb_result': + return LdbResultPrinter(val) + return None + + +@gdb_printer_decorator +def sysdb_attrs_printer(val): + if str(val.type) == 'struct sysdb_attrs': + return SysdbAttrsPrinter(val) + return None + + +# --- +# --- set a breakpoint at the tevent_req finish fn --- +# --- +class TeventBreak(gdb.Command): + """Break at the tevent finish location """ + + def __init__(self): + super(TeventBreak, self).__init__("tbr", gdb.COMMAND_BREAKPOINTS) + + def invoke(self, arg, from_tty): + req = gdb.parse_and_eval(arg) + if not hasattr(req, 'type'): + print('cannot determine the type of the variable') + return + if str(req.type) != 'struct tevent_req *': + print('wrong attribute - must be a tevent_req pointer') + return + + try: + fn = req['async']['fn'] + except KeyError: + print("No async function defined?") + return + + try: + fnaddr = str(fn).split()[0].strip() + except IndexError: + print("Cannot get function address") + return + + b = gdb.Breakpoint("*%s" % fnaddr) + + +TeventBreak() --- sssd-2.2.2.orig/contrib/gdbinit +++ 
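Review bot: The first registered printer, the one matching `struct ldb_dn`, is named `ldb_val_element_printer`, the same name as the `struct ldb_val` printer defined right after it. Both are still registered, because `gdb_printer_decorator` appends each function to `gdb.pretty_printers` before the name is rebound, but the duplicate is misleading; rename the first to `ldb_dn_printer`. The docstring of `LdbResultPrinter` (" print a ldb message element ") is copied from `LdbMessageElementPrinter` and should read " print a ldb result ". `gdb_printer_decorator` and `indent_string` have no docstrings; one line each stating what is appended or returned would be enough.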
sssd-2.2.2/contrib/gdbinit
@@ -0,0 +1,2 @@
+# When attaching to an SSSD process, cancel the watchdog
+p teardown_watchdog()
--- sssd-2.2.2.orig/contrib/git/pre-push
+++ sssd-2.2.2/contrib/git/pre-push
@@ -0,0 +1,73 @@ +#!/usr/bin/env python + +# A git pre-push hook that declines commits that don't contain a Reviewed-By: +# tag. The tag must be present on the beginning of the line. To activate, copy +# to $GIT_DIR/hooks/pre-push and make sure the executable flag is on. + +# The commit message should also be based on .git-commit-template, although +# that is just best practice and not enforced + +import sys +import re +import subprocess + + +def get_all_commits(ref_from, ref_to): + args = ['git', 'rev-list', '{:s}..{:s}'.format(ref_from, ref_to)] + p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = p.communicate() + return [commit.strip() for commit in out.decode('UTF-8').split('\n') if commit != ''] + + +def commit_message(commit_hash): + args = ['git', 'cat-file', 'commit', commit_hash] + p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = p.communicate() + return out.decode('UTF-8') + + +def commit_has_rb(commit): + msg = commit_message(commit) + for l in msg.split('\n'): + has_rb = re.search('^Reviewed-by:', l) + if has_rb: + return True + + return False + + +def report_commit(commit_hash): + print("Commit {:s} does not have Reviewed-By!".format(commit_hash)) + print("Full message:\n======") + print("{:s}".format(commit_message(commit_hash))) + print("======") + + +# man 5 githooks says: +# Information about what is to be pushed is provided on the hook's +# standard input with lines of the form: +# SP SP SP LF +def check_push(hook_input): + ref_to = hook_input.split()[1][:6] + ref_from = hook_input.split()[3][:6] + commit_list = get_all_commits(ref_from, ref_to) + + no_rb_list = [] + for commit in commit_list: + if not commit_has_rb(commit): + no_rb_list.append(commit) + + return no_rb_list + +# Don't warn when pushing to personal repositories, only origin +remote = sys.argv[1] +if remote != 'origin': + sys.exit(0) + +for hook_input in sys.stdin.readlines(): + no_rb_list = 
check_push(hook_input) + + if len(no_rb_list) > 0: + for offender in no_rb_list: + report_commit(offender) + sys.exit(1) --- sssd-2.2.2.orig/contrib/suse/sssd.spec.in +++ sssd-2.2.2/contrib/suse/sssd.spec.in 
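Review bot: `get_all_commits` ignores the exit status and stderr of `git rev-list`, so when the range cannot be resolved the hook sees an empty commit list and lets the push through without checking anything. That happens for a push that creates a branch, where the remote object name in the hook input is all zeros, and can happen when the six-character prefixes taken in `check_push` (`[:6]`) are ambiguous. Pass the full object names, treat a non-zero return code as a failure (`if p.returncode != 0: sys.exit(err.decode('UTF-8'))`), and handle the all-zero remote name explicitly. The header comment says `Reviewed-By:` while `commit_has_rb` searches for `^Reviewed-by:` case-sensitively; the comment should state the exact spelling that is required. A client-side hook is advisory, so the review requirement still needs enforcing on the server side.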
@@ -0,0 +1,301 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib(1))")} +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib())")} + +Name: @PACKAGE_NAME@ +Version: @PACKAGE_VERSION@ +Release: 0@PRERELEASE_VERSION@%{?dist} +Group: Applications/System +Summary: System Security Services Daemon +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ +URL: https://pagure.io/SSSD/sssd/ +Source0: %{name}-%{version}.tar.gz +BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) + +%global dhash_version 0.4.0 + +### Patches ### + +### Dependencies ### + +Requires: libldb0 >= 0.9.3 +Requires: libtdb1 >= 1.1.3 +Requires: sssd-client = %{version}-%{release} +Requires: libdhash = %{dhash_version}-%{release} +Requires: cyrus-sasl-gssapi +Requires(post): python +Requires(preun): aaa_base procps filesystem +Requires(postun): /sbin/service + +%global servicename sssd +%global sssdstatedir %{_localstatedir}/lib/sss +%global dbpath %{sssdstatedir}/db +%global pipepath %{sssdstatedir}/pipes +%global pubconfpath %{sssdstatedir}/pubconf + +### Build Dependencies ### + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent0-devel +BuildRequires: libtdb1-devel +BuildRequires: libldb0-devel +BuildRequires: libcares-devel +BuildRequires: dbus-1-devel +BuildRequires: dbus-1 +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: python-devel + + +%description +Provides a set of daemons to manage access to 
remote directories and +authentication mechanisms. It provides an NSS and PAM interface toward +the system and a pluggable backend system to connect to multiple different +account sources. It is also the basis to provide client auditing and policy +services for projects like FreeIPA. + +%package client +Summary: SSSD Client libraries for NSS and PAM +Group: Applications/System + +%description client +Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD +service. + +%package -n libdhash +Summary: Dynamic hash table +Group: Development/Libraries +Version: %{dhash_version} +License: LGPLv3+ + +%description -n libdhash +A hash table which will dynamically resize to achieve optimal storage & access +time properties + +%package -n libdhash-devel +Summary: Development files for libdhash +Group: Development/Libraries +Version: %{dhash_version} +Requires: libdhash = %{dhash_version}-%{release} +License: LGPLv3+ + +%description -n libdhash-devel +A hash table which will dynamically resize to achieve optimal storage & access +time properties + + +%prep +%setup -q + +%build +%configure \ + --without-tests \ + --with-db-path=%{dbpath} \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ + --with-init-dir=%{_initrddir} \ + --enable-nsslibdir=/%{_lib} \ + --without-selinux \ + --without-semanage \ + --with-os=suse \ + --disable-static + +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT + +# Remove the example files from the output directory +# We will copy them directly from the source directory +# for packaging +rm -f \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/README \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/examples/dhash_example.c \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/examples/dhash_test.c + +# Prepare language files +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_daemon +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_client + +# Copy default sssd.conf file +mkdir -p 
$RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install -m400 server/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf +install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/ + +# Remove .la files created by libtool +rm -f \ + $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ + $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ + $RPM_BUILD_ROOT/%{_libdir}/libdhash.la \ + $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ + $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la + +if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +then + # Apppend this file to the sss_daemon.lang + # Older versions of rpmbuild can only handle one -f option + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so >> sss_daemon.lang +fi +for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null` +do + echo %{python_sitelib}/`basename $file` >> sss_daemon.lang +done + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f sss_daemon.lang +%defattr(-,root,root,-) +%doc COPYING +%{_initrddir}/%{name} +%{_sbindir}/sssd +%{_sbindir}/sss_useradd +%{_sbindir}/sss_userdel +%{_sbindir}/sss_usermod +%{_sbindir}/sss_groupadd +%{_sbindir}/sss_groupdel +%{_sbindir}/sss_groupmod +%{_sbindir}/sss_groupshow +%{_sbindir}/sss_debuglevel +%{_libexecdir}/%{servicename}/ +%{_libdir}/%{name}/ +%{_libdir}/ldb/memberof.so +%dir %{sssdstatedir} +%attr(700,root,root) %dir %{dbpath} +%attr(755,root,root) %dir %{pipepath} +%attr(755,root,root) %dir %{pubconfpath} +%attr(700,root,root) %dir %{pipepath}/private +%attr(750,root,root) %dir %{_var}/log/%{name} +%attr(700,root,root) 
%dir %{_sysconfdir}/sssd +%config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%config %{_sysconfdir}/sssd/sssd.api.conf +%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d +%config %{_sysconfdir}/sssd/sssd.api.d/ +%{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-ipa.5* +%{_mandir}/man5/sssd-krb5.5* +%{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man8/sss_groupadd.8* +%{_mandir}/man8/sss_groupdel.8* +%{_mandir}/man8/sss_groupmod.8* +%{_mandir}/man8/sss_groupshow.8* +%{_mandir}/man8/sss_useradd.8* +%{_mandir}/man8/sss_userdel.8* +%{_mandir}/man8/sss_usermod.8* +%{_mandir}/man8/sss_debuglevel.8* +%{_mandir}/man8/sssd_krb5_locator_plugin.8* +%{python_sitearch}/pysss.so +%{python_sitelib}/*.py* + + +%files client -f sss_client.lang +%defattr(-,root,root,-) +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_mandir}/man8/pam_sss.8* + +%files -n libdhash +%defattr(-,root,root,-) +%doc common/dhash/COPYING +%doc common/dhash/COPYING.LESSER +%{_libdir}/libdhash.so.1 +%{_libdir}/libdhash.so.1.0.0 + +%files -n libdhash-devel +%defattr(-,root,root,-) +%{_includedir}/dhash.h +%{_libdir}/libdhash.so +%{_libdir}/pkgconfig/dhash.pc +%doc common/dhash/README +%doc common/dhash/examples + +%post +/sbin/ldconfig +/sbin/chkconfig --add %{servicename} +if [ $1 -ge 2 ] ; then +# a one-time upgrade from confdb v1 to v2, only if upgrading + python %{_libexecdir}/%{servicename}/upgrade_config.py +fi + +%preun +if [ $1 = 0 ]; then + /sbin/service %{servicename} stop 2>&1 > /dev/null + /sbin/chkconfig --del %{servicename} +fi + +%postun +/sbin/ldconfig +if [ $1 -ge 1 ] ; then + /sbin/service %{servicename} condrestart 2>&1 > /dev/null +fi + +%post client -p /sbin/ldconfig + +%postun client -p /sbin/ldconfig + +%post -n libdhash -p /sbin/ldconfig + +%postun -n libdhash -p /sbin/ldconfig + +%changelog +* Mon Sep 28 2009 Sumit Bose - 0.6.0-0 +- New upstream release 0.6.0 + +* Fri Sep 25 2009 Simo Sorce - 0.5.0-1 +- Split package into server and clients 
components +- Convert to new config file format + +* Wed Sep 02 2009 Stephen Gallagher - 0.5.0-0 +- New upstream release 0.5.0 + +* Mon May 18 2009 Stephen Gallagher - 0.4.0-1 +- Convert build system to automake + +* Mon Apr 20 2009 Jakub Hrozek - 0.3.2-1 +- bugfix release 0.3.2 + +* Mon Apr 13 2009 Simo Sorce - 0.3.1-1 +- bugfix release + +* Sun Apr 12 2009 Stephen Gallagher - 0.3.0-2 +- Remove InfoPipe from RPM build + +* Sun Apr 12 2009 Stephen Gallagher - 0.3.0-1 +- Convert to using /etc/sssd/sssd.conf for configuration + +* Tue Mar 10 2009 Simo Sorce - 0.2.1-1 +- Bump up to version 0.2.1 + +* Fri Mar 06 2009 Jakub Hrozek - 0.1.0-4 +- fixed items found during review +- added initscript + +* Thu Mar 05 2009 Sumit Bose - 0.1.0-3 +- added sss_client + +* Mon Feb 23 2009 Jakub Hrozek - 0.1.0-2 +- Small cleanup and fixes in the spec file + +* Thu Feb 12 2009 Stephen Gallagher - 0.1.0-1 +- Initial release (based on version 0.1.0 upstream code) --- sssd-2.2.2.orig/contrib/test-suite/README.md +++ sssd-2.2.2/contrib/test-suite/README.md 
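Review bot: In `%preun` and `%postun` the redirection `2>&1 > /dev/null` is in the wrong order: stderr is duplicated onto the original stdout before stdout is redirected, so error output from `/sbin/service` still reaches the terminal. Write `> /dev/null 2>&1` if both streams are meant to be silenced. In `%install`, `install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/` targets a directory that the preceding `mkdir -p` does not create; unless `make install` creates it, add `$RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d` to that `mkdir -p`.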
@@ -0,0 +1,23 @@
+# SSSD Test Suite
+
+SSSD Test Suite is set of test that are being run automatically as part of Pull Request CI.
+
+## Steps to run the tests manually on local machine
+
+You need to clone and configure `sssd-test-suite` project to run these test manually on your local machine.
+
+1. Checkout `https://github.com/SSSD/sssd-test-suite`
+2. Configure and setup SSSD test suite per instructions located at project readme.
+3. Make sssd-test-suite use already provisioned boxes (either manually created or maintained by SSSD team at https://app.vagrantup.com/sssd-vagrant).
+4. Run the tests with `sssd-test-suite` command line interface
+
+```bash
+$ git clone https://github.com/SSSD/sssd-test-suite
+$ cd sssd-test-suite
+$ cp ./configs/sssd-f30.json ./config.json
+$ ./sssd-test-suite run --sssd $path-to-sssd --artifacts /tmp/sssd-artifacts
+```
+
+See [sssd-test-suite documentation](https://github.com/SSSD/sssd-test-suite/blob/master/readme.md) for more information.
+See [running the tests documentation](https://github.com/SSSD/sssd-test-suite/blob/master/docs/running-tests.md) for more information about the process.
+
--- sssd-2.2.2.orig/contrib/test-suite/test-suite.yml
+++ sssd-2.2.2/contrib/test-suite/test-suite.yml
@@ -0,0 +1,11 @@
+- name: Integration Tests
+ machines:
+ - client
+ tasks:
+ - name: Running ./contrib/ci/run
+ shell: ./contrib/ci/run --moderate --no-deps
+ artifacts:
+ - ci-*.log
+ - ci-build-debug/ci-*.log
+ - ci-build-debug/test-suite.log
+ timeout: 6 hours
--- sssd-2.2.2.orig/contrib/vagrant/bootstrap.sh
+++ sssd-2.2.2/contrib/vagrant/bootstrap.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -x
+
+sed -e "s/@PACKAGE_NAME@/sssd/" \
+ -e "s/@PRERELEASE_VERSION@//" \
+ -e "s/@PACKAGE_VERSION@/0/" \
+ /vagrant/contrib/sssd.spec.in > /vagrant/contrib/sssd_vagrant.spec
+
+dnf clean metadata
+dnf install -y @buildsys-build realmd sssd adcli polkit oddjob-mkhomedir
+dnf builddep -y /vagrant/contrib/sssd_vagrant.spec
+
+source /usr/share/doc/git/contrib/completion/git-prompt.sh
+
+cat << EOF >> /home/vagrant/.bashrc
+source /usr/share/doc/git/contrib/completion/git-prompt.sh
+export GIT_PS1_SHOWDIRTYSTATE=1
+export PS1='[\u@\h:\W\$(__git_ps1 " (%s)")]\$\[\e[0m\] '
+
+. /vagrant/contrib/fedora/bashrc_sssd
+
+EOF
--- sssd-2.2.2.orig/debian/README.source
+++ sssd-2.2.2/debian/README.source
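Review bot: The provisioning script in contrib/vagrant/bootstrap.sh traces commands with `-x` but never stops on failure, so a failed `sed` or `dnf builddep` still lets provisioning finish and leaves a box that looks ready but lacks build dependencies. Adding `set -e` right after the shebang would surface that; the `source` of git-prompt.sh in the provisioning shell would then need to tolerate a missing file. Separately, `cat << EOF >> /home/vagrant/.bashrc` appends the same block on every re-provision; guarding it, for example with `grep -q bashrc_sssd /home/vagrant/.bashrc ||` in front of the `cat`, keeps the file from accumulating duplicate `source` lines.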
@@ -0,0 +1,58 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ break
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new
+
+where is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
--- sssd-2.2.2.orig/debian/apparmor-profile
+++ sssd-2.2.2/debian/apparmor-profile
@@ -0,0 +1,53 @@
+#include
+
+/usr/sbin/sssd {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_nice,
+ capability sys_resource,
+
+ @{PROC} r,
+ @{PROC}/[0-9]*/net/psched r,
+ @{PROC}/[0-9]*/status r,
+
+ /etc/krb5.keytab k,
+ /etc/ldap/ldap.conf r,
+ /etc/libnl-3/classid r,
+ /etc/localtime r,
+ /etc/shells r,
+ /etc/sssd/sssd.conf r,
+
+ /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
+ /usr/lib/@{multiarch}/samba/ldb/* m,
+ /usr/lib/@{multiarch}/sssd/* rix,
+ /usr/sbin/sssd rmix,
+
+ /tmp/{,.}krb5cc_* rwk,
+
+ /var/lib/sss/* rw,
+ /var/lib/sss/db/* rwk,
+ /var/lib/sss/gpo_cache/* rw,
+ /var/lib/sss/mc/* rw,
+ /var/lib/sss/pipes/* rw,
+ /var/lib/sss/pipes/private/* rw,
+ /var/lib/sss/pubconf/* rw,
+ /var/lib/sss/pubconf/krb5.include.d/ r,
+ /var/lib/sss/pubconf/krb5.include.d/* rw,
+ /var/log/sssd/* rw,
+ /var/tmp/host_* rw,
+
+ /{,var/}run/sssd.pid rw,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
--- sssd-2.2.2.orig/debian/changelog
+++ sssd-2.2.2/debian/changelog
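Review bot: The file rules in debian/apparmor-profile no longer match the paths this package uses according to its own changelog: only `/etc/sssd/sssd.conf r,` is allowed although 1.14.1-1 added `etc/sssd/conf.d` for config snippets, and helpers are only executable from `/usr/lib/@{multiarch}/sssd/* rix,` although 2.2.0-1 records files moving to `/usr/libexec`. The changelog says the profile is installed in force-complain mode, so today this presumably only produces log noise, but anyone switching it to enforce would get denials on snippet loading and helper execution. I would add `/etc/sssd/conf.d/ r,` and `/etc/sssd/conf.d/* r,` next to the sssd.conf rule, plus an `rix` rule for the libexec helper directory (exact subdirectory to be taken from the .install files, not visible here). It is also worth a comment in the profile on why `capability sys_admin` and `capability dac_override` are needed, since those two grants carry most of the confinement risk.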
@@ -0,0 +1,989 @@
+sssd (2.2.2-1build1) focal; urgency=medium
+
+ * No-change rebuild to build with python3.8.
+
+ -- Matthias Klose Sat, 25 Jan 2020 06:12:11 +0000
+
+sssd (2.2.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * default-to-socket-activated-services.diff: Don't enable any
+ services when run without a conffile.
+ * fix-have-systemd.diff: Dropped, upstream.
+ * default-to-socket-activated-services.diff: Refreshed.
+ * signing-key: Add key from Michal Židek.
+ * Get rid of all old pre/postinst file removal fluff, since that's all
+ obsolete by now.
+ * Drop python2 support. (Closes: #938566)
+
+ -- Timo Aaltonen Wed, 18 Sep 2019 15:27:44 +0300
+
+sssd (2.2.0-4) unstable; urgency=medium
+
+ [ Sam Morris ]
+ * fix-have-systemd.patch: correct detection of systemd.pc
+ (Closes: #932080)
+ * default-to-socket-activated-services.diff: rely on socket activation
+ to spawn nss and pam responders
+
+ -- Timo Aaltonen Fri, 19 Jul 2019 18:15:41 +0300
+
+sssd (2.2.0-3) unstable; urgency=medium
+
+ * common/ipa/krb5-common/proxy.postinst: Use libexec path. (Closes:
+ #931859)
+
+ -- Timo Aaltonen Fri, 12 Jul 2019 10:01:06 +0300
+
+sssd (2.2.0-2) unstable; urgency=medium
+
+ * rules: Override dh_installman, let dh_install handle installing
+ manpages too.
+
+ -- Timo Aaltonen Thu, 11 Jul 2019 00:53:36 +0300
+
+sssd (2.2.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Bump policy to 4.4.0.
+ * control, compat, rules: Bump debhelper to 12.
+ * *.install: Updated, some files moved to /usr/libexec.
+
+ -- Timo Aaltonen Wed, 10 Jul 2019 10:14:09 +0300
+
+sssd (2.1.0-1) experimental; urgency=medium
+
+ * New upstream release.
+ * sssd-tools.install: Local domain support is deprecated and not
+ built by default anymore, so drop the files.
+ * control, sssd-common.install: Secrets responder is dropped, deprecated.
+ * control: Add ldap-utils to build-depends, tests need it.
+ * sssd-common.install: Add new internal libs for iface/sbus.
+ * fix-whitespace-test.diff: Fix ignoring the debian dir.
+ * rules: Update the clean target.
+
+ -- Timo Aaltonen Mon, 27 May 2019 13:55:38 +0300
+
+sssd (1.16.4-1~exp1) experimental; urgency=medium
+
+ [ Timo Aaltonen ]
+ * New upstream release. (LP: #1572908)
+ * Drop patches, all upstream.
+ * Enable systemd responders. (Closes: #925026, #923882)
+
+ [ Dominik George ]
+ * Acknowledge NMU.
+ * Add myself to Uploaders.
+
+ -- Timo Aaltonen Wed, 03 Apr 2019 09:56:33 +0300
+
+sssd (1.16.3-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix copy_ccache test broken by recent krb5 changes. (Closes: #921761)
+ * Fix PAC responder build with krb5 1.17. (Closes: #923125)
+
+ -- Dominik George Sun, 24 Feb 2019 11:05:55 +0100
+
+sssd (1.16.3-3) unstable; urgency=medium
+
+ * fix-curl-ftbfs.diff: Fix build with current curl. (Closes: #913403)
+ * Rebuild with python3.7. (Closes: #915199, #915168)
+
+ -- Timo Aaltonen Sun, 02 Dec 2018 11:16:57 +0200
+
+sssd (1.16.3-2) unstable; urgency=medium
+
+ [ Jeremy Bicha ]
+ * Don't require libgdm-dev on s390x or non-Linux architectures
+ (Closes: #913030)
+
+ [ Andreas Hasenack ]
+ * d/t/{ldap-user-group-ldap-auth,control,login.exp,util,common-tests}: add
+ LDAP DEP8 test
+ * d/t/{util,login.exp,ldap-user-group-krb5-auth,control}: add krb5 DEP8 test
+
+ -- Timo Aaltonen Tue, 06 Nov 2018 16:55:34 +0200
+
+sssd (1.16.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Add python-sss to sssd-tools depends. (Closes: #905220)
+ * libsss-sudo: Add sss entry to nsswitch only on initial install.
+ (Closes: #903917)
+ * control: Update list address.
+ * disable-tests.diff: Dropped, all tests pass on a proper buildd setup
+ which should have /etc/{hosts,networks} populated.
+
+ -- Timo Aaltonen Wed, 22 Aug 2018 16:34:01 +0300
+
+sssd (1.16.2-1) unstable; urgency=medium
+
+ * New upstream release. (LP: #1778554)
+ * control: Enable tests, add check and libcmocka-dev to build-depends.
+ * rules: Use samba idmap version 6.
+ * disable-tests.diff: Disable three tests that are known to fail in
+ sbuild.
+ * control: Drop obsolete build-depends.
+ * control: Update VCS urls.
+ * control: Drop specifying python versions.
+ * control: Change priority to optional.
+ * libsss-sudo.post*: Don't call ldconfig.
+
+ -- Timo Aaltonen Wed, 27 Jun 2018 14:07:55 +0300
+
+sssd (1.16.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * common.dirs, common.postinst: Add dir for secrets with correct
+ permissions. (Closes: #892315)
+ * common: Add support for Fleet Commander, create deskprofile dir with
+ correct permissions.
+ * control: Add libgdm-dev to build-depends to support multiple
+ certificates.
+ * control, rules, common.install: Add support for systemtap.
+ * control: Bump policy to 4.1.3, no changes.
+
+ -- Timo Aaltonen Tue, 13 Mar 2018 11:25:00 +0200
+
+sssd (1.16.0-5) unstable; urgency=medium
+
+ * rules: Disable files domain, it's not useful in Debian. (Closes:
+ #888207)
+
+ -- Timo Aaltonen Fri, 26 Jan 2018 10:42:17 +0200
+
+sssd (1.16.0-4) unstable; urgency=medium
+
+ * Revert installing responder service/socket files again.
+ (Closes: #886483)
+
+ -- Timo Aaltonen Mon, 22 Jan 2018 16:50:14 +0200
+
+sssd (1.16.0-3) unstable; urgency=medium
+
+ * Install responder service and socket files again.
+
+ -- Timo Aaltonen Thu, 04 Jan 2018 09:55:41 +0200
+
+sssd (1.16.0-2) unstable; urgency=medium
+
+ * Enable default config. (Closes: #858968)
+ * Enable files domain.
+
+ -- Timo Aaltonen Mon, 25 Dec 2017 21:38:26 +0200
+
+sssd (1.16.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * sysdb-sanitize-search-filter-input.diff: Dropped, upstream.
+ * sssd-common.install: Add sssd-session-recording.5.
+ * control: Depend on python3 pkgs by default. (Closes: #883178)
+
+ -- Timo Aaltonen Wed, 20 Dec 2017 11:58:50 +0200
+
+sssd (1.15.3-3) unstable; urgency=medium
+
+ * Rebuild against new libldb. (Closes: #880013)
+
+ -- Timo Aaltonen Sun, 29 Oct 2017 09:13:42 +0200
+
+sssd (1.15.3-2) unstable; urgency=medium
+
+ * control: Fix libipa-hbac-dev short description.
+ * generate-config: Update the config template. (Closes: #872787)
+ * sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173.
+ (Closes: #877885)
+
+ -- Timo Aaltonen Thu, 12 Oct 2017 08:24:51 +0300
+
+sssd (1.15.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * apparmor-profile: Add chown capability, allow one to notify systemd.
+ * control: Add libcurl4-gnutls-dev and uuid-dev to build depends.
+ * Add libsss-certmap{0,-dev} packages.
+ * Add sssd-kcm.
+ * rules: Migrate to dh_missing.
+ * control: Bump policy to 4.0.0, no changes.
+ * compat, control, rules: Bump debhelper compat to 10, drop --parallel
+ as it's the default now.
+
+ -- Timo Aaltonen Sat, 29 Jul 2017 11:50:41 +0300
+
+sssd (1.15.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Demote adcli to sssd-ad suggests.
+ * rules, common.install: Fix sssd_krb5_locator_plugin install path.
+ (LP: #1664566)
+ * control, copyright, watch: Update upstream URLs.
+ * common.install: Add libsss_files and socket activation helper.
+
+ -- Timo Aaltonen Mon, 20 Mar 2017 15:17:19 +0200
+
+sssd (1.15.0-3) unstable; urgency=medium
+
+ * rules, install: Remove responder service and socket files for now, the
+ sockets weren't supposed to be enabled anyway and can cause issues.
+ (Closes: #854048)
+
+ -- Timo Aaltonen Sat, 04 Feb 2017 18:34:06 +0200
+
+sssd (1.15.0-2) unstable; urgency=medium
+
+ * import-daemon-opts.diff, sssd.default: Drop the patch modifying sssd
+ service file, and revert the daemon options for sysvinit.
+ /etc/default/sssd is now only for the initscript (Closes: #852719)
+
+ -- Timo Aaltonen Thu, 26 Jan 2017 21:29:58 +0200
+
+sssd (1.15.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #852450) (LP: #1566508)
+ * Drop upstreamed patches.
+ * sssd-common.sssd.default, import-daemon-opts.diff: Change default
+ daemon options to match current upstream.
+ * sssd-dbus.install: Drop libsss_config, which was removed.
+ * sssd-{ad,common,dbus}.install: Add systemd service and socket files
+ for pac, sudo, ssh, autofs, pam, nss and ifp responders.
+
+ -- Timo Aaltonen Wed, 25 Jan 2017 22:46:02 +0200
+
+sssd (1.14.2-2.1) unstable; urgency=low
+
+ * Non-maintainer upload with maintainer approval.
+ * ldap-blocking.diff: Fix ldaps connections by removing NON_BLOCKING from
+ socket options (Closes: 849756). Patch from upstream pull request #67.
+
+ -- Petter Reinholdtsen Tue, 24 Jan 2017 22:26:17 +0000
+
+sssd (1.14.2-2) unstable; urgency=medium
+
+ * fix-prefix-substitution.diff: Fix IFP service file path substitution.
+ (LP: #1652629)
+
+ -- Timo Aaltonen Tue, 17 Jan 2017 16:39:14 +0200
+
+sssd (1.14.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Add adcli to sssd-ad Recommends. (LP: #1590471)
+ * accept-krb5-1.15.diff: Allow building PAC responder with MIT krb5
+ 1.15. (Closes: #843385)
+ * common.install: Add sssd-secrets manpage.
+
+ -- Timo Aaltonen Wed, 16 Nov 2016 10:47:15 +0200
+
+sssd (1.14.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * ipa-terminate-if-view-name-fails.diff,
+ gpo-add-unity-to-ad-gpo-map-interactive.diff:
+ Dropped, upstream.
+ * sssd-common.dirs: Add etc/sssd/conf.d for config snippets.
+ * control: Add libhttp-parser-dev and libjansson-dev to build-deps.
+ * sssd-tools.install: Add sssctl.
+ * sssd-common.install: Add sssd-secrets and winbind idmap plugin.
+ * Drop the upstart job, it was only shipped on Ubuntu which has
+ switched to systemd.
+ * rules, default, import-daemon-opts.diff: Import daemon options from
+ default/sssd also with systemd. (LP: #1587395)
+ * rules: Don't install a default config file.
+
+ -- Timo Aaltonen Wed, 05 Oct 2016 14:20:37 +0300
+
+sssd (1.13.4-3) unstable; urgency=medium
+
+ * common: Add /var/lib/sss/gpo_cache. (LP: #1579092)
+ * gpo-add-unity-to-ad-gpo-map-interactive.diff: Allow logging in from
+ unity lockscreen. (LP: #1578415)
+
+ -- Timo Aaltonen Tue, 10 May 2016 10:39:46 +0300
+
+sssd (1.13.4-2) unstable; urgency=medium
+
+ * ipa-terminate-if-view-name-fails.diff: Fix support for older IPA
+ servers. (LP: #1572582)
+
+ -- Timo Aaltonen Wed, 20 Apr 2016 16:55:24 +0300
+
+sssd (1.13.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * apparmor-profile: Fixed and tidied.
+
+ -- Timo Aaltonen Wed, 30 Mar 2016 19:31:33 +0300
+
+sssd (1.13.3-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Timo Aaltonen Thu, 17 Dec 2015 13:27:11 +0200
+
+sssd (1.13.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * patches: Removed fix-obsolete-target.diff, fix-python-modules.diff,
+ both upstream now.
+
+ -- Timo Aaltonen Thu, 03 Dec 2015 21:14:29 +0200
+
+sssd (1.13.1-2) unstable; urgency=medium
+
+ * apparmor: Fix access to krb5.include.d. (LP: #1489378)
+ * {krb5-common,proxy}.postinst: Chmod the correct files. (Closes:
+ #801537, #801538)
+
+ -- Timo Aaltonen Tue, 13 Oct 2015 16:55:47 +0300
+
+sssd (1.13.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * {common,ipa,krb5,proxy}.postinst: Create a sssd system user & group,
+ and migrate various bits to their ownership.
+ * Add sssd-dbus to libsss-simpleifp0 Depends.
+ * ipa: Add /var/lib/sss/keytabs.
+ * common: Add PEM/DER conversion library.
+ * Add support for python3 modules.
+ * tools: Add sss_override.
+ * common: Add p11_child.
+ * ad: Drop libsss_ad_common, it was for tests only and not shipped
+ anymore.
+ * common: Move libsss_krb5_common here from sssd-krb5-common to satisfy
+ libsss_ldap_common depending on it.
+ * libsystemd.diff: Dropped, fixed upstream.
+ * fix-python-modules.diff: Don't add symlinks to python modules,
+ rename the built modules instead.
+ * rules, postinst: Avoid running dpkg-architecture in postinst and
+ instead mangle them in post-dh_installdeb.
+ * common: Add depends on adduser.
+
+ -- Timo Aaltonen Sat, 03 Oct 2015 08:38:29 +0300
+
+sssd (1.12.5-3) unstable; urgency=medium
+
+ * sssd-common.postinst: Drop removing the old logrotate file, handle
+ it in sssd.maintscript instead. (Closes: #794332)
+
+ -- Timo Aaltonen Tue, 08 Sep 2015 22:47:08 +0300
+
+sssd (1.12.5-2) unstable; urgency=medium
+
+ * sssd-common.postinst: Remove duplicate logrotate file on update.
+ (LP: #1249772)
+ * control, libsystemd.diff: Transition to libsystemd, thanks Michael
+ Biebl! (Closes: #791909)
+
+ -- Timo Aaltonen Tue, 21 Jul 2015 15:04:25 +0300
+
+sssd (1.12.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Let uscan verify upstream tarballs.
+ * control: Bump policy to 3.9.6, no changes.
+
+ -- Timo Aaltonen Fri, 12 Jun 2015 22:36:52 +0300
+
+sssd (1.12.4-1) experimental; urgency=medium
+
+ * New upstream release.
+ * apparmor-profile: Updated. (LP: #1421110)
+ * control: Add new build-depends; cifs-utils, libaugeas-dev,
+ libnfsidmap-dev, libsmbclient-dev, systemd.
+ * control, .install: Add libwbclient-sssd{,-dev}.
+ * control, .install: Add libsss-simpleifp{0,-dev}.
+ * fix-automake-compat.diff, fix-catchchild.diff: Dropped, upstream.
+ * rules: Use max-parallel=1 for dh_auto_install.
+ * sssd-common.install: Add files for NFS v4 client.
+ * sssd-ad.install: Add new files.
+ * sssd-ipa.install: Add selinux_child.
+ * sssd-dbus: Add libsss_config.so.
+ * sssd-common: Add cifs idmap plugin, semanage library and krb5
+ localauth plugin.
+ * rules: Add a placeholder to not modify permissions of
+ {krb5,ldap,selinux}_child.
+ * control: Add libsystemd-login-dev to build-depends.
+ * control: Add libnss-wrapper and libuid-wrapper to build-depends.
+ * rules: Use automake native verbosity for tests, and bump
+ CK_TIMEOUT_MULTIPLIER.
+
+ -- Timo Aaltonen Thu, 09 Apr 2015 23:56:01 +0300
+
+sssd (1.11.7-3) unstable; urgency=medium
+
+ * libsss-sudo.postrm: Delete sudoers line from nsswitch.conf, if only
+ files source left. (Closes: #749722)
+ * libsss-sudo.postinst: Fix comments.
+ * libsss-sudo.postinst: Check nsswitch sudoers entry unconditionally,
+ so that it is added on upgrade too if missing.
+
+ -- Timo Aaltonen Fri, 16 Jan 2015 13:53:22 +0200
+
+sssd (1.11.7-2) unstable; urgency=medium
+
+ * default, upstart.in: Upstream ticket #2312 is fixed now, so drop the
+ workaround to run the daemon in the foreground. (Closes: #760353)
+ * fix-automake-compat.diff: Added an upstream commit to fix configure
+ with new automake.
+ * fix-catchchild.diff: Fix build failure with samba 4.1.13, bump
+ samba-dev build-dependency to match.
+
+ -- Timo Aaltonen Thu, 30 Oct 2014 14:49:05 +0200
+
+sssd (1.11.7-1) unstable; urgency=medium
+
+ * New upstream release.
+ * sssd-common.install, sssd-dbus.install: Add new sss_signal helper
+ and the dbus service using it.
+ * fix-obsolete-target.diff: Drop syslog.target from the service file.
+ * libnss-sss.post*: Add sss entry to shadow and services on
+ nsswitch.conf. (Closes: #761173)
+
+ -- Timo Aaltonen Wed, 24 Sep 2014 07:08:04 +0300
+
+sssd (1.11.6-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Update my email.
+ * control: Update vcs urls.
+ * libnss-sss.postrm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before
+ removing sss entry from nsswitch.conf. (Closes: #748671)
+ * libpam-sss.prerm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before
+ running pam-auth-update --remove.
+ * control: Mark libkeyutils-dev, libselinux-dev, libsemanage-dev,
+ libnl*-dev build-deps as linux-any, as a preliminary step to build
+ on kfreebsd-*.
+ * Run wrap-and-sort.
+ * sssd-dbus: Add a new subpackage for the D-Bus responder.
+ * control: Demote libsasl2-modules-ldap to Suggests for sssd-ldap.
+ * generate-config: Bring it back for convenience, but don't run it on
+ postinst.
+ * sssd-common.postinst: Remove obsolete config upgrade.
+
+ -- Timo Aaltonen Tue, 19 Aug 2014 09:15:13 +0300
+
+sssd (1.11.5.1-2) unstable; urgency=medium
+
+ * control: Drop libcmocka-dev and check from build-depends again so
+ that the package will build on every arch. Test failures will be
+ fixed in a future upload.
+
+ -- Timo Aaltonen Thu, 14 Aug 2014 02:22:57 +0300
+
+sssd (1.11.5.1-1) unstable; urgency=medium
+
+ [ Stéphane Graber ]
+ * Fix upstart job to provide a proper stdin for sssd.
+ * Update defaults to always pass -i.
+
+ [ Timo Aaltonen ]
+ * New upstream release. (Closes: #745664)
+ * control: Bump libkrb5-dev build-dependency to 1.12 due to the OTP
+ features.
+
+ -- Timo Aaltonen Fri, 09 May 2014 14:50:12 +0300
+
+sssd (1.11.5-1) unstable; urgency=medium
+
+ * New upstream bugfix release. (Closes: #729982)
+ * upstart: Run the daemon in foreground and drop expect fork from the
+ job, should fix issues with upstart getting confused when a backend
+ fails to start.
+
+ -- Timo Aaltonen Tue, 08 Apr 2014 23:39:20 +0300
+
+sssd (1.11.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * control, rules: Add libcmocka-dev and re-add check to build-depends.
+ Override dh_auto_test so that it shows the test error log if they fail.
+ * rules: Fix the manpage date handling with a bigger hammer, and
+ enable it for all manpages not just pam_sss.8. (Closes: #734083)
+ * Drop an obsolete lintian override from libsss-sudo.
+
+ -- Timo Aaltonen Fri, 21 Mar 2014 13:28:38 +0200
+
+sssd (1.11.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * control: Update policy to 3.9.5, no changes.
+
+ -- Timo Aaltonen Fri, 03 Jan 2014 00:01:29 +0200
+
+sssd (1.11.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * rules, sssd-common.install: Use the correct path for the systemd
+ service file.
+ * control: Build depend on libpam0g-dev | libpam-dev.
+
+ -- Timo Aaltonen Tue, 19 Nov 2013 15:22:27 +0200
+
+sssd (1.11.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * sssd-common.postinst, generate-config: Don't create a config on install,
+ drop generate-config. (Closes: #717587)
+ * sssd-common.postrm: Remove /etc/apparmor.d too, if empty.
+ * control, rules, sssd-common.install: Install the systemd service
+ file provided by upstream.
+ * control: Drop M-A: foreign from sssd-* and add back to sssd instead.
+ * control: Don't hardcode 'multiarch-support'.
+ * control: Drop unnecessary multiarch declarations.
+ * control: Drop obsolete Breaks/Conflicts.
+ * rules: Enable parallel build.
+ * control: Add libltdl-dev to build-depends.
+ * control: Prepare for new unified samba package, adjust build-
+ dependencies. Thanks, Ivo De Decker! (Closes: #725992)
+
+ -- Timo Aaltonen Tue, 06 Aug 2013 17:04:28 +0300
+
+sssd (1.10.0-1) unstable; urgency=low
+
+ [ Timo Aaltonen ]
+ * New upstream release (Closes: #693054, #705357, #711101)
+ * Update the packaging for the new version, thanks Esko Järnfors!
+ - Add libsss-idmap0, libsss-idmap-dev packages
+ - Add sssd Depends on libsss-idmap0
+ - Add /var/lib/sss/mc directory for the new mmap cache
+ * Split authentication providers to separate packages and make sssd
+ a metapackage.
+ * control: Drop libunistring-dev from build-depends and add libglib2.0-dev
+ for unicode support.
+ * sssd-*.install: Install new manpages.
+ * python-sss.install: py-files got moved under SSSDConfig.
+ * control, rules: Use default build flags, bump dpkg-dev build-dep to
+ 1.16.1~.
+ * rules: Install the apparmor profile with -m644.
+ * python-sss: Add pysss_murmur.so.
+ * rules, control, sssd-ad-common.install: PAC responder support.
+ - Add libndr-dev, libndr-standard-dev, libsamba-util-dev, samba4-dev,
+ libdcerpc-dev to build-depends
+ - Add -I/usr/include/samba-4.0 to CFLAGS
+ * control: Mark sssd-common as Multi-Arch: foreign.
+ * watch: Add a comment about the upstream git tree.
+ * Replace perl snippet from libnss-sss.post* with sed, drop perl from
+ Depends. (Closes: #686237)
+ * compat: Bump compat to 9.
+ * rules: Set DEB_HOST_MULTIARCH, drop --libdir and remnants of cdbs.
+ * sssd-common.install: Install the support binaries under the multiarch path.
+ * rules,sssd-common.postinst: Move generate-config to /usr/share/sssd.
+ * rules, sssd-common.install: Use the correct install path for the
+ krb5_locator plugin.
+ * libnss-sss.postinst: SSSD doesn't handle shadow maps, so don't pretend
+ that it would.
+ * libsss-sudo*, control: Remove the soname from the library, move .so to
+ the libsss-sudo, drop -dev package.
+ * rules: Pass --datadir, so the path in autogenerated python files is
+ correctly substituted. (LP: #1079938)
+ * sssd-krb5-common.dirs: Add krb5 include dir.
+ * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
+ * libsss-sudo.postrm: Run ldconfig on remove/purge.
+ * apparmor-profile: Fix the profile to use the multiarch path for it's
+ helper location (LP: #1175317).
+ * Add packaging for libsss-nss-idmap0, libsss-nss-idmap-dev,
+ python-libsss-nss-idmap.
+ * watch: Updated to work with alpha/beta releases.
+ * control: Migrate to libnl-3 now that it's supported. (Closes: #688174)
+ * sssd-common.{preinst,postrm}: Install the apparmor profile in force-complain
+ mode on install, and remove the profile directory on purge (if empty). Also
+ migrate from previous setup which installed it as disabled.
+ (Closes: #676140)
+ * control: Bump policy to 3.9.4, no changes.
+ * control: Add libpam-pwquality (>= 1.2.2-1) to libpam-sss depends, which
+ makes the password stack work in all cases. (LP: #1159983)
+ * control: Drop check from build-depends for now, to work around a linking bug
+ in check (#712140) that makes the tests fail on (at least) i386.
+
+ [ Stéphane Graber ]
+ * Add postinst/postrm script for libsss-sudo. Those will add a "sudoers"
+ entry to /etc/nsswitch.conf upon first installation of the package and
+ will then take care of adding/removing sss from the stack as required.
+ * Set CK_DEFAULT_TIMEOUT to 30 so that slower buildds (armhf at least) can
+ run the tests without hitting the default 4s timeout.
+
+ -- Timo Aaltonen Fri, 05 Jul 2013 14:53:06 +0300
+
+sssd (1.8.4-2) unstable; urgency=low
+
+ * fix-cve-2013-0219-1.diff, fix-cve-2013-0219-2.diff,
+ fix-cve-2013-0220.diff: Upstream commits from the stable tree to fix
+ recent CVE reports. (Closes: #698871)
+
+ -- Timo Aaltonen Wed, 27 Feb 2013 23:38:28 +0200
+
+sssd (1.8.4-1) unstable; urgency=low
+
+ * New upstream bugfix release 1.8.2.
+ - Several fixes to case-insensitive domain functions
+ - Fix for GSSAPI binds when the keytab contains unrelated
+ principals
+ - Fixed several segfaults
+ - Workarounds added for LDAP servers with unreadable RootDSE
+ - SSH knownhostproxy will no longer enter an infinite loop
+ preventing login
+ - The provided SYSV init script now starts SSSD earlier at startup
+ and stops it later during shutdown
+ - Assorted minor fixes for issues discovered by static analysis
+ tools
+ * New upstream bugfix release 1.8.3.
+ - Numerous manpage and translation updates
+ - LDAP: Handle situations where the RootDSE isn't available anonymously
+ - LDAP: Fix regression for users using non-standard LDAP attributes for
+ user information
+ * New upstream bugfix release 1.8.4. (LP: #981125, #985031)
+ - Fix a bug causing AD servers not to fail over properly when the KDC
+ on the primary server is down
+ - Fix an endianness bug on big-endian systems when looking up services
+ - Fix a segfault dealing with nested groups (LP: #981125)
+ - Make the nowait cache updates work for netgroups
+ - Fix a regression that broke domains with use_fully_qualified_names = True
+ (LP: #985031)
+ * control: Move the dependency of libsasl2-modules-gssapi-mit to
+ Recommends.
+ * control: sssd works with Heimdal gssapi modules too, add
+ libsasl2-modules-gssapi-mit as an option for the Recommends.
+ (LP: #966146)
+ * libpam-sss.pam-auth-update:
+ - Drop the dependency to 128, since pam_sss should always be below
+ pam_unix. (LP: #957486)
+ - Drop 'use_authtok' from the password stack, since it only works when
+ pam_cracklib is installed. This will allow password changes on the
+ default install.
+ * sssd.postrm: Try to remove /etc/sssd only if it exists.
+ (Closes: #666226)
+ * Add disabled by default Apparmor profile (LP: #933342)
+ - debian/sssd.upstart.in: load the profile during pre-start
+ - add debian/apparmor-profile, install to /etc/apparmor.d
+ - debian/rules: use dh_apparmor to install profile before sssd is
+ restarted
+ - debian/control: sssd Suggests apparmor (>= 2.3)
+ - debian/control: Add dh-apparmor to build-depends
+ - debian/sssd.preinst: disable profile on clean install or upgrades
+ from earlier than when we shipped the profile
+ * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
+ identical across all archs. (Closes: #670019)
+ * control: Add build-depends on libnl-dev to enable Netlink support.
+ * control: Add build-depends on libkeyutil-dev to enable support for
+ kernel keyring manipulation.
+ * sssd.logrotate: Rotate logs weekly, keep four previous rotations.
+ (Closes: #672984)
+ * sssd.upstart.in: Delete an invisible control character from the pre-start
+ script. (LP: #1003845)
+
+ -- Timo Aaltonen Fri, 01 Jun 2012 11:43:42 +0300
+
+sssd (1.8.1-1) unstable; urgency=low
+
+ * New maintainer, Debian SSSD Team. (Closes: #660985)
+
+ [ Timo Aaltonen ]
+ * New upstream release (1.8.1) (Closes: #647980, #624194, #639965)
+ - Support for the service map in NSS
+ - Support for setting default SELinux user context from FreeIPA
+ - Support for retrieving SSH user and host keys from LDAP (Experimental)
+ - Support for caching autofs LDAP requests (Experimental)
+ - Support for caching SUDO rules (Experimental)
+ * Update build-deps:
+ - Add libunistring-dev, libdhash-dev, libcollection-dev and
+ libini-config-dev.
+ - Add check for unit tests.
+ - Drop cvs and python-central.
+ - Migrate to dh, drop cdbs build-dep, add quilt, dh-autoreconf and
+ autopoint to build-deps.
+ * Add new packages:
+ - libipa-hbac0, libipa-hbac-dev, libsss-sudo0, libsss-sudo-dev,
+ and python-libipa-hbac.
+ - Split sssd-tools: add Breaks/Replaces sssd (<< 1.8.0~beta3-1) and
+ add to sssd Suggests
+ * Drop patch to ensure LDAP authentication never accept a zero
+ length password, which is now included upstream.
+ * sssd.upstart.ubuntu:
+ - Don't start before net-device-up. (LP: 812943)
+ - Source /etc/default/sssd. (LP: 812943)
+ * sssd.default: Added a file to include the sssd daemon defaults,
+ currently has '-D -f'.
+ * sssd.init: Drop separate OPTIONS, '-D' comes from /etc/default/sssd
+ now..
+ * rules: Install the Python API files to /usr/share/sssd, as discussed
+ with upstream. (LP: 859611)
+ * fix-python-api-path.dpatch: Use the new location for the API files.
+ (LP: 859611)
+ * libpam-sss.pam-auth-update:
+ - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: 826643)
+ - Add pam_localuser.so to account stack to allow local users to log in.
+ (LP: 860488)
+ * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
+ mostly useless without them. (LP: 767337)
+ * control, compat: Bump debhelper build-dep and compat level to 8.
+ * Switch patch-system to quilt.
+ * Do not install a working config file by default. The local domain
+ definition was broken (upstream #1014). The daemon will need to be
+ configured by other means before it's usable.
+ * Add support for Multi-Arch (Closes: #634123).
+ * Remove unnecessary libnss-sss.links.
+ * libnss-sss.overrides: Add an override for
+ "package-name-doesnt-match-sonames".
+ * Determine the used init system during build, add lsb-release to
+ build-deps. Default to sysvinit, use upstart if Ubuntu.
+ * sssd.upstart.in: Test if the config file exists, and exit if not.
+ * Fail gracefully if invoke-rc.d returns an error on postinst/prerm, like
+ when the daemon fails to start when there is no config file.
+ * sssd.init.in: Check that /etc/default/sssd is a real file before sourcing
+ it (Closes: #587895).
+ * control: Add libsasl2-modules-gssapi-mit and libsasl2-modules-ldap to
+ Recommends for sssd.
+ * rules: Move the rule for purging .la files before dh_install
+ (Closes: #633206).
+ * sssd.install: Fix the wildcard for plugins to include .so symlinks.
+ * rules: Add configure flags
+ - Disable RPATH
+ - Disable building static libs
+ - Enable ssh user and host key retrieval, autofs request
+ and sudo rules caching. The respective packages need to add support
+ for these to be useful.
+ * Drop fix-python-api-path.patch, included upstream.
+ * sssd.examples: Install the renamed example config.
+ * rules: Drop special handling of the sssd.api.d, upstream uses
+ the proper path now.
+ * rules: Add --fail-missing to dh_install.
+ * sssd.install: Add new files.
+ * libpam-sss.install, control: Move pam_sss.8 to the correct package,
+ add Breaks/Replaces.
+ * rules: Remove some files we don't want to install, to make dh_install
+ happy.
+ * rules: Clean po/*.gmo, po/stamp-po and *.pyc.
+ * Install lintian overrides using dh_lintian.
+ * {sssd,libnss-sss}.lintian-overrides: Update.
+ * Move libsasl2-modules-gssapi to sssd Depends to make sure it gets
+ installed, as it's needed in most cases.
+ * control: Update maintainer address and repo location.
+ * control: Bump the Standards-Version to 3.9.3, no changes.
+ * control: Bump the debhelper build-dep to 9.
+ * control: Add ${misc:Depends} to libipa-hbac*, libsss-sudo*.
+ * control, rules: Migrate to dh_python2 (Closes: #617071).
+ * control: Add myself to uploaders.
+
+ [ Petter Reinholdtsen ]
+ * New upstream version 1.2.4:
+ - Resolves long-standing issues related to group processing with
+ RFC2307bis LDAP servers.
+ - Fixed bugs in RFC2307bis group memberships related to initgroups
+ (Closes: #595564).
+ - Fix tight-loop bug on systems with older OpenLDAP client
+ libraries (such as Red Hat Enterprise Linux 5)
+ * New Upstream Version 1.2.3:
+ - Resolves CVE-2010-2940.
+ * New Upstream Version 1.2.2:
+ - The LDAP provider no longer requires access to the LDAP
+ RootDSE. If it is unavailable, we will continue on with our best
+ guess.
+ - The LDAP provider will now log issues with TLS and GSSAPI to the
+ syslog.
+ - Significant performance improvement when performing initgroups
+ on users who are members of large groups in LDAP.
+ - The sss_client will now reconnect properly to the SSSD if the
+ daemon is restarted.
+ * This resolves an issue causing GDM to crash when logging out
+ of a user after the SSSD had been restarted.
+ * Correct package description for python-sss (Closes: #596215).
+ * Update Standards-Version from 3.8.4 to 3.9.1. No changes needed.
+
+ [ Stéphane Graber ]
+ * Fix prerm invoke_failure hook to simply return as empty functions
+ are invalid shell syntax.
+
+ -- Timo Aaltonen Thu, 22 Mar 2012 13:28:27 +0200
+
+sssd (1.2.1-4.4) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix FTBFS with -Werror=format-security. Thanks Philippe De Swert for patch.
+ (Closes: #643806).
+
+ -- Hector Oron Sun, 19 Feb 2012 19:33:04 +0000
+
+sssd (1.2.1-4.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Adjust install path to consider GNU triplet (Closes: #640626).
+
+ -- Luca Falavigna Tue, 20 Sep 2011 20:02:34 +0200
+
+sssd (1.2.1-4.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * debian/sssd.install
+ - updated location for ldb modules; Closes: #618159
+
+ -- Sandro Tosi Fri, 03 Jun 2011 23:53:59 +0200
+
+sssd (1.2.1-4.1) unstable; urgency=medium
+
+ * Non-maintainer upload by the Security Team
+ * Fix CVE-2010-4341 (Closes: #610032)
+
+ -- Moritz Muehlenhoff Tue, 25 Jan 2011 22:09:21 +0100
+
+sssd (1.2.1-4) unstable; urgency=low
+
+ * Add patch from Stephen Gallagher to ensure LDAP authentication
+ never accept a zero length password (Closes: #594413). Solves
+ CVE-2010-2940.
+
+ -- Petter Reinholdtsen Wed, 25 Aug 2010 22:33:40 +0200
+
+sssd (1.2.1-3) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d
+ script (Closes: #588252).
+ * Make sssd.conf generation more robust, and make sure missing SRV
+ records are ignored and not handled as host names.
+ * Add code in generate-config to look up Kerberos realm using
+ _kerberos TXT record in DNS if it exist.
+ * Recommend bind9-host used by generate-config for SRV and TXT
+ lookups.
+
+ [ Morten Werner Forsbring ]
+ * Check if /etc/default/sssd is a file and executable, not a directory,
+ before sourcing in init-script. Thanks to lintian.
+
+ -- Morten Werner Forsbring Thu, 12 Aug 2010 16:31:14 +0200
+
+sssd (1.2.1-2) unstable; urgency=low
+
+ * Make sure init.d script sources /etc/default/sssd (Closes: #588252).
+ * Drop /etc/default/sssd from package, to avoid conffile question
+ from dpkg during upgrades.
+ * Make sure to only remove obsolete sssd conffiles on upgrades, not
+ on first time installation.
+ * Add new script generate-config and call it from the sssd postinst
+ during first time installation to try to generate the sssd.conf
+ file dynamically for LDAP and Kerberos using DNS entries, and fall
+ back to the static example configuration if this fail.
+ * Let sssd suggest libnss-sss and libpam-sss, to make those
+ installing sssd aware of the other packages.
+ * Add netgroup to nsswitch.conf entries added at first time
+ installation, to make sure those installing now get working
+ netgroups when sssd get netgroup support
+ * Let sssd recommend ldap-utils as ldapsearch is used for generating
+ the configuration.
+
+ -- Petter Reinholdtsen Fri, 06 Aug 2010 23:44:26 +0200
+
+sssd (1.2.1-1) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Move calls to pam-auth-update from the package scripts in sssd to
+ libpam-sss, and correct prerm call to remove the correct pam config.
+ Add versioned dependency on libpam-runtime to make sure
+ pam-auth-update is available.
+ * Add code to the postinst and postrm of libnss-sss to update
+ passwd, group and shadow entries in /etc/nsswitch.conf.
+ * Make sure init.d/sssd start after $named, to ensure it can look up
+ in DNS also when the DNS server is on the local machine.
+
+ [ Morten Werner Forsbring ]
+ * New upstream release.
+
+ -- Morten Werner Forsbring Thu, 24 Jun 2010 14:16:30 +0200
+
+sssd (1.2.0-1) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * New upstream release.
+ - Add libsemanage1-dev as build dependency, as it is now required.
+ - Drop python-build-with-deb-layout.dpatch, now handled upstream.
+ - Adjust provide-default-working-sssd-config-file.dpatch to
+ work with new package source layout and config file content.
+ - Adjust build rules to cope with server/ changing to src/ in the
+ source tarball.
+ - Add --enable-krb5-locator-plugin to keep building the plugin.
+ * Change the pam-auth-update configuration to make the session
+ script optional instead of sufficient, to make sure the other
+ session modules are executed too.
+ * Change initial pam password entry from requisite to sufficient,
+ to make sure local users can have their password set even if
+ sssd is enabled.
+ * Rename pam-configs/sssd to pam-configs/sss, to have a name that
+ is consistent with the package name libpam-sss.
+ * Add VCS links to the GIT repository.
+ * Move configuration API documentation from /etc/sssd/ to
+ /usr/share/doc/sssd/. It is not configuration and do not belong
+ in /etc/.
+ * Drop autoconf, automake, libtool, m4 and autotools-dev from
+ build-depends. There is no need to regenerate the build files any
+ more.
+
+ [ Morten Werner Forsbring ]
+ * Add dnsutils as build-dependency.
+
+ -- Morten Werner Forsbring Tue, 01 Jun 2010 20:41:59 +0200
+
+sssd (1.0.5-1) unstable; urgency=low
+
+ * Initial upload based on package from Ubuntu (Closes: #579593).
+ * Update standards-version from 3.8.3 to 3.8.4. No changes needed.
+ * Add init.d script and rename sssd.upstart to sssd.upstart.ubuntu
+ to make sure init.d script is installed instead of upstart job.
+ * Add draft pam-auth-update configuration based on proposals in
+ Launcepad bug #557398.
+ * Update address to FSF in copyright file. Thanks lintian.
+ * Set section for python-sss to python after advice from lintian.
+ * Rewrite python-build-with-deb-layout.dpatch to patch Makefile.in
+ instead of Makefile.am, to avoid having to run autoreconf.
+ * Make sssd depend on python for its upgrade script.
+ * Extend clean rule to remove generated file server/config/.files.
+ * Make sure sssd.api.conf is installed into the sssd package, and
+ put it in /etc/sssd/sssd.api.conf. Fixes typo in Ubuntu package.
+
+ -- Petter Reinholdtsen Wed, 05 May 2010 21:53:29 +0200
+
+sssd (1.0.5-0ubuntu1) lucid; urgency=low
+
+ * New upstream bugfix release.
(LP: #510290) + * sssd.dirs: Add /var/lib/sss/pubconf (LP: #557394) + + -- Timo Aaltonen Fri, 16 Apr 2010 11:37:16 +0300 + +sssd (1.0.2-0ubuntu2) lucid; urgency=low + + * No change rebuild due to libldb downgrade + + -- Scott Kitterman Fri, 02 Apr 2010 17:48:19 -0400 + +sssd (1.0.2-0ubuntu1) lucid; urgency=low + + * New upstream release (LP: #473262): + - python API for managing sssd daemon configuration and + native SSSD users. + - support for asynchronous cache refreshes. + - support password changing in LDAP and Kerberos providers. + - support for server failover. + * debian/control: + - update tdb build dependency to use libtdb-dev. + - add libselinux1-dev and libsasl2-dev build dependencies. + * debian/sssd.upstart: replace init script with an upstart job. + * Turn sssd.conf into a configuration file. + * Create sssd log directory. + + -- Mathias Gug Tue, 19 Jan 2010 15:17:13 -0500 + +sssd (0.5.0-0ubuntu2) karmic; urgency=low + + * debian/libnss-sss.overrides, debian/sssd.overrides: + + Fix linitian errors and warnings (LP: #425697): + sssd ships an nss library - these are false-positives. + * debian/fix-dbus-watch.dpatch: Update dbus-patch to final + upstream version. + * debian/fix-proxy-segfault.dpatch: Fix proxy enumeration. + + -- Mathias Gug Wed, 09 Sep 2009 20:21:04 -0400 + +sssd (0.5.0-0ubuntu1) karmic; urgency=low + + * Initial release. + + -- Mathias Gug Mon, 24 Aug 2009 16:35:11 -0400 --- sssd-2.2.2.orig/debian/compat +++ sssd-2.2.2/debian/compat @@ -0,0 +1 @@ +12 --- sssd-2.2.2.orig/debian/control +++ sssd-2.2.2/debian/control 
@@ -0,0 +1,436 @@
+Source: sssd
+Section: utils
+Priority: optional
+Maintainer: Debian SSSD Team
+Uploaders: Timo Aaltonen ,
+ Dominik George
+Build-Depends:
+ autopoint,
+ check,
+ cifs-utils,
+ debhelper (>= 12),
+ dh-apparmor,
+ dh-python,
+ dnsutils,
+ docbook-xml,
+ docbook-xsl,
+ dpkg-dev (>= 1.16.1~),
+ krb5-config,
+ ldap-utils,
+ libaugeas-dev,
+ libc-ares-dev,
+ libcmocka-dev [amd64 armhf i386],
+ libcollection-dev,
+ libdbus-1-dev,
+ libdhash-dev,
+ libgdm-dev [!s390x !kfreebsd-any !hurd-any],
+ libglib2.0-dev,
+ libini-config-dev,
+ libjansson-dev,
+ libkeyutils-dev [linux-any],
+ libkrb5-dev (>= 1.12),
+ libldap2-dev,
+ libldb-dev,
+ libltdl-dev,
+ libnfsidmap-dev,
+ libnl-3-dev [linux-any],
+ libnl-route-3-dev [linux-any],
+ libnspr4-dev,
+ libnss-wrapper,
+ libnss3-dev,
+ libpam0g-dev | libpam-dev,
+ libpcre3-dev,
+ libpopt-dev,
+ libsasl2-dev,
+ libselinux1-dev [linux-any],
+ libsemanage1-dev [linux-any],
+ libsmbclient-dev,
+ libsystemd-dev [linux-any],
+ libtalloc-dev,
+ libtdb-dev,
+ libtevent-dev,
+ libuid-wrapper,
+ libxml2-utils,
+ lsb-release,
+ python3-dev,
+ python3-setuptools,
+ quilt,
+ samba-dev (>= 2:4.1.13),
+ systemd,
+ systemtap-sdt-dev,
+ uuid-dev,
+ xml-core,
+ xsltproc
+Standards-Version: 4.4.0
+Vcs-Git: https://salsa.debian.org/sssd-team/sssd.git
+Vcs-Browser: https://salsa.debian.org/sssd-team/sssd
+Homepage: https://pagure.io/SSSD/sssd/
+
+Package: sssd
+Section: metapackages
+Architecture: any
+Multi-Arch: foreign
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ python3-sss (= ${binary:Version}),
+ sssd-ad (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-ipa (= ${binary:Version}),
+ sssd-krb5 (= ${binary:Version}),
+ sssd-ldap (= ${binary:Version}),
+ sssd-proxy (= ${binary:Version}),
+ ${misc:Depends}
+Description: System Security Services Daemon -- metapackage
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms.
It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package is a metapackage which installs the daemon and existing
+ authentication back ends.
+
+Package: sssd-common
+Architecture: any
+Depends:
+ python3,
+ python3-sss,
+ ${misc:Depends},
+ ${shlibs:Depends},
+ adduser,
+Recommends:
+ bind9-host,
+ libnss-sss,
+ libpam-sss,
+ libsss-sudo
+Suggests:
+ apparmor,
+ sssd-tools
+Breaks: sssd (<< 1.10.0~beta2-1),
+ sssd-krb5-common (<< 1.13.1-1),
+Replaces: sssd (<< 1.10.0~beta2-1),
+ sssd-krb5-common (<< 1.13.1-1),
+Description: System Security Services Daemon -- common files
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides the daemon and other common files needed by the
+ authentication back ends.
+
+Package: sssd-ad
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests:
+ adcli,
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Active Directory back end
+ Provides the Active Directory back end that the SSSD can utilize to fetch
+ identity data from and authenticate against an Active Directory server.
+
+Package: sssd-ad-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- PAC responder
+ Provides the PAC responder that the AD and IPA backends can use for
+ fetching additional attributes from the kerberos ticket.
+
+Package: sssd-dbus
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- D-Bus responder
+ Provides the D-Bus responder called InfoPipe, that allows the information
+ from the SSSD to be transmitted over the system bus.
+
+Package: sssd-ipa
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- IPA back end
+ Provides the IPA back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an IPA server.
+
+Package: sssd-kcm
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- Kerberos KCM server implementation
+ Provides an implementation of a Kerberos KCM server. Use this package if
+ you want to use the KCM: Kerberos credentials cache.
+
+Package: sssd-krb5
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Kerberos back end
+ Provides the Kerberos back end that the SSSD can utilize authenticate
+ against a Kerberos server.
+
+Package: sssd-krb5-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Recommends: libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Kerberos helpers
+ Provides helper processes that the LDAP and Kerberos back ends can use for
+ Kerberos user or host authentication.
+
+Package: sssd-ldap
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: ldap-utils
+Suggests: libsasl2-modules-ldap
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- LDAP back end
+ Provides the LDAP back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an LDAP server.
+
+Package: sssd-proxy
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- proxy back end
+ Provides the proxy back end which can be used to wrap an existing NSS and/or
+ PAM modules to leverage SSSD caching.
+
+Package: sssd-tools
+Architecture: any
+Depends:
+ python3,
+ python3-sss,
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- tools
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides tools to manage users, groups and nested groups when
+ using the local id provider.
+
+Package: libnss-sss
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Nss library for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the nss library to connect to the sssd daemon.
+
+Package: libpam-sss
+Architecture: any
+Depends:
+ libpam-pwquality (>= 1.2.2-1),
+ libpam-runtime (>= 1.0.1-6),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Pam module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the pam module to connect to the sssd daemon.
+
+Package: libipa-hbac0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: FreeIPA HBAC Evaluator library
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+
+Package: libipa-hbac-dev
+Section: libdevel
+Architecture: any
+Depends: libipa-hbac0 (= ${binary:Version}), ${misc:Depends}
+Description: FreeIPA HBAC Evaluator library -- development files
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libipa-hbac library.
+
+Package: libsss-certmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Certificate mapping library for SSSD
+ Library to map certificates to users based on rules.
+
+Package: libsss-certmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-certmap0 (= ${binary:Version}), ${misc:Depends}
+Description: Certificate mapping library for SSSD -- development files
+ Utility library to map certificates to users based on rules.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-certmap library.
+
+Package: libsss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: ID mapping library for SSSD
+ Utility library to convert SIDs to Unix uids and gids.
+
+Package: libsss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: ID mapping library for SSSD -- development files
+ Utility library to convert SIDs to Unix uids and gids.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-idmap library.
+
+Package: libsss-nss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: SID based lookups library for SSSD
+ Utility library for SID based lookups.
+
+Package: libsss-nss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-nss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: SID based lookups library for SSSD -- development files
+ Utility library for SID based lookups.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-nss-idmap library.
+
+Package: libsss-sudo
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Replaces: libsss-sudo-dev (<= 1.9.3)
+Description: Communicator library for sudo
+ Utility library to allow communication between sudo and SSSD for caching
+ sudo rules by SSSD.
+
+Package: libsss-simpleifp0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+ sssd-dbus (= ${binary:Version}),
+Description: SSSD D-Bus responder helper library
+ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
+
+Package: libsss-simpleifp-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-simpleifp0 (= ${binary:Version}), ${misc:Depends}
+Description: SSSD D-Bus responder helper library -- development files
+ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-simpleifp0 library.
+
+Package: libwbclient-sssd
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: SSSD libwbclient implementation
+ The SSSD libwbclient implementation.
+
+Package: libwbclient-sssd-dev
+Section: libdevel
+Architecture: any
+Depends: libwbclient-sssd (= ${binary:Version}), ${misc:Depends},
+Description: SSSD libwbclient implementation -- development files
+ The SSSD libwbclient implementation.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libwbclient-sssd library.
+
+Package: python3-libipa-hbac
+Section: python
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the FreeIPA HBAC Evaluator library
+ The libipa_hbac-python contains the bindings so that libipa_hbac can be
+ used by Python applications.
+ .
+ This package installs the library for Python 3.
+
+Package: python3-libsss-nss-idmap
+Section: python
+Architecture: any
+Depends:
+ libsss-nss-idmap0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the SID lookups library
+ This package contains the bindings for libnss_sss_idmap to be used by
+ Python applications.
+ .
+ This package installs the library for Python 3.
+
+Package: python3-sss
+Section: python
+Architecture: any
+Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}
+Provides: ${python3:Provides}
+Recommends: sssd
+Description: Python3 module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide a module to access the configuration of the sssd daemon.
+ .
+ This package installs the library for Python 3.
--- sssd-2.2.2.orig/debian/copyright
+++ sssd-2.2.2/debian/copyright
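Review bot: In the `sssd-common` and `sssd-tools` stanzas, `python3-sss` is listed in Depends with no version, while the `sssd` metapackage and the other same-source Depends entries in this file use `(= ${binary:Version})`. `python3-sss` carries `${shlibs:Depends}`, so it appears to ship compiled bindings, and a partial upgrade or a held package could leave the daemon's Python tooling paired with bindings from a different build of this authentication stack. I would pin both entries as `python3-sss (= ${binary:Version}),`. The same looseness shows in `libnss-sss` and `libpam-sss`, which carry only `Recommends: sssd` and no version relation to `sssd-common`; whether skew between those client modules and the daemon matters depends on the client protocol, which this hunk does not show.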
@@ -0,0 +1,222 @@
+This package was debianized by Mathias Gug on
+Wed, 05 Aug 2009 08:58:56 +0100.
+
+It was downloaded from https://pagure.io/SSSD/sssd/
+
+Upstream Authors:
+ Dmitri Pal
+ Jakub Hrozek
+ Simo Sorce
+ Stephen Gallagher
+ Sumit Bose
+
+Copyright:
+
+ Copyright (C) Red Hat 2008, 2009
+
+ Copyright (C) Dmitri Pal 2009
+ Copyright (C) Jakub Hrozek 2009
+ Copyright (C) Simo Sorce 2007, 2008, 2009
+ Copyright (C) Stephen Gallagher 2008,2009
+ Copyright (C) Sumit Bose 2009
+
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Andrew Tridgell 1992-2006
+ Copyright (C) James J Myers 2003
+ Copyright (C) Jelmer Vernooij 2002, 2006, 2007
+ Copyright (C) Jeremy Allison 1998-2002, 2007
+ Copyright (C) Martin Pool 2002
+ Copyright (C) Michael Adam 2008
+ Copyright (C) Tim Potter 2000
+ Copyright (c) 1997 Kungliga Tekniska Högskolan
+
+ Copyright (c) 1996-2005, The PostgreSQL Global Development Group
+ Copyright (c) 1994, The Regents of the University of California
+ Copyright (c) 1996-2007, PostgreSQL Global Development Group
+ Copyright (C) 1996-2001 Internet Software Consortium.
+
+
+License:
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+The Debian packaging is Copyright (C) Canonical Ltd 2009 and is licensed under
+the GPL-3 or later, see `/usr/share/common-licenses/GPL-3'.
+
+========================
+replace/repdir_getdents.c
+replace/test/testsuite.c
+replace/test/main.c
+replace/getpass.c
+replace/replace.c
+replace/socketpair.c
+replace/inet_ntoa.c
+replace/strptime.c
+replace/inet_aton.c
+replace/dlfcn.c
+replace/repdir_getdirentries.c
+common/collection/*
+common/ini/*
+========================
+License: LGPL3 or later - see `/usr/share/common-licenses/LGPL-3'.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see .
+
+
+===================
+sss_client/group.c
+sss_client/common.c
+sss_client/passwd.c
+===================
+License: LGPL (v2.1 or later)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of the
+ License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+ USA.
+
+
+=====================
+replace/getaddrinfo.c
+replace/getaddrinfo.h
+=====================
+
+ Permission to use, copy, modify, and distribute this software and its
+ documentation for any purpose, without fee, and without a written agreement
+ is hereby granted, provided that the above copyright notice and this paragraph
+ and the following two paragraphs appear in all copies.
+
+ IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
+ DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
+ LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
+ EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+ THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
+ ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS
+ TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
+
+===================
+replace/inet_pton.c
+replace/inet_ntop.c
+===================
+License: ISC
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+================
+replace/timegm.c
+================
+License: BSD (3 clause)
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+==================
+replace/snprintf.c
+==================
+
+ This code is based on code written by Patrick Powell (papowell@astart.com)
+ It may be used for any purpose as long as this notice remains intact
+ on all source code distributions
+
+===========================
+sss_client/sss_cli.h
+sss_client/protos.h
+sss_client/sss_pam_macros.h
+sss_client/sss_errno.h
+===========================
+
+ You can used this header file in any way you see fit provided copyright
+ notices are preserved.
+
+=============================
+server/resolv/ares/ares_dns.h
+=============================
+
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+
+=============================
+server/util/nss_sha512crypt.c
+=============================
+
+ Released into the Public Domain by Ulrich Drepper .
--- sssd-2.2.2.orig/debian/generate-config
+++ sssd-2.2.2/debian/generate-config
@@ -0,0 +1,135 @@ +#!/bin/sh + +# Generate sssd.conf setup dynamically based on autodetectet LDAP +# and Kerberos server. + +set -e + +# See if we can find an LDAP server. Prefer ldap.domain, but also +# accept SRV records if no ldap.domain server is found. +lookup_ldap_uri() { + domain="$1" + if ping -c2 ldap.$domain > /dev/null 2>&1; then + echo ldap://ldap.$domain + else + host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1) + if [ "$host" ] ; then + echo ldap://$host | sed 's/\.$//' + fi + fi +} + +lookup_ldap_base() { + ldapuri="$1" + defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null | awk '/^defaultNamingContext: / { print $2}')" + if [ -z "$defaultcontext" ] ; then + # If there are several contexts, pick the first one with + # posixAccount or posixGroup objects in it. + for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \ + -s base namingContexts 2>/dev/null | \ + awk '/^namingContexts: / { print $2}') ; do + if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \ + '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \ + egrep -q '^dn:|^Administrative limit exceeded' ; then + echo $context + return + fi + done + fi + echo $defaultcontext +} + +lookup_kerberos_server() { + domain="$1" + if ping -c2 kerberos.$domain > /dev/null 2>&1; then + echo kerberos.$domain + else + host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1) + if [ "$host" ] ; then + echo $host | sed 's/\.$//' + fi + fi +} + +lookup_kerberos_realm() { + domain="$1" + realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"') + if [ -z "$realm" ] ; then + realm=$(echo $domain | tr a-z A-Z) + fi + echo $realm +} + + +generate_config() { + if [ "$1" ] ; then + domain=$1 + else + domain="$(hostname -d)" + fi + kerberosrealm=$(lookup_kerberos_realm $domain) + ldapuri=$(lookup_ldap_uri "$domain") + if [ -z "$ldapuri" ]; 
then + # autodetection failed + return + fi + + ldapbase="$(lookup_ldap_base "$ldapuri")" + if [ -z "$ldapbase" ]; then + # autodetection failed + return + fi + kerberosserver=$(lookup_kerberos_server "$domain") + +cat <&2 + exit 1 + ;; +esac --- sssd-2.2.2.orig/debian/libpam-sss.install +++ sssd-2.2.2/debian/libpam-sss.install @@ -0,0 +1,2 @@ +lib/*/security/pam_sss.so +usr/share/man/man8/pam_sss.8* --- sssd-2.2.2.orig/debian/libpam-sss.pam-auth-update +++ sssd-2.2.2/debian/libpam-sss.pam-auth-update @@ -0,0 +1,22 @@ +Name: SSS authentication +Default: yes +Priority: 128 + +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_sss.so use_first_pass +Auth-Initial: + [success=end default=ignore] pam_sss.so forward_pass +Account-Type: Additional +Account: + sufficient pam_localuser.so + [default=bad success=ok user_unknown=ignore] pam_sss.so +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_sss.so +Password-Type: Primary +Password: + sufficient pam_sss.so use_authtok +Password-Initial: + sufficient pam_sss.so --- sssd-2.2.2.orig/debian/libpam-sss.postinst +++ sssd-2.2.2/debian/libpam-sss.postinst @@ -0,0 +1,40 @@ +#!/bin/sh +# postinst script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + pam-auth-update --package + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- sssd-2.2.2.orig/debian/libpam-sss.prerm +++ sssd-2.2.2/debian/libpam-sss.prerm 
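Review bot: Values that come from DNS answers and from `$1` are expanded unquoted in debian/generate-config: `ping -c2 ldap.$domain`, `echo ldap://$host`, `echo $context`, and the `ldapsearch -LLL -H $ldapuri` call inside the `for context` loop, although the other two `ldapsearch` calls already quote `"$ldapuri"`. Quoting them consistently (`-H "$ldapuri"`, `echo "ldap://$host"`, `echo "$context"`) keeps a SRV or namingContexts reply that contains whitespace or glob characters from being word-split before it reaches the generated configuration. The server is also selected purely from unauthenticated DNS and handed out as an `ldap://` URI; the heredoc that writes sssd.conf is not readable in this hunk, so it is worth confirming there that the emitted domain section requires TLS with certificate validation.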
@@ -0,0 +1,8 @@
+#! /bin/sh -e
+
+
+if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ pam-auth-update --package --remove sss
+fi
+
+#DEBHELPER#
--- sssd-2.2.2.orig/debian/libsss-certmap-dev.install
+++ sssd-2.2.2/debian/libsss-certmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_certmap.h
+usr/lib/*/libsss_certmap.so
+usr/lib/*/pkgconfig/sss_certmap.pc
--- sssd-2.2.2.orig/debian/libsss-certmap0.install
+++ sssd-2.2.2/debian/libsss-certmap0.install
@@ -0,0 +1,2 @@
+usr/lib/*/libsss_certmap.so.*
+usr/share/man/man5/sss-certmap.5
--- sssd-2.2.2.orig/debian/libsss-idmap-dev.install
+++ sssd-2.2.2/debian/libsss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_idmap.h
+usr/lib/*/libsss_idmap.so
+usr/lib/*/pkgconfig/sss_idmap.pc
--- sssd-2.2.2.orig/debian/libsss-idmap0.install
+++ sssd-2.2.2/debian/libsss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_idmap.so.*
--- sssd-2.2.2.orig/debian/libsss-nss-idmap-dev.install
+++ sssd-2.2.2/debian/libsss-nss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_nss_idmap.h
+usr/lib/*/libsss_nss_idmap.so
+usr/lib/*/pkgconfig/sss_nss_idmap.pc
--- sssd-2.2.2.orig/debian/libsss-nss-idmap0.install
+++ sssd-2.2.2/debian/libsss-nss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_nss_idmap.so.*
--- sssd-2.2.2.orig/debian/libsss-simpleifp-dev.install
+++ sssd-2.2.2/debian/libsss-simpleifp-dev.install
@@ -0,0 +1,4 @@
+usr/include/sss_sifp*
+usr/lib/*/libsss_simpleifp.so
+usr/lib/*/pkgconfig/sss_simpleifp.pc
+
--- sssd-2.2.2.orig/debian/libsss-simpleifp0.install
+++ sssd-2.2.2/debian/libsss-simpleifp0.install
@@ -0,0 +1,2 @@
+usr/lib/*/libsss_simpleifp.so.*
+
--- sssd-2.2.2.orig/debian/libsss-sudo.install
+++ sssd-2.2.2/debian/libsss-sudo.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_sudo.so
--- sssd-2.2.2.orig/debian/libsss-sudo.lintian-overrides
+++ sssd-2.2.2/debian/libsss-sudo.lintian-overrides
@@ -0,0 +1 @@ +shlib-without-versioned-soname usr/lib/*/libsss_sudo.so libsss_sudo.so --- sssd-2.2.2.orig/debian/libsss-sudo.postinst +++ sssd-2.2.2/debian/libsss-sudo.postinst @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +# This code was taken from libnss-myhostname, which got it from nss-mdns: + +log() { + echo "$*" +} + +# try to insert sss entries to the sudoers line in /etc/nsswitch.conf to +# automatically enable libsss-sudo support; do not change the configuration +# if the lines already references some sss lookups +insert_nss_entry() { + log "Checking NSS setup..." + # abort if /etc/nsswitch.conf does not exist + if ! [ -e /etc/nsswitch.conf ]; then + log "Could not find /etc/nsswitch.conf." + return + fi + + if grep -q ^sudoers /etc/nsswitch.conf; then + # append 'sss' to the end of the line if it's not found already + sed -i --regexp-extended ' + /^(sudoers):/ { + /\bsss\b/! s/$/ sss/ + } + ' /etc/nsswitch.conf + else + echo "sudoers: files sss" >> /etc/nsswitch.conf + fi +} + +if [ "$1" = configure ] && [ -z "$2" ]; then + insert_nss_entry +fi + +exit 0 --- sssd-2.2.2.orig/debian/libsss-sudo.postrm +++ sssd-2.2.2/debian/libsss-sudo.postrm 
@@ -0,0 +1,43 @@ +#!/bin/sh +set -e + +#DEBHELPER# + +# This code was taken from libnss-myhostname, which got it from nss-mdns: + +log() { + echo "$*" +} + +remove_nss_entry() { + log "Checking NSS setup..." + # abort if /etc/nsswitch.conf does not exist + if ! [ -e /etc/nsswitch.conf ]; then + log "Could not find /etc/nsswitch.conf." + return + fi + sed -i --regexp-extended ' + /^(sudoers):/ { + s/\bsss\b//g + s/[[:space:]]+$// + } + ' /etc/nsswitch.conf + + # delete sudoers line if only default entry left" + if ! [ -z "grep \"^sudoers: files$\" /etc/nsswitch.conf" ]; then + sed -i /^sudoers:/d /etc/nsswitch.conf + fi +} + +case "$1" in + remove|purge) + remove_nss_entry + ;; + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac --- sssd-2.2.2.orig/debian/libsss-sudo.triggers +++ sssd-2.2.2/debian/libsss-sudo.triggers @@ -0,0 +1 @@ +activate-noawait ldconfig --- sssd-2.2.2.orig/debian/libwbclient-sssd-dev.install +++ sssd-2.2.2/debian/libwbclient-sssd-dev.install @@ -0,0 +1,3 @@ +usr/include/wbclient_sssd.h +usr/lib/*/pkgconfig/wbclient_sssd.pc +usr/lib/*/sssd/modules/libwbclient.so --- sssd-2.2.2.orig/debian/libwbclient-sssd.install +++ sssd-2.2.2/debian/libwbclient-sssd.install @@ -0,0 +1,2 @@ +usr/lib/*/sssd/modules/libwbclient.so.* + --- sssd-2.2.2.orig/debian/patches/default-to-socket-activated-services.diff +++ sssd-2.2.2/debian/patches/default-to-socket-activated-services.diff 
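Review bot: The cleanup test in `remove_nss_entry` of libsss-sudo.postrm, `if ! [ -z "grep \"^sudoers: files$\" /etc/nsswitch.conf" ]`, checks a literal string that is never empty, so no grep is run and the `sed -i /^sudoers:/d` below it always executes. On remove or purge this deletes the whole `sudoers:` line even when the administrator has other sources configured on it (for example `sudoers: files ldap`), silently changing where sudo rules are looked up. Running grep as the condition fixes it: `if grep -q '^sudoers:[[:space:]]*files[[:space:]]*$' /etc/nsswitch.conf; then`.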
@@ -0,0 +1,20 @@ +--- a/src/examples/sssd.conf ++++ b/src/examples/sssd.conf +@@ -1,5 +1,4 @@ + [sssd] +-services = nss, pam + domains = shadowutils + + [nss] +--- a/src/confdb/confdb_setup.c ++++ b/src/confdb/confdb_setup.c +@@ -137,8 +137,7 @@ static int confdb_ldif_from_ini_file(TAL + char timestr[21]; + int version; + char fallback_cfg[] = +- "[sssd]\n" +- "services = nss\n"; ++ "[sssd]\n"; + + /* Open config file */ + ret = sss_ini_config_file_open(init_data, config_file); --- sssd-2.2.2.orig/debian/patches/fix-whitespace-test.diff +++ sssd-2.2.2/debian/patches/fix-whitespace-test.diff @@ -0,0 +1,22 @@ +diff --git a/src/tests/whitespace_test b/src/tests/whitespace_test +index f055ed4c2..fa95494be 100755 +--- a/src/tests/whitespace_test ++++ b/src/tests/whitespace_test +@@ -4,7 +4,7 @@ set -e -u -o pipefail + + # An AWK regex matching tracked file paths to be excluded from the search. + # Example: '.*\.po|README' +-PATH_EXCLUDE_REGEX='.*\.po|.*\.patch|.*\.diff|\/debian\/.*' ++PATH_EXCLUDE_REGEX='.*\.po|.*\.patch|.*\.diff|debian\/.*' + + export GIT_DIR="$ABS_TOP_SRCDIR/.git" + export GIT_WORK_TREE="$ABS_TOP_SRCDIR" +@@ -16,7 +16,7 @@ fi + + { + # Look for lines with trailing whitespace in all files tracked by Git +- git grep -n -I '\s\+$' -- "$(git rev-parse --show-toplevel)" || ++ git grep --full-name -n -I '\s\+$' -- "$(git rev-parse --show-toplevel)" || + # Don't fail if no such lines were found anywhere + [[ $? == 1 ]] + } | --- sssd-2.2.2.orig/debian/patches/series +++ sssd-2.2.2/debian/patches/series @@ -0,0 +1,2 @@ +fix-whitespace-test.diff +default-to-socket-activated-services.diff --- sssd-2.2.2.orig/debian/python3-libipa-hbac.install +++ sssd-2.2.2/debian/python3-libipa-hbac.install @@ -0,0 +1 @@ +usr/lib/python3*/site-packages/pyhbac.so --- sssd-2.2.2.orig/debian/python3-libsss-nss-idmap.install +++ sssd-2.2.2/debian/python3-libsss-nss-idmap.install 
@@ -0,0 +1 @@
+usr/lib/python3*/site-packages/pysss_nss_idmap.so
--- sssd-2.2.2.orig/debian/python3-sss.install
+++ sssd-2.2.2/debian/python3-sss.install
@@ -0,0 +1,3 @@
+usr/lib/python3*/dist-packages/SSSDConfig/*.py
+usr/lib/python3*/site-packages/pysss.so
+usr/lib/python3*/site-packages/pysss_murmur.so
--- sssd-2.2.2.orig/debian/rules
+++ sssd-2.2.2/debian/rules
@@ -0,0 +1,104 @@ +#!/usr/bin/make -f +%: + dh $@ --with quilt,autoreconf,python3 \ + --builddirectory=build + +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +CFLAGS = $(shell dpkg-buildflags --get CFLAGS) +CFLAGS += -I/usr/include/samba-4.0 + +export CK_DEFAULT_TIMEOUT=30 + +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +APIDOCDIR = /usr/share/sssd +DISTRIBUTION = $(shell lsb_release -i | sed 's/.*:\t//') +INIT = init +PKGDATE = $(shell dpkg-parsechangelog | \ + awk -F" " '/^Date/ { print $$4 "/" $$3 "/" $$5 }' | \ + sed 's/Jan/01/;s/Feb/02/;s/Mar/03/;s/Apr/04/;s/May/05/;s/Jun/06/;s/Jul/07/;s/Aug/08/;s/Sep/09/;s/Oct/10/;s/Nov/11/;s/Dec/12/;s/\//\\\//g') +CURDATE = $(shell date +%m/%d/%Y | sed 's/\//\\\//g') +export CK_VERBOSITY=verbose + +override_dh_auto_configure: + dh_auto_configure -- --enable-krb5-locator-plugin \ + --datadir=/usr/share/ \ + --with-environment-file=/etc/default/sssd \ + --with-ldb-lib-dir=/usr/lib/$(DEB_HOST_MULTIARCH)/ldb/modules/ldb \ + --with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/libkrb5 \ + --enable-nsslibdir=/lib/$(DEB_HOST_MULTIARCH) \ + --enable-pammoddir=/lib/$(DEB_HOST_MULTIARCH)/security \ + --enable-systemtap \ + --disable-static \ + --disable-rpath \ + --with-autofs \ + --with-ssh \ + --with-initscript=systemd \ + --with-systemdunitdir=/lib/systemd/system \ + --disable-files-domain \ + --with-smb-idmap-interface-version=6 \ + --without-python2-bindings \ + --with-sudo + +override_dh_auto_test: + export CK_TIMEOUT_MULTIPLIER=10 + dh_auto_test -- VERBOSE=yes + unset CK_TIMEOUT_MULTIPLIER + +override_dh_auto_install: + dh_auto_install --max-parallel=1 + +override_dh_fixperms: + dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child + +override_dh_install: + install -D -m755 $(CURDIR)/debian/generate-config \ + $(CURDIR)/debian/tmp/usr/share/sssd/generate-config + + mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs + install -m644 
debian/libpam-sss.pam-auth-update \ + $(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss + install -m644 -D $(CURDIR)/debian/apparmor-profile \ + $(CURDIR)/debian/sssd-common/etc/apparmor.d/usr.sbin.sssd + + cat $(CURDIR)/debian/sssd-common.sssd.$(INIT).in > $(CURDIR)/debian/sssd-common.sssd.$(INIT) + + # remove files we don't want to install + find $(CURDIR)/debian/tmp/ -name '*.la' -exec rm '{}' ';' + find $(CURDIR)/debian/tmp/ -name '*.pyc' -exec rm '{}' ';' + find $(CURDIR)/debian/tmp/ -name '*.egg-info' -exec rm '{}' ';' + rm -f $(CURDIR)/debian/tmp/etc/rc.d/init.d/sssd + + # match nn/nn/nnnn, replace with the date from changelog + sed -i 's/[0-1][0-9]\/[0-3][0-9]\/[0-9][0-9][0-9][0-9]/${PKGDATE}/g' $(CURDIR)/debian/tmp/usr/share/man/man*/* + + # change the shebang + sed -i -e 's:/usr/bin/python:/usr/bin/python3:' $(CURDIR)/debian/tmp/usr/sbin/sss_obfuscate + + dh_install + +override_dh_installman: + +override_dh_missing: + dh_missing --fail-missing + +override_dh_installinit: + dh_apparmor -psssd-common --profile-name=usr.sbin.sssd + dh_installinit --name sssd --error-handler=invoke_failure + +override_dh_installdeb: + dh_installdeb + for pkg in sssd-common sssd-ipa sssd-krb5-common sssd-proxy; do \ + sed -i 's/@TRIPLET@/${DEB_HOST_MULTIARCH}/' \ + $(CURDIR)/debian/$$pkg/DEBIAN/postinst; \ + done + +override_dh_auto_clean: + dh_auto_clean + rm -f $(CURDIR)/debian/sssd-common.$(INIT) + rm -f $(CURDIR)/po/*.gmo + rm -f $(CURDIR)/src/config/*.pyc + rm -f $(CURDIR)/po/stamp-po + rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc --- sssd-2.2.2.orig/debian/source/format +++ sssd-2.2.2/debian/source/format @@ -0,0 +1 @@ +1.0 --- sssd-2.2.2.orig/debian/sssd-ad-common.install +++ sssd-2.2.2/debian/sssd-ad-common.install @@ -0,0 +1,3 @@ +lib/systemd/system/sssd-pac.service +lib/systemd/system/sssd-pac.socket +usr/libexec/sssd/sssd_pac --- sssd-2.2.2.orig/debian/sssd-ad.install +++ sssd-2.2.2/debian/sssd-ad.install 
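Review bot: In `override_dh_auto_test` of debian/rules the lines `export CK_TIMEOUT_MULTIPLIER=10` and `unset CK_TIMEOUT_MULTIPLIER` have no effect, because make runs each recipe line in its own shell and the variable is gone before `dh_auto_test` starts (no `.ONESHELL:` is set in this file). The test suite therefore runs without the intended multiplier. Set it on the command itself, `CK_TIMEOUT_MULTIPLIER=10 dh_auto_test -- VERBOSE=yes`, or export it at makefile level next to `export CK_DEFAULT_TIMEOUT=30`. Separately, `override_dh_auto_clean` removes `debian/sssd-common.$(INIT)` while `override_dh_install` generates `debian/sssd-common.sssd.$(INIT)`, so the generated init script appears never to be cleaned.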
@@ -0,0 +1,3 @@
+usr/libexec/sssd/gpo_child
+usr/lib/*/sssd/libsss_ad.so
+usr/share/man/man5/sssd-ad.5*
--- sssd-2.2.2.orig/debian/sssd-common.dirs
+++ sssd-2.2.2/debian/sssd-common.dirs
@@ -0,0 +1,12 @@
+etc/sssd
+etc/sssd/conf.d
+var/lib/sss
+var/lib/sss/db
+var/lib/sss/deskprofile
+var/lib/sss/gpo_cache
+var/lib/sss/mc
+var/lib/sss/pipes
+var/lib/sss/pipes/private
+var/lib/sss/pubconf
+var/lib/sss/secrets
+var/log/sssd
--- sssd-2.2.2.orig/debian/sssd-common.docs
+++ sssd-2.2.2/debian/sssd-common.docs
@@ -0,0 +1 @@
+BUILD.txt
--- sssd-2.2.2.orig/debian/sssd-common.examples
+++ sssd-2.2.2/debian/sssd-common.examples
@@ -0,0 +1 @@
+src/examples/sssd-example.conf
--- sssd-2.2.2.orig/debian/sssd-common.install
+++ sssd-2.2.2/debian/sssd-common.install
@@ -0,0 +1,66 @@ +etc/pam.d/sssd-shadowutils +lib/systemd/system/sssd.service +lib/systemd/system/sssd-sudo.service +lib/systemd/system/sssd-sudo.socket +lib/systemd/system/sssd-ssh.service +lib/systemd/system/sssd-ssh.socket +lib/systemd/system/sssd-autofs.service +lib/systemd/system/sssd-autofs.socket +lib/systemd/system/sssd-pam.service +lib/systemd/system/sssd-pam.socket +lib/systemd/system/sssd-pam-priv.socket +lib/systemd/system/sssd-nss.service +lib/systemd/system/sssd-nss.socket +usr/bin/sss_ssh_authorizedkeys +usr/bin/sss_ssh_knownhostsproxy +usr/lib/*/cifs-utils/cifs_idmap_sss.so +usr/lib/*/krb5/plugins/authdata/sssd_pac_plugin.so +usr/lib/*/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +usr/lib/*/ldb/modules/ldb/memberof.so +usr/lib/*/libnfsidmap/sss.so +usr/lib/*/samba/idmap/sss.so +usr/lib/*/sssd/conf/sssd.conf +usr/lib/*/sssd/libifp_iface.so +usr/lib/*/sssd/libifp_iface_sync.so +usr/lib/*/sssd/libsss_cert.so +usr/lib/*/sssd/libsss_child.so +usr/lib/*/sssd/libsss_crypt.so +usr/lib/*/sssd/libsss_debug.so +usr/lib/*/sssd/libsss_files.so +usr/lib/*/sssd/libsss_iface.so +usr/lib/*/sssd/libsss_iface_sync.so +usr/lib/*/sssd/libsss_krb5_common.so +usr/lib/*/sssd/libsss_ldap_common.so +usr/lib/*/sssd/libsss_sbus.so +usr/lib/*/sssd/libsss_sbus_sync.so +usr/lib/*/sssd/libsss_secrets.so +usr/lib/*/sssd/libsss_semanage.so +usr/lib/*/sssd/libsss_simple.so +usr/lib/*/sssd/libsss_util.so +usr/lib/*/sssd/modules/libsss_autofs.so +usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so +usr/libexec/sssd/p11_child +usr/libexec/sssd/sss_signal +usr/libexec/sssd/sssd_autofs +usr/libexec/sssd/sssd_be +usr/libexec/sssd/sssd_check_socket_activated_responders +usr/libexec/sssd/sssd_nss +usr/libexec/sssd/sssd_pam +usr/libexec/sssd/sssd_ssh +usr/libexec/sssd/sssd_sudo +usr/sbin/sssd +usr/share/locale/*/LC_MESSAGES/* +usr/share/man/man1/sss_ssh_authorizedkeys.1* +usr/share/man/man1/sss_ssh_knownhostsproxy.1* +usr/share/man/man5/sss_rpcidmapd.5* +usr/share/man/man5/sssd-files.5* 
+usr/share/man/man5/sssd-session-recording.5* +usr/share/man/man5/sssd-simple.5* +usr/share/man/man5/sssd-sudo.5* +usr/share/man/man5/sssd-systemtap.5* +usr/share/man/man5/sssd.conf.5* +usr/share/man/man8/idmap_sss.8* +usr/share/man/man8/sssd.8* +usr/share/man/man8/sssd_krb5_locator_plugin.8* +usr/share/sssd/* +usr/share/systemtap --- sssd-2.2.2.orig/debian/sssd-common.lintian-overrides +++ sssd-2.2.2/debian/sssd-common.lintian-overrides @@ -0,0 +1 @@ +manpage-has-errors-from-man usr/share/man/man5/sssd-ldap.5.* --- sssd-2.2.2.orig/debian/sssd-common.logrotate +++ sssd-2.2.2/debian/sssd-common.logrotate @@ -0,0 +1,11 @@ +/var/log/sssd/*.log { + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + postrotate + kill -HUP `cat /var/run/sssd.pid` > /dev/null 2>&1 || true + endscript +} --- sssd-2.2.2.orig/debian/sssd-common.manpages +++ sssd-2.2.2/debian/sssd-common.manpages @@ -0,0 +1 @@ +usr/share/man/man*/* --- sssd-2.2.2.orig/debian/sssd-common.postinst +++ sssd-2.2.2/debian/sssd-common.postinst 
@@ -0,0 +1,78 @@ +#!/bin/sh +# postinst script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +OUT=/dev/null +HOME=/var/lib/sss +LIBDIR=/usr/libexec/sssd + +case "$1" in + configure) + if ! getent passwd sssd > $OUT; then + echo "Creating SSSD system user & group..." + adduser --quiet --system --home $HOME \ + --disabled-password --group \ + --gecos "SSSD system user" \ + sssd > $OUT + fi + chown sssd:sssd \ + $HOME/db \ + $HOME/gpo_cache \ + $HOME/mc \ + $HOME/pipes \ + $HOME/pipes/private \ + $HOME/pubconf \ + $HOME/secrets \ + /etc/sssd \ + /var/log/sssd + chown root:sssd $LIBDIR/p11_child + + chmod 4754 $LIBDIR/p11_child + chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf + chmod 751 $HOME/deskprofile + chmod 750 /var/log/sssd + chmod 711 /etc/sssd + chmod 700 $HOME/db $HOME/pipes/private $HOME/secrets + if [ -f /etc/sssd/sssd.conf ]; then + chown root:root /etc/sssd/sssd.conf + chmod 0600 /etc/sssd/sssd.conf + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +invoke_failure() { + # invoke-rc.d failed, likely because of a missing sssd.conf + if [ ! -s /etc/sssd/sssd.conf ]; then + echo "... because /etc/sssd/sssd.conf is not available yet" + fi +} + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- sssd-2.2.2.orig/debian/sssd-common.postrm +++ sssd-2.2.2/debian/sssd-common.postrm 
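Review bot: The `configure` branch of sssd-common.postinst re-applies `chown root:sssd` and `chmod 4754` to `$LIBDIR/p11_child` on every configure without consulting `dpkg-statoverride`, so an administrator who has registered an override to drop the setuid bit from this helper gets it restored on each upgrade. Debian Policy asks maintainer scripts to guard such calls, e.g. `if ! dpkg-statoverride --list "$LIBDIR/p11_child" >/dev/null 2>&1; then` around the two lines. The same applies to `selinux_child` in sssd-ipa.postinst, to `krb5_child` and `ldap_child` in sssd-krb5-common.postinst, and to `proxy_child` in sssd-proxy.postinst. The script variable `HOME=/var/lib/sss` also reuses the name of the standard environment variable, which the code expanded at `#DEBHELPER#` would then see if HOME is exported; a name such as `SSSD_HOME` avoids that.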
@@ -0,0 +1,53 @@ +#!/bin/sh +# postrm script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + purge) + rm -f /etc/sssd/sssd.conf + if [ -d /etc/sssd ]; then + rmdir --ignore-fail-on-non-empty /etc/sssd/ + fi + rm -rf /var/log/sssd/ + if getent group dirsrv > /dev/null; then + deluser --system sssd + fi + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +# work around buggy dh_apparmor which doesn't do this for us +if [ "$1" = "purge" ]; then + rmdir /etc/apparmor.d/force-complain 2>/dev/null || true + rmdir /etc/apparmor.d 2>/dev/null || true +fi + +exit 0 --- sssd-2.2.2.orig/debian/sssd-common.preinst +++ sssd-2.2.2/debian/sssd-common.preinst @@ -0,0 +1,22 @@ +#!/bin/sh + +set -e + +APP_PROFILE="usr.sbin.sssd" +APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE" +APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE" + +inst_complain_profile() { + # Create a symlink to the yet-to-be-unpacked profile + mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true + ln -sf $APP_CONFFILE $APP_COMPLAIN +} + +case "$1" in +install) + # Force the AppArmor profile to complain mode on install + inst_complain_profile + ;; +esac + +#DEBHELPER# --- sssd-2.2.2.orig/debian/sssd-common.prerm +++ sssd-2.2.2/debian/sssd-common.prerm @@ -0,0 +1,9 @@ +#! /bin/sh -e + +invoke_failure() { + # invoke-rc.d failed + return +} + +#DEBHELPER# + --- sssd-2.2.2.orig/debian/sssd-common.sssd.default +++ sssd-2.2.2/debian/sssd-common.sssd.default 
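Review bot: The purge branch of sssd-common.postrm guards `deluser --system sssd` with `getent group dirsrv`, which tests for an unrelated group, so on a host without a `dirsrv` group the `sssd` system account is never removed on purge. The condition was presumably meant to test the account this package creates in its postinst: `if getent passwd sssd > /dev/null; then`. A leftover system account keeps ownership of any files that survive the purge, which is worth avoiding for a service identity.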
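Review bot: `inst_complain_profile` in sssd-common.preinst links the profile into `/etc/apparmor.d/force-complain/`, so after a fresh install the `usr.sbin.sssd` profile only logs violations and does not confine the daemon; the existing comment says what is done but not that enforcement is off or how to turn it on. A comment above the `ln -sf` such as `# complain mode: denials are logged, not enforced; remove this symlink and reload the profile to enforce` would make that visible to administrators reading the script. The expansions would also be more robust quoted, `mkdir -p "$(dirname "$APP_COMPLAIN")"` and `ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"`, although the values are constants here.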
@@ -0,0 +1,5 @@
+# Defaults for sssd, installed at /etc/default/sssd by the maintainer scripts
+# This is only used for /etc/init.d/sssd
+
+# Additional options that are passed to the Daemon.
+DAEMON_OPTS="-D -f"
--- sssd-2.2.2.orig/debian/sssd-common.sssd.init.in
+++ sssd-2.2.2/debian/sssd-common.sssd.init.in
@@ -0,0 +1,86 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: sssd +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Should-Start: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: System Security Services Daemon +# Description: Provides a set of daemons to manage access to +# remote directories and authentication +# mechanisms. It provides an NSS and PAM interface +# toward the system and a pluggable backend system +# to connect to multiple different account sources. +### END INIT INFO +# start on filesystem +# stop on runlevel [06] + +DESCRIPTION="System Security Services Daemon" +PATH=/bin:/usr/bin:/sbin:/usr/sbin +NAME=sssd +DAEMON_OPTS="" +DAEMON=/usr/sbin/$NAME +PIDFILE=/var/run/$NAME.pid + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +if [ -f /etc/default/sssd ] ; then + . /etc/default/sssd +fi + +initdmain() { + case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME" + start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS + RC=$? + case "$RC" in + 0) + [ "$VERBOSE" != no ] && log_end_msg $RC + ;; + *) + # Report error also when VERBOSE=no + log_daemon_msg "Starting $DESCRIPTION" "$NAME" + log_end_msg $RC + ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESCRIPTION" "$NAME" + killproc -p $PIDFILE $DAEMON + RC=$? + case "$RC" in + 0) + [ "$VERBOSE" != no ] && log_end_msg $RC + ;; + *) + # Report error also when VERBOSE=no + log_daemon_msg "Stopping $DESCRIPTION" "$NAME" + log_end_msg $RC + ;; + esac + ;; + force-reload|restart) + $0 stop + $0 start + ;; + status) + status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? 
+ ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}" + exit 1 + ;; + esac +} + +initdmain $@ + +exit 0 --- sssd-2.2.2.orig/debian/sssd-dbus.install +++ sssd-2.2.2/debian/sssd-dbus.install @@ -0,0 +1,5 @@ +etc/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +lib/systemd/system/sssd-ifp.service +usr/libexec/sssd/sssd_ifp +usr/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service +usr/share/man/man5/sssd-ifp.5 --- sssd-2.2.2.orig/debian/sssd-ipa.dirs +++ sssd-2.2.2/debian/sssd-ipa.dirs @@ -0,0 +1 @@ +var/lib/sss/keytabs --- sssd-2.2.2.orig/debian/sssd-ipa.install +++ sssd-2.2.2/debian/sssd-ipa.install @@ -0,0 +1,3 @@ +usr/lib/*/sssd/libsss_ipa.so +usr/libexec/sssd/selinux_child +usr/share/man/man5/sssd-ipa.5* --- sssd-2.2.2.orig/debian/sssd-ipa.postinst +++ sssd-2.2.2/debian/sssd-ipa.postinst @@ -0,0 +1,16 @@ +#!/bin/sh +set -e + +LIBDIR=/usr/libexec/sssd + +case "$1" in + configure) + chown root:sssd $LIBDIR/selinux_child + chmod 4754 $LIBDIR/selinux_child + chown sssd:sssd /var/lib/sss/keytabs + chmod 700 /var/lib/sss/keytabs + ;; +esac + +#DEBHELPER# + --- sssd-2.2.2.orig/debian/sssd-kcm.install +++ sssd-2.2.2/debian/sssd-kcm.install @@ -0,0 +1,5 @@ +lib/systemd/system/sssd-kcm.service +lib/systemd/system/sssd-kcm.socket +usr/libexec/sssd/sssd_kcm +usr/share/sssd-kcm/kcm_default_ccache +usr/share/man/man8/sssd-kcm.8 --- sssd-2.2.2.orig/debian/sssd-krb5-common.dirs +++ sssd-2.2.2/debian/sssd-krb5-common.dirs @@ -0,0 +1,2 @@ +var/lib/sss/pubconf/krb5.include.d + --- sssd-2.2.2.orig/debian/sssd-krb5-common.install +++ sssd-2.2.2/debian/sssd-krb5-common.install @@ -0,0 +1,2 @@ +usr/libexec/sssd/krb5_child +usr/libexec/sssd/ldap_child --- sssd-2.2.2.orig/debian/sssd-krb5-common.postinst +++ sssd-2.2.2/debian/sssd-krb5-common.postinst 
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/libexec/sssd
+
+case "$1" in
+ configure)
+ chown root:sssd $LIBDIR/krb5_child $LIBDIR/ldap_child
+ chmod 4754 $LIBDIR/krb5_child $LIBDIR/ldap_child
+ ;;
+esac
+
+#DEBHELPER#
+
--- sssd-2.2.2.orig/debian/sssd-krb5.install
+++ sssd-2.2.2/debian/sssd-krb5.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_krb5.so
+usr/share/man/man5/sssd-krb5.5*
--- sssd-2.2.2.orig/debian/sssd-ldap.install
+++ sssd-2.2.2/debian/sssd-ldap.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_ldap.so
+usr/share/man/man5/sssd-ldap.5*
--- sssd-2.2.2.orig/debian/sssd-proxy.install
+++ sssd-2.2.2/debian/sssd-proxy.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_proxy.so
+usr/libexec/sssd/proxy_child
--- sssd-2.2.2.orig/debian/sssd-proxy.postinst
+++ sssd-2.2.2/debian/sssd-proxy.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/libexec/sssd
+
+case "$1" in
+ configure)
+ chown root:sssd $LIBDIR/proxy_child
+ chmod 4754 $LIBDIR/proxy_child
+ ;;
+esac
+
+#DEBHELPER#
--- sssd-2.2.2.orig/debian/sssd-tools.install
+++ sssd-2.2.2/debian/sssd-tools.install
@@ -0,0 +1,12 @@
+usr/sbin/sss_cache
+usr/sbin/sss_debuglevel
+usr/sbin/sss_obfuscate
+usr/sbin/sss_override
+usr/sbin/sss_seed
+usr/sbin/sssctl
+usr/share/man/man8/sss_cache.8*
+usr/share/man/man8/sss_debuglevel.8*
+usr/share/man/man8/sss_obfuscate.8*
+usr/share/man/man8/sss_override.8*
+usr/share/man/man8/sss_seed.8*
+usr/share/man/man8/sssctl.8*
--- sssd-2.2.2.orig/debian/tests/common-tests
+++ sssd-2.2.2/debian/tests/common-tests
@@ -0,0 +1,28 @@ +#!/bin/sh + +run_common_tests() { + echo "Assert local user databases do not have our LDAP test data" + check_local_user "${ldap_user}" + check_local_group "${ldap_user}" + check_local_group "${ldap_group}" + + echo "The LDAP user is known to the system via getent" + check_getent_user "${ldap_user}" + + echo "The LDAP user's private group is known to the system via getent" + check_getent_group "${ldap_user}" + + echo "The LDAP group ${ldap_group} is known to the system via getent" + check_getent_group "${ldap_group}" + + echo "The id(1) command can resolve the group membership of the LDAP user" + #$ id -Gn testuser1 + #testuser1 ldapusers + output=$(id -Gn ${ldap_user}) + # XXX couldn't find a better way to make this comparison using just /bin/sh + if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then + if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then + die "Output doesn't match expected group membership: ${output}" + fi + fi +} --- sssd-2.2.2.orig/debian/tests/control +++ sssd-2.2.2/debian/tests/control @@ -0,0 +1,7 @@ +Tests: ldap-user-group-ldap-auth +Depends: @, slapd, ldap-utils, openssl, expect, lsb-release +Restrictions: isolation-container, needs-root, allow-stderr + +Tests: ldap-user-group-krb5-auth +Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc +Restrictions: isolation-container, needs-root, allow-stderr --- sssd-2.2.2.orig/debian/tests/ldap-user-group-krb5-auth +++ sssd-2.2.2/debian/tests/ldap-user-group-krb5-auth 
@@ -0,0 +1,35 @@ +#!/bin/sh + +set -ex + +. debian/tests/util +. debian/tests/common-tests + +mydomain="example.com" +myhostname="ldap.${mydomain}" +mysuffix="dc=example,dc=com" +myrealm="EXAMPLE.COM" +admin_dn="cn=admin,${mysuffix}" +admin_pw="secret" +ldap_user="testuser1" +ldap_user_pw="testuser1secret" +kerberos_principal_pw="testuser1kerberos" +ldap_group="ldapusers" + +adjust_hostname "${myhostname}" +reconfigure_slapd +generate_certs "${myhostname}" +enable_ldap_ssl +populate_ldap_rfc2307 +create_realm "${myrealm}" "${myhostname}" +create_krb_principal "${ldap_user}" "${kerberos_principal_pw}" +configure_sssd_ldap_rfc2307_krb5_auth +enable_pam_mkhomedir + +# tests begin here +run_common_tests + +# login works with the kerneros password +echo "The Kerberos principal can login on a terminal" +kdestroy > /dev/null 2>&1 || /bin/true +/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}" --- sssd-2.2.2.orig/debian/tests/ldap-user-group-ldap-auth +++ sssd-2.2.2/debian/tests/ldap-user-group-ldap-auth @@ -0,0 +1,29 @@ +#!/bin/sh + +set -ex + +. debian/tests/util +. debian/tests/common-tests + +mydomain="example.com" +myhostname="ldap.${mydomain}" +mysuffix="dc=example,dc=com" +admin_dn="cn=admin,${mysuffix}" +admin_pw="secret" +ldap_user="testuser1" +ldap_user_pw="testuser1secret" +ldap_group="ldapusers" + +adjust_hostname "${myhostname}" +reconfigure_slapd +generate_certs "${myhostname}" +enable_ldap_ssl +populate_ldap_rfc2307 +configure_sssd_ldap_rfc2307 +enable_pam_mkhomedir + +# tests begin here +run_common_tests + +echo "The LDAP user can login on a terminal" +/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}" --- sssd-2.2.2.orig/debian/tests/login.exp +++ sssd-2.2.2/debian/tests/login.exp 
@@ -0,0 +1,74 @@ +#!/usr/bin/expect + +set timeout 10 +set user [lindex $argv 0] +set password [lindex $argv 1] +set principal [lindex $argv 2] + +set distribution [exec "lsb_release" "-is"] + +if { $distribution == "Ubuntu" } { + set welcome "Welcome to" +} elseif { $distribution == "Debian" } { + set welcome "Debian GNU/Linux comes" +} else { + puts "Unsupported linux distribution $distribution" + exit 1 +} + +spawn login +expect "login:" +send "$user\r" +expect "Password:" +send "$password\r" +expect { + timeout + { + puts "Expect error: timeout after password\r\r" + exit 1 + } + "Login incorrect" + { + puts "Expect error: incorrect credentials\r\r" + exit 1 + } + "$welcome" +} +expect { + timeout + { + puts "Expect error: timeout waiting for prompt\r\r" + exit 1 + } + "$ " +} +send "id -un\r" +expect { + timeout + { + puts "Expect error: timeout waiting for 'id' result\r\r" + exit 1 + } + "$user" +} +expect { + timeout + { + puts "Expect error: timeout waiting for prompt\r\r" + exit 1 + } + "$ " +} +if { $principal != "" } { + send "klist\r" + expect { + timeout + { + puts "Expect error: timeout waiting for klist output\r\r" + exit 1 + } + "Default principal: $principal" + } +} +send "logout\r" +exit 0 --- sssd-2.2.2.orig/debian/tests/util +++ sssd-2.2.2/debian/tests/util 
@@ -0,0 +1,259 @@ +#!/bin/sh + +reconfigure_slapd() { + debconf-set-selections << EOF +slapd slapd/domain string ${mydomain} +slapd shared/organization string ${mydomain} +slapd slapd/password1 password ${admin_pw} +slapd slapd/password2 password ${admin_pw} +EOF + rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb + dpkg-reconfigure -fnoninteractive -pcritical slapd +} + +die() { + echo "ERROR" + echo "$@" + exit 1 +} + +enable_pam_mkhomedir() { + if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then + echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session + fi +} + +adjust_hostname() { + local myhostname="$1" + + echo "${myhostname}" > /etc/hostname + hostname "${myhostname}" + if ! grep -qE "${myhostname}" /etc/hosts; then + # just so it's resolvable + echo "127.0.1.10 ${myhostname}" >> /etc/hosts + fi +} + +generate_certs() { + local cn="$1" + local cert="/etc/ldap/server.pem" + local key="/etc/ldap/server.key" + local cnf="/etc/ldap/openssl.cnf" + + cat > "$cnf" < /etc/ldap/ldap.conf < /etc/sssd/sssd.conf < /etc/sssd/sssd.conf < /etc/krb5kdc/kdc.conf < /etc/krb5.conf < /etc/krb5kdc/kadm5.acl + + # create the realm + kdb5_util create -s -P secretpassword + + # restart services + systemctl restart krb5-kdc.service krb5-admin-server.service +} + +create_krb_principal() { + local principal="$1" + local password="$2" + + kadmin.local -q "addprinc -pw ${password} ${principal}" +} + --- sssd-2.2.2.orig/debian/upstream/signing-key.asc +++ sssd-2.2.2/debian/upstream/signing-key.asc 
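Review bot: `create_krb_principal` splices `${password}` and `${principal}` unquoted into the `kadmin.local -q` query string, so a value containing whitespace or a quote character changes how the query is tokenised, and the password is visible in the process argument list; the literal master password in `kdb5_util create -s -P secretpassword` is exposed the same way. On a disposable test bed with fixture values this is tolerable, but it should be marked with a comment such as `# test-only: passwords on the command line are visible to local users`, and the query quoted as `kadmin.local -q "addprinc -pw \"${password}\" \"${principal}\""` (assuming kadmin's query parser honours double quotes, which should be confirmed). In `adjust_hostname`, `grep -qE "${myhostname}" /etc/hosts` treats the dots of the host name as regex wildcards; `grep -qF -- "${myhostname}" /etc/hosts` matches it literally. The here-document bodies of this file are not legible in this rendering of the hunk, so the generated slapd, sssd and krb5 configuration is not covered by this note.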
@@ -0,0 +1,70 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.3 + +mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MUXQDAKJM7 +MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0R+OiWh8d7ChCG6ri +v/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWXqZoZrm4lPlBZQltfhzdmvn8D +/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjgq9Knn4sE9lnGjtG4RCYMT2Sideognk9A +h5nWOGynwta6cluCEqlF6ORJPKpAeqG1a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/ +XtMoHSSyPi/Xum6R+jwISv7nTMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlS +B6tAqN0G7VL6AFcsiOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KN +tbnCrhS+Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv +emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iEYEEBECAAYFAkoAZ+EACgkQeiVVYja6o6PaUgCc +C1uIdzSouXkz/Hpc8WIq5bbdMCkAoIi6PtlzQuiCQgzN39VcFzIdnUfuiEYEEBECAAYFAkoA +aA0ACgkQWAkQHAJrbG8paQCgle0IkEHUEpBG3T+despZYg2KaIwAnRRsCazy6CeJfOuP0IVG +Y8FKWedYiEYEEBECAAYFAkoAcQUACgkQGliNByGNTpdfzgCfVdjXUF5AXkDJ78q2N9biKECo +GTEAoJWdxJJAI6kE54tSCay6LkqU49etiEgEEBECAAkFAkoAZiECBwAACgkQUDGHpI6P4rpH +YgCWJtMmuHsk2/znWsUfqALeXL3LXQCgpmRUJbjVee51ja2KSLRqslUZZ1KIXwQTEQIAIAUC +RcN19QIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEB7Gq3Uy57wlIcEAoKNgX8eyFiQn +ylJlOKUs7TJsxY4XAJiU6oXuJwZUMVPjZbcKiot+BqMKiQIcBBABAgAGBQJKAGrfAAoJEKqM +a5A1GvYd/CsP/1eHH2Ogbp9ycbPBc7pO5iLwBDPE81a4SMXqLcs0VS4Ps5d4gpjGo6CilNb6 +gi5GTK4gmpQqFHYmzRSacO5aYnwSeueGYpI+jMxDeQcbabwA9oquOhckYuQ4tM6Cmnwdiym4 +0RsIA+8zEnZuzQywUD7h/b1xRjoEeLAe24UPdF0qMypChdF0EGXhosaapmxhXe31F/qqa2uH +LUpECwJb417y9aVxDxtq4tnWh3kjpFMrLkX8NA2qMkBO9csI0lRVkDu+Ofs0V7yc3MjART2k +azYI7VkpVbqRc4QHnzfD3MLR2sgycEc5HQzJZYhe84AYATz8bqwptJlDi2pfEx11rHpVeGGN +/I2hjitsARsNUIopYyNdXpbwCk4xv2U+uZzGpgzpt/siU4t1oKHc+P2gJ5xrazRan3gEd6QF +XrWHq1+sdV4pUFM2R3UZt8z8NquRposHPn9ldNEpxNVkjbTZiY6D+f3yIUa43z6f4B2gWSuI +Gq2ayIVGSKaf+hxzFa9sFsMJ1VeGsYt9g3zxnWRFEJRup0/VasVCqkMan0YoXOJB5+R2Ie73 +WWfoLlv2KozPDL91D1sXhxschxHHnQ8ro3Nl80s+yCNINhBK3+UUZsE/THlU7KQvq2j8dy85 
+frWvjPylNddJsXGRzBVTu629Gkhm3glVMPrfi5CEZkuRC4FOiQIcBBABAgAGBQJNsBsGAAoJ +EK184QA5M3MO9bMP/R4d3Xvhx65ayuLTehyoi0CAdaCU6wbxvO922rzSu57i0JY2Ef14ZXF2 +2RDrkAPgbw6S+wF8GRT4NKvfYaVx9oYunvD1OTa5EfEjG2KvJrKOsOKUCD7yQxKXGhP7K8sc +AiuZk4rCgfX9+O4RpqRdl1/EqCEBzUZaU79RN/KLqapddtF0H4tyLWpWSyrQs8PjGRJmeh3J +7RuD7ZYC4XRtvpx3IDqn6+RCQFhb/EpGX7EwxbKgapmpD+9W2vqLHbM655w6/hc68J4bnE80 +DnZKc659HuNvRGitzS7ShbI+8h5TUHcxsEsQCnfKkrkfdQo79878IKBmlJKC1WqUBZbbvdIT +fVToL9dtShHiNoy4jVuxUoizEAXEIjdi52MHhAY5I6wWyrDOV9Ftg9ZLwa6MbH31EKUbRMmP +75y0ID4RQCINqP7HMu5vlHRBKAKC1Tf3DqRZJIU61v4A3WR6IMGNXaoVFbQwB6YXsOkJPiN1 +vgrqo42Z+rNRFFkCj341RJO2KNpjeUdeKVSyDmEb22wiRLEgXnmk902uOJN1HFcj7/JjlXGR +R24Zu0C97B+HNdlmWVnxJx/aNx2zkGnjdAjMLy1bosMJSPyAJVWnKU3TmrsB4raPeawbk8OS +mwzRCiIl9VDlBjaDK4E4+0I05/BNMWvsEMOeGeJdKU/OhWYPnoBWuQINBEXDdgAQCAC6qjQX +EfVe106L+pbq/61Z2pgcuP9/RWiqPVxulL5w4M1NpfX9d/gme/q+biU4bmAiSoPV7lQKkbmk +Mm8ySuljSVhGvlEagLb20dlhd8QFUSR2G5TtlNJBFqiK0rlNLCM6Ploq8VIcSMysJZwZJRqM +QJCREfBlvccrbCqoFasmOOM+2P7lxCD6wqntmnrFTeJmUyhV91iL/MZ6e6YKnlIybwJlnmBy +w1mGMi2RPDDkr/83orPjWgxjIeWCHTb0kPQsc+Appw/cp4QQPNIMTH9JIQXjMP8R8sMd6GBr ++fRmKw2bF3G578EjYubuqoY0O1X6prXukgnp899p9tIAphq3AAQLB/9K4yRk3fpQOyg6fTqo +itiLkkGyzew5+F4kSepQgQ7QkKnJv5+qKx2qhMkzQbmAWkK+5k4AKnPNW/RaOGUwjI+X/tS4 +/gpgjosaoABGo3GwdPsU3FPRS/pBHx8Y9CpV0UsUF3roQEv0+c63dENjC0mUP1ww1Q2nNYRe +MndEKTSVkXZ6WOk+W7Q6vnc66KiaaeGZyaPFHmC8x/ikupRGERnZTTKVGJOJMiTRjIgBKwOc +B/QEKUVfPiLipIPqMmWgqitELsy7zvGLUMbgwv4VgL/Z3ncjw6ocFGG01S38Zty2GwcPEWrm +JWk3HAMBfW+vrk9a/3ym9MycmaMgOF+DAkx0iEkEGBECAAkFAkXDdgACGwwACgkQHsardTLn +vCWU5wCgqQcHeUMVaVQ1xIt1EJDF+wILLvMAn0YtJTYbQdH6FBUyLY42isSL8TJM +=+iK5 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFmtFkYBCAChY0X55Q+SUoPPMxTZAs3RMIt0Ljxe61thEl8M1uqY5REZhCJR +CSECM+/cWNPcSINFkAy+SBndORpk/FARplZExkuB/ySkLsm/q2wey0uLIlQl00Lg +zpF2n4maN19TKA3RZVZutkO0NiKrelZ41XZFQEnR/h7QLZ/Rp6RYhDo+C2KUYg1U +hbDMicxgQ+x+HrYdut7v6ESxCZtapnMtAfQI/+keusb18sJG+XuK8gUDNuVQSZkx 
+BHEPVTFD3C3XBxRVI4V7F1H475GCi/HmzydfxZ1KgiGYOrslp0hDfbzYP5NzbLfo +sDFhafuTr4ShkbCdkrAOADTo5Mmt+mmQquW7ABEBAAG0K01pY2hhbCDFvWlkZWsg +KHJoX3dvcmspIDxtemlkZWtAcmVkaGF0LmNvbT6JAT0EEwEIACcFAlmtFkYCGwMF +CQHhM4AFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQuogAD+Y5gnKHfwf9G9e1 +8jQZDkHrVzAQdz+TNW+4Iu0P45vPhjaG23CbpMj4JHcH5V1Cz4uOFw95K04x2Kho +lnVmCLWbqXUG7zzNpQt1xEAt/c41h2zzS4KN3tKjb41otwzc//8nkTloA2LATavg +iT+HX8z12o/GgE/CoyhErdIOemZfr544RIl1B3/RHMmie60CGUiQ1UkTr7FBodyd +xzGWXUUlLcPEoAf3ZiSANcwwVgVcX//xeAnC1MPs0jBJgvJpuBbTEkL8LLzo4YTf +lNT4kC9HBjnF40CC20Zm/JQ6jPRYpLfwmB6zvo6uAGXeCGbzI8SuHS4P38DunprJ +ksA8i38pWZ/R1kHo7w== +=02ao +-----END PGP PUBLIC KEY BLOCK----- --- sssd-2.2.2.orig/debian/watch +++ sssd-2.2.2/debian/watch @@ -0,0 +1,4 @@ +#git=git://pagure.io/SSSD/sssd.git +version=3 +opts="uversionmangle=s/alpha/~alpha/;s/beta/~beta/,pgpsigurlmangle=s/$/.asc/" \ +https://releases.pagure.org/SSSD/sssd/sssd-(.*)\.tar\.gz --- sssd-2.2.2.orig/po/cs.po +++ sssd-2.2.2/po/cs.po 
@@ -0,0 +1,2955 @@ +# Zdenek , 2017. #zanata +# Pavel Borecki , 2018. #zanata +# Pavel Borecki , 2019. #zanata +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2019-08-15 02:07+0200\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"PO-Revision-Date: 2019-08-31 07:00+0000\n" +"Last-Translator: Pavel Borecki \n" +"Language-Team: Czech\n" +"Language: cs\n" +"X-Generator: Zanata 4.6.2\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Nastavit úroveň podrobnosti zaznamenávání ladících informací" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Zahrnout do ladících záznam časové značky" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "Zahrnout do časových značek v ladících záznamech mikrosekundy" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Zapisovat ladící zprávy do záznamů událostí" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "Časová prodleva resetátoru (watchdog) před restartováním služby " + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Příkaz pro spouštění služy" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "Počet pokusů o připojení k poskytovatelům dat" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "Počet popisovačů souborů, které mohou tímto odpovídačem být otevřeny" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid 
"Idle time before automatic disconnection of a client" +msgstr "Doba nečinnosti, po které dojde k automatickému odpojení klienta" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "Doba nečinnosti, po které dojde k vypnutí odpovídače" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" +"Vždy dotazovat všechny vyrovnávací paměti před dotazováním poskytovatelů " +"údajů" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "SSSD služby které spustit" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "SSSD domény které spustit" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "Časový limit pro zprávy posílané přes SBUS" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "Regex to parse username and domain" +msgstr "Regulární výraz pro zpracování uživatelského jména a domény" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:200 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "Formát kompatibilní s printf pro zobrazování úplných názvů" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" +"Složka na souborovém systému kde by SSSD mělo ukládat soubory pro kerberos " +"replay." + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "Doména kterou přidat k názvům bez doménové části." 
+ +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "Uživatel na kterého se stáhnout z oprávnění" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "Vyladit ověřování certifikátu" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" +"Všechny mezery v názvech skupin a uživatelských jménech budou nahrazeny " +"tímto znakem" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "Vyladit sssd aby respektovalo nebo ignorovalo změny stavu netlink" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "Zapnout nebo vypnout implicitní doménu soubory" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "Konkrétní pořadí domén ve které je hledat" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "Délka časového limitu mezipaměti vyčíslování (v sekundách)" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" +"Délka časového limitu aktualizace mezipaměti položek na pozadí (v sekundách)" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Negative cache timeout length (seconds)" +msgstr "Délka časového limitu záporné mezipaměti (v sekundách)" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "Délka (v sekundách) časového limitu negativní mezipaměti souborů" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "Uživatelé, které by SSSD mělo výslovně ignorovat" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr 
"Skupiny, které by SSSD mělo výslovně ignorovat" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "Mají se filtrovaní uživatelé objevovat ve skupinách" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "Hodnota kolonky hesla kterou by poskytovatel NSS měl vrátit" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" +"Přepsat hodnotu homedir (domovská složka), obdrženou z poskytovatele " +"identit, touto hodnotou" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" +"Nahradit prázdnou hodnotu homedir z poskytovatele identit touto hodnotou" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" +"Přepsat hodnotu shell, obdrženou z poskytovatele identit, touto hodnotou" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" +"Seznam uživatelů s přístupem do shellu, kterým je umožněno se přihlásit " +"pomocí" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "Seznam shellů, které budou vetovány a nahrazeny náhradním" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" +"Pokud shell uložený v centrálním adresáři je dovolen ale není k dispozici, " +"použít tuto náhradu" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "Shell který použít pokud poskytovatel žádný neuvádí" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr 
"Jak dlouho budou záznamy mezipaměti v paměti platné" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "Seznam atributů uživatelů, které je NSS dovoleno zveřejnit" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" +"Po jak dlouho umožnit přihlášení vůči mezipaměti do přihlášení při připojení " +"(dny)" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "Kolik nezdařených pokusů o přihlášení je dovoleno bez připojení" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" +"Jak dlouho (v minutách) odpírat přihlášení po dosažení " +"offline_failed_login_attempts" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "Jaký druh zpráv je zobrazován při ověřování uživatele" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "Filtrovat PAM odpovědi poslané pam_sss" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" +"Kolik sekund si ponechávat informace o identitě v mezipaměti pro PAM " +"požadavky" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "Kolik dnů před skončením platnosti hesla má být zobrazováno varování" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "Seznam důvěryhodných identifikátorů uživatelů nebo uživatelských jmen" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." 
+msgstr "Seznam domén přístupných i nedůvěryhodným uživatelům." + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "Zpráva vypsaná když platnost uživatelského účtu skončila." + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "Zpráva vypisovaná když je účet uživatele uzamčen." + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "Umožnit ověřování založené na certifikátu/Smartcard" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "Popis umístění databáze certifikátů s PKCS#11 moduly." + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "Kolik sekund bude pam_sss čekat na dokončení p11_child" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "Kterým PAM službám je umožněno kontaktovat aplikační domény" + +#: src/config/SSSDConfig/__init__.py.in:106 +msgid "Allowed services for using smartcards" +msgstr "Aplikace které je možné použít se SmartCard kartami" + +#: src/config/SSSDConfig/__init__.py.in:107 +msgid "Additional timeout to wait for a card if requested" +msgstr "Dodatečný časový limit po který čekat pokud je vyžádána karta" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "" +"PKCS#11 URI to restrict the selection of devices for Smartcard " +"authentication" +msgstr "" +"PKCS#11 URI pro omezení výběru zařízení pro ověřování pomocí Smartcard" + +#: src/config/SSSDConfig/__init__.py.in:111 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "Zda vyhodnocovat na času založené atributy v pravidlech sudo" + +#: src/config/SSSDConfig/__init__.py.in:112 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "Pokud je zapnuto, 
SSSD přepne zpět na logiku řazení nižší vyhrává" + +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "" +"Maximum number of rules that can be refreshed at once. If this is exceeded, " +"full refresh is performed." +msgstr "" +"Nejvyšší umožněný počet pravidel, aktualizovaných naráz. Pokud je toto " +"překročeno, je provedena úplná aktualizace." + +#: src/config/SSSDConfig/__init__.py.in:119 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "Zda v souboru known_hosts vytvářet otisk názvů strojů a adres" + +#: src/config/SSSDConfig/__init__.py.in:120 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" +"Kolik sekund ponechávat stroj v souboru known_hosts poté, co byly vyžádány " +"klíče stroje" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "Path to storage of trusted CA certificates" +msgstr "Popis umístění úložiště certifikátů důvěryhodných cert. autorit" + +#: src/config/SSSDConfig/__init__.py.in:124 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" +"Seznam UID nebo uživatelských jmen, kterým je umožněn přístup k PAC " +"odpovídači" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "How long the PAC data is considered valid" +msgstr "Po jak dlouho jsou PAC data považována za platná" + +#: src/config/SSSDConfig/__init__.py.in:128 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" +"Seznam UID identifikátorů nebo uživatelských jmen, kterým je umožněn přístup " +"k InfoPipe odpovídači" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "Seznam atributů uživatele, které InfoPipe bude moci zveřejnit" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The provider where the secrets will be stored in" +msgstr "Poskytovatel, ve kterém budou tajemství ukládána" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The 
maximum allowed number of nested containers" +msgstr "Nejvyšší umožněný počet vnořených kontejnerů" + +#: src/config/SSSDConfig/__init__.py.in:134 +msgid "The maximum number of secrets that can be stored" +msgstr "Nejvyšší umožněný počet tajemství, která mohou být uložena" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "Maximální počet tajemství, která je možné uložit pro jednotlivá UID" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "Nejvyšší umožněná velikost nákladu tajemství (v kilobajtech)" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The URL Custodia server is listening on" +msgstr "URL adresa na které Custodia server očekává spojení" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "The method to use when authenticating to a Custodia server" +msgstr "Metoda kterou použít při ověřování se vůči Custodia serveru" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" +"Název hlaviček které budou přidány do HTTP požadavku s hodnotou definovanou " +"v auth_header_value" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "The value sssd-secrets would use for auth_header_name" +msgstr "Hodnota kterou by sssd-secrets použilo pro auth_header_name" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" +"Seznam hlaviček které přeposlat Custodia serveru společně s požadavkem" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"The username to use when authenticating to a Custodia server using " +"basic_auth" +msgstr "" +"Uživatelské jméno které použít při ověřování se vůči Custodia serveru pomocí " +"basic_auth" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "" +"The 
password to use when authenticating to a Custodia server using " +"basic_auth" +msgstr "" +"Heslo které použít při ověřování se vůči Custodia serveru pomocí basic_auth" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "" +"If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" +"Pokud je zapnuto, certifikát protějšku je ověřen pokud proxy_url používá " +"https protokol" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" +"Pokud není nastaveno, certifikát protějšku může obsahovat rozdílný název " +"stroje než proxy_url když je použit https protokol" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" +"Popis umístění složky ve které jsou uchovávány certifikáty cert. autority" + +#: src/config/SSSDConfig/__init__.py.in:148 +msgid "Path to file containing server's CA certificate" +msgstr "" +"Popis umístění souboru obsahujícího certifikát certif. 
autority serveru" + +#: src/config/SSSDConfig/__init__.py.in:149 +msgid "Path to file containing client's certificate" +msgstr "Popis umístění souboru obsahujícího klientský certifikát" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Path to file containing client's private key" +msgstr "Popis umístění souboru obsahujícího soukromý klíč klienta" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Identity provider" +msgstr "Poskytovatel identity" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "Authentication provider" +msgstr "Poskytovatel ověřování" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Access control provider" +msgstr "Poskytovatel řízení přístupu" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Password change provider" +msgstr "Poskytovatel změny hesel" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SUDO provider" +msgstr "Poskytovatel SUDO" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Autofs provider" +msgstr "Poskytovatel autofs" + +#: src/config/SSSDConfig/__init__.py.in:159 +msgid "Host identity provider" +msgstr "Poskytovatel identity strojů" + +#: src/config/SSSDConfig/__init__.py.in:160 +msgid "SELinux provider" +msgstr "Poskytovatel SELinux" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Session management provider" +msgstr "Poskytovatel správy sezení" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "Zda je doména použitelná pro operační systém nebo aplikace" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Minimum user ID" +msgstr "Nejnižší identif. uživatele" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Maximum user ID" +msgstr "Nejvyšší identif. 
uživatele" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Enable enumerating all users/groups" +msgstr "Zapnout vyčíslování všech uživatelů/skupin" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Cache credentials for offline login" +msgstr "" +"Ukládat přihlašovací údaje do mezipaměti pro přihlašování se bez připojení" + +#: src/config/SSSDConfig/__init__.py.in:169 +msgid "Display users/groups in fully-qualified form" +msgstr "Zobrazovat uživatele/skupiny v úplné podobě" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "Don't include group members in group lookups" +msgstr "Nezahrnovat členy skupiny do hledání skupiny" + +#: src/config/SSSDConfig/__init__.py.in:171 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:182 +#: src/config/SSSDConfig/__init__.py.in:183 +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:185 +msgid "Entry cache timeout length (seconds)" +msgstr "Délka časového limitu položky (v sekundách)" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" +"Omezit nebo upřednostnit konkrétní generaci adres při provádění DNS hledání" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" +"Jak dlouho si ponechávat položky v mezipaměti po posledním úspěšném " +"přihlášení (dny)" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "" +"How long should SSSD talk to single DNS server before trying next server " +"(miliseconds)" +msgstr "" +"Jak dlouho se má SSSD pokoušet komunikovat s jedním DNS serverem, než " +"vyzkouší další server (v milisekundách)" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "How long should keep trying to resolve single DNS query (seconds)" +msgstr "Jak dlouho se pokoušet přeložit jeden DNS dotaz (sekundy)" + +#: 
src/config/SSSDConfig/__init__.py.in:176 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "Jak dlouho čekat na odpovědi z DNS při překládání serverů (sekundy)" + +#: src/config/SSSDConfig/__init__.py.in:177 +msgid "The domain part of service discovery DNS query" +msgstr "Doménová část DNS dotazu pro objevování služby" + +#: src/config/SSSDConfig/__init__.py.in:178 +msgid "Override GID value from the identity provider with this value" +msgstr "Přebít hodnotu GID z poskytovatele identit touto hodnotou" + +#: src/config/SSSDConfig/__init__.py.in:179 +msgid "Treat usernames as case sensitive" +msgstr "U uživatelských jmen rozlišovat velká a malá písmena" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often should expired entries be refreshed in background" +msgstr "" +"Jak často mají být položky, kterým skončila platnost, na pozadí obnovovány" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether to automatically update the client's DNS entry" +msgstr "Zda automaticky aktualizovat DNS položku klienta" + +#: src/config/SSSDConfig/__init__.py.in:188 +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "TTL které uplatnit na DNS položku klienta po její aktualizaci" + +#: src/config/SSSDConfig/__init__.py.in:189 +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "Rozhraní, kterého IP adresu použít pro dynamickou aktualizaci DNS" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "How often to periodically update the client's DNS entry" +msgstr "Jak často pravidelně aktualizovat DNS záznam klienta" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" +"Zda má poskytovatel výslovně aktualizovat také záznam pro zpětný překlad " +"(PTR)" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid 
"Whether the nsupdate utility should default to using TCP" +msgstr "Zda má nástroj nsupdate jako výchozí používat protokol TCP" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "Jaký druh ověřování by měl být použit při provádění aktualizace DNS" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Override the DNS server used to perform the DNS update" +msgstr "Přepsat DNS server použité pro provedení DNS aktualizace" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "Control enumeration of trusted domains" +msgstr "Řídí vyčíslování důvěryhodných domén" + +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "How often should subdomains list be refreshed" +msgstr "Jak často má být znovu načítán seznam dílčích domén" + +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "List of options that should be inherited into a subdomain" +msgstr "Seznam voleb které by měly být převzaté do dílčí domény" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Default subdomain homedir value" +msgstr "Výchozí hodnota homedir dílčí domény" + +#: src/config/SSSDConfig/__init__.py.in:199 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" +"Po jak dlouho mohou být přihlašovací údaje, uložené v mezipaměti, pro " +"ověřování" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "Whether to automatically create private groups for users" +msgstr "Zda uživatelům automaticky vytvářet soukromé skupiny" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "IPA domain" +msgstr "IPA doména" + +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "IPA server address" +msgstr "Adresa IPA serveru" + +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "Address of backup IPA server" +msgstr "Adresa záložního IPA serveru" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "IPA client hostname" +msgstr "Název stroje klienta IPA" + +#: src/config/SSSDConfig/__init__.py.in:209 
+msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "Zda automaticky aktualizovat DNS položku klienta ve FreeIPA" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "Search base for HBAC related objects" +msgstr "Základ hledání pro objekty, související s HBAC" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "Množství času mezi vyhledáváními HBAC pravidel vůči IPA serveru" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" +"Množství času (v sekundách) mezi vyhledáváními SELinux map vůči IPA serveru" + +#: src/config/SSSDConfig/__init__.py.in:215 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "Pokud je vypnuto, argument stroje daný PAM bude ignorován" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "The automounter location this IPA client is using" +msgstr "Umístění automounter, které tento IPA klient používá" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Search base for object containing info about IPA domain" +msgstr "Základ hledání pro objekt obsahující informace o IPA doméně" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Search base for objects containing info about ID ranges" +msgstr "" +"Základ hledání pro objekty obsahující informace o rozsazích identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:219 +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "Enable DNS sites - location based service discovery" +msgstr "Zapnout DNS sites – na umístění založené objevování služby" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Search base for view containers" +msgstr "Základ hledání pro zobrazení kontejnerů" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for view containers" +msgstr "Objektová třída pro zobrazení kontejnerů" + +#: 
src/config/SSSDConfig/__init__.py.in:222 +msgid "Attribute with the name of the view" +msgstr "Atribut obsahující název pohledu" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Objectclass for override objects" +msgstr "Objektová třída pro přepsání objektů" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "Attribute with the reference to the original object" +msgstr "Atribut obsahující odkaz na původní objekt" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "Objectclass for user override objects" +msgstr "Objektová třída pro uživatelské přepsání objektů" + +#: src/config/SSSDConfig/__init__.py.in:226 +msgid "Objectclass for group override objects" +msgstr "Objektová třída pro objekty přepsání skupiny" + +#: src/config/SSSDConfig/__init__.py.in:227 +msgid "Search base for Desktop Profile related objects" +msgstr "Základ hledání pro objekty související s desktopovým profilem" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" +"Doba (v sekundách) mezi hledáními pravidel desktopového projektu vůči IPA " +"serveru" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" +"Množství času (v minutách) mezi vyhledáními pravidel desktopových profilů " +"vůči IPA serveru když poslední požadavek nenašel žádné pravidlo" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory domain" +msgstr "Doména Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enabled Active Directory domains" +msgstr "Zapnout domény Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:234 +msgid "Active Directory server address" +msgstr "Adresa serveru s Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Active Directory backup server address" 
+msgstr "Adresa záložního serveru s Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Active Directory client hostname" +msgstr "Název stroje klienta Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:238 +#: src/config/SSSDConfig/__init__.py.in:423 +msgid "LDAP filter to determine access privileges" +msgstr "LDAP filtr pro zjišťování přístupových oprávnění" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "Whether to use the Global Catalog for lookups" +msgstr "Zda pro hledání používat globální katalog" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "Operation mode for GPO-based access control" +msgstr "Režim fungování pro řízení přístupu založené na GPO objektech" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "Množství času mezi vyhledáními souborů GPO zásad vůči AD serveru" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" +"Názvy PAM služby, která mapuje na (Deny)InteractiveLogonRight nastavení " +"zásady" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" +"Názvy PAM služby, která mapuje GPO (Deny)RemoteInteractiveLogonRight " +"nastavení zásady" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy " +"settings" +msgstr "" +"Názvy PAM služby, která mapuje GPO (Deny)NetworkLogonRight nastavení zásady" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" +"PNázvy PAM služby, která mapuje GPO (Deny)BatchLogonRight nastavení zásady" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "" +"PAM service names that map to the GPO 
(Deny)ServiceLogonRight policy " +"settings" +msgstr "" +"Názvy PAM služby, která mapuje GPO (Deny)ServiceLogonRight nastavení zásady" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" +"Názvy PAM služby, pro které je přístup založený na GPO objektech vždy udělen" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" +"Názvy PAM služby, pro které je přístup založený na GPO objektech vždy " +"odepřen" + +#: src/config/SSSDConfig/__init__.py.in:249 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" +"Výchozí přihlasovací oprávnění (nebo permit/deny), které použít pro názvy " +"nenamapovaných PAM služeb" + +#: src/config/SSSDConfig/__init__.py.in:250 +msgid "a particular site to be used by the client" +msgstr "konkrétní místo kterou použít klientem" + +#: src/config/SSSDConfig/__init__.py.in:251 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" +"Nejvyšší umožněné stáří (ve dnech) než by mělo být obnoveno heslo účtu " +"stroje" + +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Option for tuning the machine account renewal task" +msgstr "Volba pro vyladění úlohy obnovování účtu stroje" + +#: src/config/SSSDConfig/__init__.py.in:255 +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Kerberos server address" +msgstr "Adresa kerberos serveru" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Kerberos backup server address" +msgstr "Adresa záložního kerberos serveru" + +#: src/config/SSSDConfig/__init__.py.in:258 +msgid "Kerberos realm" +msgstr "Kerberos oblast" + +#: src/config/SSSDConfig/__init__.py.in:259 +msgid "Authentication timeout" +msgstr "Časový limit ověřování" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Whether to create kdcinfo files" +msgstr "Zda vytvářet kdcinfo souborů" + +#: 
src/config/SSSDConfig/__init__.py.in:261 +msgid "Where to drop krb5 config snippets" +msgstr "Kam odkládat útržky nastavení krb5" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Directory to store credential caches" +msgstr "Složka ve které ukládat mezipaměť přihlašovacích údajů" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Location of the user's credential cache" +msgstr "Umístění mezipaměti přihlašovacích údajů uživatele" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Location of the keytab to validate credentials" +msgstr "" +"Umístění uložených přihlašovacích údajů pro ověřování ověřovacích údajů" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Enable credential validation" +msgstr "Zapnout ověřování přihlašovacích údajů" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Store password if offline for later online authentication" +msgstr "Ukládat heslo pokud bez připojení pro pozdější ověření při připojení" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Renewable lifetime of the TGT" +msgstr "Obnovovatelná životnost TGT lístku" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Lifetime of the TGT" +msgstr "Životnost TGT lístku" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Time between two checks for renewal" +msgstr "Doba mezi dvěma kontrolami pro obnovu" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "Enables FAST" +msgstr "Zapíná FAST" + +#: src/config/SSSDConfig/__init__.py.in:273 +msgid "Selects the principal to use for FAST" +msgstr "Vybírá principal pro použití pro FAST" + +#: src/config/SSSDConfig/__init__.py.in:274 +msgid "Enables principal canonicalization" +msgstr "Zapíná kanonizaci principalu" + +#: src/config/SSSDConfig/__init__.py.in:275 +msgid "Enables enterprise principals" +msgstr "Zapíná podnikové principaly" + +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "A mapping from user names to Kerberos principal names" +msgstr "Mapování z uživatelských jmen na názvy kerberos 
principal" + +#: src/config/SSSDConfig/__init__.py.in:279 +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Server na kterém je spuštěná služba pro změnu hesla, pokud to není KDC" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, URI adresa LDAP serveru" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, URI adresa LDAP serveru" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The default base DN" +msgstr "Výchozí základ rozlišeného názvu" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Typ schématu používaný na LDAP serveru, dle normy rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Mode used to change user password" +msgstr "Režim použitý pro změnu hesla uživatele" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "The default bind DN" +msgstr "Výchozí spojovací rozlišený název" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "The type of the authentication token of the default bind DN" +msgstr "Typ ověřovacího tokenu výchozího spojovacího rozlišeného názvu" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "The authentication token of the default bind DN" +msgstr "ověřovací token výchozího spojovacího rozlišeného názvu" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Length of time to attempt connection" +msgstr "Doba po kterou se pokoušet o připojení" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Doba po kterou se pokoušet o synchronní LDAP operace" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "Length of time between attempts to reconnect while offline" +msgstr "Doba mezi pokusy o opětovné připojení když bez připojení" + +#: 
src/config/SSSDConfig/__init__.py.in:294 +msgid "Use only the upper case for realm names" +msgstr "Pro názvy oblastí (realm) používat pouze velká písmena" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "File that contains CA certificates" +msgstr "Soubor obsahující certifikáty cert. autorit" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Path to CA certificate directory" +msgstr "Popis umístění složky s certifikáty cert. autority" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "File that contains the client certificate" +msgstr "Soubor obsahující klientský certifikát" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "File that contains the client key" +msgstr "Soubor který obsahuje klientský klíč" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "List of possible ciphers suites" +msgstr "Seznam možných šifrovacích algoritmů" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Require TLS certificate verification" +msgstr "Vyžadovat ověření TSL certifikátem" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Specify the sasl mechanism to use" +msgstr "Určete sasl mechanizmus, který použít" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Specify the sasl authorization id to use" +msgstr "Zadejte identifikátor sasl ověřování které použít" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Specify the sasl authorization realm to use" +msgstr "Zadejte oblast (realm) sasl ověřování kterou použít" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "Zadejte minimální SSF pro LDAP sasl ověřování" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Kerberos service keytab" +msgstr "Uložené přihlašovací údaje (keytab) služby kerberos" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Použít pro LDAP spojení kerberos" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "Follow LDAP referrals" +msgstr 
"Následovat LDAP odkazy" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "Lifetime of TGT for LDAP connection" +msgstr "Životnost TGT lístku pro LDAP spojení" + +#: src/config/SSSDConfig/__init__.py.in:309 +msgid "How to dereference aliases" +msgstr "Jak rušit odkazování alternativních jmen" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "Service name for DNS service lookups" +msgstr "Název služby pro hledání služby pomocí DNS" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "Počet záznamů které získávat v rámci jediného LDAP dotazu" + +#: src/config/SSSDConfig/__init__.py.in:312 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "Počet členů který je třeba aby chyběli, aby bylo spuštěno plné deref" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" +"Zda LDAP knihovna má provádět zpětný překlad pro kanonizaci názvu stroje při " +"SASL spojení" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "entryUSN attribute" +msgstr "atribut entryUSN" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "lastUSN attribute" +msgstr "atribut lastUSN" + +#: src/config/SSSDConfig/__init__.py.in:318 +msgid "" +"How long to retain a connection to the LDAP server before disconnecting" +msgstr "Jak dlouho ponechat spojení s LDAP serverem před odpojením" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Disable the LDAP paging control" +msgstr "Vypnut řízení LDAP stránkování" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Disable Active Directory range retrieval" +msgstr "Vypnout získávání rozsahu Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Length of time to wait for a search request" +msgstr "Délka času po kterou čekat na požadavek hledání" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid 
"Length of time to wait for a enumeration request" +msgstr "Délka času po kterou čekat na požadavek vyčíslení" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Length of time between enumeration updates" +msgstr "Délka času po kterou čekat na aktualizace vyčíslení" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Length of time between cache cleanups" +msgstr "Délka času po kterou čekat mezi vyčištěními mezipaměti" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Require TLS for ID lookups" +msgstr "Vyžadovat pro vyhledání identifikátorů TLS šifrování" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" +"Použít mapování identifikátorů objectSID namísto přednastavených " +"identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:330 +msgid "Base DN for user lookups" +msgstr "Základ rozliš. názvu pro vyhledávání uživatelů" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "Scope of user lookups" +msgstr "Rozsah vyhledávání uživatelů" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Filter for user lookups" +msgstr "Filtr pro vyhledávání uživatelů" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "Objectclass for users" +msgstr "Objektová třída pro uživatele" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Username attribute" +msgstr "Atribut uživatelské jméno" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UID attribute" +msgstr "atribut UID" + +#: src/config/SSSDConfig/__init__.py.in:337 +msgid "Primary GID attribute" +msgstr "atribut hlavní GID" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "GECOS attribute" +msgstr "atribut GECOS" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "Home directory attribute" +msgstr "Atribut domovská složka" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Shell attribute" +msgstr "Atribut shell" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "UUID attribute" +msgstr "Atribut obsahující UUID" 
+ +#: src/config/SSSDConfig/__init__.py.in:342 +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "objectSID attribute" +msgstr "Atribut obsahující objectSID" + +#: src/config/SSSDConfig/__init__.py.in:343 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "Hlavní atribut skupiny z Active Directory pro mapování identifikátoru" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "User principal attribute (for Kerberos)" +msgstr "Atribut obsahující principal uživatele (pro kerberos)" + +# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "Full Name" +msgstr "Celé jméno" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "memberOf attribute" +msgstr "atribut memberOf (členem)" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "Modification time attribute" +msgstr "atribut okamžik změny" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowLastChange attribute" +msgstr "atribut obsahující shadowLastChange" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowMin attribute" +msgstr "atribut shadowMin" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "shadowMax attribute" +msgstr "atribut shadowMax" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "shadowWarning attribute" +msgstr "atribut shadowWarning" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "shadowInactive attribute" +msgstr "atribut shadowInactive" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "shadowExpire attribute" +msgstr "atribut shadowExpire" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "shadowFlag attribute" +msgstr "atribut shadowFlag" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute listing authorized PAM services" +msgstr "Atribut vypisující pověřené PAM služby" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "Attribute listing authorized server hosts" +msgstr "Atribut vypisující hostitele – pověřené servery" + 
+#: src/config/SSSDConfig/__init__.py.in:358 +msgid "Attribute listing authorized server rhosts" +msgstr "Atribut vypisující vzdálené hostitele – pověřené servery" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "krbLastPwdChange attribute" +msgstr "atribut krbLastPwdChange" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "krbPasswordExpiration attribute" +msgstr "atribut krbPasswordExpiration" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "Attribute indicating that server side password policies are active" +msgstr "Atribut indikující že zásady ohledně hesel na straně serveru" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "accountExpires attribute of AD" +msgstr "AD atribut accountExpires (platnost účtu končí)" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "userAccountControl attribute of AD" +msgstr "AD atribut userAccountControl" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "nsAccountLock attribute" +msgstr "atribut nsAccountLock" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "loginDisabled attribute of NDS" +msgstr "NDS atribut loginDisabled" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "loginExpirationTime attribute of NDS" +msgstr "NDS atribut loginExpirationTime" + +#: src/config/SSSDConfig/__init__.py.in:367 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "NDS atribut loginAllowedTimeMap" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "SSH public key attribute" +msgstr "Atribut veřejná část ssh klíče" + +#: src/config/SSSDConfig/__init__.py.in:369 +msgid "attribute listing allowed authentication types for a user" +msgstr "atribut vypisující typy umožněných ověřování pro uživatele" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "attribute containing the X509 certificate of the user" +msgstr "atribut obsahující X509 certifikát uživatele" + +#: src/config/SSSDConfig/__init__.py.in:371 +msgid "attribute containing the email address of the user" +msgstr "atribut obsahující 
e-mailovou adresu uživatele" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "A list of extra attributes to download along with the user entry" +msgstr "Seznam dalších atributů, které stáhnout společně s položkou uživatele" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Base DN for group lookups" +msgstr "Základ rozliš. názvu pro vyhledávání skupin" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Objectclass for groups" +msgstr "Objektová třída pro skupiny" + +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "Group name" +msgstr "Název skupiny" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Group password" +msgstr "Heslo skupiny" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "GID attribute" +msgstr "Atribut GID" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "Group member attribute" +msgstr "Atribut člen skupin" + +#: src/config/SSSDConfig/__init__.py.in:383 +msgid "Group UUID attribute" +msgstr "atribut UUID skupiny" + +#: src/config/SSSDConfig/__init__.py.in:385 +msgid "Modification time attribute for groups" +msgstr "Atribut okamžik úpravy pro skupiny" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Type of the group and other flags" +msgstr "Typ skupiny a ostatní příznaky" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "The LDAP group external member attribute" +msgstr "Atribut externí člen LDAP skupiny" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Maximum nesting level SSSD will follow" +msgstr "Do kolikáté úrovně vnoření bude SSSD následovat" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Base DN for netgroup lookups" +msgstr "Základ rozlišeného názvu pro vyhledávání negroup" + +#: src/config/SSSDConfig/__init__.py.in:392 +msgid "Objectclass for netgroups" +msgstr "Objektová třída pro netgroup" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Netgroup name" +msgstr "Negroup název" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Netgroups members attribute" +msgstr 
"Atribut členové negroup" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Netgroup triple attribute" +msgstr "Atribut trojitý netgroup" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Modification time attribute for netgroups" +msgstr "Atribut okamžik změny pro netgroup" + +#: src/config/SSSDConfig/__init__.py.in:398 +msgid "Base DN for service lookups" +msgstr "Základ rozliš. názvu pro hledání služeb" + +#: src/config/SSSDConfig/__init__.py.in:399 +msgid "Objectclass for services" +msgstr "Objektová třída pro služby" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Service name attribute" +msgstr "Atribut název služby" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Service port attribute" +msgstr "Atribut port služby" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Service protocol attribute" +msgstr "Atribut protokol služby" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "Lower bound for ID-mapping" +msgstr "Spodní spojení pro mapování identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Upper bound for ID-mapping" +msgstr "Horní spojení pro mapování identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:407 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "Počet identifikátorů pro každý plátek při mapování identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "Použít pro mapování identifikátorů algoritmus kompatibilní s autorid" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Name of the default domain for ID-mapping" +msgstr "Název výchozí domény pro mapování identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "SID of the default domain for ID-mapping" +msgstr "SID výchozí domény pro mapování identifikátorů" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Number of secondary slices" +msgstr "Počet sekundárních plátků" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "Whether 
to use Token-Groups" +msgstr "Zda používat skupiny tokenu" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "Nastavit spodní hranici pro umožněné identifikátory z LDAP serveru" + +#: src/config/SSSDConfig/__init__.py.in:415 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "Nastavit horní hranici pro umožněné identifikátory z LDAP serveru" + +#: src/config/SSSDConfig/__init__.py.in:416 +msgid "DN for ppolicy queries" +msgstr "Rozlišený název pro ppolicy dotazy" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "Kolik nejvýše položek získat při požadavku se zástupnými znaky" + +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "Policy to evaluate the password expiration" +msgstr "Pravidlo pro vyhodnocení skončení platnosti hesla" + +#: src/config/SSSDConfig/__init__.py.in:424 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" +"Jaké atributy mají být použity pro vyhodnocování zda platnost účtu skončila" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "Which rules should be used to evaluate access control" +msgstr "Která pravidla by měla být použita pro vyhodnocení řízení přístupu" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "URI adresa LDAP serveru na kterém je dovoleno provádět změny hesel" + +#: src/config/SSSDConfig/__init__.py.in:429 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "URI záložního LDAP serveru, na kterém je možné měnit hesla" + +#: src/config/SSSDConfig/__init__.py.in:430 +msgid "DNS service name for LDAP password change server" +msgstr "Název DNS služby pro LDAP server změny hesel" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" 
+msgstr "Zda aktualizovat atribut ldap_user_shadow_last_change po změně hesla" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Base DN for sudo rules lookups" +msgstr "Základ rozliš. názvu pro vyhledávání sudo pravidel" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "Automatic full refresh period" +msgstr "Perioda automatického úplného znovunačtení" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "Automatic smart refresh period" +msgstr "Perioda chytrého automatického znovunačtení" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "Zda filtrovat pravidla podle názvů strojů, IP adres a sítě" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" +"Názvy strojů a/nebo úplné doménové názvy tohoto stroje pro filtrování sudo " +"pravidel" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" +"IPv4 nebo IPv6 adresy nebo sítě tohoto stroje pro filtrování sudo pravidel" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" +"Zda zahrnout pravidla která obsahují v atributu stroj síťovou skupinu " +"(netgroup)" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" +"Zda zahrnout pravidla, která obsahují v atributu stroj regulární výraz" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Object class for sudo rules" +msgstr "Objektová třída pro sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule name" +msgstr "Název sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule command attribute" +msgstr "Atribut příkaz sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:445 
+msgid "Sudo rule host attribute" +msgstr "Atribut stroj sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule user attribute" +msgstr "Atribut uživatel sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule option attribute" +msgstr "Atribut volba sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule runas attribute" +msgstr "Atribut runas (spustit jako) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule runasuser attribute" +msgstr "Atribut runasuser (spusť jako uživatel) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule runasgroup attribute" +msgstr "Atribut runasgroup (spusť jako skupina) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:451 +msgid "Sudo rule notbefore attribute" +msgstr "Atribut notbefore (ne před) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:452 +msgid "Sudo rule notafter attribute" +msgstr "Atribut notafter (ne po) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Sudo rule order attribute" +msgstr "Atribut order (pořadí) sudo pravidla" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Object class for automounter maps" +msgstr "Objektová třída pro mapy automounter" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map name attribute" +msgstr "Atribut automounter název mapy" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Object class for automounter map entries" +msgstr "Objektová třída pro položky mapy automounteru" + +#: src/config/SSSDConfig/__init__.py.in:459 +msgid "Automounter map entry key attribute" +msgstr "Atribut klíč položky mapy automounteru" + +#: src/config/SSSDConfig/__init__.py.in:460 +msgid "Automounter map entry value attribute" +msgstr "Atribut hodnoty položky mapy automounter" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Base DN for automounter map lookups" +msgstr "Základ rozlišeného názvu pro vyhledávání 
map automounter" + +#: src/config/SSSDConfig/__init__.py.in:464 +msgid "Comma separated list of allowed users" +msgstr "Čárkou oddělovaný seznam uživatelů, kterým je umožněn přístup" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Comma separated list of prohibited users" +msgstr "Čárkou oddělovaný seznam uživatelů, kterým je odepřen přístup" + +#: src/config/SSSDConfig/__init__.py.in:468 +msgid "Default shell, /bin/bash" +msgstr "Výchozí shell, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "Base for home directories" +msgstr "Základ pro domovské složky" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The number of preforked proxy children." +msgstr "Počet předrozvětvených dílčích procesů proxy." + +#: src/config/SSSDConfig/__init__.py.in:475 +msgid "The name of the NSS library to use" +msgstr "Název NSS knihovny, kterou použít" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" +"Zda vyhledávat kanonický název skupiny z mezipaměti, pokud je to možné" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "PAM stack to use" +msgstr "PAM vrstvy, které použít" + +#: src/config/SSSDConfig/__init__.py.in:482 +msgid "Path of passwd file sources." +msgstr "Popis umístění souborových zdrojů passwd" + +#: src/config/SSSDConfig/__init__.py.in:483 +msgid "Path of group file sources." 
+msgstr "Popis umístění souborových zdrojů group" + +#: src/monitor/monitor.c:2332 +msgid "Become a daemon (default)" +msgstr "Přejít v proces služby (výchozí)" + +#: src/monitor/monitor.c:2334 +msgid "Run interactive (not a daemon)" +msgstr "Spustit interaktivně (ne jako proces služby)" + +#: src/monitor/monitor.c:2337 +msgid "Disable netlink interface" +msgstr "Vypnout netlink rozhraní" + +#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "Zadat nevýchozí soubor s nastaveními" + +#: src/monitor/monitor.c:2341 +msgid "Refresh the configuration database, then exit" +msgstr "Znovu načíst databázi s nastaveními, pak skončit" + +#: src/monitor/monitor.c:2344 +msgid "Similar to --genconf, but only refreshes the given section" +msgstr "Podobné s --genconf, ale znovu načte pouze danou sekci" + +#: src/monitor/monitor.c:2347 +msgid "Print version number and exit" +msgstr "Vypsat " + +#: src/monitor/monitor.c:2491 +msgid "SSSD is already running\n" +msgstr "SSSD už je spuštěné" + +#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Úroveň podrobností ladících zpráv" + +#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Přidat do ladících informací časové značky" + +#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "Zobrazovat časové značky s mikrosekundami" + +#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "Otevřený popisovač souboru pro záznam ladících informací" + +#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." +msgstr "Poslat ladící výstup přímo na standardní chybový výstup." 
+
+#: src/providers/krb5/krb5_child.c:3244
+msgid "The user to create FAST ccache as"
+msgstr "Uživatel pod kterým vytvořit FAST ccache"
+
+#: src/providers/krb5/krb5_child.c:3246
+msgid "The group to create FAST ccache as"
+msgstr "Skupina pod kterou vytvořit FAST ccache"
+
+#: src/providers/krb5/krb5_child.c:3248
+msgid "Kerberos realm to use"
+msgstr "Kerberos oblast (realm) kterou použít"
+
+#: src/providers/krb5/krb5_child.c:3250
+msgid "Requested lifetime of the ticket"
+msgstr "Požadovaná životnost lístku"
+
+#: src/providers/krb5/krb5_child.c:3252
+msgid "Requested renewable lifetime of the ticket"
+msgstr "Požadovaná obnovitelná životnosti lístku"
+
+#: src/providers/krb5/krb5_child.c:3254
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr "FAST volby („never“, „try“, „demand“)"
+
+#: src/providers/krb5/krb5_child.c:3257
+msgid "Specifies the server principal to use for FAST"
+msgstr "Určuje principal serveru které použít pro FAST"
+
+#: src/providers/krb5/krb5_child.c:3259
+msgid "Requests canonicalization of the principal name"
+msgstr "Požaduje kanonizaci názvu principalu"
+
+#: src/providers/krb5/krb5_child.c:3261
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr "Použít uživatelsky určenou verzi krb5_get_init_creds_password"
+
+#: src/providers/data_provider_be.c:674
+msgid "Domain of the information provider (mandatory)"
+msgstr "Doména poskytovatele informace (povinné)"
+
+#: src/sss_client/common.c:1084
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "Privilegovaný soket má nesprávné vlastnictví nebo oprávnění."
+
+#: src/sss_client/common.c:1087
+msgid "Public socket has wrong ownership or permissions."
+msgstr "Veřejný soket má chybné vlastnictví nebo oprávnění."
+
+#: src/sss_client/common.c:1090
+msgid "Unexpected format of the server credential message."
+msgstr "Neočekávaný formát zprávy o pověřeních serveru."
+
+#: src/sss_client/common.c:1093
+msgid "SSSD is not run by root."
+msgstr "SSSD není spouštěno správcem."
+
+#: src/sss_client/common.c:1096
+msgid "SSSD socket does not exist."
+msgstr "SSSD soket neexistuje."
+
+#: src/sss_client/common.c:1099
+msgid "Cannot get stat of SSSD socket."
+msgstr "Nedaří se získat stav SSSD soketu."
+
+#: src/sss_client/common.c:1104
+msgid "An error occurred, but no description can be found."
+msgstr "Došlo k chybě, ale nedaří se najít popis."
+
+#: src/sss_client/common.c:1110
+msgid "Unexpected error while looking for an error description"
+msgstr "Neočekávaná chyba při hledání popisu chyby"
+
+#: src/sss_client/pam_sss.c:67
+msgid "Permission denied. "
+msgstr "Přístup odepřen."
+
+#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:777
+#: src/sss_client/pam_sss.c:788
+msgid "Server message: "
+msgstr "Zpráva ze serveru:"
+
+# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa
+#: src/sss_client/pam_sss.c:295
+msgid "Passwords do not match"
+msgstr "Zadání hesla se neshodují"
+
+#: src/sss_client/pam_sss.c:483
+msgid "Password reset by root is not supported."
+msgstr "Reset hesla správcem není podporován."
+
+#: src/sss_client/pam_sss.c:524
+msgid "Authenticated with cached credentials"
+msgstr "Přihlášeni přihlašovacími údaji z mezipaměti"
+
+#: src/sss_client/pam_sss.c:525
+msgid ", your cached password will expire at: "
+msgstr ", platnost mezipaměti skončí v:"
+
+#: src/sss_client/pam_sss.c:555
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr "Platnost vašeho hesla skončila. Zbývá vám %1$d přihlášení."
+
+#: src/sss_client/pam_sss.c:601
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Platnost vašeho hesla skončí v %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:650
+msgid "Authentication is denied until: "
+msgstr "Ověření odepřeno do:"
+
+#: src/sss_client/pam_sss.c:671
+msgid "System is offline, password change not possible"
+msgstr "Systém není dostupný, změna hesla není možná"
+
+#: src/sss_client/pam_sss.c:686
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Po změně OTP hesla, je třeba se odhlásit/přihlásit aby byl získán lístek"
+
+#: src/sss_client/pam_sss.c:774 src/sss_client/pam_sss.c:787
+msgid "Password change failed. "
+msgstr "Změna hesla se nezdařila."
+
+#: src/sss_client/pam_sss.c:1977
+msgid "New Password: "
+msgstr "Nové heslo:"
+
+#: src/sss_client/pam_sss.c:1978
+msgid "Reenter new Password: "
+msgstr "Zopakování nového hesla:"
+
+#: src/sss_client/pam_sss.c:2139 src/sss_client/pam_sss.c:2142
+msgid "First Factor: "
+msgstr "Hlavní faktor:"
+
+#: src/sss_client/pam_sss.c:2140 src/sss_client/pam_sss.c:2303
+msgid "Second Factor (optional): "
+msgstr "Druhý faktor (volitelné):"
+
+#: src/sss_client/pam_sss.c:2143 src/sss_client/pam_sss.c:2306
+msgid "Second Factor: "
+msgstr "Druhý faktor:"
+
+# auto translated by TM merge from project: anaconda, version: f25, DocId: main
+#: src/sss_client/pam_sss.c:2158
+msgid "Password: "
+msgstr "Heslo: "
+
+#: src/sss_client/pam_sss.c:2302 src/sss_client/pam_sss.c:2305
+msgid "First Factor (Current Password): "
+msgstr "Hlavní faktor (stávající heslo):"
+
+#: src/sss_client/pam_sss.c:2309
+msgid "Current Password: "
+msgstr "Stávající heslo:"
+
+#: src/sss_client/pam_sss.c:2664
+msgid "Password expired. Change your password now."
+msgstr "Platnost hesla skončila. Změňte si ho."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:704
+msgid "The debug level to run with"
+msgstr "Úroveň ladících informací, se kterou spustit"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "SSSD doména, kterou použít"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:750
+msgid "Error setting the locale\n"
+msgstr "Chyba při nastavování místního a jazykového nastavení\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "Nedostatek paměti\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Uživatel nezadán\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Chyba při hledání veřejných klíčů\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Port který použít pro připojení se k hostiteli"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr "Vypsat veřejné ssh klíče stroje"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Neplatný port\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Stroj neurčen\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Je třeba, aby popis umístění příkazu proxy byl úplný\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342
+#, c-format
+msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n"
+msgstr "sss_ssh_knownhostsproxy: Nedaří se přeložit název stroje %s\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "UID uživatele"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Řetězec komentáře"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Domovská složka"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Přihlašovací shell"
+
+# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Skupiny"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Vytvořit složku uživatele (pokud neexistuje)"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Nikdy nevytvářet složku uživatele, přebije nastavení"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Zadejte alternativní složku skeleton"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "SELinux uživatel pro přihlášení uživatele"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Zadejte skupinu do které přidat\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Zadejte uživatele kterého přidat\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no 
local domain\n"
+msgstr "Chyba při inicializaci nástrojů – žádná místní doména\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Chyba při inicializaci nástrojů\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "V FQDN zadána neplatná doména\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Vnitřní chyba při zpracovávání parametrů\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Je třeba, aby skupiny byly ve stejné doméně, jako uživatel\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr "Skupinu %1$s se nedaří nalézt v místní doméně\n"
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Nedaří se nastavit výchozí hodnoty\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "Vybrané UID je mimo dovolený rozsah\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "Nedaří se nastavit SELinux přihlašovací kontext\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Nedaří se získat informace o uživateli\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already 
exists, not copying data from skeldir\n"
+msgstr ""
+"Domovská složka uživatele už existuje, data z té vzorové (skeldir) proto "
+"nekopírována\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr "Domovskou složku uživatele se nedaří vytvořit: %1$s\n"
+"\n"
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr "Nedaří se vytvořit e-mailovou schránku uživatele: %1$s\n"
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "Nedaří se přiřadit identifikátor pro uživatele – doména je plná?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr ""
+"Uživatel nebo skupina se stejným jménem/názvem nebo identifikátorem už "
+"existuje\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Chyba transakce. Nedaří se přidat uživatele.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "GID identifikátor skupiny"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Zadejte skupinu kterou přidat\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "Zvolený identifikátor skupiny je mimo dovolený rozsah\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "Nedaří se přiřadit identifikátor pro skupinu – doména je plná?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Skupina se stejným jménem/názvem nebo identifikátorem už existuje\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Chyba transakce. 
Skupinu se nedaří přidat.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Zadejte skupinu, kterou smazat\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr "Identifikátor skupiny %1$s se nachází mimo určený rozsah pro doménu\n"
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+"NSS požadavek se nezdařil (%1$d). Položka mohla zůstat v mezipaměti v paměti."
+"\n"
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local domain."
+"\n"
+msgstr ""
+"V místní doméně taková skupina neexistuje. Odebírání skupin je umožněno "
+"pouze v místní doméně.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Vnitřní chyba. 
Skupinu se nedaří odstranit.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Skupiny do kterou tuto skupinu přidat"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Skupiny, ze kterých tuto skupinu odebrat"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr "Zadejte skupinu, ze které odebrat\n"
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Zadejte skupinu pro úpravu\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"Skupinu se nedaří najít v místní doméně, upravování skupin je dovoleno pouze "
+"v místní doméně\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+"Je třeba, aby skupiny, které mají být členy, se nacházely ve stejné doméně, "
+"jako skupina, které mají být členy\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+"Skupinu %1$s se nedaří najít v místní doméně, jsou dovoleny pouze skupiny z "
+"místní domény\n"
+"\n"
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"Skupinu se nedaří změnit – zkontrolujte, zda jsou názvy členských skupin "
+"správné\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr "Skupinu se nedaří upravit – zkontrolujte, že je její název správně\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Chyba transakce. 
Skupinu se nedaří změnit.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sskupina: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magické soukromé"
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$sGID číslo: %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr "%1$sčlenové uživatelé: "
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid "\n"
+"%1$sIs a member of: "
+msgstr "\n"
+"%1$sJe členem: "
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid "\n"
+"%1$sMember groups: "
+msgstr "\n"
+"%1$sČlenské skupiny: "
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Vypsat nepřímé členy skupiny rekurzivně"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Zadejte skupinu, kterou zobrazit\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local domain."
+"\n"
+msgstr ""
+"V místní doméně se taková skupina nenachází. Vypisování skupin je dovolené "
+"pouze v místní doméně.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Vnitřní chyby. 
Skupinu se nedaří vypsat.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Odebrat domovskou složku a e-mailovou schránku"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Neodebrat domovskou složku a e-mailovou schránku"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Vynutit odebrání souborů, nevlastněných uživatelem"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr ""
+"Před jeho odebráním, vynutit ukončení všech procesů, spuštěných jak uživatel"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Zadejte uživatele, kterého smazat\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+"Uživatel %1$s se nachází mimo určený rozsah idenfifikátorů pro doménu\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "Nedaří se resetovat SELinux přihlašovací kontext\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr "VAROVÁNÍ: uživatel (uid %1$lu) byl při mazání stále přihlášen.\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr "Nedaří se zjistit zda uživatel byl přihlášen na této platformě."
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Chyba při zjišťování zda byl uživatel přihlášen\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "Příkaz po smazání se nezdařil: %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "Neodebírá se domovská složka – nevlastněno uživatelem\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr "Nedaří se odebrat domovskou složku: %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"V místní doméně žádný takový uživatel neexistuje. Odebírání uživatelů je "
+"dovoleno pouze v místní doméně.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Vnitřní chyba. Uživatele se nedaří odebrat.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "GID identifikátor uživatele"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Skupiny do kterých tohoto uživatele přidat"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Skupiny, ze kterých tohoto uživatele odebrat"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Uzamknout účet"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Odemknout účet"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Přidat dvojici atribut a hodnota. Formát je nazevatributu=hodnota."
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Smazat dvojici atribut a hodnota. Formát je nazevatributu=hodnota."
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. 
For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Nastavit atribut na dvojici název/hodnota. Formát je nazevatributu=hodnota. "
+"Pro atributy s vícero hodnotami, příkaz nahrazuje už přítomné hodnoty"
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr "Zadejte dvojice název/hodnota atributu\n"
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Zadejte uživatele, kterého změnit\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Uživatele se nedaří v místní doméně nedaří najít, úprava uživatelů je "
+"dovolena pouze v místní doméně\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr "Uživatele se nedaří změnit – ověřte, že jsou názvy skupin správně\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr "Uživatele se nedaří změnit – uživatel už je členem skupin?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Chyba transakce. 
Uživatele se nedaří změnit.\n"
+
+#: src/tools/sss_cache.c:245
+msgid "No cache object matched the specified search\n"
+msgstr "Žádný z objektů v mezipaměti se neshoduje se zadaným hledáním\n"
+
+#: src/tools/sss_cache.c:536
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr "Nedaří se zneplatnit %1$s\n"
+
+#: src/tools/sss_cache.c:543
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr "Nedaří se zneplatnit %1$s %2$s\n"
+
+#: src/tools/sss_cache.c:706
+msgid "Invalidate all cached entries"
+msgstr "Zneplatnit veškeré položky v mezipaměti"
+
+#: src/tools/sss_cache.c:708
+msgid "Invalidate particular user"
+msgstr "Zneplatnit konkrétního uživatele"
+
+#: src/tools/sss_cache.c:710
+msgid "Invalidate all users"
+msgstr "Zneplatnit všechny uživatele"
+
+#: src/tools/sss_cache.c:712
+msgid "Invalidate particular group"
+msgstr "Zneplatnit konkrétní skupinu"
+
+#: src/tools/sss_cache.c:714
+msgid "Invalidate all groups"
+msgstr "Zneplatnit všechny skupiny"
+
+#: src/tools/sss_cache.c:716
+msgid "Invalidate particular netgroup"
+msgstr "Zneplatnit konkrétní síťovou skupinu"
+
+#: src/tools/sss_cache.c:718
+msgid "Invalidate all netgroups"
+msgstr "Zneplatnit veškeré síťové skupiny"
+
+#: src/tools/sss_cache.c:720
+msgid "Invalidate particular service"
+msgstr "Zneplatnit konkrétní službu"
+
+#: src/tools/sss_cache.c:722
+msgid "Invalidate all services"
+msgstr "Zneplatnit všechny služby"
+
+#: src/tools/sss_cache.c:725
+msgid "Invalidate particular autofs map"
+msgstr "Zneplatnit konkrétní autofs mapu"
+
+#: src/tools/sss_cache.c:727
+msgid "Invalidate all autofs maps"
+msgstr "Zneplatnit veškeré autofs mapy"
+
+#: src/tools/sss_cache.c:731
+msgid "Invalidate particular SSH host"
+msgstr "Zneplatnit konkrétního SSH hostitele"
+
+#: src/tools/sss_cache.c:733
+msgid "Invalidate all SSH hosts"
+msgstr "Zneplatnit veškeré SSH hostitele"
+
+#: src/tools/sss_cache.c:737
+msgid "Invalidate particular sudo rule"
+msgstr "Zneplatnit konkrétní sudo pravidlo"
+
+#: 
src/tools/sss_cache.c:739
+msgid "Invalidate all cached sudo rules"
+msgstr "Zneplatnit veškerá sudo pravidla v mezipaměti"
+
+#: src/tools/sss_cache.c:742
+msgid "Only invalidate entries from a particular domain"
+msgstr "Zneplatnit pouze položky z konkrétní domény"
+
+#: src/tools/sss_cache.c:796
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+"Poskytnuty neočekávané argumenty, volby které zneplatňují jediný objekt "
+"přijímají pouze jediný zadaný argument.\n"
+
+#: src/tools/sss_cache.c:806
+msgid "Please select at least one object to invalidate\n"
+msgstr "Vyberte alespoň jeden objekt, který zneplatnit\n"
+
+#: src/tools/sss_cache.c:889
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"Nedaří se otevřít doménu %1$s. Pokud je domény dílčí doménou (důvěryhodná "
+"doména), použijte úplný název namísto parametru --domain/-d."
+
+#: src/tools/sss_cache.c:894
+msgid "Could not open available domains\n"
+msgstr "Nedaří se otevřít které domény jsou k dispozici\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr "Název „%1$s“ se nezdá být FQDN (je nastaveno „%2$s = TRUE“)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Došla paměť\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "%1$s je třeba spustit s právy správce systému (root)\n"
+
+# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr "ano"
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr "ne"
+
+# auto translated by TM merge from project: firewalld, version: master, DocId: po/firewalld
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr "chyba"
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr "Neplatný výsledek."
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr "Nedaří se číst vstup od uživatele\n"
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr "Neplatný vstup, zadejte buď „%s“ nebo „%s“.\n"
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr "Chyba při vykonávání externího příkazu\n"
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr "Je třeba, aby bylo SSSD spuštěné. Spustit ho nyní?"
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr "Je třeba, aby bylo SSSD zastavené. Zastavit ho nyní?"
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr "Je třeba, aby bylo SSSD restartováno. Restartovat ho nyní?"
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr "%s se nenachází v mezipaměti.\n"
+
+# auto translated by TM merge from project: libosinfo, version: master, DocId: libosinfo
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr "Název"
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr "Datum vytvoření položky v mezipaměti"
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr "Okamžik poslední aktualizace položky mezipaměti"
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr "Okamžik skončení platnosti položky mezipaměti"
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr "Uloženo v mezipaměti v InfoPipe"
+
+#: src/tools/sssctl/sssctl_cache.c:522
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr "Chyba: nedaří se získat objekt [%d]: %s\n"
+
+#: src/tools/sssctl/sssctl_cache.c:538
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr "%s: nedaří se načíst hodnotu [%d]: %s\n"
+
+#: src/tools/sssctl/sssctl_cache.c:566
+msgid "Specify name."
+msgstr "Zadejte jméno."
+
+#: src/tools/sssctl/sssctl_cache.c:576
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr "Nedaří se zpracovat název %s.\n"
+
+#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+msgid "Search by SID"
+msgstr "Hledat podle SID identifikátoru"
+
+#: src/tools/sssctl/sssctl_cache.c:603
+msgid "Search by user ID"
+msgstr "Hledat podle identif. uživatele"
+
+#: src/tools/sssctl/sssctl_cache.c:612
+msgid "Initgroups expiration time"
+msgstr "Okamžik skončení platnosti initgroups"
+
+#: src/tools/sssctl/sssctl_cache.c:650
+msgid "Search by group ID"
+msgstr "Hledat podle identif. skupiny"
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. 
SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+"Soubor %1$s neexistuje. SSSD použije výchozí nastavení s poskytovatelem "
+"files (soubory).\n"
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+"Kontrola vlastnictví a oprávnění souboru se nezdařila. Očekáváno root:root a "
+"0600.\n"
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr "Problémy identifikované ověřovači: %zu\n"
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr "Zprávy vytvořené při slučování nastavení: %zu\n"
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr "Použité soubory s útržky nastavení: %u\n"
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr "Nedaří se vytvořit složku zálohy [%d]: %s"
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr "SSSD záloha místních dat už existuje, přepsat?"
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr "Nedaří se exportovat uživatelské přebití\n"
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr "Nedaří se exportovat přebití skupin\n"
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr "Přepsat existující zálohu"
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr "Nedaří se importovat přebití uživatelů\n"
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr "Nedaří se importovat přebití skupin\n"
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_domains.c:315
+msgid "Start SSSD if it is not running"
+msgstr "Pokud není, spustit proces služby sssd"
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr "Po importu dat restartovat sssd"
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr "Vytvořit prázdné soubory mezipaměti a importovat místní data"
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr "Před odebráním mezipaměti zastavit sssd"
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr "Při odebrání mezipaměti zastavit sssd"
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr "Vytváření zálohy místních dat…\n"
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr "Nedaří se vytvořit zálohu místních dat, nedaří se odebrat mezipaměť.\n"
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr "Odebírání souborů mezipaměti…\n"
+
+#: 
src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "Nedaří se odebrat soubory mezipaměti\n" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "Obnovování místních dat…\n" + +#: src/tools/sssctl/sssctl_domains.c:83 +msgid "Show domain list including primary or trusted domain type" +msgstr "Zobrazit seznam domén včetně typu hlavní nebo důvěryhodná doména" + +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_user_checks.c:95 +#, c-format +msgid "Unable to connect to system bus!\n" +msgstr "Nedaří se připojit ke sběrnici systému!\n" + +#: src/tools/sssctl/sssctl_domains.c:167 +#, c-format +msgid "Online status: %s\n" +msgstr "Online stav: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:167 +msgid "Online" +msgstr "Online" + +#: src/tools/sssctl/sssctl_domains.c:167 +msgid "Offline" +msgstr "Offline" + +#: src/tools/sssctl/sssctl_domains.c:212 +#, c-format +msgid "Active servers:\n" +msgstr "Aktivní servery:\n" + +#: src/tools/sssctl/sssctl_domains.c:223 +msgid "not connected" +msgstr "nepřipojeno" + +#: src/tools/sssctl/sssctl_domains.c:260 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "Objeveno %s serverů:\n" + +#: src/tools/sssctl/sssctl_domains.c:272 +msgid "None so far.\n" +msgstr "Zatím žádné.\n" + +#: src/tools/sssctl/sssctl_domains.c:312 +msgid "Show online status" +msgstr "Zobrazit stav online" + +#: src/tools/sssctl/sssctl_domains.c:313 +msgid "Show information about active server" +msgstr "Zobrazit informace o aktivním serveru" + +#: src/tools/sssctl/sssctl_domains.c:314 +msgid "Show list of discovered servers" +msgstr "Zobrazit seznam objevených serverů" + +#: src/tools/sssctl/sssctl_domains.c:320 +msgid "Specify domain name." +msgstr "Zadejte název domény." 
+ +# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa +#: src/tools/sssctl/sssctl_domains.c:342 +#, c-format +msgid "Out of memory!\n" +msgstr "Nedostatek paměti!\n" + +#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 +#, c-format +msgid "Unable to get online status\n" +msgstr "Nedaří se zjistit stav online\n" + +#: src/tools/sssctl/sssctl_domains.c:382 +#, c-format +msgid "Unable to get server list\n" +msgstr "Nedaří se získat seznam serverů\n" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "\n" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "Namísto zkrácení soubory se záznamem událostí smazat" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "Mazání souborů se záznamem událostí…\n" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "Nedaří se odebrat soubory se záznamem událostí\n" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "Zkracování souborů…\n" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "Nedaří se zkrátit soubory se záznamem událostí\n" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "Došla paměť!" 
+ +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "Archivují se soubory se záznamem událostí do %s…\n" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "Nedaří se archivovat soubory se záznamem událostí\n" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "Zadejte stupeň podrobností ladících informací, který chcete nastavit" + +#: src/tools/sssctl/sssctl_user_checks.c:117 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "Výsledek SSSD InfoPipe uživatel:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:167 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "dlopen se nezdařilo s [%s].\n" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "dlsym se nezdařilo s [%s].\n" + +#: src/tools/sssctl/sssctl_user_checks.c:182 +#, c-format +msgid "malloc failed.\n" +msgstr "malloc se nezdařilo.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:189 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "sss_getpwnam_r se nezdařilo s [%d].\n" + +#: src/tools/sssctl/sssctl_user_checks.c:194 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "Výsledek SSSD nss hledání uživatele:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:195 +#, c-format +msgid " - user name: %s\n" +msgstr " ‒ uživatelské jméno: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:196 +#, c-format +msgid " - user id: %d\n" +msgstr " - identif. uživatele: %d\n" + +#: src/tools/sssctl/sssctl_user_checks.c:197 +#, c-format +msgid " - group id: %d\n" +msgstr " - identif. 
skupiny: %d\n" + +#: src/tools/sssctl/sssctl_user_checks.c:198 +#, c-format +msgid " - gecos: %s\n" +msgstr " - gecos: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:199 +#, c-format +msgid " - home directory: %s\n" +msgstr " - domovská složka: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:200 +#, c-format +msgid " - shell: %s\n" +"\n" +msgstr " - shell: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "PAM akce [auth|acct|setc|chau|open|clos], výchozí: " + +#: src/tools/sssctl/sssctl_user_checks.c:235 +msgid "PAM service, default: " +msgstr "PAM služba, výchozí: " + +#: src/tools/sssctl/sssctl_user_checks.c:240 +msgid "Specify user name." +msgstr "Zadejte uživatelské jméno." + +#: src/tools/sssctl/sssctl_user_checks.c:247 +#, c-format +msgid "user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "uživatel: %s\n" +"akce: %s\n" +"služba: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "Vyhledání uživatelského jména s [%s] se nezdařilo.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:258 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "InfoPipe vyhledání uživatele s [%s] se nezdařilo.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:265 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "pam_start se nezdařilo: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "testing pam_authenticate\n" +"\n" +msgstr "zkoušení pam_authenticate\n" +"\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "pam_get_item se nezdařilo: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "pam_authenticate pro uživatele [%s]: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "testing pam_chauthtok\n" +"\n" +msgstr 
"zkoušení pam_chauthtok\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:283 +#, c-format +msgid "pam_chauthtok: %s\n" +"\n" +msgstr "pam_chauthtok: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:285 +#, c-format +msgid "testing pam_acct_mgmt\n" +"\n" +msgstr "zkoušení pam_acct_mgmt\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:287 +#, c-format +msgid "pam_acct_mgmt: %s\n" +"\n" +msgstr "pam_acct_mgmt: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:289 +#, c-format +msgid "testing pam_setcred\n" +"\n" +msgstr "zkoušení pam_setcred\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:291 +#, c-format +msgid "pam_setcred: [%s]\n" +"\n" +msgstr "pam_setcred: [%s]\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:293 +#, c-format +msgid "testing pam_open_session\n" +"\n" +msgstr "zkoušení pam_open_session\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:295 +#, c-format +msgid "pam_open_session: %s\n" +"\n" +msgstr "pam_open_session: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:297 +#, c-format +msgid "testing pam_close_session\n" +"\n" +msgstr "zkoušení pam_close_session\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:299 +#, c-format +msgid "pam_close_session: %s\n" +"\n" +msgstr "pam_close_session: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:302 +#, c-format +msgid "unknown action\n" +msgstr "neznámá akce\n" + +#: src/tools/sssctl/sssctl_user_checks.c:305 +#, c-format +msgid "PAM Environment:\n" +msgstr "PAM prostředí:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:313 +#, c-format +msgid " - no env -\n" +msgstr " - žádné prostředí -\n" + +#: src/util/util.h:82 +msgid "The user ID to run the server as" +msgstr "Identifikátor uživatele (UID) pod kterým server spustit" + +#: src/util/util.h:84 +msgid "The group ID to run the server as" +msgstr "Identifikátor uživatele (GID) pod kterým server spustit" + +#: src/util/util.h:92 +msgid "Informs that the responder has been socket-activated" +msgstr "Informuje, 
že odpovídač byl aktivován soketem"
+
+#: src/util/util.h:94
+msgid "Informs that the responder has been dbus-activated"
+msgstr "Informuje, že odpovídač byl aktivován přes dbus"
--- sssd-2.2.2.orig/scripts/release.sh
+++ sssd-2.2.2/scripts/release.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+function config()
+{
+ autoreconf -i -f || return $?
+ ./configure
+}
+
+SAVED_PWD=$PWD
+version=`grep '\[VERSION_NUMBER], \[.*\]' version.m4 |grep '[0-9]\+\.[0-9]\+\.[0-9]\+' -o`
+tag=$(echo ${version} | tr "." "_")
+
+trap "cd $SAVED_PWD; rm -rf sssd-${version} sssd-${version}.tar" EXIT
+
+git archive --format=tar --prefix=sssd-${version}/ sssd-${tag} > sssd-${version}.tar
+if [ $? -ne 0 ]; then
+ echo "Cannot perform git-archive, check if tag $tag is present in git tree"
+ exit 1
+fi
+tar xf sssd-${version}.tar
+
+pushd sssd-${version}
+config || exit 1
+make dist-gzip || exit 1 # also builds docs
+popd
+
+mv sssd-${version}/sssd-${version}.tar.gz .
+gpg --detach-sign --armor sssd-${version}.tar.gz
+
--- sssd-2.2.2.orig/src/man/po/LINGUAS
+++ sssd-2.2.2/src/man/po/LINGUAS
@@ -0,0 +1,2 @@
+ca
+cs
--- sssd-2.2.2.orig/src/providers/data_provider/dp_pam_data.h
+++ sssd-2.2.2/src/providers/data_provider/dp_pam_data.h
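Review bot: `version` is used in `rm -rf`, in the tag name and in the name of the file that gets signed without ever being checked; when the `grep` pipeline on `version.m4` matches nothing, the script carries on with an empty value and only fails later at `git archive`. Add `[ -n "$version" ] || { echo "Cannot parse version from version.m4"; exit 1; }` right after the assignment. The `trap` string is double-quoted, so `$SAVED_PWD` is expanded when the trap is installed and is unquoted when it runs; `trap 'cd "$SAVED_PWD"; rm -rf "sssd-${version}" "sssd-${version}.tar"' EXIT` survives a checkout path that contains spaces. Because the script ends with `gpg --detach-sign`, it is also worth verifying the tag (for example with `git verify-tag`) before archiving it, so the signature covers a tree whose origin was checked.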
@@ -0,0 +1,94 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _DP_PAM_DATA_H_
+#define _DP_PAM_DATA_H_
+
+#include "config.h"
+#include
+#include
+#ifdef USE_KEYRING
+#include
+#include
+#endif
+
+#include "util/debug.h"
+#include "util/authtok.h"
+
+#define DEBUG_PAM_DATA(level, pd) do { \
+ if (DEBUG_IS_SET(level)) pam_print_data(level, pd); \
+} while(0)
+
+struct response_data {
+ int32_t type;
+ int32_t len;
+ uint8_t *data;
+ bool do_not_send_to_client;
+ struct response_data *next;
+};
+
+struct pam_data {
+ int cmd;
+ char *domain;
+ char *user;
+ char *service;
+ char *tty;
+ char *ruser;
+ char *rhost;
+ char **requested_domains;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
+ uint32_t cli_pid;
+ char *logon_name;
+
+ int pam_status;
+ int response_delay;
+ struct response_data *resp_list;
+
+ bool offline_auth;
+ bool last_auth_saved;
+ int priv;
+ int account_locked;
+
+#ifdef USE_KEYRING
+ key_serial_t key_serial;
+#endif
+};
+
+/**
+ * @brief Create new zero initialized struct pam_data.
+ *
+ * @param mem_ctx A memory context use to allocate the internal data
+ * @return A pointer to new struct pam_data
+ * NULL on error
+ *
+ * NOTE: This function should be the only way, how to create new empty
+ * struct pam_data, because this function automatically initialize sub
+ * structures and set destructor to created object.
+ */
+struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx);
+errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *old_pd,
+ struct pam_data **new_pd);
+void pam_print_data(int l, struct pam_data *pd);
+int pam_add_response(struct pam_data *pd,
+ enum response_type type,
+ int len, const uint8_t *data);
+
+#endif /* _DP_PAM_DATA_H_ */
--- sssd-2.2.2.orig/src/providers/data_provider/dp_sbus.c
+++ sssd-2.2.2/src/providers/data_provider/dp_sbus.c
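Review bot: Only `create_pam_data` is documented; `copy_pam_data`, `pam_print_data` and `pam_add_response` are declared with no stated contract, although two of them handle sensitive or length-carrying data. `struct pam_data` holds `authtok` and `newauthtok`, and `DEBUG_PAM_DATA` hands the whole structure to `pam_print_data`, so the declaration should say what is logged, e.g. `/* Logs the fields of pd at debug level l; must not print the contents of authtok or newauthtok. */` (the implementation is not part of this hunk, so this is a contract to confirm rather than a reported leak). For `pam_add_response`, `len` is a signed `int` next to `const uint8_t *data` while `response_data.len` is `int32_t`; a comment should state whether `data` is copied and that a negative `len` is rejected.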
@@ -0,0 +1,46 @@
+/*
+ SSSD
+
+ Data Provider Helpers
+
+ Copyright (C) Stephen Gallagher 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+#include
+#include
+
+#include "confdb/confdb.h"
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider.h"
+
+int dp_get_sbus_address(TALLOC_CTX *mem_ctx,
+ char **address, const char *domain_name)
+{
+ char *default_address;
+
+ *address = NULL;
+ default_address = talloc_asprintf(mem_ctx, "unix:path=%s/%s_%s",
+ PIPE_PATH, DATA_PROVIDER_PIPE,
+ domain_name);
+ if (default_address == NULL) {
+ return ENOMEM;
+ }
+
+ *address = default_address;
+ return EOK;
+}
+
--- sssd-2.2.2.orig/src/tests/intg/.config/screenrc
+++ sssd-2.2.2/src/tests/intg/.config/screenrc
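Review bot: `domain_name` is formatted straight into the `unix:path=` address with no NULL check and no escaping. Passing a NULL pointer to `%s` is undefined behaviour (glibc prints `(null)`, which gives a plausible but wrong socket path), and D-Bus address values reserve characters such as `,` and `;`, so a domain name containing them would produce an address that parses differently from what was intended. I would add `if (address == NULL || domain_name == NULL) return EINVAL;` before `*address = NULL;` and, unless domain names are already restricted by the configuration parser (not visible in this hunk), escape the path with `dbus_address_escape_value()` before building the address.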
@@ -0,0 +1,23 @@
+autodetach on
+defscrollback 1024
+startup_message off
+nethack on
+vbell off
+vbell_msg " -- Bell,Bell!! -- "
+multiuser off
+msgminwait 0
+msgwait 10
+
+defutf8 on
+defencoding utf8
+
+hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}]%{=b C}[ %d/%m %c ]%{W}'
+hardstatus alwayslastline
+
+setenv LD_LIBRARY_PATH "$_LD_LIBRARY_PATH"
+setenv LD_PRELOAD "$_LD_PRELOAD"
+
+screen -t / 0 sh -c 'cd $ROOT_DIR; exec "${SHELL:-sh}"'
+screen -t /etc 1 sh -c 'cd $ROOT_DIR/etc; exec "${SHELL:-sh}"'
+screen -t sssd_cache 3 sh -c 'cd $ROOT_DIR/var/lib/sss/db; exec "${SHELL:-sh}"'
+screen -t sssd_log 2 sh -c 'cd $ROOT_DIR/var/log/sssd; exec "${SHELL:-sh}"'
--- sssd-2.2.2.orig/src/tests/intg/data/ssh_schema.ldif
+++ sssd-2.2.2/src/tests/intg/data/ssh_schema.ldif
@@ -0,0 +1,11 @@
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MAY ( sshPublicKey $ uid )
+ )
--- sssd-2.2.2.orig/src/tests/intg/test_sss_cache.py
+++ sssd-2.2.2/src/tests/intg/test_sss_cache.py
@@ -0,0 +1,67 @@
+#
+# SSSD files domain tests
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Lukas Slebodnik
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import subprocess
+
+
+def test_missing_domains():
+ # Utilities in shadow-utils call sss_cache but it might fail in case
+ # sssd has never been started on such host.
+ ret = subprocess.call(["sss_cache", "-U"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-G"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-E"])
+ assert ret == 0
+
+
+def test_nothing_cache():
+ # Ensure we do not fail in case there are not any entries to invalidate
+ ret = subprocess.call(["sssd", "--genconf"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-U"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-G"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-E"])
+ assert ret == 0
+
+
+def test_invalidate_missing_specific_entry():
+ # Ensure we will fail when invalidating missing specific entry
+ ret = subprocess.call(["sssd", "--genconf"])
+ assert ret == 0
+
+ ret = subprocess.call(["sss_cache", "-u", "non-existing"])
+ assert ret == 2
+
+ ret = subprocess.call(["sss_cache", "-d", "non-existing", "-u", "dummy"])
+ assert ret == 2
+
+ ret = subprocess.call(["sss_cache", "-g", "non-existing"])
+ assert ret == 2
+
+ ret = subprocess.call(["sss_cache", "-d", "non-existing", "-g", "dummy"])
+ assert ret == 2
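Review bot: The header comment `# SSSD files domain tests` does not describe this file, which only exercises the `sss_cache` command line; it should read `# SSSD sss_cache tests`. The three test functions state their intent in `#` comments rather than docstrings, so pytest reports and tooling cannot show it; a docstring such as `"""sss_cache must succeed even when sssd has never been started on the host."""` on `test_missing_domains` (and the equivalent on the other two) fixes that. `subprocess.call` is given argument lists, which is right, but `sss_cache` and `sssd` are resolved through `PATH`, so a short comment naming the environment that is expected to set `PATH` would make clear which binaries are under test.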
--- sssd-2.2.2.orig/src/tests/multihost/basic/test_ldap.py
+++ sssd-2.2.2/src/tests/multihost/basic/test_ldap.py
@@ -0,0 +1,142 @@ +""" SSSD LDAP provider tests """ + +import re +import time +from sssd.testlib.common.utils import SSHClient +import pytest +import textwrap +try: + import ConfigParser +except ImportError: + import configparser as ConfigParser + +UNINDENT_RE = re.compile("^ +", re.MULTILINE) + + +def expect_chpass_script(current_pass, new_pass): + return textwrap.dedent("""\ + set timeout 15 + spawn passwd + expect "Changing password for user puser." + expect "Current Password:" + send "{current_pass}\r" + expect "New password:" + send "{new_pass}\r" + expect "Retype new password:" + send "{new_pass}\r" + expect "passwd: all authentication tokens updated successfully" + expect EOF + """).format(**locals()) + + +def run_expect_script(multihost, ssh_conn, expect_string): + expect_file = '/tmp/expect_multihost' + try: + multihost.master[0].run_command('rm -f ' + expect_file) + multihost.master[0].put_file_contents(expect_file, expect_string) + ssh_conn.execute_cmd('expect -f ' + expect_file) + except Exception as err: + raise err + finally: + multihost.master[0].run_command('rm -f ' + expect_file) + + +def chpass(multihost, ssh_conn, current_pass, new_pass): + script = expect_chpass_script(current_pass, new_pass) + run_expect_script(multihost, ssh_conn, script) + + +@pytest.fixture +def set_ldap_auth_provider(session_multihost, request): + """ Set entry cache sudo timeout in sssd.conf """ + bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' + session_multihost.master[0].run_command(bkup_sssd) + session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', + '/tmp/sssd.conf') + sssdconfig = ConfigParser.ConfigParser() + sssdconfig.read('/tmp/sssd.conf') + domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') + if domain_section in sssdconfig.sections(): + sssdconfig.set(domain_section, 'auth_provider', 'ldap') + sssdconfig.set(domain_section, + 'ldap_auth_disable_tls_never_use_in_production', + 'true') + with open('/tmp/sssd.conf', "w") as 
sssconf: + sssdconfig.write(sssconf) + session_multihost.master[0].transport.put_file('/tmp/sssd.conf', + '/etc/sssd/sssd.conf') + session_multihost.master[0].service_sssd('restart') + + def restore_sssd(): + """ Restore sssd.conf """ + restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' + session_multihost.master[0].run_command(restore_sssd) + session_multihost.master[0].service_sssd('restart') + request.addfinalizer(restore_sssd) + + +@pytest.fixture +def set_ldap_pwmodify_mode_ldap_modify(session_multihost, request): + """ Set entry cache sudo timeout in sssd.conf """ + bkup_sssd = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' + session_multihost.master[0].run_command(bkup_sssd) + session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf', + '/tmp/sssd.conf') + sssdconfig = ConfigParser.ConfigParser() + sssdconfig.read('/tmp/sssd.conf') + domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST') + if domain_section in sssdconfig.sections(): + sssdconfig.set(domain_section, 'ldap_pwmodify_mode', 'ldap_modify') + with open('/tmp/sssd.conf', "w") as sssconf: + sssdconfig.write(sssconf) + session_multihost.master[0].transport.put_file('/tmp/sssd.conf', + '/etc/sssd/sssd.conf') + session_multihost.master[0].service_sssd('restart') + + def restore_sssd(): + """ Restore sssd.conf """ + restore_sssd = 'cp -f /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf' + session_multihost.master[0].run_command(restore_sssd) + session_multihost.master[0].service_sssd('restart') + request.addfinalizer(restore_sssd) + + +class TestLDAPChpass(object): + """ Test changing LDAP password """ + + def _change_test_reset_password(self, multihost): + try: + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo1', password='Secret123') + except paramiko.ssh_exception.AuthenticationException: + pytest.fail("Authentication Failed as user %s" % ('foo1')) + + expect_script = chpass(multihost, ssh, 'Secret123', 'Secret1234') + ssh.close() + + # Try logging in 
with the new password + try: + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo1', password='Secret1234') + except paramiko.ssh_exception.AuthenticationException: + pytest.fail("Authentication Failed as user %s" % ('foo1')) + + # Clean up and change the password back + expect_script = chpass(multihost, ssh, 'Secret1234', 'Secret123') + ssh.close() + + def test_ldap_chpass_extop(self, multihost): + """ + @Title: chpass: Test password change using the default extended + operation + """ + self._change_test_reset_password(multihost) + + def test_ldap_chpass_modify(self, + multihost, + set_ldap_auth_provider, + set_ldap_pwmodify_mode_ldap_modify): + """ + @Title: chpass: Test password change using LDAP modify + """ + self._change_test_reset_password(multihost) --- sssd-2.2.2.orig/src/tests/python/MANIFEST.in +++ sssd-2.2.2/src/tests/python/MANIFEST.in @@ -0,0 +1,3 @@ +include README.rst +recursive-include sssd/testlib/etc/ * +recursive-include docs * --- sssd-2.2.2.orig/src/tests/python/README.rst +++ sssd-2.2.2/src/tests/python/README.rst @@ -0,0 +1,4 @@ +sssd_qe_tests +============= + +`sssd.testlib` is a library containing shared functions to automate `System Services Security Daemon (SSSD)` using pytest framework. --- sssd-2.2.2.orig/src/tests/python/docs/Install.rst +++ sssd-2.2.2/src/tests/python/docs/Install.rst 
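Review bot: `_change_test_reset_password` catches `paramiko.ssh_exception.AuthenticationException`, but `paramiko` is never imported in this file, so a failed login raises `NameError` instead of reaching `pytest.fail`; add `import paramiko` to the imports. `run_expect_script` writes the expect script, which embeds both passwords in clear text, to the fixed path `/tmp/expect_multihost` on the remote host; a predictable name in a world-writable directory can be pre-created or read by another local user, so the file should be created with `mktemp` on the host and its mode restricted before the contents are written. The two fixtures use the fixed local path `/tmp/sssd.conf` in the same way. Both fixture docstrings say "Set entry cache sudo timeout in sssd.conf", which neither fixture does, and `except Exception as err: raise err` adds nothing over the `try`/`finally` around it.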
@@ -0,0 +1,47 @@
+Install
+=======
+* sssd.testlib is a python library which contains shared functions to be used with
+ py.test to automate System Services Security Daemon (SSSD).
+
+Dependencies
+------------
+sssd.testlib requires the following packages:
+
+1. python-paramiko
+2. python-pytest-multihost
+3. PyYAML
+4. pytest
+
+RHEL7
+-----
+To install above dependencies on RHEL7.4 get the:
+
+* python-paramiko package (available at Extras repo)
+
+* `pytest-multihost copr repo(epel7) `_ file::
+
+ $ wget -O /etc/yum.repos.d/pytest-multihost.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/python-pytest-multihost/repo/epel-7/mrniranjan-python-pytest-multihost-epel-7.repo
+ $ yum install python-pytest-multihost
+
+* `sssd-testlib copr repo(epel7) `_ file::
+
+ $ wget -O /etc/yum.repos.d/sssd-testlib.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/sssd-testlib/repo/epel-7/mrniranjan-sssd-testlib-epel-7.repo
+ $ yum install sssd-testlib
+
+Fedora
+------
+To install the above dependencies on Fedora get the:
+
+* `pytest-multihost copr repo(F26) `_ file::
+
+ $ wget -O /etc/yum.repos.d/pytest-multihost.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/python-pytest-multihost/repo/fedora-24/mrniranjan-python-pytest-multihost-fedora-24.repo
+ $ dnf install python-pytest-multihost
+
+* `sssd-testlib copr repo(f26) `_ file::
+
+ $ wget -O /etc/yum.repos.d/sssd-testlib.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/sssd-testlib/repo/fedora-24/mrniranjan-sssd-testlib-fedora-24.repo
+ $ dnf install sssd-testlib
--- sssd-2.2.2.orig/src/tests/python/docs/Makefile
+++ sssd-2.2.2/src/tests/python/docs/Makefile
@@ -0,0 +1,188 @@
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = docs
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
+
+help:
+ @echo "Please use \`make ' where is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " applehelp to make an Apple Help Book"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " 
gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " xml to make Docutils-native XML files"
+ @echo " pseudoxml to make pseudoxml-XML files for display purposes"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+ @echo " coverage to run coverage check of the documentation (if enabled)"
+
+clean:
+ rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Nexus.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Nexus.qhc"
+
+applehelp:
+ $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+ @echo
+ @echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+ @echo "N.B. 
You won't be able to view it unless you put it in" \
+ "~/Library/Documentation/Help or install it in your application" \
+ "bundle."
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/Nexus"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Nexus"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+latexpdfja:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through platex and dvipdfmx..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
+
+coverage:
+ $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+ @echo "Testing of coverage in the sources finished, look at the " \
+ "results in $(BUILDDIR)/coverage/python.txt."
+
+xml:
+ $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+ @echo
+ @echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+pseudoxml:
+ $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+ @echo
+ @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
--- sssd-2.2.2.orig/src/tests/python/docs/MultihostPlugin.rst
+++ sssd-2.2.2/src/tests/python/docs/MultihostPlugin.rst
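Review bot: `clean` runs `rm -rf $(BUILDDIR)/*` with no guard, and `BUILDDIR` can be overridden from the command line, so `make clean BUILDDIR=` expands to `rm -rf /*`. Make `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))` the first line of that recipe. The `info` target calls a literal `make -C $(BUILDDIR)/texinfo info` while `latexpdf` and `latexpdfja` use `$(MAKE)`; it should be `$(MAKE) -C $(BUILDDIR)/texinfo info` so that `-j` and `-n` propagate. `.PHONY` also omits `applehelp`, `latexpdfja`, `texinfo`, `info`, `xml` and `pseudoxml`, all of which have rules in this file.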
@@ -0,0 +1,27 @@
+pytest multihost plugin doc
+===========================
+
+pytest_multihost.config
+-----------------------
+.. automodule:: pytest_multihost.config
+ :members:
+
+pytest_multihost.plugin
+-----------------------
+.. automodule:: pytest_multihost.plugin
+ :members:
+
+pytest_multihost.transport
+--------------------------
+.. automodule:: pytest_multihost.transport
+ :members:
+
+pytest_multihost.util
+---------------------
+.. automodule:: pytest_multihost.util
+ :members:
+
+pytest_multihost.host
+---------------------
+.. automodule:: pytest_multihost.host
+ :members:
--- sssd-2.2.2.orig/src/tests/python/docs/conf.py
+++ sssd-2.2.2/src/tests/python/docs/conf.py
@@ -0,0 +1,315 @@
+# -*- coding: utf-8 -*-
+#
+# sssd-qe tests documentation build configuration file, created by
+# sphinx-quickstart on Thu Apr 2 23:33:29 2015.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys
+import os
+import shlex
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+
+
+def skip(app, what, name, obj, skip, options):
+ if name == "__init__":
+ return False
+ return skip
+
+
+def setup(app):
+ app.connect("autodoc-skip-member", skip)
+
+
+# extensions = [
+# 'sphinx.ext.todo',
+# 'sphinx.ext.viewcode',
+# 'sphinx.ext.autodoc',
+# 'numpydoc',
+# 'sphinx.ext.autosummary',
+# ]
+extensions = [
+ 'sphinx.ext.autodoc',
+ 'sphinx.ext.mathjax',
+ 'sphinx.ext.viewcode',
+ 'numpydoc',
+ 'sphinx.ext.autosummary',
+ 'sphinx.ext.doctest',
+ 'sphinx.ext.inheritance_diagram']
+
+
+autoclass_content = 'both'
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+numpydoc_show_class_members = False
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'sssd-qe-tests'
+copyright = u'2015, Red Hat'
+author = u'SSSD QE'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.1'
+# The full version, including alpha/beta/rc tags.
+release = '1'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+# today = ''
+# Else, today_fmt is used as the format for a strftime call.
+# today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+# default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+# add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+# add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+# show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+# modindex_common_prefix = []
+
+# If true, keep warnings as "system message" paragraphs in the built documents.
+# keep_warnings = False
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = True
+
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+# html_theme = 'flask'
+# html_theme = 'sphinx_rtd_theme'
+html_theme = 'classic'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+# html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+# html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# " v documentation".
+# html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+# html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+# html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+# html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+# html_static_path = ['_static']
+
+# Add any extra paths that contain custom files (such as robots.txt or
+# .htaccess) here, relative to this directory. These files are copied
+# directly to the root of the documentation.
+# html_extra_path = []
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+# html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+# html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+# html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+# html_additional_pages = {}
+
+# If false, no module index is generated.
+# html_domain_indices = True
+
+# If false, no index is generated.
+# html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+# html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+# html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+# html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+# html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+# html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+# html_file_suffix = None
+
+# Language to be used for generating the HTML full-text search index.
+# Sphinx supports the following languages:
+# 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
+# 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
+# html_search_language = 'en'
+
+# A dictionary with options for the search language support, empty by default.
+# Now only 'ja' uses this config value
+# html_search_options = {'type': 'default'}
+
+# The name of a javascript file (relative to the configuration directory) that
+# implements a search results scorer. If empty, the default will be used.
+# html_search_scorer = 'scorer.js'
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'sssd-testsdoc'
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+ # The paper size ('letterpaper' or 'a4paper').
+ # 'papersize': 'letterpaper',
+
+ # The font size ('10pt', '11pt' or '12pt').
+ # 'pointsize': '10pt',
+
+ # Additional stuff for the LaTeX preamble.
+ # 'preamble': '',
+
+ # Latex figure (float) alignment
+ # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ (master_doc, 'sssd-qe-tests.tex', u'sssd-qe-tests Documentation',
+ u'SSSD QE', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+# latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+# latex_use_parts = False
+
+# If true, show page references after internal links.
+# latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+# latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+# latex_appendices = []
+
+# If false, no module index is generated.
+# latex_domain_indices = True
+
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+# man_pages = [
+# (master_doc, 'nexus', u'sssd-qe-tests Documentation',
+# [author], 1)
+# ]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False
+
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ (master_doc, 'sssd-qe-tests', u'sssd-qe-tests Documentation',
+ author, 'sssd-qe-tests', 'One line description of project.',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+# texinfo_appendices = []
+
+# If false, no module index is generated.
+# texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+# texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+# texinfo_no_detailmenu = False
--- sssd-2.2.2.orig/src/tests/python/docs/ds_389.rst
+++ sssd-2.2.2/src/tests/python/docs/ds_389.rst
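Review bot: The `skip` handler near the top of conf.py forces `__init__` to be listed as a member (`return False`) while `autoclass_content = 'both'` further down already appends the `__init__` docstring to each class description, so constructor documentation will probably appear twice in the built pages; keeping only one of the two mechanisms avoids that. The handler's fifth parameter is also called `skip` and shadows the function inside its own body; the handler arguments are passed positionally, so a rename such as `def keep_init(app, what, name, obj, would_skip, options):` with `app.connect("autodoc-skip-member", keep_init)` is safe. `import shlex` is not used by any visible line, and `todo_include_todos = True` has no effect because `'sphinx.ext.todo'` appears only in the commented-out extensions list. Since `sphinx.ext.autodoc` imports the documented modules at build time and the `sys.path.insert` line is commented out, the modules come from whatever is installed in the build environment, so the docs job should run with the same pinned dependencies as the tests.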
@@ -0,0 +1,456 @@ +Examples of using libdirsrv module from sssd.testlib.common +=========================================================== +* sssd-testlib provides module libdirsrv which creates/removes directory server instances. + + +Design +------ +* libdirsrv module consists of 2 classes the base class DirSrv and wrapper class DirSrvWrap. + +* DirSrv class consists of methods to create DS config file, setup Directory Server, enable SSL + in Directory server and remove DS instances. This class is very generic and all the details like + instance name, hostname, suffix, LDAP and TLS ports should be provided. + +* DirSrvWrap is a wrapper class of DirSrv, it sets up some default values like LDAP and TLS ports, + suffix, set SELinux label ldap_t on LDAP and TLS ports etc. + +* The wrapper class allows to create multiple instances without worrying about what ports to be used + for each instance. Port for unencrypted LDAP ports are chosen from the below list: + `[389, 1389, 2389, 3389, 4389, 30389, 31389, 32389, 33389, 34389, 35389, 36389, 37389, 38389, 39389]` + + and TLS ports are chosen from below list: + `[636, 1636, 2636, 3636, 4636, 30636, 31636, 32636, 33636, 34636, 35636, 36636, 37636, 38636, 39636]` + +* Though ports can be passed manually but user must verify if those ports are available. + +* The default suffix is 'dc=example,dc=org' + +* To enable SSL for a Directory Server instance a directory containing the CA and server certs (created on the + host with DS instance) should be passed. To create these certs, PkiTools module can be used. PkiTools has + method `createselfsignedcerts` which creates self-signed certs (CA and server-cert for each host). These + certs are copied to host on which Directory server instance should be created + and `setup_certs` method of DirSrv class adds these certs to NSS DB of that + specific instance and enables TLS on Directory Server. 
+ +* below are some of the examples of setting up DS instance in pytest + +Example-1: Setup DS instance on single host +------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 192.168.122.60 + role: client + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 0, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* add a fixture specified as below in conftest.py:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost): + ds_obj = DirSrvWrap(session_multihost.client[0]) + return ds_obj + +* session_multihost is the session fixture which gets activated when + py.test is run with --multihost-config=mhc.yaml parameter. This + parameter connects to systems mentioned in mhc.yaml using paramiko + module and the session of each host is available through roles + defined in multihost config file. In the above example client[0] is + the multihost handle for host `client1.example.test` + +* Importing the DirSrvWrap module we are creating instance of + DirSrvWrap by passing the multihost session handle of client[0] to + the DirSrvWrap object. 
+ +* the fixture created by 389_ds is of scope class which can be called in a test file as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + setup_ldap.create_ds_instance('example1') + setup_ldap.remove_ds_instance('example1') + + def test2(self, session_multihost): + pass + + def test3(self, session_multihost): + pass + +Example-2: Setup DS instance with SSL on single host: +----------------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1.example.test + external_hostname: client1.example.test + ip: 10.65.223.160 + role: client + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 0, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* create a fixture to create CA and server-cert for each host in conftest.py:: + + from sssd.testlib.common.exceptions import PkiLibException + from sssd.testlib.common.utils import PkiTools + + @pytest.fixture(scope="class") + def nssdir(session_multihost, request): + serverList = [session_multihost.client[0].sys_hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + return certdb + +* add another fixture to create an instance of `DirSrvWrap` passing the certdb + returned from above fixture:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost, nssdir): + ds_obj = DirSrvWrap(session_multihost.client[0], ssl=True, ssldb=nssdir) + return ds_obj + +* call the fixture setup_ldap from the test functions as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + 
setup_ldap.create_ds_instance('example1') + setup_ldap.remove_ds_instance('example1') + + def test2(self): + pass + + def test3(self): + pass + +* to override the default suffix:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + setup_ldap.create_ds_instance('example1', 'dc=abc,dc=test') + setup_ldap.remove_ds_instance('example1') + + def test2(self): + pass + + def test3(self): + pass + +Example-3: Setup DS instance on multiple hosts(2) +------------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1.example.test + external_hostname: client1.example.test + ip: 10.65.223.160 + role: client + - name: master1.example.test + external_hostname: master1.example.test + ip: 10.65.223.161 + role: master + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* create a fixture to create CA and server-cert for each host in conftest.py:: + + from sssd.testlib.common.exceptions import PkiLibException + from sssd.testlib.common.utils import PkiTools + + @pytest.fixture(scope="class") + def nssdir(session_multihost, request): + serverList = [session_multihost.client[0].sys_hostname, + session_multihost.master[0].sys.hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + return certdb + +* add another fixture to create an instance of `DirSrvWrap` passing the certdb + returned from above fixture:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost, nssdir): + client_ds_obj = 
DirSrvWrap(session_multihost.client[0], ssl=True, + ssldb=nssdir) + master_ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True, + ssldb=nssdir) + return (client_ds_obj, master_ds_obj) + + +* call the fixture setup_ldap from the test functions as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + client_ds_obj = setup_ldap[0] + master_ds_obj = setup_ldap[1] + client_ds_obj.create_ds_instance('example1') + master_ds_obj.create_ds_instance('example1') + client_ds_obj.remove_ds_instance('example1') + master_ds_obj.remove_ds_instance('example1') + + def test2(self): + pass + + def test3(self): + pass + +Example-4: Creating and removing DS instance using setup/teardown methods +------------------------------------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1.example.test + external_hostname: client1.example.test + ip: 10.65.223.160 + role: client + - name: master1.example.test + external_hostname: master1.example.test + ip: 10.65.223.161 + role: master + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* Create a fixture of scope class to have setup and teardown methods in class + and these functions are run before and after tests are executed. In our test + class we define a **setup_class** method which will be run before our tests run + where we do all our setup required for tests and also define **class_teardown** + method at the end in **Testclass** which will teardown all the setup done in + **class_setup**. 
To these functions we pass our fixtures setup_ldap:: + + @pytest.fixture(scope="class") + def multihost(session_multihost, setup_ldap, request): + if hasattr(request.cls(), 'class_setup'): + request.cls().class_setup(session_multihost, setup_ldap) + request.addfinalizer(lambda:request.cls().class_teardown(session_multihost, setup_ldap)) + return session_multihost + +* create a fixture to create a CA and server-cert for each host in conftest.py:: + + from sssd.testlib.common.exceptions import PkiLibException + from sssd.testlib.common.utils import PkiTools + + @pytest.fixture(scope="class") + def nssdir(session_multihost, request): + serverList = [session_multihost.client[0].sys_hostname, + session_multihost.master[0].sys_hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + return certdb + +* add another fixture to create an instance of `DirSrvWrap` passing the certdb + returned from above fixture:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost, nssdir): + client_ds_obj = DirSrvWrap(session_multihost.client[0], ssl=True, + ssldb=nssdir) + master_ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True, + ssldb=nssdir) + return (client_ds_obj, master_ds_obj) + + +* call the fixture setup_ldap from the test functions as below:: + + class TestCase(object): + + def class_setup(self, multihost, setup_ldap): + client_ds_obj = setup_ldap[0] + master_ds_obj = setup_ldap[1] + client_ds_obj.create_ds_instance('example1') + master_ds_obj.create_ds_instance('example1') + + def test1(self): + pass + + def test2(self): + pass + + def class_teardown(self, multihost, setup_ldap): + client_ds_obj = setup_ldap[0] + master_ds_obj = setup_ldap[1] + client_ds_obj.remove_ds_instance('example1') + master_ds_obj.remove_ds_instance('example1') + +Example-5: Creating and add POSIX Users and Groups +-------------------------------------------------- +* 
create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: master1.example.test + external_hostname: master1.example.test + ip: 10.65.223.161 + role: master + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':0, 'num_others': 0} + +* Create a fixture of scope class to have setup and teardown methods in class + and these functions are run before and after tests are executed. In our test + class we define a **setup_class** method which will be run before our tests run + where we do all our setup required for tests and also define **class_teardown** + method at the end in **Testclass** which will teardown all the setup done in + **class_setup**. To these functions we pass our fixtures setup_ldap:: + + @pytest.fixture(scope="class") + def multihost(session_multihost, setup_ldap, request): + if hasattr(request.cls(), 'class_setup'): + request.cls().class_setup(session_multihost, setup_ldap, create_posix_usersgroups) + request.addfinalizer(lambda:request.cls().class_teardown(session_multihost)) + return session_multihost + +* create a fixture to create CA and server-cert for each host in conftest.py:: + + from sssd.testlib.common.exceptions import PkiLibException + from sssd.testlib.common.utils import PkiTools + + @pytest.fixture(scope="class") + def nssdir(session_multihost, request): + serverList = [session_multihost.master[0].sys_hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + return certdb + +* Add another fixture to create an instance of `DirSrvWrap` passing the certdb + returned from above fixture. 
With autouse=True, one doesn't have to + explicitly state the fixture in the test functions:: + + @pytest.fixture(scope="class", autouse=True) + def setup_ldap(session_multihost, nssdir): + ds_inst = DirSrvWrap(session_multihost.master[0], ssl=True, + ssldb=nssdir) + ds_inst.create_ds_instance('example1', 'dc=example,dc=test') + + def remove_ldap(): + ds_inst.remove_ds_instance('example1') + request.addfinalizer(remove_ldap) + +* Create another fixture to create posix users/groups here we create 10 users + with dn uid=foo{1..10},ou=People,dc=example,dc=test, and a group called + ldapusers, where all the foo{1..10} are members of that group. The method + use for adding all the members to a group is we first add one user to the + group while creating the group and then use ldap modify method to add other + users to the group:: + + @pytest.fixture(scope='class') + def create_posix_usersgroups(session_multihost): + ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + for i in range(10): + user_info = {'cn': 'foo%d' % i + 'uid': 'foo%d' % i, + 'uidNumber': '1458310%d' % i, + 'gidNumber': '14564100'} + ldap_inst.posix_user("ou=People", "dc=example,dc=test", + user_info): + # we first add one user the group + memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0') + group_info = {'cn': 'ldapusers', + 'gidNumber': '14564100', + 'uniqueMember': memberdn} + try: + ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", + group_info) + except Exception: + assert False + # now add other to the group + for i in range(1, 11): + user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i + add_member = [(ldap.MOD_ADD, 'uniqueMember',user_dn)] + (ret, return_value) = ldap_inst.modify_ldap(group_dn, add_member) + assert ret == 'Success' + + +* call the fixture setup_ldap from the test functions as below:: + + class TestCase(object): + def 
class_setup(multihost, setup_ldap, create_posix_usersgroups) + print("Configuring LDAP and add posix users") + + def test1(self): + pass + + def test2(self): + pass + + def class_teardown(multihost) + print("teardown setup") --- sssd-2.2.2.orig/src/tests/python/docs/examples.rst +++ sssd-2.2.2/src/tests/python/docs/examples.rst 
@@ -0,0 +1,392 @@ +Examples of using Multihost Plugin with Fixture for SSSD +======================================================== +* pytest multihost plugin uses paramiko/OpenSSHTransport to connect to hosts and provides methods to + run commands and copy files. + +Namespace hook +-------------- +* With pytest multihost plugin we define the hosts under which the actual commands will be + running in a YAML/JSON file. This file is then read by multihost plugin. Each of the + host specified in the YAML file have a role, username/password, IP address. + +* pytest multihost provides modules and functions which takes the description of hosts in the + YAML file, connect to the hosts and provides some common functions to run commands, copy/get + files etc. The main modules provided by multihost plugin are config, domain, host. To use + these modules we have to subclass them and change their behaviour to suite our needs. + +* For SSSD QE we created subclasses of the config, domain and host functions to suite our needs and + expanded them. This is available through + `qe_class.py `_. + +* qe_class.py also provides a global fixture called session_multihost which provides a session + scope fixture. This fixture can read the YAML file and provide a global multihost fixture + to all the tests. This fixture assumes that the YAML file has hosts defined with any of these roles: + + - master + - client + - ad + - atomic + - others + +* Hosts in the above roles are read and a list is created for hosts in each role and provided using the generator (yield) feature of python. 
All this is exported in the pytest namespace and can be accessed in the individual tests using namespace hook + +* Below are the examples of using namespace hook: + + - Single host: + + * create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + + * since we have 1 host with role client we can create a namespace hook in conftest.py + to access the host as a list + + * create a conftest.py as below:: + + def pytest_namespace(): + return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + + * in the actual testcase it can be accessed as below:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(self, session_multihost): + session_multihost.client[0]. + + * client[0] is the handle for the client1 system defined in the mhc.yaml + + - Multiple hosts of same role: + + * create a multihost config file as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + - name: client2 + external_hostname: client2.example.test + ip: 10.65.223.17 + role: client + + * since we have 2 hosts with role client we can create a namespace hook in conftest.py + to access the hosts as a list + + * create a conftest.py as below:: + + def pytest_namespace(): + return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':2, 'num_others': 0} + + * in the actual testcase it can be accessed as below:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(self, session_multihost): + session_multihost.client[0]. + session_multihost.client[1]. 
+ + * client[0] is the handle for the client1 system defined in mhc.yaml + * client[1] is the handle for the client2 system defined in mhc.yaml + + - Multiple hosts of different roles: + + * create a multihost config file where we have 2 clients and 1 server:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + - name: client2 + external_hostname: client2.example.test + ip: 10.65.223.17 + role: client + - name: server1 + external_hostname: master1.example.test + ip: 10.65.223.18 + role: master + + * since we have 2 hosts with role client and 1 host with role master we can create a namespace hook in conftest.py to access the hosts as a list + + * create a conftest.py as below:: + + def pytest_namespace(): + return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':2, 'num_others': 0} + + * in the actual testcase it can be accessed as below:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(session_multihost): + session_multihost.client[0]. + session_multihost.client[1]. + def test2(session_multihost): + session_multihost.master[0]. 
+ +Example-1: Single host tests +---------------------------- +* create a multihost config file mhc.yaml with 1 host as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + +* create a file called conftest.py with below contents:: + + def pytest_namespace(): + return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 } + +* create file called test1.py which contains testcases:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(self, session_multihost): + session_multihost.client[0].run_command(['ls', '-l']) + +* running the test:: + + $ py.test --multihost-config=mhc.yaml test1.py -s -v + +Example-2: Multiple hosts tests +------------------------------- +* create a multihost config file mhc.yaml with 2 hosts with roles master and client:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + - name: master1 + external_hostname: master1.example.test + ip: 10.65.223.35 + role: master + +* create a file called conftest.py with below contents:: + + def pytest_namespace(): + return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 } + +* create file called test1.py which contains testcases:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(self, session_multihost): + session_multihost.client[0].run_command(['ls', '-l']) + + def test2(self, session_multihost): + session_multihost.master[0].run_command(['ls', '-l']) + +* running the test:: + + $ py.test --multihost-config=mhc.yaml test1.py -s -v + +Example-3: Multiple hosts test with setup and teardown +------------------------------------------------------ +* create a multihost 
config file mhc.yaml with 2 hosts with roles master and client:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + - name: master1 + external_hostname: master1.example.test + ip: 10.65.223.35 + role: master + +* create a file called conftest.py with below contents:: + + from sssd.testlib.common.qe_class import session_multihost + def pytest_namespace(): + return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 } + + @pytest.fixture(scope="class") + def multihost(session_multihost, request): + if hasattr(request.cls(), 'class_setup'): + request.cls().class_setup(session_multihost) + request.addfinalizer(lambda: request.cls().class_teardown(session_multihost)) + return session_multihost + +* create file called test1.py which contains testcases:: + + class TestCase: + def class_setup(self, session_multihost): + cmd = session_multihost.client[0].run_command(['useradd', 'foobar']) + assert cmd.returncode == 0 + + def test1(self, session_multihost): + session_multihost.client[0].run_command(['id', 'foobar']) + + def class_teardown(self, session_multihost): + session_multihost.master[0].run_command(['userdel', 'foobar']) + +* running the test:: + + $ py.test --multihost-config=mhc.yaml test1.py -s -v + +Example-4: Copying files to hosts using multihost plugin +-------------------------------------------------------- +* scenario: Create an sssd.conf file with specific configuration parameters. 
We create a local file on the + system from which we are running py.test command (jslave/laptop/testsystem) and copy it + to the actual hosts using transport.put_file method + +* create test1.py with below contents:: + + import ConfigParser + + class TestCase: + def class_setup(self, session_multihost): + sssdconfig = ConfigParser.RawConfigParser() + sssdconfig.optionxform = str + sssdconfig.add_section('sssd') + sssdconfig.set("sssd", "config_file_version", '2') + sssdconfig.set("sssd", "domains", 'example.com') + sssdconfig.set("sssd", "services", "nss, pam") + domain_section = '%s/%s' % ('domain', 'example.com') + sssdconfig.add_section(domain_section) + sssdconfig.set(domain_section, "id_provider", "ad") + sssdconfig.set(domain_section, "auth_provider", "ad") + sssdconfig.set(domain_section, "access_provider", "ad") + sssdconfig.set(domain_section, "fallback_homedir", "/home/%d/%u") + sssdconfig.set(domain_section, "use_fully_qualified_names", "True") + sssdconfig.set(domain_section, "ad_maximum_machine_account_password_age", "1") + sssdconfig.set(domain_section, "ad_machine_account_password_renewal_opts", "300:15") + sssdconfig.set(domain_section, "debug_level", "9") + sssdconfig.set(domain_section, "enumerate", "True") + temp_file = '/tmp/sssd.conf' + with open(temp_file, 'wb') as fd: + sssdconfig.write(fd) + session_multihost.client[0].transport.put_file(temp_file, '/etc/sssd/sssd.conf') + session_multihost.client[0].run_command(['chmod', '600', '/etc/sssd/sssd.conf'], + set_env=False, raiseonerr=False) + +Example-5: Creating a fixture and calling a fixture +--------------------------------------------------- +* scenario: We want to configure sssd.conf before our test runs. 
we can create a + function which configures sssd.conf and we call this function before our test runs + +* create a file called conftest.py with below contents:: + + from sssd.testlib.common.qe_class import session_multihost + import ConfigParser + def pytest_namespace(): + return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 } + + @pytest.fixture(scope="class") + def multihost(session_multihost, request): + if hasattr(request.cls(), 'class_setup'): + request.cls().class_setup(session_multihost) + request.addfinalizer(lambda: request.cls().class_teardown(session_multihost)) + return session_multihost + + @pytest.fixture(scope="class") + def config_sssd(session_multihost, request): + sssdconfig = ConfigParser.RawConfigParser() + sssdconfig.optionxform = str + sssdconfig.add_section('sssd') + sssdconfig.set("sssd", "config_file_version", '2') + sssdconfig.set("sssd", "domains", 'example.com') + sssdconfig.set("sssd", "services", "nss, pam") + domain_section = '%s/%s' % ('domain', 'example.com') + sssdconfig.add_section(domain_section) + sssdconfig.set(domain_section, "id_provider", "ad") + sssdconfig.set(domain_section, "auth_provider", "ad") + sssdconfig.set(domain_section, "fallback_homedir", "/home/%d/%u") + sssdconfig.set(domain_section, "use_fully_qualified_names", "True") + sssdconfig.set(domain_section, "debug_level", "9") + sssdconfig.set(domain_section, "enumerate", "True") + temp_file = '/tmp/sssd.conf' + with open(temp_file, 'wb') as fd: + sssdconfig.write(fd) + session_multihost.client[0].transport.put_file(temp_file, '/etc/sssd/sssd.conf') + +* create a file test1.py with below contents:: + + class Testcase: + def class_setup(self, multihost, config_sssd): + cmd = session_multihost.client[0].run_command(['service', 'sssd', 'restart']) + assert cmd.returncode == 0 + + def test1(self, multihost): + print("I am in test1") + + def class_teardown(self, multihost): + cmd = 
session_multihost.client[0].run_command(['service', 'sssd', 'stop']) + assert cmd.returncode == 0 + +Example-6: Connecting to Windows system and running AD specific commands +------------------------------------------------------------------------ +* scenario: If the test requirement requires running any specific native commands on + windows which cannot be fulfilled by adcli. + + Note: Connecting to Windows using multihost plugin requires ssh be running on Windows system. + For this multihost plugin has been tested only with OpenSSH provided using CYGWIN. So before + using multihost plugin please install CYGWIN and OpenSSH package. Configure OpenSSH on Windows + and make sure its firewall is allowing ssh port. + +* create a multihost config file mhc.yaml with 2 hosts with roles master and client:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 10.65.223.16 + role: client + - name: srv1 + external_hostname: srv1.example.test + ip: 10.65.223.35 + role: ad + username: Administrator + password: Secret123 + +* create a file called conftest.py with below contents:: + + def pytest_namespace(): + return { 'num_masters': 0, 'num_ad':1, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 } + +* create file called test1.py which contains testcases:: + + from sssd.testlib.common.qe_class import session_multihost + class TestCase: + def test1(self, session_multihost): + session_multihost.client[0].run_command(['ls', '-l']) + + def test2(self, session_multihost): + session_multihost.ad[0].run_command(['date']) + +* Running the test:: + + $ py.test --multihost-config=mhc.yaml test1.py -s -v --- sssd-2.2.2.orig/src/tests/python/docs/index.rst +++ sssd-2.2.2/src/tests/python/docs/index.rst 
@@ -0,0 +1,39 @@
+.. SSSD QE Test documentation master file, created by
+ sphinx-quickstart on Wed Sep 02 18:52:16 2015.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+SSSD QE pytest framework Documentation
+===========================================
+
+SSSD QE PyTest provides a framework `sssd.testlib` which contains shared functions and libraries to be used to write tests in pytest framework for
+System Services Security Daemon.
+
+
+Contents:
+
+.. toctree::
+ :maxdepth: 3
+
+ Install
+ running
+ layout
+ examples
+ ds_389
+ krb5
+ kcm
+ sssd-testlib
+ MultihostPlugin
+
+
+
+Additional Information
+======================
+.. [#] `Python Pytest Multihost plugin `_.
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
--- sssd-2.2.2.orig/src/tests/python/docs/kcm.rst
+++ sssd-2.2.2/src/tests/python/docs/kcm.rst
@@ -0,0 +1,253 @@ +Examples of testing KCM +======================= + + +Design +------ +* For testing KCM ccache, minimal requirements is to have a Kerberos + server. sssd-testlib provides `libkrb5` module to setup Kerberos server. + +* `sssd-testlib` now contains `utils` module which now contains functions to + enable `sssd-kcm` + +* Below are some of the examples of using it in pytest + + +Example1: Using single host to test sssd-kcm +-------------------------------------------- +* create a single host running Directory Server, krb5 server and configure + client to authenticate to LDAP and Kerberos server using SSSD and enable KCM + + * create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: testrealm.test + type: sssd + hosts: + - name: idm1.example.test + external_hostname: idm1.example.test + role: master + + * create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost, + from sssd.testlib.common.qe_class import create_testdir + import pytest + + def pytest_namespace(): + return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, + num_replicas': 0, 'num_clients':1, 'num_others': 0} + + * create fixture to run Authconfig to authenticate to SSSD:: + + @pytest.fixture(scope="session") + def config_authconfig(session_multihost, request): + """ Run authconfig to configure Kerberos and + SSSD auth on remote host + """ + authconfig = RedHatAuthConfig(session_multihost.master[0]) + session_multihost.master[0].log.info("Take backup of current authconfig") + authconfig.backup('/root/authconfig_backup') + krbrealm = 'EXAMPLE.TEST' + kerberos_server = session_multihost.master[0].sys_hostname + authconfig.enable("sssd") + authconfig.enable("sssdauth") + authconfig.add_parameter("krb5kdc", kerberos_server) + authconfig.add_parameter("krb5adminserver", kerberos_server) + authconfig.add_parameter("krb5realm", krbrealm) + authconfig.execute() + + def restore_authconfig(): + """ 
Restore authconfig """ + authconfig.restore('/root/authconfig_backup') + + request.addfinalizer(restore_authconfig) + + * add a fixture to configure Directory Server:: + + from sssd.testlib.common.libdirsrv import DirSrvWrap + from sssd.testlib.common.utils import sssdTools, PkiTools + from sssd.testlib.common.exceptions import PkiLibException + + @pytest.fixture(scope=session) + def setup_ldap(session_multihost, request): + serverList = [session_multihost.master[0].sys_hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True, + ssldb=certdb) + ds_obj.create_ds_instance('example1', 'dc=example,dc=test') + + def remove_ldap(): + ds_obj.remove_ds_instance('example1') + request.addfinalizer(remove_ldap) + + * add a fixture to configure Kerberos server:: + + @pytest.fixture(scope='class') + def setup_kerberos(session_multihost, request): + tools = sssdTools(session_multihost.master[0]) + tools.config_etckrb5('EXAMPLE.TEST') + krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') + krb.krb_setup_new() + + def remove_kerberos(): + krb.destroy_krb5serer() + request.addfinalizer(remove_kerberos) + + * add a fixture to setup SSSD conf:: + + @pytest.fixture(scope='class', autouse=True) + def setup_sssd(session_multihost, request): + domain_section = 'domain/EXAMPLE.TEST' + ldap_uri = 'ldap://%s' % + (session_multihost.master[0].sys_hostname) + krb5_server = session_multihost.master[0].sys_hostname + cacert_loc = '/etc/openldap/cacerts/cacert.pem' + sssdConfig = ConfigParser.SafeConfigParser() + sssdConfig.optionxform = str + sssdConfig.add_section('sssd') + sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST') + sssdConfig.set('sssd', 'config_file_version', '2') + sssdConfig.set('sssd', 'services', 'nss, pam, ifp') + sssdConfig.add_section(domain_section) + sssdConfig.set(domain_section, 'enumerate', 'false') 
+ sssdConfig.set(domain_section, 'id_provider', 'ldap') + sssdConfig.set(domain_section, 'ldap_uri', ldap_uri) + sssdConfig.set(domain_section, 'ldap_search_base', + 'dc=example,dc=test') + sssdConfig.set(domain_section, 'ldap_tls_cacert', cacert_loc) + sssdConfig.set(domain_section, 'auth_provider', 'krb5') + sssdConfig.set(domain_section, 'krb5_server', krb5_server) + sssdConfig.set(domain_section, 'krb5_kpasswd', krb5_server) + sssdConfig.set(domain_section, 'krb5_realm', 'EXAMPLE.TEST') + sssdConfig.set(domain_section, 'debug_level', '9') + temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf', + prefix='sssd') + with open(temp_file_path, "wb") as outfile: + sssdConfig.write(outfile) + session_multihost.master[0].run_command(['cp', '-f', + paths.SSSD_CONF, + '%s.orig' % + paths.SSSD_CONF]) + session_multihost.master[0].transport.put_file(temp_file_path, + paths.SSSD_CONF) + + os.close(temp_fd) + try: + session_multihost.master[0].service_sssd('restart') + except Exception: + journalctl_cmd = "journalctl -x -n 50 --no-pager" + session_multihost.master[0].run_command(journalctl_cmd) + assert False + + * add fixture to create some POSIX users and also create Kerberos users with + same names:: + + @pytest.fixture(scope='class', autouse=True) + def create_posix_usersgroups(session_multihost): + ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname) + ds_rootdn = 'cn=Directory Manager' + ds_rootpw = 'Secret123' + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST') + for i in range(10): + user_info = {'cn': 'foo%d' % i, + 'uid': 'foo%d' % i, + 'uidNumber': '1458310%d' % i, + 'gidNumber': '14564100'} + if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info): + krb.add_principal('foo%d' % i, 'user', 'Secret123') + else: + print("Unable to add ldap User %s" % (user_info)) + assert False + memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0') + group_info = {'cn': 
'ldapusers', + 'gidNumber': '14564100', + 'uniqueMember': memberdn} + try: + ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info) + except Exception: + assert False + group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test' + for i in range(1, 11): + user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i + add_member = [(ldap.MOD_ADD, 'uniqueMember',user_dn)] + (ret, return_value) = ldap_inst.modify_ldap(group_dn, add_member) + assert ret == 'Success' + + * create a session fixture which calls config_authconfig, setup_ldap, + setup_kerberos:: + + @pytest.fixture(scope="session", autouse=True) + def setup_session(request, session_multihost, + config_authconfig, + setup_ldap, + setup_kerberos): + print("\n............Session Setup...............") + def teardown(): + print("\n............Session teardown...............") + request.addfinalizer(teardown) + + * create a test suite file called test1.py, to test KCM as user, or + to check if the Kerberos user can ssh to the system, we can use + `SSHClient` module from `sssd.testlib.common.utils` module:: + + from sssd.testlib.common.utils import SSHClient + from sssd.testlib.common.uilts import sssdTools + + class TestBasicSSSD: + + def test_kcm_sock(self, multihost): + tools = sssdTools(session_multihost.master[0]) + tools.enable_kcm() + multihost.master[0].run_command(['systemctl', 'start', + 'sssd-kcm']) + kcm_sock_link = '/var/run/.heim_org.h5l.kcm-socket' + cmd = multihost.master[0].run_command(['ls', '-l', kcm_sock_link], + raiseonerr=False) + assert cmd.returncode == 0 + + def test_ssh_user_login(self, multihost): + """ Check ssh login as LDAP user with Kerberos credentials """ + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo1', password='Secret123') + assert ssh.connstatus + ssh.close() + + def test_kinit(self, multihost): + """ Run kinit after user login """ + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo2', password='Secret123') + assert ssh.connstatus + 
(stdout, stderr, exit_status) = ssh.execute_cmd(args='kinit', + stdin='Secret123') + assert exit_status == 0 + (stdout, stderr, exit_status) = ssh.execute_cmd('klist') + for line in stdout.readlines(): + print(line) + assert exit_status == 0 + ssh.close() + + def test_kinit_kcm(self, multihost): + """ Run kinit with KRB5CCNAME=KCM: """ + ssh = SSHClient(multihost.master[0].sys_hostname, + username='foo3', password='Secret123') + assert ssh.connstatus + (out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit', + stdin='Secret123') + assert status == 0 + (out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; klist') + for line in stdout.readlines(): + if 'Ticket cache: KCM:14583103' in str(line.strip()): + assert True + break + else: + assert False + assert exit_status == 0 + ssh.close() --- sssd-2.2.2.orig/src/tests/python/docs/krb5.rst +++ sssd-2.2.2/src/tests/python/docs/krb5.rst 
@@ -0,0 +1,75 @@ +Examples of using libkrb5 module from sssd.testlib.common +========================================================= +* sssd-testlib provides module libkrb5 which creates a Kerberos server instance + + +Design +------ +* libkb5 module consists of class krb5Srv + +* krb5srv class consists of methods to create a Kerberos server + +* below are some of the examples of setting up a Kerberos server on RHEL7 + +Example-1: Setup a Kerberos instance on a single host +----------------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: server1 + external_hostname: server1.example.test + ip: 192.168.122.60 + role: master + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libkb5 import krb5srv + import pytest + + def pytest_namespace(): + return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* add a fixture specified below in conftest.py:: + + import subprocess + + @pytest.fixture(scope="class") + def setup_krb5(session_multihost): + tools = sssdTools(session_multihost.master[0]) + tools.config_etckrb5('EXAMPLE.TEST') + krb = krb5srv(session_multihost[0]. 'EXAMPLE.TEST') + try: + krb.krb_setup_new() + except subprocess.CalledProcessError: + print("fail to setup Kerberos") + assert False + +* session_multihost is the session fixture which gets activated when + py.test is run with --multihost-config=mhc.yaml parameter. This + parameter connects to systems mentioned in mhc.yaml using paramiko + module and this session of each host is available through roles + defined in multihost config file. 
In the above example client[0] is + the multihost handle for host `server1.example.test` + +* importing the krb5srv module we are creating instance of + krb5srv by passing the multihost session handle of master[0] to + the krb5srv object + +* the fixture created by setup_krb5 is of scope class which can be called in a test file as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_krb5): + print("This is test1") + + def test2(self, session_multihost): + pass + + def test3(self, session_multihost): + pass --- sssd-2.2.2.orig/src/tests/python/docs/layout.rst +++ sssd-2.2.2/src/tests/python/docs/layout.rst @@ -0,0 +1,13 @@ +layout +====== +This doc provides the layout of SSSD pytest framework and test suites directory. + +module +------ +* sssd.testlib + + This is the main top directory under which there are subdirectories containing various shared functions required to write tests using pytest + +* sssd.testlib/common + + This directory contains shared functions which are generic in nature --- sssd-2.2.2.orig/src/tests/python/docs/running.rst +++ sssd-2.2.2/src/tests/python/docs/running.rst 
@@ -0,0 +1,112 @@ +running +======= +* Running Tests + +Prerequisites +------------- +* pytest-multihost-plugin + + To execute tests with multiple tests, pytest-multihost plugin is required. + Refer to Install section for installing the plugin. + +* SSSD pytest framework + + SSSD pytest framework is mostly set of shared functions that is used in test cases for common tasks like authconfig, setting up DS, Kerberos, IPA, etc. + sssd-testlib is the module provided by the framework. + +Getting Started +--------------- +* Functional Tests mostly written for SSSD require multiple hosts. Each of the hosts take a particular role. Below are the predefined roles used: + + - master: Node on which we have Directory Server/OpenLDAP Server/krb5 Server/IPA Server is running + - replica: Node on which is replica of Directory/OpenLDAP Server/krb5 server + - client: Node on which sssd-client is configured + - ad: Node on which Microsoft Active Directory is running + - atomic: Atomic host Node + +config +------ +* To run multihosts tests using pytest, we have to define the infrastructure containing RHEL and Windows systems in a file. Check Example config file:: + + root_password: 'redhat' + test_dir: '/root/multihost' + windows_test_dir: '/home/administrator' + domains: + - name: testrealm.test + type: sssd + hosts: + - name: hostname1 + ip: 192.168.122.1 + role: master + - name: hostname2 + ip: 192.168.122.2 + role: replica + - name: hostname3: + ip: 192.168.122.3 + role: client + - name: hostname4: + ip: 192.168.122.4 + role: ad + username: Administrator + password: Secret123 + +Brief description of the above lines: + + **root_password** is the root password of the systems, it's better to have common password of the RHEL systems that you would like to connect. 
+ Instead of password, you can use ssh keys, in which the parameter is **ssh_key_filename: ~/.ssh/id_rsa** + + **test_dir** directory to store test-specific data in, defaults to **/root/multihost_tests** + + **windows_test_dir** Directory to store test-specific data on Windows hosts, defaults to **/home/Administrator** + + **Domains** is a list of domains under which the hosts that will run the commands reside. Domains are a way of classifying hosts. + + **name(under Domains)** is the name of the domain, can be any name (resolvable/non-resolvable) + + **type(under Domains)** is the type of hosts, a string specifying the type of the domain ('default' by default) + + **hosts(under Domains)** is a placeholder for list of hosts + + **name(under hosts)** is a hostname to which multihost needs to connect, can be a short name in which case the FQDN will be formed by combining name and domain + name specified under domains. + + **ip** is the IP address of the system + + **role** is the role that the host will be taking, like master/slave/replica/ad/atomic + + **username** (optional) each host can have its specific username to connect to. For example for connecting to Windows systems we use username 'Administrator' + + **password** password to connect to + +Executing Tests +--------------- +* To execute existing tests clone sssd-qe-tests repo and run py.test against any specific test suite directory. + + - On RHEL7.2:: + + $ git clone git://git.app.eng.bos.redhat.com/sssd-qe-tests.git + $ cd sssd-qe-tests/pytest + $ py.test --multihost-config= + +* Before executing any tests, it's required to create a config file as specified in `config` section. 
+ + - Executing test suite:: + + $ cd sssd-qe-tests/pytest/ + $ py.test --junit-xml=/tmp/junit.xml \ + --multihost-config=mh_cfg.yaml \ + -v + + - Executing Individual Test sub-suite (module):: + + $ cd sssd-qe-tests/pytest/ + $ py.test --junit-xml=/tmp/junit.xml \ + --multihost-config=mh_cfg.yaml \ + -v + + - Executing individual Test cases:: + + $ cd sssd-qe-tests/pytest/ + $ py.test --junit.xml=/tmp/junit.xml \ + --multihosts-config=mh_cfg.yaml \ + -v /.py:::: --- sssd-2.2.2.orig/src/tests/python/docs/sssd-testlib.rst +++ sssd-2.2.2/src/tests/python/docs/sssd-testlib.rst @@ -0,0 +1,32 @@ +sssd test library doc +====================== + +sssd.testlib.common.qe_class +---------------------------- +.. automodule:: sssd.testlib.common.qe_class + :members: + +sssd.testlib.common.authconfig +------------------------------ +.. automodule:: sssd.testlib.common.authconfig + :members: + +sssd.testlib.common.utils +-------------------------- +.. automodule:: sssd.testlib.common.utils + :members: + +sssd.testlib.common.libdirsrv +----------------------------- +.. automodule:: sssd.testlib.common.libdirsrv + :members: + +sssd.testlib.common.libkrb5 +--------------------------- +.. automodule:: sssd.testlib.common.libkrb5 + :members: + +pytest_multihost +---------------- +.. automodule:: pytest_multihost + :members: --- sssd-2.2.2.orig/src/tests/python/setup.py +++ sssd-2.2.2/src/tests/python/setup.py 
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2016 sssd-qe contributors.
+#
+from setuptools import setup
+
+REQUIRES = [
+ 'paramiko',
+ 'PyYAML',
+ 'pytest_multihost',
+ 'pytest']
+
+with open('README.rst', 'r') as f:
+ README = f.read()
+
+setup_args = dict(
+ name='sssd.testlib',
+ version='0.1-11',
+ description='System Services Security Daemon python test suite',
+ long_description=README,
+ author=u'SSSD QE Team',
+ url='http://git.app.eng.bos.redhat.com/git/sssd-qe-tests.git/',
+ packages=[
+ 'sssd',
+ 'sssd.testlib',
+ 'sssd.testlib.common',
+ ],
+ package_data={'': ['LICENSE']},
+ install_requires=REQUIRES,
+ license='GNU GPL v3.0',
+ classifiers=(
+ 'Programming Language :: Python',
+ 'Programming Language :: Python :: 2.7',
+ ),
+)
+if __name__ == '__main__':
+ setup(**setup_args)
--- sssd-2.2.2.orig/src/tests/python/sssd-testlib.spec
+++ sssd-2.2.2/src/tests/python/sssd-testlib.spec
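Review bot: `REQUIRES` in setup.py names `paramiko`, `PyYAML`, `pytest_multihost` and `pytest` with no version bounds, so a pip-based install takes whatever release is newest at install time, while the spec file added in this same diff requires `python-pytest-multihost >= 1.1`. Carrying that floor over as `'pytest_multihost>=1.1',` keeps the two install paths in agreement; bounds for the other three should come from the versions the test library is actually run against. The `url` is a plain `http://` address, so the project link is not authenticated if anyone follows it to fetch code. The classifiers also advertise only Python 2.7 although the spec builds a Python 3 variant, and `classifiers=(...)` is a tuple where setuptools expects a list.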
@@ -0,0 +1,144 @@ +%if 0%{?rhel} && 0%{?rhel} >= 8 +%global with_python3 1 +%else +%{!?__python2: %global __python2 /usr/bin/python2} +%{!?python2_sitelib2: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib())")} +%endif +%if 0%{?fedora} >= 27 +%global with_python3 1 +%endif + +%define name sssd-testlib +%define owner sssd-qe +%define project sssd-testlib +%define version 0.1 +%define release 11 +%define srcname sssd-testlib + +Name: %{name} +Version: %{version} +Release: %{release}%{?dist} +Summary: System Services Security Daemon (SSSD) PyTest Framework +License: GPLv3+ +Source0: %{name}.tar.gz + +BuildArch: noarch +%if 0%{?with_python3} +BuildRequires: python3-devel +%else +%if 0%{?fedora} +BuildRequires: python2-devel +%else +BuildRequires: python-devel +%endif +%endif + +%if 0%{?fedora} +Requires: python3-paramiko +Requires: freeipa-python +Requires: python3-pytest-multihost >= 1.1 +Requires: python3-PyYAML +Requires: python3-pytest +Requires: python-dns +Requires: python-krbV +Requires: python-nss +%else +Requires: python-paramiko +Requires: python-pytest-multihost >= 1.1 +Requires: PyYAML +Requires: pytest +Requires: python-ldap +Requires: openldap-clients +Requires: python-dns +Requires: python-krbV +Requires: python-nss +%else +%if 0%{?rhel} +Requires: ipa-python +%endif +%endif + +%description +A python framework for System Services Security Daemon (SSSD) PyTest Framework. + +%prep +%setup -qn %{project} + +%if 0%{?with_python3} +echo %{py3dir} +rm -rf %{py3dir} +cp -a . 
%{py3dir} +%endif + +%build +%{__python2} setup.py build +%if 0%{?with_python3} +pushd %{py3dir} +%{__python3} setup.py build +popd +%endif + +%install +%{__python2} setup.py install -O1 --skip-build --root %{buildroot} +%if 0%{?with_python3} +%py_byte_compile %{__python2} %{buildroot}%{python_sitelib}/%{srcname} +%else +%{__python2} -m compileall %{buildroot}%{python_sitelib}/%{srcname} +%endif + +%if 0%{?with_python3} +pushd %{py3dir} +%{__python3} setup.py install --skip-build --root %{buildroot} +%py_byte_compile %{__python3} %{buildroot}%{python3_sitelib}/%{srcname} +popd +%endif + +mkdir -p %{buildroot}/etc/sssd_testlib +install -m 644 sssd/testlib/etc/* %{buildroot}/etc/sssd_testlib/ + +%files +%doc README.rst docs/* +%config /etc/sssd_testlib +%if 0%{?fedora} +%{python2_sitelib}/* +%endif +%if 0%{?with_python3} +%{python3_sitelib}/* +%else: +%{python2_sitelib}/* +%endif + +%changelog +* Fri Jul 7 2017 Niranjan MR - 0.1-11 +- pylint fixes +* Sat Apr 19 2017 Niranjan MR - 0.1-10 +- Add functions to create POSIX users/groups +- Add libkrb5 module to create kerberos server +- Use paramiko to test ssh logins for non-root users +- Update documentation +* Tue Mar 14 2017 Niranjan MR - 0.1-9 +- Use adcli with realm to join system to Windows AD +* Mon Feb 20 2017 Niranjan MR - 0.1-8 +- Fix indetation issues with qe_class.py +* Fri Feb 17 2017 Niranjan MR - 0.1-7 +- pep8 fixes to sssd.testlib.common +- updated docs on setting up DS instances using multihost +* Wed Nov 30 2016 Niranjan MR - 0.1-6 +- Add functions related to configuring Directory Server, +- Add functions related to adding, removing, modifying AD users, + and adding UNIX attributes to Windows AD Users +* Fri Oct 21 2016 Niranjan MR - 0.1-5 +- Add functions to connect AD and move common fixtures + as sssdTools module in common +* Sat Sep 10 2016 Niranjan MR - 0.1-4 +- Add Run time requirement to have pytest-multihost >= 1.1 +- Modify spec file to be built on fedora/rhel +- When using fedora 24 and above 
use python3 +* Wed Aug 24 2016 Niranjan MR - 0.1-3 +- Add functions to start/stop/restart sssd based on RHEL versions +- Use systemctl instead of service command for systemd based versions +* Fri Jul 15 2016 Niranjan MR - 0.1-2 +- Modified qe_class.py to make Windows AD details to be in separate domain +- Added ipa-python as a Runtime dependency +* Thu Jun 30 2016 Niranjan MR - 0.1-1 +- initial version- --- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/authconfig.py +++ sssd-2.2.2/src/tests/python/sssd/testlib/common/authconfig.py 
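Review bot: The `Requires` block in sssd-testlib.spec opens with `%if 0%{?fedora}` and then carries two `%else` branches before its `%endif`, with `%if 0%{?rhel}` / `Requires: ipa-python` nested inside the second one, so the RHEL-only dependency sits in a branch that cannot be selected as written. Replacing the second `%else` with `%endif` and dropping the extra trailing `%endif` leaves `%if 0%{?rhel}` / `Requires: ipa-python` / `%endif` as its own conditional. Two smaller slips are in the same file: the guard `%{!?python2_sitelib2: %global python2_sitelib ...}` tests a macro name that is never defined, and the `%files` section uses `%else:` with a stray colon. The Fedora branch also mixes `python3-*` and `python-*` package names, which is worth confirming against the interpreter the package is actually installed for.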
@@ -0,0 +1,145 @@ +# Authors: Simo Sorce +# Alexander Bokovoy +# Tomas Babej +# +# Copyright (C) 2007-2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" Authconfig Module """ +from __future__ import print_function +from subprocess import CalledProcessError +import os + +FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow'] + + +class RedHatAuthConfig(object): + """ + AuthConfig class implements a system-independent interface to configure + system authentication resources. In Red Hat systems this is done with + authconfig(8) utility. + + AuthConfig class is nothing more than a tool to gather configuration + options and execute their processing. These options are then converted by + an actual implementation to a series of system calls to appropriate + utilities performing real configuration. + + If you need to re-use existing AuthConfig instance for multiple runs, + make sure to call 'AuthConfig.reset()' between the runs. 
+ """ + + def __init__(self, host): + """ Initialize host + :param str host: hostname + """ + self.host = host + self.parameters = {} + + def enable(self, option): + """ + Option to be passed to authconfig + :param str option: authconfig options + """ + self.parameters[option] = True + return self + + def disable(self, option): + """ + Disable options + :param str option: authconfig options + """ + self.parameters[option] = False + return self + + def add_option(self, option): + """ + Add option + :param str option: authconfig options + """ + self.parameters[option] = None + return self + + def add_parameter(self, option, value): + """ + Add parameters + :param str option: authconfig options + :param str values: values + """ + self.parameters[option] = [value] + return self + + def reset(self): + """ + Reset to the default + """ + self.parameters = {} + return self + + def build_args(self): + """ + Build argument list from options provided + """ + args = [] + print("parameters passed: ", self.parameters) + for (option, value) in self.parameters.items(): + if type(value) is bool: + if value: + args.append("--enable%s" % (option)) + else: + args.append("--disable%s" % (option)) + elif type(value) in (tuple, list): + args.append("--%s" % (option)) + args.append("%s" % (value[0])) + elif value is None: + args.append("--%s" % (option)) + else: + args.append("--%s%s" % (option, value)) + return args + + def execute(self, update=True): + """ Execute authconfig command """ + if update: + self.add_option("update") + + args = self.build_args() + auth_cmd = ['/usr/sbin/authconfig'] + args + cmd = self.host.run_command(auth_cmd, set_env=False, raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Failed to run Authconfig") + + def backup(self, path): + """ Backup existing authconfig options + :param str path: path where existing files are backed + """ + cmd = self.host.run_command(['/usr/sbin/authconfig', '--savebackup', + path], set_env=False, raiseonerr=False) + if 
cmd.returncode != 0: + raise Exception("Unable to save backup") + # do not backup these files since we don't want to mess with + # users/groups during restore. Authconfig doesn't seem to mind about + # having them deleted from backup dir + files_to_remove = [os.path.join(path, f) for f in FILES_TO_NOT_BACKUP] + for filename in files_to_remove: + try: + self.host.run_command(['rm', '-f', filename], set_env=False) + except CalledProcessError: + pass + + def restore(self, path): + """ Restore from backup + :param str path: backup path + """ + self.host.run_command(["/usr/sbin/authconfig", "--restorebackup", + path], set_env=False, raiseonerr=False) --- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/exceptions.py +++ sssd-2.2.2/src/tests/python/sssd/testlib/common/exceptions.py 
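Review bot: `restore()` in authconfig.py passes `raiseonerr=False` and discards the result, so a failed `authconfig --restorebackup` goes unnoticed and the host keeps the authentication settings the test applied, whereas `backup()` and `execute()` both check `cmd.returncode`. Keeping the result and failing the same way closes that gap: `cmd = self.host.run_command(["/usr/sbin/authconfig", "--restorebackup", path], set_env=False, raiseonerr=False)` followed by `if cmd.returncode != 0: raise Exception("Unable to restore backup")`. In `build_args`, `print("parameters passed: ", self.parameters)` writes every option value to the test output, which should be dropped or moved to a debug log in case a caller ever passes a credential-bearing option. The class docstring also refers to `AuthConfig.reset()` although the class is named `RedHatAuthConfig`.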
@@ -0,0 +1,62 @@
+"""
+ Provide Exceptions for py.test framework
+"""
+
+
+class StandardException(Exception):
+ """ Overrides Exception class """
+
+ def __init__(self, msg=None, rval=1):
+ if msg is None:
+ msg = 'Error'
+ self.msg = msg
+ self.rval = rval
+ super(StandardException, self).__init__(self.msg)
+
+ def __str__(self):
+ return "{} ({})".format(self.msg, self.rval)
+
+
+class InvalidInput(StandardException):
+ """
+ Override StandardException used mainly when invalid input is passed
+ """
+
+
+class DirSrvException(StandardException):
+ """
+ Override StandardException, This exception is to be used for
+ Directory Server related Errors
+ """
+
+
+class PkiLibException(StandardException):
+ """
+ Override StandardException,
+ This exception is to be used for PKI/SSL related Errors
+ """
+
+
+class OSException(StandardException):
+ """
+ Override StandardException, This exception is to be used for
+ Operating system errors.
+ """
+
+
+class LdapException(StandardException):
+ """
+ Override StandardException, This exception is to be used for LDAP Errors
+ """
+
+
+class RPMException(StandardException):
+ """
+ Override StandardException, This exception is to be used for RPM Errors
+ """
+
+
+class SSSDException(StandardException):
+ """
+ Override StandardException, This exception is to be used for SSSD Errors
+ """
--- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/libdirsrv.py
+++ sssd-2.2.2/src/tests/python/sssd/testlib/common/libdirsrv.py
@@ -0,0 +1,594 @@ +"""This module contains methods to create Directory Server Instance.""" +from __future__ import print_function +import os +try: + import ConfigParser +except ImportError: + import configparser as ConfigParser +import tempfile +import subprocess +import socket +import time +import ldap +from sssd.testlib.common.exceptions import DirSrvException +from sssd.testlib.common.exceptions import LdapException +from sssd.testlib.common.utils import LdapOperations + +DS_USER = 'nobody' +DS_GROUP = 'nobody' +DS_ADMIN = 'admin' +DS_ROOTDN = 'CN=Directory Manager' + + +class DirSrv(object): + """Base class to setup DS Instances + + For setting up Directory Server, enabling TLS, and + removing of Directory Server instance. + """ + + # pylint: disable=too-many-instance-attributes + def __init__(self, **kwargs): + """Initialize name, suffix, host, ports, Directory Manager password.""" + self.instance_name = kwargs.get('name') + self.dsinstance_host = kwargs.get('host') + self.dsinstance_suffix = kwargs.get('suffix') + self.multihost = kwargs.get('multihost') + self.dsrootdn_pwd = kwargs.get('root_dn_password') + self.dsldap_port = kwargs.get('ldap_port', None) + self.dstls_port = kwargs.get('ldap_tls_port', None) + self.dsrootdn = DS_ROOTDN + self.ds_inst_name = 'slapd-%s' % self.instance_name + self.dsrootdir = '/etc/dirsrv' + self.dsinst_path = os.path.join(self.dsrootdir, self.ds_inst_name) + + def __str__(self): + return "%s.%s('%r')" % (self.__module__, self.__class__.__name__, + self.__dict__) + + def __repr__(self): + return '%s(%s, %r)' % (self.__module__, self.__class__.__name__, + self.__dict__) + + def create_config(self): + """create config file for setup-ds.pl to setup DS instances. 
+ + Args: + param1 (None): + + Returns: + str: Returns path of the config file + + Exceptions: + None + """ + config = ConfigParser.RawConfigParser() + config.optionxform = str + config.add_section('General') + config.set('General', 'FullMachineName', self.dsinstance_host) + config.set('General', 'SuiteSpotUserID', DS_USER) + config.set('General', 'SuiteSpotGroup', DS_GROUP) + config.set('General', 'ConfigDirectoryAdminID', DS_ADMIN) + config.add_section('slapd') + config.set('slapd', 'ServerIdentifier', self.instance_name) + config.set('slapd', 'ServerPort', self.dsldap_port) + config.set('slapd', 'Suffix', self.dsinstance_suffix) + config.set('slapd', 'RootDN', self.dsrootdn) + config.set('slapd', 'RootDNPwd', self.dsrootdn_pwd) + + (ds_config, ds_config_file_path) = tempfile.mkstemp(suffix='cfg') + os.close(ds_config) + with open(ds_config_file_path, "w") as outfile: + config.write(outfile) + return ds_config_file_path + + def setup_ds(self, ds_cfg_file): + """create DS instance by running setup-ds.pl. 
+ + Args: + ds_config_file (str): ds_config_file: Configuration File path + + Returns: + bool: True if setup-ds.pl ran successfully else False + + Exceptions: + subprocess.CalledProcessError: + """ + self.multihost.transport.put_file(ds_cfg_file, '/tmp/test.cfg') + setup_args = ['setup-ds.pl', '--silent', + '--file=/tmp/test.cfg', '--debug'] + try: + self.multihost.run_command(setup_args) + except subprocess.CalledProcessError: + raise + else: + os.remove(ds_cfg_file) + return True + + def remove_ds(self, inst_name=None): + """Remove Directory Server instance + + Args: + inst_name (str): DS Instance name + + Returns: + None + + Exceptions: + subprocess.CalledProcessError + """ + if inst_name is None: + inst_name = self.ds_inst_name + remove_args = ['remove-ds.pl', '-i', inst_name, '-d'] + try: + self.multihost.run_command(remove_args) + except subprocess.CalledProcessError: + raise + + def _copy_pkcs12(self, ssl_dir): + """ Copy the pkcs12 files from ssl_dir to + DS instance directory """ + + nss_db_files = ['ca.p12', 'server.p12', 'pin.txt', 'pwfile'] + for db_file in nss_db_files: + source = os.path.join(ssl_dir, db_file) + destination = os.path.join(self.dsinst_path, db_file) + self.multihost.transport.put_file(source, destination) + for db_file in nss_db_files: + ls_cmd = 'ls %s/%s' % (self.dsinst_path, db_file) + cmd = self.multihost.run_command(ls_cmd) + if cmd.returncode != 0: + return False + return True + + def _import_certs(self, pkcs12_path, pwfile): + """ Import the certs from pkcs12 """ + pk12_cmd = 'pk12util -i %s -d %s -k %s'\ + ' -w %s' % (pkcs12_path, self.dsinst_path, pwfile, pwfile) + cmd = self.multihost.run_command(pk12_cmd) + if cmd.returncode == 0: + return True + + def _set_dsperms(self, file_path): + """ Set DSUSER permissions on files """ + change_ownership = ['chown', DS_USER, file_path] + change_group = ['chgrp', DS_GROUP, file_path] + chmod_file = ['chmod', '600', file_path] + try: + self.multihost.run_command(change_ownership) + except 
subprocess.CalledProcessError: + raise DirSrvException( + 'fail to user change ownership of pin.txt fail') + try: + self.multihost.run_command(change_group) + except subprocess.CalledProcessError: + raise DirSrvException( + 'fail to change group ownership of pin.txt file') + try: + self.multihost.run_command(chmod_file) + except subprocess.CalledProcessError: + raise DirSrvException('fail to change permissions of pin.txt file') + + def setup_certs(self, ssl_dir): + """copy CA and Server certs to all DS instances. + + Args: + ssl_dir (str): NSS Directory containing CA and Server-Certs + + Returns: + bool: True if files are copied + + Exceptions: + DirSrvException + """ + # We stop directory server before we copy files. This is required + # because it's seen that at times, if ns-slapd process is reading + # the db files, copying of files is successful but not all data + # is written causing the files to go corrupt. + stop_ds = ['systemctl', 'stop', 'dirsrv@%s' % (self.instance_name)] + try: + self.multihost.run_command(stop_ds) + except subprocess.CalledProcessError: + raise DirSrvException("Unable to stop Directory Server instance") + else: + self.multihost.log.info('DS instance stopped successfully') + self._copy_pkcs12(ssl_dir) + cacert_file_path = '%s/cacert.pem' % ('/etc/openldap/cacerts') + target_pin_file = os.path.join(self.dsinst_path, 'pin.txt') + pwfile = os.path.join(self.dsinst_path, 'pwfile') + ca_p12 = os.path.join(self.dsinst_path, 'ca.p12') + server_p12 = os.path.join(self.dsinst_path, 'server.p12') + # recreate the database + certutil_cmd = 'certutil -N -d %s -f %s' % (self.dsinst_path, pwfile) + self.multihost.run_command(certutil_cmd) + create_cert_dir = 'mkdir -p /etc/openldap/cacerts' + # recreate the database + self.multihost.run_command(create_cert_dir) + pkcs12_file = [ca_p12, server_p12] + for pkcs_file in pkcs12_file: + if not self._import_certs(pkcs_file, pwfile): + raise DirSrvException("importing certificates failed") + set_trust_cmd = 
'certutil -M -d %s -n "ExampleCA"'\ + ' -t "CTu,u,u" -f %s' % (self.dsinst_path, pwfile) + self.multihost.run_command(create_cert_dir) + self.multihost.run_command(set_trust_cmd) + self.multihost.transport.put_file(os.path.join( + ssl_dir, 'cacert.pem'), cacert_file_path) + try: + self._set_dsperms(target_pin_file) + except DirSrvException: + raise + start_ds = ['systemctl', 'start', 'dirsrv@%s' % (self.instance_name)] + try: + self.multihost.run_command(start_ds) + except subprocess.CalledProcessError: + raise DirSrvException('Could not Start DS Instance') + else: + self.multihost.log.info('DS instance started successfully') + + def enable_ssl(self, binduri, tls_port): + """sets TLS Port and enabled TLS on Directory Server. + + Args: + binduri (str): LDAP uri to bind with + tls_port (str): TLS port to be setup + + Returns: + bool: True if successfully setup TLS port + + Exceptions: + LdapException + """ + ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn, + bindpw=self.dsrootdn_pwd) + # Enable TLS + mod_dn1 = 'cn=encryption,cn=config' + add_tls = [(ldap.MOD_ADD, 'nsTLS1', [b'on'])] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn1, add_tls) + if not return_value: + raise LdapException('fail to enable TLS, Error:%s' % (ret)) + else: + print('Enabled nsTLS1=on') + mod_dn2 = 'cn=RSA,cn=encryption,cn=config' + mod_security = [(ldap.MOD_REPLACE, 'nsSSLPersonalitySSL', + [b'Server-Cert-%s' % + ((self.dsinstance_host.encode()))])] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn2, mod_security) + if not return_value: + raise LdapException('fail to set Server-Cert nick:%s' % (ret)) + else: + print('Enabled Server-Cert nick') + + # Enable security + mod_dn3 = 'cn=config' + enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn3, enable_security) + if not return_value: + raise LdapException( + 'fail to enable nsslapd-security, Error:%s' % (ret)) + else: + print('Enabled nsslapd-security') + + # 
set the appropriate TLS port + mod_dn4 = 'cn=config' + enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort', + str(tls_port).encode())] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn4, enable_ssl_port) + if not return_value: + raise LdapException( + 'fail to set nsslapd-securePort, Error:%s' % (ret)) + else: + print('Enabled nsslapd-securePort=%r' % tls_port) + + +class DirSrvWrap(object): + """This is a wrapper class for DirSrv. + + This is a wrapper class of DirSrv class which validates + all the inputs sent to Dirsrv object. Specifies ports for + LDAP and TLS ports, specifies default suffix. + """ + # pylint: disable=too-many-instance-attributes + def __init__(self, multihost_obj, ssl=None, ssldb=None): + """ + Create a DirSrv object for a specific Host. Specify the ports, + instance details to the Dirsrv object + + Args: + multihost_obj (obj): Multihost object + ssl (bool): set True to enable SSL else none/False + ssldb (str): Directory containing CA and server certs + """ + self.ds_used_ports = {} + self.dirsrv_info = {} + self.dirsrv_obj = None + self.ds_instance_name = None + self.multihost = multihost_obj + self.ds_instance_host = self.multihost.sys_hostname + self.ds_instance_suffix = None + self.ds_rootdn_pwd = None + self.ds_ldap_port = None + self.ds_tls_port = None + self.ssl = ssl + if self.ssl: + self.ssl_dir = ssldb + + def __iter__(self): + """ iter values of each instance """ + return self.dirsrv_info.itervalues() + + def __getitem__(self, key): + """ Return values of each instance """ + return self.dirsrv_info[key] + + def _set_options(self, + instance_name, + instance_suffix, + root_dn_pwd, + ldap_port, + tls_port): + """set Default values. 
+ + Args: + instance_name (str): DS Instance Name + instance_suffix (str): DS Instance Suffix + root_dn_pwd (str): Directory Manager password + ldap_port (str): LDAP port + tls_port (str): TLS Port + + Returns: + A tuple containing 'Success', 0 or Failed Message and 1 + for failure to setup ports + + Exceptions: + None + """ + self.ds_instance_name = instance_name + if instance_suffix: + self.ds_instance_suffix = instance_suffix + else: + self.ds_instance_suffix = 'dc=example,dc=org' + + if root_dn_pwd: + self.ds_rootdn_pwd = root_dn_pwd + else: + self.ds_rootdn_pwd = 'Secret123' + # Get ports + try: + self.ds_ldap_port, self.ds_tls_port = self._set_ports( + ldap_port, tls_port) + except IndexError: + return "No more ports available", 1 + else: + self.ds_used_ports[self.ds_instance_name] = [ + self.ds_ldap_port, self.ds_tls_port] + + # validate instance + try: + self._validate_options() + except DirSrvException as err: + return err.msg, err.rval + else: + return "Success", 0 + + def _set_ports(self, u_port, e_port): + """return ports required to setup DS Instance. + + Idea behind this is when a directory server instance needs + to be created we need ports for LDAP and SSL ports. + 1. check if LDAP port and SSL port is given + 1.1 If given, verify if the ports are available(not used) + 1.1.1 Bind that port to ldap_port_t using semanage command + 1.1.2 Use the ports and add it to the self.UsedPorts list + 1.2 else raise exception + 2. 
If LDAP port and SSL port is not given + 2.1 Check if the ports are available(not used) + 2.1.1 Bind the port to ldap_port_t using semanage command + 2.1.2 Use the ports and add it to self.ds_used_ports list + + Args: + u_port (str): unencrypted LDAP port + e_port (str): Encrypted port to be used for TLS + + Returns: + sorted_available_ports[0] (list): LDAP and TLS ports + """ + ds_ports = [389, 1389, 2389, 3389, 4389, 30389, 31389, 32389, 33389, + 34389, 35389, 36389, 37389, 38389, 39389] + tls_ports = [636, 1636, 2636, 3636, 4636, 30636, 31636, 32636, 33636, + 34636, 35636, 36636, 37636, 38636, 39636] + + if u_port is None and e_port is None: + for ldap_port, ldaps_port in zip(ds_ports, tls_ports): + if (self._check_remote_port(ldap_port) or + self._check_remote_port(ldaps_port)): + pass + else: + return ldap_port, ldaps_port + else: + list_a = [] + for ports in self.ds_used_ports.values(): + list_a.append(ports) + + list_b = [] + for l_port, s_port in zip(ds_ports, tls_ports): + list_b.append((l_port, s_port)) + + if len(set(list_a)) > len(set(list_b)): + available_ports = set(list_a) - set(list_b) + else: + available_ports = set(list_b) - set(list_a) + sorted_available_ports = sorted(available_ports) + return sorted_available_ports[0] + + def _check_remote_port(self, port): + """check if the port on the remote host is free. + + Args: + port (int): check if port is available + + Returns: + bool: True if port is free else False. + """ + sock_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock_obj.settimeout(1) + try: + sock_obj.connect((self.ds_instance_host, port)) + except socket.error as err: + print("fail to connect to port %s due to error %r" % (port, + err.errno)) + return False + else: + sock_obj.close() + return True + + def _validate_options(self): + """verify if the instance directory already exists. 
+ + Args: + None + + Returns: + None + + Exceptions: + DirSrvException: if instance directory already exists + """ + check_instance = ['/usr/bin/ls', '/etc/dirsrv/slapd-%s' % + self.ds_instance_name] + output = self.multihost.run_command(check_instance, raiseonerr=False) + if output.returncode == 0: + raise DirSrvException('%s Instance already exists' % + self.ds_instance_name) + + def create_ds_instance(self, + inst_name, + inst_suffix=None, + root_dn_pwd=None, + ldap_port=None, + tls_port=None): + """create Directory server instance. + + Args: + inst_name (str): Instance Name + inst_suffix (str): Instance suffix + root_dn_pwd (str): Directory Manager password + ldap_port (str): LDAP port to be used + tls_port (str): TLS port to be used + + Returns: + result (str) and return code (str): Result containing message and + return code containing 0 or 1 (1 indicating failure) + + Exceptions: + DirSrvException: if DS instance could not be created. + """ + result, return_code = self._set_options(inst_name, + inst_suffix, + root_dn_pwd, + ldap_port, + tls_port) + if return_code == 0: + self.dirsrv_obj = DirSrv(name=self.ds_instance_name, + host=self.ds_instance_host, + suffix=self.ds_instance_suffix, + multihost=self.multihost, + root_dn_password=self.ds_rootdn_pwd, + ldap_port=self.ds_ldap_port, + tls_port=self.ds_tls_port) + cfg_file = self.dirsrv_obj.create_config() + try: + self.dirsrv_obj.setup_ds(cfg_file) + except subprocess.CalledProcessError: + raise DirSrvException('fail to DS config file to setup') + self.dirsrv_info[self.ds_instance_name] = self.dirsrv_obj.__dict__ + if self.ssl: + try: + self.dirsrv_obj.setup_certs(self.ssl_dir) + except DirSrvException as err: + return err.msg, err.rval + else: + (result, return_code) = self.enablessl() + return result, return_code + else: + raise DirSrvException('fail to setup Directory Server instance') + + def enablessl(self): + """Enable SSL/TLS on instance. 
+ + Enable by adding TLS port to ldap_port_t SELinux label and restart + Directory Server. + + Args: + None + + Returns: + Tuple: Success, 0 or Error, 1 + + Exceptions: + None: + """ + # add TLS port to ldap_port_t SELinux label + + add_tls_port = ['semanage', 'port', '-a', '-t', + 'ldap_port_t', '-p', 'tcp', str(self.ds_tls_port)] + + restart_ds = ['systemctl', 'restart', 'dirsrv@%s' % + self.ds_instance_name] + if self.ds_tls_port != 636: + try: + self.multihost.run_command(add_tls_port) + except subprocess.CalledProcessError: + return "Unable to set tls_port as ldap_port_t", 1 + else: + self.multihost.log.info('Added %s port to ldap_port_t' % + self.ds_tls_port) + try: + self.dirsrv_obj.enable_ssl('ldap://%s:%r' % (self.ds_instance_host, + self.ds_ldap_port), + self.ds_tls_port) + except LdapException: + return "Error", 1 + + try: + self.multihost.run_command(restart_ds) + except subprocess.CalledProcessError: + return "Error", 1 + else: + self.multihost.log.info('DS instance restarted successfully') + # sleep for 10 seconds + time.sleep(10) + tail_cmd = ['tail', '-n', '100', + '/var/log/dirsrv/slapd-%s/errors' % self. + ds_instance_name] + output = self.multihost.run_command(tail_cmd, raiseonerr=False) + if output.returncode != 0: + return "Error", 1 + else: + return "Success", 0 + + def remove_ds_instance(self, instance_name): + """remove Directory server instance. 
+ + Args: + instance_name (str): Instance Name + + Returns: + bool: True if successfully removed + + Exceptions: + DirSrvException: if DS instance cannot be removed + """ + ret = self.dirsrv_info[instance_name] + if ret['instance_name'] == instance_name: + ds_inst_name = ret['ds_inst_name'] + try: + self.dirsrv_obj.remove_ds(ds_inst_name) + except subprocess.CalledProcessError: + raise DirSrvException('Could not remove DS Instance', + ds_inst_name) + else: + del self.ds_used_ports[instance_name] + return True + else: + raise DirSrvException('%s Instance not found' % instance_name) --- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/libkrb5.py +++ sssd-2.2.2/src/tests/python/sssd/testlib/common/libkrb5.py 
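Review bot: `DirSrv.setup_ds` in libdirsrv.py uploads the generated answer file, which contains `RootDNPwd`, to the fixed path `/tmp/test.cfg` on the remote host and never deletes it there; only the local temp file is removed, and only on the success path. A fixed name in a world-writable directory can be pre-created or symlinked by another local user, and the Directory Manager password stays on disk after the run. I would create the remote file with `mktemp`, pass that path to `--file=`, and remove both copies in a `finally` block, as sketched below. Whether `put_file` keeps the restrictive mode of the mktemp-created file should be confirmed against the transport in use.

```python
    def setup_ds(self, ds_cfg_file):
        # … unchanged: docstring …
        mktemp = self.multihost.run_command(['mktemp'])
        remote_cfg = mktemp.stdout_text.strip()
        setup_args = ['setup-ds.pl', '--silent',
                      '--file=%s' % remote_cfg, '--debug']
        try:
            self.multihost.transport.put_file(ds_cfg_file, remote_cfg)
            self.multihost.run_command(setup_args)
        finally:
            # Both copies hold RootDNPwd in clear text; remove them on
            # success and on failure.
            self.multihost.run_command(['rm', '-f', remote_cfg],
                                       raiseonerr=False)
            os.remove(ds_cfg_file)
        return True
```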
@@ -0,0 +1,217 @@ +from __future__ import print_function + +try: + import ConfigParser +except ImportError: + import configparser as ConfigParser +import tempfile +import os +import subprocess + + +class krb5srv(object): + """ Base class to setup MIT Kerberos server + Default Kerberos Server realm is "EXAMPLE.TEST" + Default Admin password is "Secret123" + """ + + def __init__(self, multihost, krb_realm=None): + """ Initialize realm, host, ports, Kerberos admin password """ + if krb_realm is None: + self.krb_realm = 'EXAMPLE.TEST' + else: + self.krb_realm = krb_realm.upper() + self.multihost = multihost + self.kdc_port = '88' + self.kadmin_port = '749' + self.admin_password = 'Secret123' + self.krb5_kdc_data_dir = '/var/kerberos/krb5kdc' + self.krb5_kdc_sysconfig = '/etc/sysconfig/krb5kdc' + self.krb5_log_file = '/var/log/krb5kdc.log' + self.admin_keytab = '%s/kadm5.keytab' % (self.krb5_kdc_data_dir) + self.kadmin_log_file = '/var/log/kadmind.log' + self.enc_type = ['aes256-cts:normal', 'aes128-cts:normal', + 'des3-hmac-sha1:normal', 'arcfour-hmac:normal', + 'camellia256-cts:normal', 'camellia128-cts:normal', + 'des-hmac-sha1:normal', 'des-cbc-md5:normal', + 'des-cbc-crc:normal'] + self.krb_acl_file = '%s/kadm5.acl' % (self.krb5_kdc_data_dir) + self.admin_keytab = '%s/kadm5.keytab' % (self.krb5_kdc_data_dir) + self.supported_enctypes = ' '.join(self.enc_type) + self.kdc_conf = '%s/kdc.conf' % (self.krb5_kdc_data_dir) + + def _config_krb5kdc(self): + """ Configure kdc.conf and kadm5.acl + :param: None + :return str: Return Kerberos kdc.conf file path + """ + realm_def = """ { + acl_file = %s + admin_keytab = %s + supported_enctypes = %s + } """ % (self.krb_acl_file, + self.admin_keytab, + self.supported_enctypes) + config = ConfigParser.RawConfigParser() + config.optionxform = str + config.add_section('kdcdefaults') + config.set('kdcdefaults', 'kdc_ports', self.kdc_port) + config.set('kdcdefaults', 'kdc_tcp_ports', self.kdc_port) + config.add_section('logging') + 
config.set('logging', 'kdc', 'FILE:%s' % (self.krb5_log_file)) + config.set('logging', 'admin_server', 'File:%s' % + (self.kadmin_log_file)) + config.add_section('realms') + config.set('realms', self.krb_realm, realm_def) + + (krb_config, krb_config_path) = tempfile.mkstemp(suffix='cfg') + os.close(krb_config) + with open(krb_config_path, "w") as outfile: + config.write(outfile) + return krb_config_path + + def _krb_acl_config(self): + """ Create ACL file + :param: None + :return: Config file path + """ + acl = "*/%s@%s *" % ('admin', self.krb_realm) + (acl_config, acl_config_path) = tempfile.mkstemp(suffix='cfg') + os.close(acl_config) + with open(acl_config_path, "w") as outfile: + outfile.write(acl) + return acl_config_path + + def krb_setup_new(self): + """ Setup new Kerberos REALM + :param: None + :return: None + :Exception: Raises subprocess.CalledProcessError + """ + krb_config_path = self._config_krb5kdc() + acl_file = self._krb_acl_config() + self.multihost.transport.put_file(krb_config_path, self.kdc_conf) + self.multihost.transport.put_file(acl_file, self.krb_acl_file) + kdb5_util_create = ['kdb5_util', 'create', '-W', '-r', + self.krb_realm, '-s', '-P', '""'] + + try: + self.multihost.run_command(kdb5_util_create) + except subprocess.CalledProcessError: + raise + + try: + self.add_principal(p_type='admin', + password=self.admin_password, + service='admin', + service_name='admin') + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("created REALM %s" % (self.krb_realm)) + + try: + self.add_principal(p_type=None, service='host', + service_name=self.multihost.sys_hostname) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("host principal added") + + try: + self.multihost.run_command(['kadmin.local', '-r', self.krb_realm, + '-q', "ktadd host/%s" % + (self.multihost.sys_hostname)]) + except subprocess.CalledProcessError: + raise + try: + self.multihost.run_command(['kadmin.local', '-r', 
self.krb_realm, + '-q', "ktadd -k %s kadmin/admin" % + (self.admin_keytab)]) + except subprocess.CalledProcessError: + raise + + try: + self.multihost.run_command(['kadmin.local', '-r', self.krb_realm, + '-q', "ktadd -k %s kadmin/changepw" % + (self.admin_keytab)]) + except subprocess.CalledProcessError: + raise + + try: + self.multihost.run_command(['systemctl', 'start', 'krb5kdc']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("krb5kdc service start successful") + try: + self.multihost.run_command(['systemctl', 'start', 'kadmin']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("kadmin service started successfully") + + def add_principal(self, principal=None, + p_type='user', + password=None, + service=None, + service_name=None): + """ Add server/user principals to Kerberos server + :param str principal: principal name (foobar) + :param str p_type: principal type (user/admin/None) + :param str password: password ('Secret123') + :param str service: service principal (host/http/nfs) + :param str service_name: Hostname where service is run + :return bool: True if principal is added + :Exception: Raise subprocess.CalledProcessError + """ + # Todo: Need to check if a principal already exists before adding. 
+ if service is None: + service = 'host' + + if p_type == 'user': + add_principal = "add_principal -clearpolicy"\ + " -pw %s %s@%s" % (password, principal, + self.krb_realm) + kadmin_local_cmd = ['kadmin.local', '-r', + self.krb_realm, '-q', add_principal] + elif p_type == 'admin': + add_principal = "add_principal -clearpolicy"\ + " -pw %s %s/%s" % (password, service, 'admin') + kadmin_local_cmd = ['kadmin.local', '-r', self.krb_realm, + '-q', add_principal] + else: + add_principal = "add_principal -clearpolicy"\ + " -randkey %s/%s" % (service, service_name) + kadmin_local_cmd = ['kadmin.local', '-r', self.krb_realm, + '-q', add_principal] + try: + self.multihost.run_command(kadmin_local_cmd) + except subprocess.CalledProcessError: + raise + else: + return True + + def destroy_krb5server(self): + """ Destroy Kerberos database + :param: None + :Exception: subprocess.CalledProcessError + """ + # stop the Kerberos server + for service in ('krb5kdc', 'kadmin'): + stop_cmd = 'systemctl stop %s' % service + try: + self.multihost.run_command(stop_cmd) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("stopped %s service ") + + # destroy Kerberos database + try: + self.multihost.run_command(['kdb5_util', 'destroy', '-f', + self.krb_realm]) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("Removed krb realm %s" % self.krb_realm) --- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/qe_class.py +++ sssd-2.2.2/src/tests/python/sssd/testlib/common/qe_class.py 
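Review bot: `krb5srv.add_principal` in libkrb5.py formats `password` straight into the kadmin query, so with the defaults (`p_type='user'`, `password=None`) the query contains `-pw None` and the principal is created with the literal password `None` instead of the call failing. The `user` and `admin` branches should reject a missing password before building the query, for example `if p_type in ('user', 'admin') and not password: raise ValueError('password is required for %s principals' % p_type)`. A password containing whitespace would presumably be split by the `-q` query parser as well, so quoting the value inside the query string is worth adding at the same time. In the same hunk, `krb_setup_new` passes `'-P', '""'` as list elements; if `run_command` quotes list arguments, the master key password becomes the two-character string `""` rather than an empty one, which should be confirmed.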
@@ -0,0 +1,347 @@ +from pytest_multihost import make_multihost_fixture +import pytest_multihost.config +import pytest_multihost.host +import logging +import pytest +import time +from .exceptions import SSSDException + + +class QeConfig(pytest_multihost.config.Config): + """QeConfig subclass of multihost plugin to extend functionality.""" + + extra_init_args = {'directory_manager', 'directory_password', + 'rootdn', 'rootdn_pwd'} + + def __init__(self, **kwargs): + self.log = self.get_logger('%s.%s' % (__name__, type(self).__name__)) + pytest_multihost.config.Config.__init__(self, **kwargs) + + def get_domain_class(self): + """return custom domain class. + + This is needed to fully extend the config for custom + multihost plugin extensions. + + Args: + None + + Returns: + None + """ + return QeDomain + + def get_logger(self, name): + """Override get_logger to set logging level. + + Args: + name (str): Name of the logger + + Returns: + log (obj): Logger object + """ + log = logging.getLogger(name) + log.propagate = False + if not log.handlers: + # set log Level + log.setLevel(logging.DEBUG) + handler = logging.StreamHandler() + handler.setLevel(logging.DEBUG) + # set formatter + formatter = logging.Formatter( + '%(asctime)s - %(name)s - %(levelname)s - %(message)s') + handler.setFormatter(formatter) + log.addHandler(handler) + return log + + +class QeBaseHost(pytest_multihost.host.BaseHost): + """QeBaseHost subclass of multihost plugin BaseHost class.""" + pass + + +class QeHost(QeBaseHost): + """QeHost subclass of multihost plugin host class. + + This extends functionality of the host class for SSSD QE purposes. + Here we add support functions that will be very widely used across + tests and must be run on any or all hosts in the environment. 
+ """ + + @property + def sys_hostname(self): + """Get system hostname + + Args: + None + + Returns: + str: System hostname + """ + cmd = self.run_command(['hostname'], raiseonerr=False) + return cmd.stdout_text.strip() + + @property + def distro(self): + """ Get contents of /etc/redhat-release + + :param None: + :return str: contents of /etc/redhat-release + """ + cmd = self.run_command(['cat', '/etc/redhat-release'], + raiseonerr=False) + if cmd.returncode != 0: + distro = 'Unknown Distro' + else: + distro = cmd.stdout_text.strip() + return distro + + def service_sssd(self, action): + """ Start/stop/restart sssd service based on RHEL Version + + :param str action: Action to be performed (start/stop/restart) + :return: str Return code of the systemctl/service command + :Exception Raises exception + """ + if 'Fedora' in self.distro: + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise SSSDException('Unable to %s sssd' % action, 1) + elif '7.' or '8.' in self.distro.split()[6]: + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise SSSDException('Unable to %s sssd' % action, 1) + elif '6.' 
in self.distro.split()[6]: + cmd = self.run_command(['service', 'sssd', action], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise SSSDException('Unable to %s sssd' % action, 1) + elif 'Atomic' in self.distro.split(): + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise SSSDException('Unable to %s sssd' % action, 1) + + def yum_install(self, package): + """ Install packages through yum + + :param str package: Name of the package to be installed + :return str: Returncode of the yum command + :Exception: None + """ + cmd = self.run_command(['yum', '-y', 'install', package], + raiseonerr=False) + return cmd.returncode + + def dnf_install(self, package): + """ Install packages through dnf + + :param str package: Name of the package to be installed + :return str: Returncode of the dnf command + :Exception: None + """ + cmd = self.run_command(['dnf', '-y', 'install', package], + raiseonerr=False) + return cmd.returncode + + def yum_uninstall(self, package): + """ Uninstall packages through yum + :param str package: Name of the package to be uninstalled + :return str: Return code of the yum remove command + :Exception: None + """ + + cmd = self.run_command(['yum', '-y', 'remove', package], + raiseonerr=False) + return cmd.returncode + + def dnf_uninstall(self, package): + """ Uninstall packages through dnf + :param str package: Name of the package to be uninstalled + :return str: Return code of the dnf remove command + :Exception: None + """ + + cmd = self.run_command(['dnf', '-y', 'remove', package], + raiseonerr=False) + return cmd.returncode + + +class QeWinHost(QeBaseHost, pytest_multihost.host.WinHost): + """ Windows Host class + + Subclass of pytest_multihost.host.WinHost, QeBaseHost + Functions defined provide extra attributes when using Windows AD + + Attributes: + domainname (str): Return domainname of the 
AD Machine
+ realm (str): Return AD realm in upper case
+ """
+
+ @property
+ def domainname(self):
+ """ Return Domain name """
+ cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False)
+ return cmd.stdout_text.strip()
+
+ @property
+ def realm(self):
+ """ Return AD Realm """
+ cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False)
+ return cmd.stdout_text.strip().upper()
+
+ @property
+ def domain_basedn_entry(self):
+ """ Return base DN Entry of the """
+ cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False)
+ domain_list = ['DC=' + string for string in cmd.stdout_text.strip().
+ split('.')]
+ list1 = map(str, domain_list)
+ domain_base_dn = ','.join(list1)
+ return domain_base_dn
+
+ def _get_client_dn_entry(self, client):
+ """ Return DN entry of client computer in AD """
+ cmd = self.run_command(['dsquery', 'computer', '-name', str(client)],
+ set_env=False, raiseonerr=False)
+ output = cmd.stdout_text.strip()
+ return output
+
+ def _get_user_dn_entry(self, user):
+ """ Return DN entry of client computer in AD """
+ cmd = self.run_command(['dsquery', 'user', '-name', user],
+ set_env=False, raiseonerr=False)
+ output = cmd.stdout_text.strip()
+ return output
+
+
+class QeDomain(pytest_multihost.config.Domain):
+ """ QeDomain subclass of multihost plugin domain class.
"""
+ def __init__(self, config, name, domain_type):
+ """
+ Subclass of pytest_multihost.config.Domain
+
+ :param obj config: config config
+ :param str name: Name
+ :param str domain_type:
+
+ :return None:
+ """
+ self.type = str(domain_type)
+ self.config = config
+ self.name = str(name)
+ self.hosts = []
+
+ host_classes = {'default': QeHost, 'windows': QeWinHost}
+
+
+@pytest.yield_fixture(scope="session", autouse=True)
+def session_multihost(request):
+ """Multihost plugin fixture for session scope"""
+ if pytest.num_ad > 0:
+ mh = make_multihost_fixture(request, descriptions=[
+ {
+ 'type': 'sssd',
+ 'hosts':
+ {
+ 'master': pytest.num_masters,
+ 'atomic': pytest.num_atomic,
+ 'replica': pytest.num_replicas,
+ 'client': pytest.num_clients,
+ 'other': pytest.num_others,
+ }
+ },
+ {
+ 'type': 'ad',
+ 'hosts':
+ {
+ 'ad': pytest.num_ad,
+ },
+ },
+ ], config_class=QeConfig,)
+ else:
+ mh = make_multihost_fixture(request, descriptions=[
+ {
+ 'type': 'sssd',
+ 'hosts':
+ {
+ 'master': pytest.num_masters,
+ 'atomic': pytest.num_atomic,
+ 'replica': pytest.num_replicas,
+ 'client': pytest.num_clients,
+ 'other': pytest.num_others,
+ }
+ },
+ ], config_class=QeConfig,)
+ mh.domain = mh.config.domains[0]
+ mh.master = mh.domain.hosts_by_role('master')
+ mh.atomic = mh.domain.hosts_by_role('atomic')
+ mh.replica = mh.domain.hosts_by_role('replica')
+ mh.client = mh.domain.hosts_by_role('client')
+ mh.others = mh.domain.hosts_by_role('other')
+
+ if pytest.num_ad > 0:
+ mh.domain_ad = mh.config.domains[1]
+ mh.ad = mh.domain_ad.hosts_by_role('ad')
+
+ yield mh
+
+
+@pytest.fixture(scope='session', autouse=True)
+def create_testdir(session_multihost, request):
+ config_dir_cmd = "mkdir -p %s" % (session_multihost.config.test_dir)
+ env_file_cmd = "touch %s/env.sh" % (session_multihost.config.test_dir)
+ rm_config_cmd = "rm -rf %s" % (session_multihost.config.test_dir)
+
+ for i in range(len(session_multihost.atomic)):
+
session_multihost.atomic[i].run_command(config_dir_cmd)
+ session_multihost.atomic[i].run_command(env_file_cmd)
+
+ for i in range(len(session_multihost.client)):
+ session_multihost.client[i].run_command(config_dir_cmd)
+ session_multihost.client[i].run_command(env_file_cmd)
+
+ for i in range(len(session_multihost.master)):
+ session_multihost.master[i].run_command(config_dir_cmd)
+ session_multihost.master[i].run_command(env_file_cmd)
+
+ for i in range(len(session_multihost.others)):
+ session_multihost.others[i].run_command(config_dir_cmd)
+ session_multihost.others[i].run_command(env_file_cmd)
+
+ for i in range(len(session_multihost.replica)):
+ session_multihost.replica[i].run_command(config_dir_cmd)
+ session_multihost.replica[i].run_command(env_file_cmd)
+
+ def remove_test_dir():
+
+ for i in range(len(session_multihost.atomic)):
+ session_multihost.atomic[i].run_command(rm_config_cmd)
+
+ for i in range(len(session_multihost.client)):
+ session_multihost.client[i].run_command(rm_config_cmd)
+
+ for i in range(len(session_multihost.master)):
+ session_multihost.master[i].run_command(rm_config_cmd)
+
+ for i in range(len(session_multihost.others)):
+ session_multihost.others[i].run_command(rm_config_cmd)
+
+ for i in range(len(session_multihost.replica)):
+ session_multihost.replica[i].run_command(rm_config_cmd)
+
+ request.addfinalizer(remove_test_dir)
--- sssd-2.2.2.orig/src/tests/python/sssd/testlib/common/utils.py
+++ sssd-2.2.2/src/tests/python/sssd/testlib/common/utils.py
@@ -0,0 +1,1056 @@ +""" This module defines classes regarding sssd tools, +AD Operations and LDAP Operations""" + +from __future__ import print_function +import os +import tempfile +import subprocess +import array +import random +import socket +import shlex +try: + import ConfigParser +except ImportError: + import configparser as ConfigParser +from subprocess import CalledProcessError +try: + from StringIO import StringIO +except ImportError: + from io import StringIO +import ldap +import ldif +import paramiko +from ldap import modlist +from .authconfig import RedHatAuthConfig +from .exceptions import PkiLibException +from .exceptions import LdapException +from .exceptions import SSSDException + + +PARAMIKO_VERSION = (int(paramiko.__version__.split('.')[0]), + int(paramiko.__version__.split('.')[1])) + + +class sssdTools(object): + """ Collection of assorted functions which is used in fixtures + + Attributes: + Host(obj: `Multihost object type`): Multihost Object + authbackup(str): Backup directory of authconfig + """ + def __init__(self, Host): + self.multihost = Host + self.authbackup = "/root/authconfig_backup" + + def update_resolv_conf(self, ip_addr): + """ Update /etc/resolv.conf with Windows AD IP address + + :param str ip_addr: IP Address to be added in resolv.conf + :return: None + """ + self.multihost.log.info("Taking backup of /etc/resolv.conf") + bkup_cmd = 'cp -f /etc/resolv.conf /etc/resolv.conf.bkup' + self.multihost.run_command(bkup_cmd, raiseonerr=False) + self.multihost.log.info("/etc/resolv.conf successfully backed up") + self.multihost.log.info("Add ip addr %s in resolv.conf" % ip_addr) + nameserver = 'nameserver %s\n' % ip_addr + resolv_conf = self.multihost.get_file_contents('/etc/resolv.conf') + if isinstance(resolv_conf, bytes): + contents = resolv_conf.decode('utf-8') + else: + contents = resolv_conf + contents = nameserver + contents.replace(nameserver, '') + self.multihost.put_file_contents('/etc/resolv.conf', contents) + + def 
config_authconfig(self, hostname, domainname):
+ """ Run authconfig to configure Kerberos and SSSD auth on remote host
+
+ :param str hostname: Hostname of server(AD) to
+ which client is configured to auth
+ :param domainname: domain name of IPA/AD
+ :return: None
+ :Exceptions: None
+ """
+ authconfig = RedHatAuthConfig(self.multihost)
+ self.multihost.log.info("Take backup of current authconfig")
+ authconfig.backup(self.authbackup)
+ self.multihost.run_command(['domainname'], raiseonerr=False)
+ authconfig.enable("sssd")
+ authconfig.enable("sssdauth")
+ authconfig.add_parameter("krb5kdc", hostname)
+ authconfig.add_parameter("krb5adminserver", hostname)
+ authconfig.add_parameter("krb5realm", domainname.upper())
+ authconfig.execute()
+
+ def restore_authconfig(self):
+ """ Restore the default authconfig """
+ authconfig = RedHatAuthConfig(self.multihost)
+ authconfig.restore(self.authbackup)
+
+ def config_smb_net_ads_join(self, domainname):
+ """ Configure smb.conf as Domain Member to Windows AD
+ :param str domainname: domain name of AD/IPA
+ :return: None
+ :Exception: None
+ """
+ workgroup_name = domainname.strip().split('.')[0].upper()
+ realm = domainname.strip().upper()
+ sambaconfig = ConfigParser.RawConfigParser()
+ sambaconfig.optionxform = str
+ sambaconfig.add_section('global')
+ sambaconfig.set("global", "workgroup", workgroup_name)
+ sambaconfig.set("global", "security", "ads")
+ sambaconfig.set("global", "realm", realm)
+ sambaconfig.set("global", "kerberos method", "secrets and keytab")
+ sambaconfig.set("global", "client signing", "yes")
+ sambaconfig.set("global", "client use spnego", "yes")
+ tmp_fd, tmp_file_path = tempfile.mkstemp(suffix='conf', prefix='smb')
+ with open(tmp_file_path, "w") as outfile:
+ sambaconfig.write(outfile)
+ self.multihost.transport.put_file(tmp_file_path, '/etc/samba/smb.conf')
+ os.close(tmp_fd)
+
+ def realm_join(self, domainname, admin_password,
+ client_software='sssd',
+ server_software='active-directory',
+ membership_software='adcli'):
+ """ Join system to AD/IPA Domain using realmOA
+ :param str domainname: domain name of AD/IPA
+ :param str admin_password: Administrator password required to join
+ :param str client_software: client software to be used (sssd/samba)
+ :param str server_software: server software (active-directory/ipa)
+ :param str membership_software: membership software (samba/adcli)
+ :Exception: Raises SSSDException
+ """
+
+ cmd = self.multihost.run_command(['realm', 'join', domainname,
+ '--client-software=%s' %
+ (client_software),
+ '--server-software=%s' %
+ (server_software),
+ '--membership-software=%s' %
+ (membership_software), '-v'],
+ stdin_text=admin_password,
+ raiseonerr=False)
+
+ if cmd.returncode != 0:
+ raise SSSDException("Error: %s" % cmd.stderr_text)
+
+ def realm_leave(self, domainname):
+ """ Leave system from AD/IPA Domain
+
+ :param str domainname: domain name of AD/IPA
+ :return bool: True if successfully dis-joined to AD/IPA
+ else raises Exception
+ :Exception: Raises SSSDException
+ """
+
+ cmd = self.multihost.run_command(['realm', 'leave',
+ domainname, '-v'],
+ raiseonerr=False)
+ if cmd.returncode != 0:
+ raise SSSDException("Error: %s", cmd.stderr_text)
+
+ def export_nfs_fs(self, path_list, nfs_client):
+ """ Add local file systems directories to /etc/exports
+
+ Todo: We are not checking if the directories added
+ to /etc/exports already exist.
+ :param str path_list: list of directories to be created
+ :param str nfs_client: hostname/ip-address of nfs client
+ :return bool: True if successfully added values in /etc/exports
+ :Exception: Raises exception(builtin) if not successfully added
+ """
+ self.multihost.transport.get_file('/etc/exports', '/tmp/exports')
+ for local_dir in path_list:
+ cmd = self.multihost.run_command(['mkdir', '-p', local_dir],
+ raiseonerr=False)
+ if cmd.returncode != 0:
+ raise SSSDException("fail to create %s directory" % local_dir)
+ exp_share = '{}{}{}{}'.format(local_dir, ' ', nfs_client,
+ '(rw,sync,fsid=0)')
+
+ with open('/tmp/exports', "a+") as outfile:
+ outfile.write(exp_share + "\n")
+ self.multihost.transport.put_file('/tmp/exports', '/etc/exports')
+ return True
+
+ def remove_sss_cache(self, cache_path):
+ """ Remove the sssd cache
+ :param str cache_path: The relative path of cache
+ :return bool: True if deletion and mkdir is successful
+ :Exception: Raises exception(builtin)
+ """
+ cmd = self.multihost.run_command(['ls', cache_path], raiseonerr=False)
+ if cmd.returncode == 0:
+ db_list = cmd.stdout_text.split()
+ # for index in range(len(db_list)):
+ for index in enumerate(db_list):
+ # sss_db = db_list[index]
+ sss_db = index[1]
+ relative_path = '{}/{}'.format(cache_path, sss_db)
+ rm_file = self.multihost.run_command(['rm', '-f',
+ relative_path],
+ raiseonerr=False)
+ if rm_file.returncode != 0:
+ raise SSSDException("Error: %s", cmd.stderr_text)
+ else:
+ print("Successfully deleted %s" % (relative_path))
+ else:
+ raise SSSDException('%s path not found' % cache_path)
+ return True
+
+ def domain_from_suffix(self, suffix):
+ """ Domain name from the suffix
+ :param suffix: The suffix of 389 RHDS instance
+ :return: domain name in upper case
+ :Exception: Raises exception(builtin)
+ """
+ if suffix is None:
+ raise Exception("Error: suffix should be passed")
+ else:
+ l1 = suffix.split("dc=")
+ elist = []
+ for i in l1:
+ d1 = i.strip(',')
+
elist.append(d1) + str1 = '.'.join(elist) + l_domain = str1.lstrip('.') + u_domain = l_domain.upper() + return u_domain + + def delete_sssd_domain_log(self, domainname): + """ Remove the sssd domain log + + :param str cache_path: domain name from default configuration file + :return bool: True if deletion is successful + :Exception: Raises exception(builtin) + """ + path = ("/var/log/sssd/sssd_%s.log" % domainname) + cmd = self.multihost.run_command(['rm', '-rf', path], raiseonerr=False) + if cmd.returncode != 0: + raise SSSDException("Error: %s", cmd.stderr_text) + else: + return True + + def get_ad_user_info(self, username, ad_host): + """ Get the ad user information through 'net ads dn' command + + :param str username: The name of ad user + :param str ad_host: Host of active directory + :return bool: True is command is successful + :return: output of command + :Exception: Raises exception(builtin) + """ + user_dn = "CN=%s,CN=Users,%s" % (username, ad_host.domain_basedn_entry) + cmd = self.multihost.run_command(['net', 'ads', 'dn', user_dn], + raiseonerr=False) + if cmd.returncode != 0: + raise SSSDException("Error: %s", cmd.stderr_text) + else: + return(True, cmd.stdout_text) + + def auth_from_client(self, username, password): + """ ssh to user from client environment + :param str username: The name of user + :param str password: Login password of user + :return: exit status + if timeout the return status is 0 + if user successfully login then return status is 3 + if not then return status is 10 + """ + expect_script = 'spawn ssh -o NumberOfPasswordPrompts=1 ' \ + '-o StrictHostKeyChecking=no '\ + '-o UserKnownHostsFile=/dev/null ' \ + '-l ' + username + ' localhost whoami' + '\n' + expect_script += 'expect "*assword: "\n' + expect_script += 'send "' + password + '\r"\n' + expect_script += 'sleep 30 \n' + expect_script += 'expect {\n' + expect_script += '\ttimeout { set result_code 0 }\n' + expect_script += '\t"' + username + '" { set result_code 3 }\n' + 
expect_script += '\teof {}\n' + expect_script += '\t"Permission denied " { set result_code 10 }\n' + expect_script += '}\n' + expect_script += 'exit $result_code\n' + print(expect_script) + randtag = ''.join(random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') + for _ in range(10)) + exp_file = "/tmp/qe_pytest_expect_file" + randtag + self.multihost.put_file_contents(exp_file, expect_script) + print(("remote side expect script filename: %s") % exp_file) + + # Next run expect + cmd = self.multihost.run_command(['expect', '-f', exp_file], + raiseonerr=False) + print("----expect output start----") + print(cmd.stdout_text) + print(cmd.stderr_text) + print("----expect output end----") + return cmd.returncode + + def config_etckrb5(self, realm, krb5_server=None): + """ Configure /etc/krb5.conf with realm specified + :param str realm: Kerberos realm + :param krb5_server: kerberos server + :return: None + :Exception: Raise exception(builtin) + """ + if krb5_server is None: + krb5_server = self.multihost.sys_hostname + if realm is None: + raise SSSDException("Error: realm should be passed") + else: + realm_def = ("{\n" + "kdc = %s\n" + "admin_server = %s\n" + "}") % (krb5_server, krb5_server) + krb5config = ConfigParser.RawConfigParser() + krb5config.optionxform = str + krb5config.add_section('logging') + krb5config.set("logging", "default", "FILE:/var/log/krb5libs.log") + krb5config.set("logging", "kdc", "FILE:/var/log/krb5kdc.log") + krb5config.set("logging", "admin_server", + "FILE:/var/log/kadmind.log") + krb5config.add_section('libdefaults') + krb5config.set("libdefaults", "ticket_lifetime", "3600") + krb5config.set("libdefaults", "default_realm", realm.upper()) + krb5config.set("libdefaults", "dns_lookup_realm", "false") + krb5config.set("libdefaults", "dns_lookup_kdc", "false") + krb5config.set("libdefaults", "forwardable", "true") + krb5config.set("libdefaults", "rdns", "false") + krb5config.add_section("realms") + krb5config.set("realms", "realm", realm_def) + 
krb5config.add_section("domain_realm")
+ krb5config.set("domain_realm", realm.lower(), realm.upper())
+ krb5config.set("domain_realm", ".%s" % (realm.lower()),
+ realm.upper())
+ krb5config.add_section("appdefaults")
+ krb5config.set("appdefaults", "validate", "true")
+ krb5config.add_section("kdc")
+ krb5config.set("kdc", "profile", "/var/kerberos/krb5kdc/kdc.conf")
+ krb5config.add_section("pam")
+ krb5config.set("pam", "debug", "false")
+ krb5config.set("pam", "ticket_lifetime", "3600")
+ krb5config.set("pam", "renew_lifetime", "3600")
+ krb5config.set("pam", "forwardable", "true")
+ temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf',
+ prefix='krb5conf')
+ with open(temp_file_path, "w") as outfile:
+ krb5config.write(outfile)
+ self.multihost.run_command(['cp', '-f', '/etc/krb5.conf',
+ '/etc/krb5.conf.orig'])
+ self.multihost.transport.put_file(temp_file_path, '/etc/krb5.conf')
+ os.close(temp_fd)
+
+ def enable_kcm(self):
+ """ Enable kcm
+ :param: None
+ :Return: None
+ :Exception: Raise SSSDException
+ """
+ self.multihost.transport.get_file('/etc/krb5.conf', '/tmp/krb5.conf')
+ str1 = 'includedir /var/lib/sss/pubconf/krb5.include.d/'
+ str2 = 'includedir /etc/krb5.conf.d/'
+ with open('/tmp/krb5.conf', 'r') as krb_org_file:
+ with open('/tmp/krb5.conf.kcm', 'w+') as krb_new_file:
+ krb_new_file.write(str1)
+ krb_new_file.write('\n')
+ krb_new_file.write(str2)
+ krb_new_file.write('\n')
+ krb_new_file.write('\n')
+ krb_new_file.write(krb_org_file.read())
+ backup_krb5_conf = 'cp -f /etc/krb5.conf /etc/krb5.conf.orig'
+ self.multihost.run_command(backup_krb5_conf)
+ self.multihost.transport.put_file('/tmp/krb5.conf.kcm',
+ '/etc/krb5.conf')
+ enable_sssd_kcm_socket = 'systemctl enable sssd-kcm.socket'
+ cmd = self.multihost.run_command(enable_sssd_kcm_socket,
+ raiseonerr=False)
+ symlink = '/etc/systemd/system/sockets.target.wants/sssd-kcm.socket'
+ try:
+ self.multihost.run_command(['ls', '-l', symlink])
+ except subprocess.CalledProcessError:
+
self.multihost.log.info("kcm socket not enabled")
+ raise SSSDException("kcm socket not enabled")
+ start_ssd_kcm_socket = 'systemctl start sssd-kcm.socket'
+ cmd = self.multihost.run_command(start_ssd_kcm_socket,
+ raiseonerr=False)
+ if cmd.returncode != 0:
+ raise SSSDException("sssd-kcm.socket service not started")
+ enable_kcm_service = 'systemctl enable sssd-kcm.service'
+ cmd = self.multihost.run_command(enable_kcm_service,
+ raiseonerr=False)
+ symlink = '/etc/systemd/system/sockets.target.wants/sssd-kcm.socket'
+ if cmd.returncode != 0:
+ raise SSSDException("sssd-kcm.service not enabled")
+ try:
+ self.multihost.run_command(['ls', '-l', symlink])
+ except subprocess.CalledProcessError:
+ self.multihost.log.info("kcm socket not enabled")
+ raise SSSDException("kcm socket not enabled")
+
+
+class LdapOperations(object):
+ """
+ LDapOperations consists of functions related to ldap operations, like
+ adding entry, adding a DN, modifying DN, search entries.
+
+ Attributes:
+ uri(str): ldap server uri(ldap(s):///
+ binddn(str): Binddn required to bind
+ bindpw(str): Bind password
+ conn: ldap bind object (already initialized)
+ """
+
+ def __init__(self, uri, binddn, bindpw, port=None):
+ self.uri = uri if not port else '%s:%s' % (uri, port)
+ self.binddn = binddn
+ self.bindpw = bindpw
+ self.conn = ldap.initialize(uri)
+ self.conn = self.bind()
+
+ def bind(self):
+ """ Bind to ldap server
+ :param: None
+ :return: None
+ :Exceptions: None
+ """
+ try:
+ self.conn.simple_bind_s(self.binddn, self.bindpw)
+ except ldap.SERVER_DOWN as err:
+ return self._parseException(err)
+ except ldap.INVALID_CREDENTIALS as err:
+ return self._parseException(err)
+ else:
+ return self.conn
+
+ def add_entry(self, entry, ldap_dn):
+ """ Add an entry to ldap server
+ :param dict entry: attributes/objectclass to be added to dn
+ :param str dn: Entry dn to be added
+ """
+ print("Adding entry: %s" % (ldap_dn))
+ ldif = modlist.addModlist(entry)
+ try:
+ self.conn.add_s(ldap_dn,
ldif)
+ except:
+ raise
+ else:
+ return "Success", True
+
+ def _parseException(self, err):
+ """ Parsing Exception """
+ return_value = False
+ return err, return_value
+
+ def del_dn(self, ldap_dn):
+ """Delete dn
+ :param str ldap_dn: DN to be deleted
+ :return tupele: "Success", return_value
+ :Exception: ldap exception
+ """
+ try:
+ ret = self.conn.delete(ldap_dn)
+ except:
+ raise
+ else:
+ return "Success", ret
+
+ def search(self, basedn, criteria, attributes, scope=ldap.SCOPE_SUBTREE):
+ """ Search ldap server and return results
+
+ :param str base: basedn of ldap server
+ :param str criteria: Search criteria(ex:
+ "(&(objectClass=user)(sAMAccountName=Administrator))"
+ :param str attributes: Attributes to be returned in the result
+ :scope obj : scope to be used when search default:
+ ldap.SCOPE_SUBTREE
+ :return tuple: Success/Fail, bool(True,False)
+ """
+
+ self.conn.set_option(ldap.OPT_REFERRALS, 0)
+ result = self.conn.search_s(basedn, ldap.SCOPE_SUBTREE,
+ criteria, attributes)
+ result_set = [entry for _, entry in result if isinstance(entry, dict)]
+ return result_set
+
+ def modify_ldap(self, ldap_dn, modify_list):
+ """ Modify ldap dn """
+ try:
+ self.conn.modify_s(ldap_dn, modify_list)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ return "Fail", False
+ except ldap.NO_SUCH_OBJECT as err:
+ return self._parseException(err)
+ except ldap.OBJECT_CLASS_VIOLATION as err:
+ return self._parseException(err)
+ except ldap.TYPE_OR_VALUE_EXISTS as err:
+ return self._parseException(err)
+ except ldap.UNWILLING_TO_PERFORM:
+ return self._parseException(err)
+ else:
+ return 'Success', True
+
+ def posix_user(self, org_unit, basedn, user_attr):
+ """ Add POSIX Users
+ :param str ou: Organizational unit (ou=Users)
+ :param str basedn: Base dn ('dc=example,dc=test')
+ :param dict user_attr: Entry attributes
+ :Return bool: Return True
+ :Exception: Raise SSSDException if unable to add user
+ """
+ common_name = user_attr['cn']
+ uid = user_attr['uid']
+ uidnumber =
user_attr['uidNumber']
+ gidnumber = user_attr['gidNumber']
+ try:
+ surname = user_attr['sn']
+ except KeyError:
+ surname = common_name
+ try:
+ shell = user_attr['loginShell']
+ except KeyError:
+ shell = '/bin/bash'
+ try:
+ password = user_attr['userPassword']
+ except KeyError:
+ password = 'Secret123'
+ try:
+ home_directory = user_attr['homeDirectory']
+ except KeyError:
+ home_directory = '/home/%s' % (uid)
+ try:
+ mail = user_attr['mail']
+ except KeyError:
+ mail = '%s@example.test' % (uid)
+ try:
+ gecos = user_attr['gecos']
+ except KeyError:
+ gecos = '%s User' % common_name
+ try:
+ location = user_attr['location']
+ except KeyError:
+ location = 'US'
+
+ attr = {
+ 'objectClass': [b'top', b'posixAccount', b'inetOrgPerson'],
+ 'cn': common_name.encode('utf-8'), 'uid': uid.encode('utf-8'),
+ 'sn': surname.encode('utf-8'), 'loginShell': shell.encode('utf-8'),
+ 'homeDirectory': home_directory.encode('utf-8'),
+ 'uidNumber': uidnumber.encode('utf-8'),
+ 'gidNumber': gidnumber.encode('utf-8'),
+ 'userPassword': password.encode('utf-8'),
+ 'mail': mail.encode('utf-8'), 'gecos': gecos.encode('utf-8'),
+ 'l': location.encode('utf-8')}
+
+ user_dn = 'uid=%s,%s,%s' % (uid, org_unit, basedn)
+ (ret, _) = self.add_entry(attr, user_dn)
+ if ret == 'Success':
+ return True
+ else:
+ raise LdapException('Unable to add User to ldap')
+
+ def posix_group(self, org_unit, basedn, group_attr, memberUid=False):
+ """ Add POSIX group
+ :param str ou: Organizational unit (ou=Groups)
+ :param str basedn: Base dn ('dc=example,dc=test')
+ :param dict group_attr: Entry attributes
+ :param memberUid: set by default to false, True when
+ posix group add with memberUid
+ :Return bool: Return True
+ :Exception: Raise LdapException if unable to add user
+ """
+ attr = {}
+ group_cn = group_attr['cn']
+ gidnumber = group_attr['gidNumber']
+ if memberUid:
+ member_uid = group_attr['memberUid']
+ objectClass = [b'posixGroup', b'top']
+ attr['memberUid'] = member_uid.encode('utf-8')
+ else:
+ member_dn = group_attr['uniqueMember']
+ objectClass = [b'posixGroup', b'top', b'groupOfUniqueNames']
+ attr['uniqueMember'] = member_dn.encode('utf-8')
+ user_password = '{crypt}x'
+ attr['objectClass'] = objectClass
+ attr['gidNumber'] = gidnumber.encode('utf-8')
+ attr['cn'] = group_cn.encode('utf-8')
+ attr['userPassword'] = user_password.encode('utf-8')
+ group_dn = 'cn=%s,%s,%s' % (group_cn, org_unit, basedn)
+ (ret, _) = self.add_entry(attr, group_dn)
+ if ret != 'Success':
+ raise LdapException('Unable to add group to ldap')
+
+ def org_unit(self, org_unit, basedn):
+ """ Add Organizational Unit
+ :param str ou: Organizational unit name
+ :param str basedn: Base dn ('dc=example,dc=test')
+ :Exception: Raise LdapException if unable to organizational
+ """
+ attr = {
+ 'objectClass': [b'top', b'organizationalUnit'],
+ 'ou': org_unit.encode('utf-8')}
+ org_dn = 'ou=%s,%s' % (org_unit, basedn)
+ try:
+ (ret, _) = self.add_entry(attr, org_dn)
+ except ldap.ALREADY_EXISTS:
+ ret = 'Success'
+
+ if ret != 'Success':
+ raise LdapException('Unable to add organizational unit to ldap')
+
+ def add_sudo_rule(self, ruledn, sudoHost,
+ sudoCommand, sudoUser, sudoOption=None):
+ """ Add Sudo rules in Directory Server
+ parm str ruledn: sudo rule DN
+ param str sudoHost: Host on which sudo command should run
+ param str sudoCommand: Command to run with sudo
+ param str sudoUser: Posix user name
+ param list sudoOption: options like requiretty,authenticate
+ """
+ rulename = ruledn.split(',')[0].split('=')[1]
+ sudo_attr = {
+ 'objectClass': [b'top', b'sudoRole'],
+ 'cn': rulename.encode('utf-8'),
+ 'sudoHost': sudoHost.encode('utf-8'),
+ 'sudoCommand': sudoCommand.encode('utf-8'),
+ 'sudoUser': sudoUser.encode('utf-8')}
+ (ret, _) = self.add_entry(sudo_attr, ruledn)
+
+ if ret != 'Success':
+ raise LdapException("Unable to add sudo rule %s" % ruledn)
+ if sudoOption:
+ for option in sudoOption:
+ mod = [(ldap.MOD_ADD, 'sudoOption', option.encode('utf-8'))]
+ (_,
_) = self.modify_ldap(ruledn, mod)
+
+ def enable_autofs_schema(self, basedn):
+ """ Enable autofs schema
+
+ :param str basedn: base dn of the ldap server
+ :return: None
+ :Exceptions: None
+ """
+
+ autofs_schema = ("""
+dn: ou=automount,%s
+ou: automount
+objectClass: organizationalUnit
+
+dn: CN=auto.master,OU=automount,%s
+objectClass: top
+objectClass: nisMap
+cn: auto.master
+nisMapName: auto.master
+
+dn: cn=/-,cn=auto.master,ou=automount,%s
+objectClass: nisObject
+objectClass: top
+cn: /-
+nisMapEntry: auto.direct
+nisMapName: auto.master
+
+dn: cn=/home,cn=auto.master,ou=automount,%s
+objectClass: nisObject
+objectClass: top
+cn: /home
+nisMapEntry: auto.home
+nisMapName: auto.master
+
+dn: cn=auto.direct,ou=automount,%s
+objectClass: nisMap
+objectClass: top
+cn: auto.direct
+nisMapName: auto.direct
+
+dn: cn=auto.home,ou=automount,%s
+objectClass: nisMap
+objectClass: top
+nisMapName: auto.home""") % (basedn, basedn, basedn, basedn, basedn, basedn)
+ ldif_file = StringIO(autofs_schema)
+ parser = ldif.LDIFRecordList(ldif_file)
+ parser.parse()
+
+ for ldap_dn, entry in parser.all_records:
+ self.add_entry(entry, ldap_dn)
+
+
+class PkiTools(object):
+ """
+ PkiTools consists of functions related to creation of
+ certificate requests, updating profile XML with certificate
+ requests.
"""
+
+ def __init__(self, nssdir=None, nssdir_pwd=None):
+
+ if nssdir is None:
+ self.nssdb = tempfile.mkdtemp('nssdir')
+ else:
+ self.nssdb = nssdir
+ if nssdir_pwd is None:
+ self.nssdb_pwd = 'Secret123'
+ else:
+ self.nssdb_pwd = nssdir_pwd
+ self.pwdfilename = 'pwfile'
+ self.noisefilename = 'noiseFile'
+ self.pwdfilepath = os.path.join(self.nssdb, self.pwdfilename)
+ self.noise = array.array('B', os.urandom(128))
+ self.noisefilepath = os.path.join(self.nssdb, self.noisefilename)
+
+ def create_nssdb(self):
+ """
+ Create a NSS Database on a temporary Directory
+
+ :return:
+ str nssdb: path of the NSS DB Directory
+ """
+ with open(self.pwdfilepath, 'w') as outfile:
+ outfile.write(self.nssdb_pwd)
+ certutil_cmd = 'certutil -N -d %s -f %s' % (self.nssdb,
+ self.pwdfilepath)
+ _, _, ret = self.execute(shlex.split(certutil_cmd))
+ if ret != 0:
+ raise PkiLibException('Could not setup NSS DB on %s' % self.nssdb)
+ else:
+ return self.nssdb
+
+ def execute(self,
+ args,
+ stdin=None,
+ capture_output=True,
+ raiseonerr=False,
+ env=None,
+ cwd=None):
+ """
+ Execute a command and return stdout, stderr and return code
+
+ :param str args: List of arguments for the command
+ :param str stdin: Optional input
+ :param bool: capture_output: Capture output of the command
+ (default True)
+ :param bool raiseonerr: Raise exception if command fails
+ :param str env: Env variables to be set before the command is run
+ :param str cwd: Current working Directory
+
+ :return stdout, stderr and returncode: if command return code is 0
+ :Exception: raises subprocess.CalledProcessError Exception
+ """
+
+ p_in = None
+ p_out = None
+ p_err = None
+ if env is None:
+ env = os.environ.copy()
+ if capture_output:
+ p_out = subprocess.PIPE
+ p_err = subprocess.PIPE
+ try:
+ proc = subprocess.Popen(args, stdin=p_in, stdout=p_out,
+ stderr=p_err, close_fds=True,
+ env=env, cwd=cwd)
+ stdout, stderr = proc.communicate(stdin)
+ except KeyboardInterrupt:
+ proc.wait()
+ raise
+ if
proc.returncode != 0 and raiseonerr:
+ raise subprocess.CalledProcessError(proc.returncode, args, stdout)
+ else:
+ return (stdout, stderr, proc.returncode)
+
+ def createselfsignedcerts(self,
+ serverlist,
+ ca_dn=None,
+ passphrase='Secret123',
+ canickname='ExampleCA'):
+ """
+ Creates a NSS DB in /tmp/nssDirxxxx where self signed Root CA
+ and Server Certs are created
+
+ :param str CA_DN: Distinguished Name for CA Cert
+ :param str Server_DN: Distinguished Name for Server Cert
+ """
+ if ca_dn is None:
+ ca_dn = 'CN=ExampleCA,O=Example,L=Raleigh,C=US'
+ nss_passphrase = passphrase
+ pin_filename = 'pin.txt'
+ nss_dir = self.create_nssdb()
+ pin_filepath = os.path.join(nss_dir, pin_filename)
+ ca_pempath = os.path.join(nss_dir, 'cacert.pem')
+ server_pempath = os.path.join(nss_dir, 'server.pem')
+ ca_p12_path = os.path.join(nss_dir, 'ca.p12')
+ server_p12_path = os.path.join(nss_dir, 'server.p12')
+ with open(self.noisefilepath, 'w') as outfile:
+ outfile.write(str(self.noise))
+ ca_args = 'certutil -d %s -f %s -S -n "%s" -s %s' \
+ ' -t "CT,," -x -z %s' % (nss_dir, self.pwdfilepath,
+ canickname, ca_dn,
+ self.noisefilepath)
+
+ ca_pem = 'certutil -d %s -f %s -L -n "%s"' \
+ ' -a -o %s' % (nss_dir, self.pwdfilepath,
+ canickname, ca_pempath)
+ with open(pin_filepath, 'w') as outfile:
+ outfile.write('Internal (Software) Token:%s' % nss_passphrase)
+ _, _, return_code = self.execute(shlex.split(ca_args))
+ if return_code != 0:
+ raise PkiLibException('Could not create Self signed CA Cert')
+ else:
+ self.execute(shlex.split(ca_pem))
+
+ for server in serverlist:
+ server_cn = 'CN=%s' % (server)
+ server_nickname = 'Server-Cert-%s' % (server)
+ server_pem = 'certutil -d %s -f %s -L '\
+ '-n "%s" -a -o %s' % (nss_dir,
+ self.pwdfilepath,
+ server_nickname,
+ server_pempath)
+ rand_var = str(random.randint(1000, 2000))
+ server_args = 'certutil -d %s -f %s -S -n "%s" -s %s -c "%s"'\
+ ' -t u,u,u -v 720 -m %s -z %s' % (nss_dir,
+ self.pwdfilepath,
+
server_nickname,
+ server_cn,
+ canickname,
+ rand_var,
+ self.noisefilepath)
+ _, _, return_code = self.execute(shlex.split(server_args))
+ if return_code != 0:
+ raise PkiLibException('Could not create Server-Cert')
+ else:
+ _, _, return_code = self.execute(shlex.split(server_pem))
+ if return_code != 0:
+ raise PkiLibException('Could not create Server pem file')
+ export_ca_p12 = 'pk12util -d %s -o %s -n "%s"'\
+ ' -k %s -w %s' % (nss_dir, ca_p12_path,
+ canickname, self.pwdfilepath,
+ self.pwdfilepath)
+ _, _, return_code = self.execute(shlex.split(export_ca_p12))
+ export_svr_p12 = 'pk12util -d %s -o %s -n %s'\
+ ' -k %s -w %s' % (nss_dir, server_p12_path,
+ server_nickname,
+ self.pwdfilepath,
+ self.pwdfilepath)
+ _, _, return_code = self.execute(shlex.split(export_svr_p12))
+ return nss_dir
+
+
+class ADOperations(object):
+ """
+ ADOperations class consists of methods related to managing AD User With
+ Unix properties.
+ """
+
+ def __init__(self, ad_host):
+ self.ad_host = ad_host
+ self.ad_uri = 'ldap://%s' % ad_host.external_hostname
+ host_domain_basedn_entry = self.ad_host.domain_basedn_entry
+ self.ad_users_dn_entry = '{},{}'.format('CN=Users',
+ host_domain_basedn_entry)
+ self.ad_dn = 'CN={},{}'.format("Administrator", self.ad_users_dn_entry)
+ self.ad_admin_passwd = self.ad_host.ssh_password
+ cmd = ['powershell.exe',
+ '-inputformat',
+ 'none',
+ '-noprofile',
+ '(Get-ADDomain -Current LocalComputer).NetBIOSName']
+ self._ad_netbionsname = self.ad_host.run_command(cmd).stdout_text
+
+ def ad_conn(self):
+ """ Create a LDAP Connection with AD
+
+ :param None
+ :Return obj: Object of LdapOperations
+ :Exceptions: None
+ """
+
+ ad_conn_inst = LdapOperations(self.ad_uri, self.ad_dn,
+ self.ad_admin_passwd)
+ return ad_conn_inst
+
+ def create_ad_unix_user_group(self, username, groupname,
+ password='Secret123'):
+ """ Create a AD User with Unix Attributes
+
+ :param str username: AD User Name
+ :param str groupname: AD Group Name
+ :param str
password: User password (default: Secret123) + :Return bool: if user/group added correctly return True else False + :Exceptions: False + """ + + uid = random.randint(9999, 999999) + user_dn = "CN=%s,%s" % (username, self.ad_users_dn_entry) + group_dn = "CN=%s,%s" % (groupname, self.ad_users_dn_entry) + cmd = self.ad_host.run_command(['dsadd.exe', 'user', user_dn, '-samid', + username, '-pwd', password]) + cmd = self.ad_host.run_command(['dsadd.exe', 'group', group_dn]) + cmd = self.ad_host.run_command(['dsmod', 'group', group_dn, '-addmbr', + user_dn]) + ad_conn_inst = self.ad_conn() + if cmd.returncode == 0: + mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', + self.ad_netbiosname.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'uidNumber', str(uid).encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(uid).encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'unixHomeDirectory', + b'/home/%s' % (username))] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'loginShell', '/bin/bash')] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', username.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', + self.ad_netbiosname.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(uid).encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', groupname.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + else: + return False + return True + + def create_ad_unix_group(self, groupname): + """ Create AD Group with UNIX Attributes + + :param str groupname: Windows AD Group name + :Return bool : True if AD group was created with Unix Attributes + :Exception: 
None + """ + + gid = random.randint(9999, 999999) + group_dn = "CN=%s,%s" % (groupname, self.ad_users_dn_entry) + cmd = self.ad_host.run_command(['dsadd.exe', 'group', group_dn]) + ad_conn_inst = self.ad_conn() + if cmd.returncode == 0: + mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', + self.ad_netbiosname.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(gid).encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', groupname.encode('utf-8'))] + (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn) + else: + return False + return True + + def delete_ad_user_group(self, user_group): + """ Delete AD user + + :param str user_group: User or Group Name to be deleted + :Return bool: True if delete is successful else false + :Exceptions: None + """ + + ad_entry = 'CN=%s,%s' % (user_group, self.ad_users_dn_entry) + try: + self.ad_host.run_command(['dsrm.exe', ad_entry, '-noprompt']) + except CalledProcessError: + return False + else: + return True + + def add_user_member_of_group(self, group, user): + """ Add user member of a group + + :param str group: Name of Windows AD Group + :param str user: Name of Windows AD user + :Return bool: True if user is added as member to group + :Exceptions: None + """ + + group_dn = 'CN=%s,%s' % (group, self.ad_users_dn_entry) + user_dn = 'CN=%s,%s' % (user, self.ad_users_dn_entry) + try: + self.ad_host.run_command(['dsmod', 'group', group_dn, '-addmbr', + user_dn]) + except CalledProcessError: + return False + else: + return True + + def remove_user_from_group(self, group, user): + """ Remove User from Group membership + + :param str group: Name of Windows AD Group + :param str user: Name of Windows AD user + :Return bool: True if user is removed from group else False + :Exceptions: None + """ + + group_dn = 'CN=%s,%s' % (group, self.ad_users_dn_entry) + user_dn = 'CN=%s,%s' % (user, self.ad_users_dn_entry) + try: + 
self.ad_host.run_command(['dsmod', 'group', group_dn, '-rmmbr', + user_dn]) + except CalledProcessError: + return False + return True + + +class SSHClient(paramiko.SSHClient): + """ This class Inherits paramiko.SSHClient and implements + client.exec_commands channel.exec_command """ + + def __init__(self, hostname=None, port=None, username=None, password=None): + """ Initialize connection to Remote Host using Paramiko SSHClient. + Can be initialized with hostname, port, username and password. + """ + self.hostname = hostname + self.username = username + self.password = password + + if port is None: + self.port = 22 + else: + self.port = port + + paramiko.SSHClient.__init__(self) + self.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + try: + self.connect(self.hostname, port=self.port, + username=self.username, + password=self.password, + timeout=30, allow_agent=False, look_for_keys=False) + except (paramiko.AuthenticationException, + paramiko.SSHException, + socket.error): + raise + + def execute_cmd(self, args, stdin=None): + """ This Function executes commands using SSHClient.exec_commands(). + :param str args: actual command to run + :param str stdin: stdin for the command + :Return tuple: stdin stdout stderr + :Exception: paramiko.SSHException + """ + if PARAMIKO_VERSION >= (1, 15, 0): + try: + std_in, std_out, std_err = self.exec_command(args, timeout=30) + except paramiko.SSHException: + raise + else: + if stdin: + std_in.write("%s\n" % (stdin)) + std_in.flush() + exit_status = std_out.channel.recv_exit_status() + return std_out, std_err, exit_status + else: + try: + std_in, std_out, std_err = self.exec_command(args) + except paramiko.SSHException: + raise + else: + if stdin: + std_in.write("%s\n" % (stdin)) + std_in.flush() + exit_status = std_out.channel.recv_exit_status() + return std_out, std_err, exit_status --- sssd-2.2.2.orig/src/tests/python/sssd/testlib/etc/pylintrc +++ sssd-2.2.2/src/tests/python/sssd/testlib/etc/pylintrc 
@@ -0,0 +1,384 @@
+[MASTER]
+
+# Specify a configuration file.
+#rcfile=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=CVS
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Use multiple processes to speed up Pylint.
+jobs=1
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code
+extension-pkg-whitelist=
+
+# Allow optimization of some AST trees. This will activate a peephole AST
+# optimizer, which will apply various small optimizations. For instance, it can
+# be used to obtain the result of joining multiple strings with the addition
+# operator. Joining a lot of strings can lead to a maximum recursion error in
+# Pylint and this flag can prevent that. It has one side effect, the resulting
+# AST will be different than the one from reality.
+optimize-ast=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
+confidence=
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time. See also the "--disable" option for examples.
+#enable=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once).You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use"--disable=all --enable=classes
+# --disable=W"
+disable=R0201,R0903,E1123,W0621,E1121
+# IdM-QE skipping:
+# # R0201: Method could be a function
+# # R0903: Too few public methods
+# # E1123: These are needed for defining how the multihost plugin fixtures work.
+# # W0621: This is a method in pytest of defining the fixtures used by a function and we need it.
+# # E1121: Using the calls as described on pytest docs but, it's red flagged here.
+#disable=import-star-module-level,old-octal-literal,oct-method,print-statement,unpacking-in-except,parameter-unpacking,backtick,old-raise-syntax,old-ne-operator,long-suffix,dict-view-method,dict-iter-method,metaclass-assignment,next-method-called,raising-string,indexing-exception,raw_input-builtin,long-builtin,file-builtin,execfile-builtin,coerce-builtin,cmp-builtin,buffer-builtin,basestring-builtin,apply-builtin,filter-builtin-not-iterating,using-cmp-argument,useless-suppression,range-builtin-not-iterating,suppressed-message,no-absolute-import,old-division,cmp-method,reload-builtin,zip-builtin-not-iterating,intern-builtin,unichr-builtin,reduce-builtin,standarderror-builtin,unicode-builtin,xrange-builtin,coerce-method,delslice-method,getslice-method,setslice-method,input-builtin,round-builtin,hex-method,nonzero-method,map-builtin-not-iterating
+
+[REPORTS]
+
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html. You can also give a reporter class, e.g.
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Put messages in a separate file for each module / package specified on the
+# command line instead of printing them on stdout. Reports (if any) will be
+# written in a file name "pylint_global.[txt|html]".
+files-output=no
+
+# Tells whether to display a full report or only the messages
+reports=yes
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
+
+
+[TYPECHECK]
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# List of classes names for which member attributes should not be checked
+# (useful for classes with attributes dynamically set). This supports can work
+# with qualified names.
+ignored-classes=pytest
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+
+[BASIC]
+
+# List of built-in function names that should not be used, separated by a comma
+bad-functions=map,filter,input
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=i,j,k,ex,Run,_
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,bar,baz,toto,tutu,tata
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# Regular expression matching correct function names
+function-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for function names
+function-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct variable names
+variable-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for variable names
+variable-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct constant names
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Naming hint for constant names
+const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Regular expression matching correct attribute names
+attr-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for attribute names
+attr-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct argument names
+argument-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for argument names
+argument-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct class attribute names
+class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Naming hint for class attribute names
+class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Regular expression matching correct inline iteration names
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+
+# Naming hint for inline iteration names
+inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
+
+# Regular expression matching correct class names
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+
+# Naming hint for class names
+class-name-hint=[A-Z_][a-zA-Z0-9]+$
+
+# Regular expression matching correct module names
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Naming hint for module names
+module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Regular expression matching correct method names
+method-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for method names
+method-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+
+[ELIF]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+
+[SIMILARITIES]
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=no
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging
+
+
+[VARIABLES]
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=_$|dummy
+
+# List of additional names supposed to be defined in built-ins. Remember that
+# you should avoid to define new built-ins when possible.
+additional-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,_cb
+
+
+[FORMAT]
+
+# Maximum number of characters on a single line.
+max-line-length=120
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )??$
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+# List of optional constructs for which whitespace checking is disabled. `dict-
+# separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}.
+# `trailing-comma` allows a space between comma and closing bracket: (a, ).
+# `empty-line` allows space-only lines.
+no-space-check=trailing-comma,dict-separator
+
+# Maximum number of lines in a module
+max-module-lines=1000
+
+# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
+# tab).
+indent-string=' '
+
+# Number of spaces of indent required inside a hanging or continued line.
+indent-after-paren=4
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+
+[SPELLING]
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package.
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,XXX,TODO
+
+
+[IMPORTS]
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,TERMIOS,Bastion,rexec
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+
+[DESIGN]
+
+# Maximum number of arguments for function / method
+max-args=5
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore
+ignored-argument-names=_.*
+
+# Maximum number of locals for function / method body
+max-locals=15
+
+# Maximum number of return / yield for function / method body
+max-returns=6
+
+# Maximum number of branch for function / method body
+max-branches=12
+
+# Maximum number of statements in function / method body
+max-statements=99
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of Boolean expressions in an if statement
+max-bool-expr=5
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,__new__,setUp
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,_fields,_replace,_source,_make
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught.
Defaults to +# "Exception" +overgeneral-exceptions=Exception --- sssd-2.2.2.orig/src/tests/sbus_codegen_tests.xml +++ sssd-2.2.2/src/tests/sbus_codegen_tests.xml @@ -0,0 +1,150 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + --- sssd-2.2.2.orig/zanata.xml +++ sssd-2.2.2/zanata.xml @@ -0,0 +1,11 @@ + + + https://fedora.zanata.org/ + sssd + master + gettext + . + . + po/*.pot,src/man/po/*.pot + +
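Review bot: The `disable=R0201,R0903,E1123,W0621,E1121` line under `[MESSAGES CONTROL]` in pylintrc switches off two error-class checks, E1123 (unexpected-keyword-arg) and E1121 (too-many-function-args), for every module linted with this file, so a mistyped keyword or an extra positional argument in any test helper goes unreported. The accompanying comments tie both to the multihost fixtures and pytest-style calls only, which suggests a narrower scope would do: keep `disable=R0201,R0903,W0621` here and put `# pylint: disable=E1121,E1123` on the fixture calls that need it. The explanatory comment lines also carry a doubled `# #` prefix that could be a single `#`.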