From 455611952f90ed0cefaff1e840623ea14ac06be1 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 22 May 2023 21:41:35 +0200 Subject: [PATCH 01/51] krb5: make sure sockets are closed on timeouts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If krb5_child runs into a timeout the backend currently does not close the I/O sockets because handle_child_done() is not called when the timeout handlers are acting. To make sure the signal handler can close the sockets the 'in_use' member of struct child_io_fds is set to 'false'. Resolves: https://github.com/SSSD/sssd/issues/6744 Reviewed-by: Alejandro López Reviewed-by: Alexey Tikhonov --- src/providers/krb5/krb5_child_handler.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 2559d25223b..54088e4d605 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -281,6 +281,9 @@ static void krb5_child_timeout(struct tevent_context *ev, return; } + /* No I/O expected anymore, make sure sockets are closed properly */ + state->io->in_use = false; + DEBUG(SSSDBG_IMPORTANT_INFO, "Timeout for child [%d] reached. In case KDC is distant or network " "is slow you may consider increasing value of krb5_auth_timeout.\n", @@ -512,6 +515,9 @@ static void child_keep_alive_timeout(struct tevent_context *ev, DEBUG(SSSDBG_IMPORTANT_INFO, "Keep alive timeout for child [%d] reached.\n", io->pid); + /* No I/O expected anymore, make sure sockets are closed properly */ + io->in_use = false; + krb5_child_terminate(io->pid); } From 11eef225c452982877ff26b7984d0351de41da87 Mon Sep 17 00:00:00 2001 
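Review bot: The comment added in both hunks (`krb5_child_timeout` and `child_keep_alive_timeout`) says the sockets get closed, but the line under it only clears a flag, so a reader cannot tell from here who performs the close. Going by the commit message, the close is done by the child signal handler once `in_use` is false; I would say that in the comment, e.g. `/* No I/O expected anymore; clearing in_use lets the child signal handler close the sockets */`. In `krb5_child_timeout` the new assignment dereferences `state->io`, and the guard above it is outside the hunk, so it is worth confirming that `io` cannot be NULL on that path. Both function bodies continue outside the hunks.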
From: Shridhar Gadekar Date: Tue, 23 May 2023 00:52:47 +0530 Subject: [PATCH 02/51] Tests: fix default debug level for typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit modified docstrings Reviewed-by: Jakub Vávra Reviewed-by: Madhuri Upadhye --- .../alltests/test_default_debug_level.py | 54 ++++++++++++++----- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/src/tests/multihost/alltests/test_default_debug_level.py b/src/tests/multihost/alltests/test_default_debug_level.py index 30dfe5b8cfe..5fdbf441d5d 100644 --- a/src/tests/multihost/alltests/test_default_debug_level.py +++ b/src/tests/multihost/alltests/test_default_debug_level.py 
@@ -156,28 +156,54 @@ def test_0004_bz1893159(self, multihost, backupsssdconf): """ :title: default debug logs: Check default level 2 :id: d44d5883-fc52-418d-b407-3ac63f7104d8 + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1893159 + :setup: + 1. Remove debug_level option from sssd.conf + 2. Set domains = typo_domain (non existing) in [sssd] section + 3. Start sssd after clearing cache and logs :steps: - 1. Remove debug_level from sssd.conf - 2. Start sssd after clearing cache and logs - 3. Kill pid of sssd with signal SIGUSR2 - 4. Check logs + 1. Check sssd.log contains log related to 'SSSD cannot load config' :expectedresults: - 1. sssd should use default debug level with no level defined - 2. Succeeds - 3. sssd process is killed - 4. logs of level of 0x0040 are in the log file + 1. /var/log/sssd/sssd.log contains 'SSSD couldn't load configuration' log + """ + section = f"domain/{ds_instance_name}" + domain_params = {'debug_level': ''} + tools = sssdTools(multihost.client[0]) + tools.sssd_conf(section, domain_params, action='delete') + tools.sssd_conf('sssd', {'domains': 'some'}, action='update') + multihost.client[0].service_sssd('stop') + tools.remove_sss_cache('/var/log/sssd') + multihost.client[0].run_command('systemctl start sssd', raiseonerr=False) + log = '/var/log/sssd/sssd.log' + log_str = multihost.client[0].get_file_contents(log).decode('utf-8') + pattern = re.compile(r'SSSD couldn\'t load the configuration database') + assert pattern.search(log_str) + + @pytest.mark.tier1_4 + def test_bz1893159(self, multihost, backupsssdconf): + """ + :title: default debug logs: default log level logs in sssd.log + :id: 8f9c8c47-a1f6-4ec0-b979-202d8d6dc6c3 + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1893159 + :setup: + 1. Remove debug_level option from sssd.conf + 2. Set ldap_uri to a non-existing ldap-server + 3. Start sssd after clearing cache and logs + :steps: + 1. Check logs + :expectedresults: + 1. 
Domain Logs should contain a log related to 'going offline' """ section = f"domain/{ds_instance_name}" domain_params = {'debug_level': ''} tools = sssdTools(multihost.client[0]) tools.sssd_conf(section, domain_params, action='delete') + tools.sssd_conf(section, {'ldap_uri': 'ldap://typo'} , action='update') tools.clear_sssd_cache() - cmd_kill = 'kill -SIGUSR2 $(pidof sssd)' - multihost.client[0].run_command(cmd_kill, raiseonerr=False) - logfilename = 'sssd' - log = f'/var/log/sssd/{logfilename}.log' + log = f'/var/log/sssd/sssd_{ds_instance_name}.log' log_str = multihost.client[0].get_file_contents(log).decode('utf-8') - find = re.compile(r'.0x0040.') + find = re.compile(r'Failed to connect, going offline') + #check what is logged at default debug_level(2) assert find.search(log_str) @pytest.mark.tier1_4 @@ -225,7 +251,7 @@ def test_bz785908(multihost, backupsssdconf): :steps: 1. Runs command getent -s sss group to query the SSSD cache and save the results to a file. 2. Cleans up the LDAP server by deleting the previously created user and group entries, - and finally search for log messages containing the strings "Group111" and "Group22". + and finally search for log messages containing the strings "Group111" and "Group22". :expectedresults: 1. Query the SSSD cache and save the results to a file Should succeed 2. Log messages should containing the strings From 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 24 May 2023 12:02:12 +0200 Subject: [PATCH 03/51] SYSDB: Make enum sysdb_obj_type public MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Make enum sysdb_obj_type usable outside of sysdb_ops.c. Reviewed-by: Sumit Bose Reviewed-by: Tomáš Halman --- src/db/sysdb.h | 6 ++++++ src/db/sysdb_ops.c | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 9cc84270b4b..1a78f739b7c 100644 --- a/src/db/sysdb.h 
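Review bot: In `test_0004_bz1893159` the docstring and the code disagree: the setup step says `domains = typo_domain` while the code writes `{'domains': 'some'}`, and the expected result quotes 'SSSD couldn't load configuration' while the regex matches `SSSD couldn\'t load the configuration database`. Aligning the docstring with the literal values keeps the test-case metadata usable when a run has to be triaged. In the new `test_bz1893159` the domain log is read straight after `tools.clear_sssd_cache()`; if the 'going offline' message is written asynchronously this can race, so a short bounded wait before `get_file_contents` may be needed. Two style points in the same test: `{'ldap_uri': 'ldap://typo'} , action='update'` has a stray space before the comma, and `#check what is logged...` should read `# check ...`.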
+++ b/src/db/sysdb.h @@ -387,6 +387,12 @@ enum sysdb_index_actions { SYSDB_IDX_LIST }; +enum sysdb_obj_type { + SYSDB_UNKNOWN = 0, + SYSDB_USER, + SYSDB_GROUP +}; + /* These attributes are stored in the timestamp cache */ extern const char *sysdb_ts_cache_attrs[]; diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 108603722b6..d11d8d956b0 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -406,12 +406,6 @@ int sysdb_search_entry_by_sid_str(TALLOC_CTX *mem_ctx, /* =Search-User-by-[UID/SID/NAME]============================================= */ -enum sysdb_obj_type { - SYSDB_UNKNOWN = 0, - SYSDB_USER, - SYSDB_GROUP -}; - static errno_t cleanup_dn_filter(TALLOC_CTX *mem_ctx, struct ldb_result *ts_res, const char *object_class, From 99d0ab82e98a8f1e3cab23d871f36b9d890e034c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 12 Apr 2023 17:30:38 +0200 Subject: [PATCH 04/51] IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous filter for overrides would sometimes find more than one entry because it was looking for a uidNumber or gidNumber: (&(objectClass=ipaOverrideAnchor)(|(uidNumber=XXXX)(gidNumber=XXXX))) The new filter looks for a specific user override or a specific group override: (|(&(objectClass=ipaUserOverride)(uidNumber=XXXX)) (&(objectClass=ipaGroupOverride)(gidNumber=XXXX))) This filter could return two override entries (one for a group and one for a user). That case must be taken into consideration and discard the user override in favor of the group override. Reviewed-by: Sumit Bose Reviewed-by: Tomáš Halman --- src/db/sysdb.h | 1 + src/providers/ipa/ipa_common.h | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ipa/ipa_views.c | 131 +++++++++++++++++++++++++++++++-- 4 files changed, 129 insertions(+), 5 deletions(-) 
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 1a78f739b7c..2f20692ccfa 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -136,6 +136,7 @@ #define SYSDB_DN_FOR_MEMBER_HASH_TABLE "dnForMemberHashTable" #define SYSDB_ORIG_DN "originalDN" +#define SYSDB_ORIG_OBJECTCLASS "originalObjectClass" #define SYSDB_ORIG_MODSTAMP "originalModifyTimestamp" #define SYSDB_ORIG_MEMBEROF "originalMemberOf" #define SYSDB_ORIG_MEMBER "orig_member" diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index ff2bccd1314..82b9622bde9 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -134,6 +134,7 @@ enum ipa_override_attrs { IPA_AT_OVERRIDE_GROUP_GID_NUMBER, IPA_AT_OVERRIDE_USER_SSH_PUBLIC_KEY, IPA_AT_OVERRIDE_USER_CERT, + IPA_AT_OVERRIDE_OBJECTCLASS, IPA_OPTS_OVERRIDE }; diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index cd3968026a9..97cddb1d70d 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -323,6 +323,7 @@ struct sdap_attr_map ipa_override_map[] = { { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + { "", "objectClass", SYSDB_ORIG_OBJECTCLASS, NULL }, /* We don't want this to be configurable */ SDAP_ATTR_MAP_TERMINATOR }; diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c index 50243098ae5..3e58949e140 100644 --- a/src/providers/ipa/ipa_views.c +++ b/src/providers/ipa/ipa_views.c 
@@ -27,6 +27,114 @@ #include "util/cert.h" #include "providers/ldap/sdap_async.h" #include "providers/ipa/ipa_id.h" +#include "db/sysdb.h" + +#define MAX_USER_AND_GROUP_REPLIES 2 + +static errno_t get_user_or_group(TALLOC_CTX *mem_ctx, + struct ipa_options *ipa_opts, + struct sysdb_attrs *attrs, + enum sysdb_obj_type *_what_is) +{ + errno_t ret; + const char **values; + const char **value; + bool is_user = false; + bool is_group = false; + const char *ov_user_name = ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name; + const char *ov_group_name = ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name; + + ret = sysdb_attrs_get_string_array(attrs, SYSDB_ORIG_OBJECTCLASS, mem_ctx, &values); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to retrieve attribute [%s].\n", + SYSDB_ORIG_OBJECTCLASS); + return ret; + } + + /* We assume an entry can be a user or a group override but not both. + * So we leave as soon as we identify one of them. */ + if (values != NULL) { + for (value = values; *value != NULL; value++) { + if (strcasecmp(*value, ov_user_name) == 0) { + is_user = true; + break; + } else if (strcasecmp(*value, ov_group_name) == 0) { + is_group = true; + break; + } + } + talloc_free(values); + } + + /* We also assume it must be necessarily a user or a group. */ + if (!is_user && !is_group) { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected override found.\n"); + return EINVAL; + } + + if (_what_is != NULL) { + *_what_is = is_user ? SYSDB_USER : SYSDB_GROUP; + } + + return EOK; +} + +/* Verify there are exactly 1 user and 1 group override. Any other combination + * is wrong. Then keep only the group override. 
*/ +static errno_t check_and_filter_user_and_group(struct ipa_options *ipa_opts, + struct sysdb_attrs **reply, + size_t *reply_count) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + enum sysdb_obj_type entry_is[MAX_USER_AND_GROUP_REPLIES]; + int i; + + if (*reply_count != MAX_USER_AND_GROUP_REPLIES) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Expected %i replies but got %lu\n", + MAX_USER_AND_GROUP_REPLIES, *reply_count); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate memory.\n"); + return ENOMEM; + } + + for (i = 0; i < MAX_USER_AND_GROUP_REPLIES; i++) { + ret = get_user_or_group(tmp_ctx, ipa_opts, reply[i], &entry_is[i]); + if (ret != EOK) { + goto done; + } + } + + if (entry_is[0] == SYSDB_USER && entry_is[1] == SYSDB_USER) { + DEBUG(SSSDBG_CRIT_FAILURE, "Found 2 user overrides.\n"); + ret = EINVAL; + goto done; + } else if (entry_is[0] == SYSDB_GROUP && entry_is[1] == SYSDB_GROUP) { + DEBUG(SSSDBG_CRIT_FAILURE, "Found 2 group overrides.\n"); + ret = EINVAL; + goto done; + } + + /* We have one user and one group override. Keep only the group override. */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Keeping only the group override.\n"); + if (entry_is[0] == SYSDB_USER) { + talloc_free(reply[0]); + reply[0] = reply[1]; + } else { + talloc_free(reply[1]); + } + reply[1] = NULL; + *reply_count = 1; + +done: + talloc_free(tmp_ctx); + + return ret; +} static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, struct ipa_options *ipa_opts, 
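Review bot: In `check_and_filter_user_and_group` the trace message prints `*reply_count`, a `size_t`, with `%lu`, which is a format/argument mismatch on targets where `size_t` is not `unsigned long`; the neighbouring message in `ipa_get_ad_override_done` uses `%zu`, presumably for the same count. I would change the format string to `"Expected %i replies but got %zu\n"`. Separately, `get_user_or_group` stops at the first matching objectClass, so an entry carrying both override classes would be classified by attribute order; the comment states the assumption, but one sentence on what guarantees it on the server side would help the next reader.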
@@ -73,10 +181,12 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, break; case BE_REQ_USER_AND_GROUP: - filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))", - ipa_opts->override_map[IPA_OC_OVERRIDE].name, + filter = talloc_asprintf(mem_ctx, + "(|(&(objectClass=%s)(%s=%s))(&(objectClass=%s)(%s=%s)))", + ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name, ipa_opts->override_map[IPA_AT_OVERRIDE_USER_NAME].name, - ar->filter_value, + sanitized_name, + ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name, ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_NAME].name, sanitized_name); break; @@ -115,10 +225,11 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, case BE_REQ_USER_AND_GROUP: filter = talloc_asprintf(mem_ctx, - "(&(objectClass=%s)(|(%s=%"PRIu32")(%s=%"PRIu32")))", - ipa_opts->override_map[IPA_OC_OVERRIDE].name, + "(|(&(objectClass=%s)(%s=%"PRIu32"))(&(objectClass=%s)(%s=%"PRIu32")))", + ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name, ipa_opts->override_map[IPA_AT_OVERRIDE_UID_NUMBER].name, id, + ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name, ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_GID_NUMBER].name, id); break; @@ -456,6 +567,16 @@ static void ipa_get_ad_override_done(struct tevent_req *subreq) state->dp_error = DP_ERR_OK; tevent_req_done(req); return; + } else if (reply_count == MAX_USER_AND_GROUP_REPLIES && + (state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_USER_AND_GROUP) { + DEBUG(SSSDBG_TRACE_ALL, + "Found two overrides with BE_REQ_USER_AND_GROUP filter [%s].\n", + state->filter); + ret = check_and_filter_user_and_group(state->ipa_options, reply, + &reply_count); + if (ret != EOK) { + goto fail; + } } else if (reply_count > 1) { DEBUG(SSSDBG_CRIT_FAILURE, "Found [%zu] overrides with filter [%s], expected only 1.\n", From 469905bfabdda66555bd179eb7b6ac7b3cd875d1 Mon Sep 17 00:00:00 2001 
From: Jakub Vavra Date: Tue, 23 May 2023 10:25:38 +0200 Subject: [PATCH 05/51] Tests: Add conditional skip for simple ifp test. Reviewed-by: Madhuri Upadhye --- src/tests/multihost/basic/test_ifp.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/tests/multihost/basic/test_ifp.py b/src/tests/multihost/basic/test_ifp.py index 81737645a2a..a8cf24b9f6c 100644 --- a/src/tests/multihost/basic/test_ifp.py +++ b/src/tests/multihost/basic/test_ifp.py @@ -6,6 +6,7 @@ :upstream: yes :status: approved """ +import pytest class TestInfoPipe(object): @@ -18,6 +19,11 @@ def test_ifp_extra_attributes_property(self, multihost): :id: 23b8c7e8-df4b-47ef-b38e-0503040e1d67 see e.g. https://github.com/SSSD/sssd/issues/4891 """ + # Note that this test needs dbus-tools package that + # is not implicitly installed here. + check_ifp = "libsss_simpleifp" in multihost.master[0].run_command("rpm -qa").stdout_text + if not check_ifp: + pytest.skip("libsss_simpleifp is not present, skipping test.") dbus_send_cmd = \ """ dbus-send --print-reply --system \ From 7f28816479c694ff95939e3becfbcd43423a5744 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Tue, 30 May 2023 16:49:06 +0200 Subject: [PATCH 06/51] PAM: Fix a possible segmentation fault Calls to add_expired_warning(struct pam_data *pd, long exp_time) must provide a non-NULL pd. In one of the cases this function is called without checking that pd is not NULL. We here fix that. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose --- src/providers/ldap/ldap_auth.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index fbc829e5d38..8ec4d3af5a6 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c 
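Review bot: The skip condition in `test_ifp_extra_attributes_property` matches the substring `libsss_simpleifp` against the whole `rpm -qa` listing, so any package whose name merely contains it (a `-devel` or debuginfo subpackage, for instance) satisfies the check even when the library itself is absent. Querying the package directly is tighter and cheaper, e.g. `multihost.master[0].run_command("rpm -q libsss_simpleifp", raiseonerr=False).returncode == 0`. The comment above the check talks about `dbus-tools` while the code tests for `libsss_simpleifp`; the comment should name the package that is actually checked, or the check should cover both.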
@@ -164,9 +164,11 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now, if (spwd->sp_max != -1 && password_age > spwd->sp_max) { DEBUG(SSSDBG_CONF_SETTINGS, "Password expired.\n"); - ret = add_expired_warning(pd, 0); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n"); + if (pd != NULL) { + ret = add_expired_warning(pd, 0); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n"); + } } return ERR_PASSWORD_EXPIRED; } From 8a8869994745429b3f5535a5d0b91f1d0b2fa723 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 29 Mar 2023 12:58:37 +0200 Subject: [PATCH 07/51] fail_over: protect against a segmentation fault MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A missing server name in struct fo_server will cause a segmentation fault. Currently it is unclear why the server name is missing at this point. To avoid the segmentation fault it is checked before if the server name is missing. Additionally the state of some internal structures is added to the debug logs to help debugging why the server name is missing. Resolves: https://github.com/SSSD/sssd/issues/6659 Reviewed-by: Alejandro López Reviewed-by: Alexey Tikhonov --- src/providers/data_provider_fo.c | 14 +++++++++ src/providers/fail_over.c | 53 ++++++++++++++++++++++++++++++++ src/providers/fail_over.h | 3 ++ 3 files changed, 70 insertions(+) diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c index eca5f2f8e5b..b0aed54e97b 100644 --- a/src/providers/data_provider_fo.c +++ b/src/providers/data_provider_fo.c 
@@ -594,6 +594,14 @@ static void be_resolve_server_done(struct tevent_req *subreq) tevent_req_error(req, ret); } +static void dump_be_svc_data(const struct be_svc_data *svc) +{ + DEBUG(SSSDBG_OP_FAILURE, "be_svc_data: name=[%s] last_good_srv=[%s] " + "last_good_port=[%d] last_status_change=[%"SPRItime"]\n", + svc->name, svc->last_good_srv, svc->last_good_port, + svc->last_status_change); +} + errno_t be_resolve_server_process(struct tevent_req *subreq, struct be_resolve_server_state *state, struct tevent_req **new_subreq) @@ -681,6 +689,12 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, fo_get_server_str_name(state->srv), ipaddr, srvaddr->addr_list[0]->ttl); } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing server name.\n"); + dump_be_svc_data(state->svc); + dump_fo_server(state->srv); + dump_fo_server_list(state->srv); + return ENOENT; } srv_status_change = fo_get_server_hostname_last_change(state->srv); diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c index 9cb26838c9e..7cb64244877 100644 --- a/src/providers/fail_over.c +++ b/src/providers/fail_over.c 
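Review bot: `dump_be_svc_data` passes `svc->name` and `svc->last_good_srv` straight to `%s` and dereferences `svc` without a check, unlike `dump_srv_data` in fail_over.c from the same commit, which substitutes a marker for every NULL string. The helper runs only on the 'Missing server name' path, where internal state is already inconsistent, so a NULL `last_good_srv` is plausible, and a NULL argument for `%s` is undefined behaviour in the printf family. I would guard it the same way, e.g. `svc->last_good_srv == NULL ? "last_good_srv is NULL" : svc->last_good_srv`, and return early when `svc == NULL`. In the second hunk `dump_fo_server(state->srv)` is followed by `dump_fo_server_list(state->srv)`, which as written in fail_over.c dumps every list entry including this one, so the same server is logged twice.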
@@ -200,6 +200,59 @@ str_srv_data_status(enum srv_lookup_status status) return "unknown SRV lookup status"; } +static void dump_srv_data(const struct srv_data *srv_data) +{ + if (srv_data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "srv_data is NULL\n"); + return; + } + + DEBUG(SSSDBG_OP_FAILURE, "srv_data: dns_domain [%s] discovery_domain [%s] " + "sssd_domain [%s] proto [%s] srv [%s] " + "srv_lookup_status [%s] ttl [%d] " + "last_status_change [%"SPRItime"]\n", + srv_data->dns_domain == NULL ? "dns_domain is NULL" + : srv_data->dns_domain, + srv_data->discovery_domain == NULL ? "discovery_domain is NULL" + : srv_data->discovery_domain, + srv_data->sssd_domain == NULL ? "sssd_domain is NULL" + : srv_data->sssd_domain, + srv_data->proto == NULL ? "proto is NULL" + : srv_data->proto, + srv_data->srv == NULL ? "srv is NULL" + : srv_data->srv, + str_srv_data_status(srv_data->srv_lookup_status), + srv_data->ttl, srv_data->last_status_change.tv_sec); +} + +void dump_fo_server(const struct fo_server *srv) +{ + DEBUG(SSSDBG_OP_FAILURE, "fo_server: primary [%s] port [%d] " + "port_status [%s] common->name [%s].\n", + srv->primary ? "true" : "false", srv->port, + str_port_status(srv->port_status), + srv->common == NULL ? "common is NULL" + : (srv->common->name == NULL + ? "common->name is NULL" + : srv->common->name)); + dump_srv_data(srv->srv_data); +} + +void dump_fo_server_list(const struct fo_server *srv) +{ + const struct fo_server *s; + + s = srv; + while (s->prev != NULL) { + s = s->prev; + } + + while (s != NULL) { + dump_fo_server(s); + s = s->next; + } +} + static const char * str_server_status(enum server_status status) { diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h index 92a0456b565..36021ad6ffb 100644 --- a/src/providers/fail_over.h +++ b/src/providers/fail_over.h 
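Review bot: `dump_fo_server` and `dump_fo_server_list` are exported through fail_over.h but dereference `srv` unconditionally (`srv->primary`, `s->prev`), while the static `dump_srv_data` next to them does check its argument. They are called from an error path that exists because a server object was in an unexpected state, so an early `if (srv == NULL) { DEBUG(SSSDBG_OP_FAILURE, "fo_server is NULL\n"); return; }` in both would keep the diagnostics from crashing the backend they are meant to help debug. `dump_fo_server_list` also walks `prev` and `next` with no bound; a one-line comment stating that the list is NULL-terminated in both directions would document what the two loops rely on.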
@@ -88,6 +88,9 @@ struct fo_options { enum restrict_family family_order; }; +void dump_fo_server(const struct fo_server *srv); +void dump_fo_server_list(const struct fo_server *srv); + /* * Create a new fail over context based on options passed in the * opts parameter From 75ae9e87a264b17dac45f798fb7b4ba7057fc494 Mon Sep 17 00:00:00 2001 From: aborah Date: Wed, 10 May 2023 14:40:07 +0530 Subject: [PATCH 08/51] Tests: Netgroups do not honor entry cache nowait percentage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L280 Reviewed-by: Jakub Vávra Reviewed-by: Shridhar Gadekar --- src/tests/multihost/alltests/test_misc.py | 95 ++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/alltests/test_misc.py b/src/tests/multihost/alltests/test_misc.py index 33d64d16ce3..95fc2728fc6 100644 --- a/src/tests/multihost/alltests/test_misc.py +++ b/src/tests/multihost/alltests/test_misc.py @@ -13,9 +13,19 @@ import subprocess import pytest from sssd.testlib.common.expect import pexpect_ssh +from datetime import datetime as D_T from sssd.testlib.common.exceptions import SSHLoginException from sssd.testlib.common.utils import sssdTools, LdapOperations -from constants import ds_instance_name, ds_suffix +from constants import ds_instance_name, ds_suffix, ds_rootdn, ds_rootpw + + +def find_logs(multihost, log_name, string_name): + """This function will find strings in a log file + log_name: Absolute path of log where the search will happen. + string_name: String to search in the log file. + """ + log_str = multihost.client[0].get_file_contents(log_name).decode('utf-8') + return string_name in log_str @pytest.mark.usefixtures('setup_sssd', 'create_posix_usersgroups') 
@@ -532,3 +542,86 @@ def test_0009_dbus_method_find_usrby_attr(multihost, backupsssdconf, ldap_posix_ assert cmd2.stdout_text.strip('\n') in cmd.stdout_text, 'dbus is not fetching expected users' cmd1 = multihost.client[0].run_command(f'id -u {usr}@{domain_name}', raiseonerr=False) assert cmd1.stdout_text.strip('\n') not in cmd.stdout_text, 'dbus is fetching unwanted user' + + @staticmethod + @pytest.mark.tier1_4 + def test_bz822236(multihost, backupsssdconf): + """ + :title: Netgroups do not honor entry cache nowait percentage + :id: dda33ba4-ef10-11ed-a27d-845cf3eff344 + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=822236 + :setup: + 1. Retrieve the name of the network interface that is currently connected using + the 'nmcli' command, and saves it to the 'intf' variable. + 2. Sets up an LDAP connection to the LDAP server using the LdapOperations class. + 3. Creates a new organizational unit named "Netgroup" under the base DN + specified in the 'ds_suffix' variable. + 4. Creates a new LDAP entry for a netgroup named "netgrp_nowait" + under the "Netgroup" organizational unit. + 5. Use the sssdTools class to update the configuration file for the + 'nss' and 'domain/example1' sections of the SSSD service. + 7. Clear the SSSD cache using the 'clear_sssd_cache' method of the sssdTools class. + 8. Delete the contents of the '/var/log/sssd/sssd_nss.log' file + 9. Add a 50ms delay to the network interface using the 'tc' command. + :steps: + 1. Measures the response time for the 'getent netgroup netgrp_nowait' + command and saves it to the 'res_time' variable. + 2. Run a loop that repeats the 'getent netgroup netgrp_nowait' command 4 times + and checks if the response time is less than to the initial response time. + 3. Wait for 15 seconds before deleting the contents of the '/var/log/sssd/sssd_nss.log' file again. + 4. Remove the network delay added in step 9 using the 'tc' command. + :expectedresults: + 1. res_time variable will have the response time + 2. 
Response time is less than to the initial response time + 3. Wait for 15 seconds + 4. Network delay should be removed + """ + client = multihost.client[0] + log_nss = '/var/log/sssd/sssd_nss.log' + ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname) + ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw) + ldap_inst.org_unit("Netgroup", ds_suffix) + user_dn = f'cn=netgrp_nowait,ou=Netgroup,{ds_suffix}' + user_info = {'cn': 'netgrp_nowait'.encode('utf-8'), + 'objectClass': ['nisNetgroup'.encode('utf-8'), + 'top'.encode('utf-8')], + 'nisNetgroupTriple': '(host1,kau10,example.com)'.encode('utf-8')} + ldap_inst.add_entry(user_info, user_dn) + tools = sssdTools(multihost.client[0]) + tools.sssd_conf("nss", {'filter_groups': 'root', + 'filter_users': 'root', + 'debug_level': '9', + 'entry_cache_nowait_percentage': '50'}, action='update') + tools.sssd_conf("domain/example1", + {'entry_cache_timeout': '30', + 'ldap_netgroup_search_base': f"ou=Netgroup,{ds_suffix}"}, action='update') + tools.clear_sssd_cache() + client.run_command(f"> {log_nss}") + intf = [s for s in client.run_command("nmcli").stdout_text.split('\n') + if re.search(r'\b' + "connected to" + r'\b', s)][0].split(":")[0] + client.run_command(f"tc qdisc add dev {intf} root netem delay 50ms") + start = D_T.now() + client.run_command("getent netgroup netgrp_nowait") + end = D_T.now() + res_time = end - start + time.sleep(16) + time_diff = [] + find_logs_results = [] + for _ in range(4): + start = D_T.now() + client.run_command("getent netgroup netgrp_nowait") + end = D_T.now() + loop_response = end - start + time_diff.append(loop_response < res_time) + time.sleep(3) + find_logs_results.append(find_logs(multihost, + log_nss, + "Performing midpoint cache " + "update of [netgrp_nowait@example1]")) + client.run_command(f"> {log_nss}") + time.sleep(15) + client.run_command(f"tc qdisc del dev {intf} root") + ldap_inst.del_dn(user_dn) + ldap_inst.del_dn(f"ou=Netgroup,{ds_suffix}") + assert 
all(find_logs_results), "Searched string not found in the logs" + assert all(time_diff), "Test failed as the cache response time is higher." From 587cd8dc2004adfd6c6aab4ef928ef2d89ae3f94 Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar Date: Wed, 7 Jun 2023 23:44:02 +0530 Subject: [PATCH 09/51] Tests: move test_access_control.py to tier2 Tests moved to tier2, tests are failing to parse the logs. gating is blocked. same testsuite is available in bash Reviewed-by: Dan Lavu --- src/tests/multihost/ad/test_access_control.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/multihost/ad/test_access_control.py b/src/tests/multihost/ad/test_access_control.py index 5c033dd32f3..9d283974980 100644 --- a/src/tests/multihost/ad/test_access_control.py +++ b/src/tests/multihost/ad/test_access_control.py @@ -48,7 +48,7 @@ def ssh_login(multihost, username): @pytest.mark.usefixtures('joinad') @pytest.mark.ad_access_control -@pytest.mark.tier1_4 +@pytest.mark.tier2 class TestAccessControl(object): """ Test cases for BZ: 1268902 :setup: From 0588bd3b5902c50a9e0ff8e8fa1be56e7a0a070c Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Thu, 18 May 2023 15:16:34 +0200 Subject: [PATCH 10/51] passkey: fix two covscan issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes following covscan issues: ``` Error: CLANG_WARNING: sssd-2.9.0/src/krb5_plugin/passkey/passkey_utils.c:562:5: warning[unix.Malloc]: Potential leak of memory pointed to by 'data' # 560| } # 561| # 562|-> json_decref(jroot); # 563| return message; # 564| } Error: UNREACHABLE (CWE-561): sssd-2.9.0/src/responder/pam/pamsrv_passkey.c:1039: unreachable: This code cannot be reached: "if (!pctx->passkey_auth) { ...". # 1037| #endif # 1038| # 1039|-> if (!pctx->passkey_auth) { # 1040| return false; # 1041| } ``` Resolves: https://github.com/SSSD/sssd/issues/6733 
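Review bot: In `test_bz822236` the cleanup (`tc qdisc del dev {intf} root` and the two `ldap_inst.del_dn` calls) runs only if every statement before it succeeds, so an exception from `run_command`, from the `nmcli` parsing (`[0]` on an empty list) or from the timing loop leaves the 50ms netem delay on the client interface and the Netgroup entries in the directory for every later test. I would wrap the body from the `tc qdisc add` call onward in `try:` / `finally:` with the `tc qdisc del` and `del_dn` calls in the `finally` block, or move the setup and teardown into a fixture. The docstring setup list also jumps from step 5 to step 7.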
Signed-off-by: Iker Pedrosa Reviewed-by: Justin Stephenson Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/krb5_plugin/passkey/passkey_utils.c | 6 ++---- src/responder/pam/pamsrv_passkey.c | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/krb5_plugin/passkey/passkey_utils.c b/src/krb5_plugin/passkey/passkey_utils.c index 3d84862ebf5..0fd22fb1757 100644 --- a/src/krb5_plugin/passkey/passkey_utils.c +++ b/src/krb5_plugin/passkey/passkey_utils.c @@ -535,7 +535,7 @@ sss_passkey_prefix_json_data(enum sss_passkey_phase phase, json_error_t jret; json_t *jroot; struct sss_passkey_message *message; - void *data; + struct sss_passkey_reply *data; if (json_str == NULL) { return NULL; @@ -553,9 +553,7 @@ sss_passkey_prefix_json_data(enum sss_passkey_phase phase, } message = sss_passkey_message_init(phase, state, data); - if (message == NULL && phase == SSS_PASSKEY_PHASE_CHALLENGE) { - sss_passkey_challenge_free(data); - } else if (message == NULL && phase == SSS_PASSKEY_PHASE_REPLY) { + if (message == NULL) { sss_passkey_reply_free(data); } diff --git a/src/responder/pam/pamsrv_passkey.c b/src/responder/pam/pamsrv_passkey.c index d884a767034..09cc072c938 100644 --- a/src/responder/pam/pamsrv_passkey.c +++ b/src/responder/pam/pamsrv_passkey.c @@ -1034,8 +1034,7 @@ bool may_do_passkey_auth(struct pam_ctx *pctx, #ifndef BUILD_PASSKEY DEBUG(SSSDBG_TRACE_FUNC, "Passkey auth not possible, SSSD built without passkey support!\n"); return false; -#endif - +#else if (!pctx->passkey_auth) { return false; } @@ -1049,4 +1048,5 @@ bool may_do_passkey_auth(struct pam_ctx *pctx, } return true; +#endif /* BUILD_PASSKEY */ } From 702f7c236e69f934d72dffbf6a980c6f38d8782a Mon Sep 17 00:00:00 2001 
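Review bot: After this change `sss_passkey_prefix_json_data` in passkey_utils.c always holds a `struct sss_passkey_reply *` in `data`, yet it still forwards the caller-supplied `phase` to `sss_passkey_message_init(phase, state, data)`. If a caller passes `SSS_PASSKEY_PHASE_CHALLENGE`, the message would be tagged as a challenge while carrying reply data, and any code that picks the payload type from the phase (presumably `sss_passkey_message_free` and the encoder, neither shown here) would treat the pointer as the wrong struct. I would reject other phases up front, e.g. `if (json_str == NULL || phase != SSS_PASSKEY_PHASE_REPLY) { return NULL; }`, or drop the parameter altogether. The function body between the two hunks is not visible, so the parsing step is inferred from the new declaration.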
From: Iker Pedrosa Date: Wed, 24 May 2023 17:02:49 +0200 Subject: [PATCH 11/51] passkey: rename function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rename `sss_passkey_prefix_json_data()` to `sss_passkey_message_from_reply_json()`. Signed-off-by: Iker Pedrosa Reviewed-by: Justin Stephenson Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/krb5_plugin/passkey/passkey.h | 6 +++--- src/krb5_plugin/passkey/passkey_utils.c | 6 +++--- src/providers/krb5/krb5_child.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/krb5_plugin/passkey/passkey.h b/src/krb5_plugin/passkey/passkey.h index 7c2d7f3a73a..4c143b48db8 100644 --- a/src/krb5_plugin/passkey/passkey.h +++ b/src/krb5_plugin/passkey/passkey.h @@ -81,9 +81,9 @@ void sss_passkey_message_free(struct sss_passkey_message *message); struct sss_passkey_message * -sss_passkey_prefix_json_data(enum sss_passkey_phase phase, - const char *state, - const char *json_str); +sss_passkey_message_from_reply_json(enum sss_passkey_phase phase, + const char *state, + const char *json_str); char * sss_passkey_message_encode(const struct sss_passkey_message *data); diff --git a/src/krb5_plugin/passkey/passkey_utils.c b/src/krb5_plugin/passkey/passkey_utils.c index 0fd22fb1757..3e777aedc68 100644 --- a/src/krb5_plugin/passkey/passkey_utils.c +++ b/src/krb5_plugin/passkey/passkey_utils.c @@ -528,9 +528,9 @@ sss_passkey_message_to_json(const struct sss_passkey_message *message) } struct sss_passkey_message * -sss_passkey_prefix_json_data(enum sss_passkey_phase phase, - const char *state, - const char *json_str) +sss_passkey_message_from_reply_json(enum sss_passkey_phase phase, + const char *state, + const char *json_str) { json_error_t jret; json_t *jroot; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index ae2c23aa98b..f69cd6d54a8 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c 
@@ -1051,7 +1051,7 @@ static krb5_error_code answer_passkey(krb5_context kctx, phase = SSS_PASSKEY_PHASE_REPLY; state = SSSD_PASSKEY_REPLY_STATE; - reply_msg = sss_passkey_prefix_json_data(phase, state, reply); + reply_msg = sss_passkey_message_from_reply_json(phase, state, reply); if (reply_msg == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Unable to prefix passkey message\n"); kerr = EINVAL; From 27dd3f508b23ae61c757cce6c5b9ca303d7aaf09 Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar Date: Tue, 6 Jun 2023 17:15:41 +0530 Subject: [PATCH 12/51] Tests: Adding c-ares markers for related tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit removing flaky ones Reviewed-by: Jakub Vávra --- src/tests/multihost/ad/pytest.ini | 1 + src/tests/multihost/ad/test_adparameters_ported.py | 8 ++++++++ src/tests/multihost/ad/test_dyndns.py | 1 + src/tests/multihost/adsites/test_adsites.py | 4 ++++ 4 files changed, 14 insertions(+) diff --git a/src/tests/multihost/ad/pytest.ini b/src/tests/multihost/ad/pytest.ini index f85b738f2c6..8a055f3cd78 100644 --- a/src/tests/multihost/ad/pytest.ini +++ b/src/tests/multihost/ad/pytest.ini @@ -5,6 +5,7 @@ markers = adloginattr: Tests for AD login attributes admisc: Miscellaneous bugzilla automations for AD automount: Automount test cases with maps stored in AD schema + c_ares: Tests for C-ares library cifs: Cifs test cases converted: Tests that are already converted to the new framework. ad_access_control: Test for AD Access Control diff --git a/src/tests/multihost/ad/test_adparameters_ported.py b/src/tests/multihost/ad/test_adparameters_ported.py index b8234682d4a..a6a6fa42afe 100644 --- a/src/tests/multihost/ad/test_adparameters_ported.py +++ b/src/tests/multihost/ad/test_adparameters_ported.py @@ -749,6 +749,7 @@ def test_0008_ad_parameters_homedir_override_both( @staticmethod @pytest.mark.tier1_2 + @pytest.mark.c_ares def test_0009_ad_parameters_ldap_sasl_full( multihost, create_aduser_group): """ 
@@ -833,6 +834,7 @@ def test_0009_ad_parameters_ldap_sasl_full( @staticmethod @pytest.mark.tier2 + @pytest.mark.c_ares def test_0010_ad_parameters_ldap_sasl_short( multihost, create_aduser_group): """ @@ -919,6 +921,7 @@ def test_0010_ad_parameters_ldap_sasl_short( @staticmethod @pytest.mark.tier1_2 + @pytest.mark.c_ares def test_0011_ad_parameters_server_resolvable( multihost, adjoin, create_aduser_group): """ @@ -998,6 +1001,7 @@ def test_0011_ad_parameters_server_resolvable( @staticmethod @pytest.mark.tier2 + @pytest.mark.c_ares def test_0012_ad_parameters_server_unresolvable( multihost, adjoin, create_aduser_group): """ @@ -1051,6 +1055,7 @@ def test_0012_ad_parameters_server_unresolvable( @staticmethod @pytest.mark.tier1_2 + @pytest.mark.c_ares def test_0013_ad_parameters_server_srv_record( multihost, adjoin, create_aduser_group): """ @@ -1110,6 +1115,7 @@ def test_0013_ad_parameters_server_srv_record( @staticmethod @pytest.mark.tier1_2 + @pytest.mark.c_ares def test_0014_ad_parameters_server_blank( multihost, adjoin, create_aduser_group): """ @@ -1257,6 +1263,7 @@ def test_0015_ad_parameters_ad_hostname_machine( @staticmethod @pytest.mark.tier1_2 + @pytest.mark.c_ares def test_0016_ad_parameters_ad_hostname_valid( multihost, adjoin, create_aduser_group): """ @@ -2045,6 +2052,7 @@ def test_0025_ad_parameters_empty_group(multihost, adjoin): @staticmethod @pytest.mark.tier2 + @pytest.mark.c_ares def test_0026_ad_parameters_dns_failover( multihost, adjoin, create_plain_aduser_group): """ diff --git a/src/tests/multihost/ad/test_dyndns.py b/src/tests/multihost/ad/test_dyndns.py index ba288b33695..3338aef6141 100644 --- a/src/tests/multihost/ad/test_dyndns.py +++ b/src/tests/multihost/ad/test_dyndns.py @@ -98,6 +98,7 @@ def remove_interface(): @pytest.mark.usefixtures("reverse_zone", "disable_dns_forwarders", "change_client_hostname") @pytest.mark.dyndns @pytest.mark.tier2 +@pytest.mark.c_ares class TestDynDns(object): @staticmethod 
diff --git a/src/tests/multihost/adsites/test_adsites.py b/src/tests/multihost/adsites/test_adsites.py index 0f1337e89bc..ef2eb68a77c 100644 --- a/src/tests/multihost/adsites/test_adsites.py +++ b/src/tests/multihost/adsites/test_adsites.py @@ -16,6 +16,7 @@ class Testadsites(object): 3. Create secondary site, move second domain controller to second site """ @pytest.mark.adsites + @pytest.mark.c_ares def test_001_ad_startup_discovery(self, multihost, adjoin): """ @Title: IDM-SSSD-TC: ad_startup_discovery @@ -69,6 +70,7 @@ def test_001_ad_startup_discovery(self, multihost, adjoin): assert check_discovery.returncode == 0 @pytest.mark.adsites + @pytest.mark.c_ares def test_002_ad_startup_discovery_one_server_unreachable(self, multihost, adjoin): """ @@ -137,6 +139,7 @@ def test_002_ad_startup_discovery_one_server_unreachable(self, multihost, multihost.client[0].run_command(fw_remove, raiseonerr=True) @pytest.mark.adsites + @pytest.mark.c_ares def test_003_ad_startup_discovery_two_different_sites(self, multihost, adjoin, create_site): """ @@ -189,6 +192,7 @@ def test_003_ad_startup_discovery_two_different_sites(self, multihost, assert check_discovery.returncode == 0 @pytest.mark.adsites + @pytest.mark.c_ares def test_004_ad_startup_discovery_one_server_unreachable(self, multihost, adjoin, From 076a1136ab8650d962c5a462cbed82bd96ba176a Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 7 Jun 2023 21:20:43 +0200 Subject: [PATCH 13/51] RESPONDER: avoid log backtrace in case access denined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://github.com/SSSD/sssd/issues/6442 Reviewed-by: Sumit Bose Reviewed-by: Tomáš Halman --- src/responder/common/responder.h | 2 +- src/responder/common/responder_common.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h index 317e93ea691..5f04d25eec2 100644 
--- a/src/responder/common/responder.h +++ b/src/responder/common/responder.h @@ -372,7 +372,7 @@ errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, uid_t client_euid(struct cli_creds *creds); errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count, - uid_t *allowed_uids); + const uid_t *allowed_uids); struct tevent_req * sss_parse_inp_send(TALLOC_CTX *mem_ctx, diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 62177ccf67a..ac0e72790c0 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -174,7 +174,7 @@ uid_t client_euid(struct cli_creds *creds) } errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count, - uid_t *allowed_uids) + const uid_t *allowed_uids) { size_t c; @@ -519,6 +519,7 @@ static void accept_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *ptr) { + static uid_t last_violator_uid = (uid_t)-1; /* accept and attach new event handler */ struct accept_fd_ctx *accept_ctx = talloc_get_type(ptr, struct accept_fd_ctx); @@ -593,9 +594,12 @@ static void accept_fd_handler(struct tevent_context *ev, rctx->allowed_uids); if (ret != EOK) { if (ret == EACCES) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Access denied for uid [%"SPRIuid"].\n", - client_euid(cctx->creds)); + if (client_euid(cctx->creds) != last_violator_uid) { + last_violator_uid = client_euid(cctx->creds); + DEBUG(SSSDBG_IMPORTANT_INFO, + "Access denied for uid [%"SPRIuid"].\n", + last_violator_uid); + } } else { DEBUG(SSSDBG_OP_FAILURE, "check_allowed_uids failed.\n"); } From b033b0dda972e885f63234aa81dca317c8234c2c Mon Sep 17 00:00:00 2001 
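Review bot: Deduplicating on the single `static uid_t last_violator_uid` in accept_fd_handler drops every further denial from the same uid from the log, so the record no longer shows how often or when a rejected client retried, while two uids alternating would still log each time. Keeping the repeats at a verbose level would preserve that trail without the backtrace, e.g. an `else` branch with `DEBUG(SSSDBG_TRACE_FUNC, "Repeated access denial for uid [%"SPRIuid"].\n", last_violator_uid);`. The sentinel `(uid_t)-1` deserves a comment as well: if `client_euid()` can ever return that value, the first denial for such a peer is never logged. The static is shared by every socket this handler serves, and the function body continues outside both hunks.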
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 23 May 2023 12:21:44 +0200 Subject: [PATCH 14/51] ipa: correctly remove missing attributes on netgroup update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a netgroup is updated, previously it did not remove the missing attributes. This caused an issue especially when a member was removed. Resolves: https://github.com/SSSD/sssd/issues/6652 Reviewed-by: Alejandro López Reviewed-by: Iker Pedrosa --- src/db/sysdb.c | 9 ++ src/db/sysdb.h | 1 + src/providers/ipa/ipa_netgroups.c | 35 +++++++- src/tests/system/tests/test_netgroups.py | 108 +++++++++++++++++++++++ 4 files changed, 151 insertions(+), 2 deletions(-) create mode 100644 src/tests/system/tests/test_netgroups.py diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 649e79fcac6..1faa11b16e0 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -523,6 +523,15 @@ static int sysdb_attrs_add_val_int(struct sysdb_attrs *attrs, return EOK; } + +int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name) +{ + struct ldb_message_element *el; + + /* Calling this will create the element if it does not exist. */ + return sysdb_attrs_get_el_ext(attrs, name, true, &el); +} + int sysdb_attrs_add_val(struct sysdb_attrs *attrs, const char *name, const struct ldb_val *val) { diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 2f20692ccfa..887a9630e72 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -398,6 +398,7 @@ enum sysdb_obj_type { extern const char *sysdb_ts_cache_attrs[]; /* values are copied in the structure, allocated on "attrs" */ +int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name); int sysdb_attrs_add_val(struct sysdb_attrs *attrs, const char *name, const struct ldb_val *val); int sysdb_attrs_add_val_safe(struct sysdb_attrs *attrs, diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index 52d90af4ff1..57f11a50796 100644 --- a/src/providers/ipa/ipa_netgroups.c 
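Review bot: In sysdb.h the new prototype lands directly under the comment `/* values are copied in the structure, allocated on "attrs" */`, which describes the `sysdb_attrs_add_val*` family, whereas `sysdb_attrs_add_empty()` copies no value. Give the new declaration its own comment and leave the existing one attached to `sysdb_attrs_add_val()`, for example `/* Create attribute "name" with no values if it does not exist yet. */`. That wording matches what the sysdb.c hunk does through `sysdb_attrs_get_el_ext(attrs, name, true, &el)`.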
+++ b/src/providers/ipa/ipa_netgroups.c @@ -70,7 +70,10 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, struct ldb_message_element *el; struct sysdb_attrs *netgroup_attrs; const char *name = NULL; + char **missing; + int missing_index; int ret; + int i; size_t c; ret = sysdb_attrs_get_el(attrs, @@ -90,6 +93,23 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, goto fail; } + missing = talloc_zero_array(netgroup_attrs, char *, attrs->num + 1); + if (missing == NULL) { + ret = ENOMEM; + goto fail; + } + + for (i = 0, missing_index = 0; i < attrs->num; i++) { + if (attrs->a[i].num_values == 0) { + missing[missing_index] = talloc_strdup(missing, attrs->a[i].name); + if (missing[missing_index] == NULL) { + ret = ENOMEM; + goto fail; + } + missing_index++; + } + } + ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); if (ret) { goto fail; @@ -138,7 +158,6 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, if (el->num_values == 0) { DEBUG(SSSDBG_TRACE_LIBS, "No original members for netgroup [%s]\n", name); - } else { DEBUG(SSSDBG_TRACE_LIBS, "Adding original members to netgroup [%s]\n", name); @@ -173,7 +192,7 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name); - ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, NULL, + ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing, dom->netgroup_timeout, 0); if (ret) goto fail; 
@@ -866,6 +885,18 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state) hash_iterate(state->new_netgroups, extract_netgroups, state); for (i = 0; i < state->netgroups_count; i++) { + /* Make sure these attributes always exist, so we can remove them if + * there are no members. */ + ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_MEMBER); + if (ret != EOK) { + goto done; + } + + ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_TRIPLE); + if (ret != EOK) { + goto done; + } + /* load all its member netgroups, translate */ DEBUG(SSSDBG_TRACE_INTERNAL, "Extracting netgroup members of netgroup %d\n", i); ret = sysdb_attrs_get_string_array(state->netgroups[i], diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py new file mode 100644 index 00000000000..6b6bc8e8b88 --- /dev/null +++ b/src/tests/system/tests/test_netgroups.py 
@@ -0,0 +1,108 @@ +""" +Netgroup tests. + +:requirement: netgroup +""" + +from __future__ import annotations + +import pytest +from sssd_test_framework.roles.client import Client +from sssd_test_framework.roles.generic import GenericProvider +from sssd_test_framework.topology import KnownTopologyGroup + + +@pytest.mark.tier(1) +@pytest.mark.ticket(gh=6652, bz=2162552) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_netgroups__add_remove_netgroup_triple(client: Client, provider: GenericProvider): + """ + :title: Netgroup triple is correctly removed from cached record + :setup: + 1. Create local user "user-1" + 2. Create netgroup "ng-1" + 3. Add "(-,user-1,)" triple to the netgroup + 4. Start SSSD + :steps: + 1. Run "getent netgroup ng-1" + 2. Remove "(-,user-1,)" triple from "ng-1" + 3. Invalidate netgroup in cache "sssctl cache-expire -n ng-1" + 4. Run "getent netgroup ng-1" + :expectedresults: + 1. "(-,user-1,)" is present in the netgroup + 2. Triple was removed from the netgroup + 3. Cached record was invalidated + 4. "(-,user-1,)" is not present in the netgroup + :customerscenario: True + """ + user = provider.user("user-1").add() + ng = provider.netgroup("ng-1").add().add_member(user=user) + + client.sssd.start() + + result = client.tools.getent.netgroup("ng-1") + assert result is not None + assert result.name == "ng-1" + assert len(result.members) == 1 + assert "(-, user-1)" in result.members + + ng.remove_member(user=user) + client.sssctl.cache_expire(netgroups=True) + + result = client.tools.getent.netgroup("ng-1") + assert result is not None + assert result.name == "ng-1" + assert len(result.members) == 0 + + +@pytest.mark.tier(1) +@pytest.mark.ticket(gh=6652, bz=2162552) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_netgroups__add_remove_netgroup_member(client: Client, provider: GenericProvider): + """ + :title: Netgroup member is correctly removed from cached record + :setup: + 1. Create local user "user-1" + 2. 
Create local user "user-2" + 3. Create netgroup "ng-1" + 4. Create netgroup "ng-2" + 5. Add "(-,user-1,)" triple to the netgroup "ng-1" + 6. Add "(-,user-2,)" triple to the netgroup "ng-2" + 7. Add "ng-1" as a member to "ng-2" + 8. Start SSSD + :steps: + 1. Run "getent netgroup ng-2" + 2. Remove "ng-1" from "ng-2" + 3. Invalidate netgroup "ng-2" in cache "sssctl cache-expire -n ng-2" + 4. Run "getent netgroup ng-2" + :expectedresults: + 1. "(-,user-1,)", "(-,user-2,)" is present in the netgroup + 2. Netgroup member was removed from the netgroup + 3. Cached record was invalidated + 4. "(-,user-1,)" is not present in the netgroup, only "(-,user-2,)" + :customerscenario: True + """ + u1 = provider.user("user-1").add() + u2 = provider.user("user-2").add() + + ng1 = provider.netgroup("ng-1").add().add_member(user=u1) + ng2 = provider.netgroup("ng-2").add().add_member(user=u2, ng=ng1) + + client.sssd.start() + + result = client.tools.getent.netgroup("ng-2") + assert result is not None + assert result.name == "ng-2" + assert len(result.members) == 2 + assert "(-, user-1)" in result.members + assert "(-, user-2)" in result.members + + ng2.remove_member(ng=ng1) + client.sssctl.cache_expire(netgroups=True) + + result = client.tools.getent.netgroup("ng-2") + assert result is not None + assert result.name == "ng-2" + assert len(result.members) == 1 + assert "(-, user-1)" not in result.members + assert "(-, user-2)" in result.members From fd3ed8afdf5123d4429b540e88abe00ad8dfbaba Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar Date: Mon, 12 Jun 2023 23:38:38 +0530 Subject: [PATCH 15/51] Test: drop c_ares tests from gating These two tests need further investigation, droppting them from gating Reviewed-by: Dan Lavu --- src/tests/multihost/ad/test_dyndns.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/tests/multihost/ad/test_dyndns.py b/src/tests/multihost/ad/test_dyndns.py index 3338aef6141..9a86359c1fc 100644 
--- a/src/tests/multihost/ad/test_dyndns.py +++ b/src/tests/multihost/ad/test_dyndns.py @@ -98,9 +98,9 @@ def remove_interface(): @pytest.mark.usefixtures("reverse_zone", "disable_dns_forwarders", "change_client_hostname") @pytest.mark.dyndns @pytest.mark.tier2 -@pytest.mark.c_ares class TestDynDns(object): + @pytest.mark.c_ares @staticmethod def test_0001_verify_with_default_setting(multihost, adjoin): """ @@ -126,6 +126,7 @@ def test_0001_verify_with_default_setting(multihost, adjoin): assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) + @pytest.mark.c_ares @staticmethod def test_0002_verify_when_dyndns_update_set_to_false(multihost, adjoin): """ @@ -156,6 +157,7 @@ def test_0002_verify_when_dyndns_update_set_to_false(multihost, adjoin): assert dns.find_a(hostname, ip) is not True assert dns.find_ptr(hostname, ip) is not True + @pytest.mark.c_ares @staticmethod def test_0003_verify_with_dyndns_ttl_functionality(multihost, adjoin): """ @@ -227,6 +229,7 @@ def test_0004_check_dyndns_iface_with_existing_interfaces( assert dns.find_ptr(hostname, extra_ip) assert ip not in dns.print_zone(domain) + @pytest.mark.c_ares @staticmethod def test_0005_check_dyndns_iface_with_non_existing_interfaces(multihost, adjoin): """ @@ -258,6 +261,7 @@ def test_0005_check_dyndns_iface_with_non_existing_interfaces(multihost, adjoin) assert dns.find_a(hostname, ip) is not True assert dns.find_ptr(hostname, ip) is not True + @pytest.mark.c_ares @staticmethod def test_0006_check_with_dyndns_refresh_interval(multihost, adjoin, extra_network, extra_interface): """ @@ -311,6 +315,7 @@ def test_0006_check_with_dyndns_refresh_interval(multihost, adjoin, extra_networ assert dns.find_a(hostname, extra_ip_after_refresh) assert dns.find_ptr(hostname, extra_ip_after_refresh) + @pytest.mark.c_ares @staticmethod def test_0007_set_dyndns_update_ptr_false_ptr_records_are_absent(multihost, adjoin): """ 
@@ -349,6 +354,7 @@ def test_0007_set_dyndns_update_ptr_false_ptr_records_are_absent(multihost, adjo assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) is not True + @pytest.mark.c_ares @staticmethod def test_0008_set_dyndns_update_ptr_to_false_ptr_records_are_present( multihost, adjoin, extra_interface, extra_network): @@ -407,6 +413,7 @@ def test_0008_set_dyndns_update_ptr_to_false_ptr_records_are_present( assert dns.find_ptr(hostname, ip) assert dns.find_ptr(hostname, new_ip) is not True + @pytest.mark.c_ares @staticmethod def test_0009_check_with_dyndns_force_tcp(multihost, adjoin): """ @@ -456,6 +463,7 @@ def test_0009_check_with_dyndns_force_tcp(multihost, adjoin): assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) + @pytest.mark.c_ares @staticmethod def test_0010_check_with_combination_of_addresses( multihost, adjoin, extra_interface, extra_network): @@ -496,6 +504,7 @@ def test_0010_check_with_combination_of_addresses( assert dns.find_ptr(hostname, extra_ip) assert dns.find_ptr(hostname, ip) is not True + @pytest.mark.c_ares @staticmethod def test_0011_verify_use_after_free_in_dyndns_code_bz1132361(multihost, adjoin): """ From dc9466e7371b98bc972ae2b3521f163f31a59a84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Thu, 8 Jun 2023 17:37:51 +0200 Subject: [PATCH 16/51] AD: The shortcut must be used equally on _send() and _done() The conditions to use the shortcut in sdap_ad_tokengroups_initgroups_send() were modified without also changing sdap_ad_tokengroups_initgroups_done(). To avoid future problems like this, and because the condition is becoming more complex to evaluate, we evaluate the condition in the _send() function and keep the result in the state, for the _done() function to use it. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose --- src/providers/ldap/sdap_async_initgroups_ad.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c index f5c88e2fbec..efd83d2dac8 100644 --- a/src/providers/ldap/sdap_async_initgroups_ad.c +++ b/src/providers/ldap/sdap_async_initgroups_ad.c @@ -1568,6 +1568,7 @@ errno_t sdap_ad_get_domain_local_groups_recv(struct tevent_req *req) struct sdap_ad_tokengroups_initgroups_state { bool use_id_mapping; + bool use_shortcut; struct sss_domain_info *domain; }; @@ -1591,7 +1592,6 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, struct tevent_req *req = NULL; struct tevent_req *subreq = NULL; errno_t ret; - bool use_shortcut; char **param = NULL; req = tevent_req_create(mem_ctx, &state, @@ -1613,14 +1613,14 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, * to avoid having to transfer and retain members when the fake * tokengroups object without name is replaced by the full group object */ - use_shortcut = false; + state->use_shortcut = false; if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain) && !state->domain->ignore_group_members) { ret = confdb_get_param(id_ctx->be->cdb, mem_ctx, id_ctx->be->conf_path, CONFDB_NSS_FILTER_GROUPS, ¶m); if (ret == EOK) { - use_shortcut = (param == NULL || param[0] == NULL); + state->use_shortcut = (param == NULL || param[0] == NULL); talloc_free(param); } else { DEBUG(SSSDBG_MINOR_FAILURE, "Failed to access %s: %i (%s)\n", @@ -1628,7 +1628,7 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, /* Continue without using the shortcut. Safest option. */ } } - if (use_shortcut) { + if (state->use_shortcut) { subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts, sysdb, domain, sh, name, orig_dn, 
@@ -1659,9 +1659,7 @@ static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq) req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state); - if (state->use_id_mapping - && !IS_SUBDOMAIN(state->domain) - && state->domain->ignore_group_members == false) { + if (state->use_shortcut) { ret = sdap_ad_tokengroups_initgr_mapping_recv(subreq); } else { ret = sdap_ad_tokengroups_initgr_posix_recv(subreq); From 9c50b8ec14f0e167c937446a64213ef59eaa96ef Mon Sep 17 00:00:00 2001 From: Madhuri Upadhye Date: Tue, 13 Jun 2023 15:12:30 +0530 Subject: [PATCH 17/51] Tests: Add package for tc command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adding package iproute-tc to get tc command. Signed-off-by: Madhuri Upadhye Reviewed-by: Jakub Vávra Reviewed-by: Shridhar Gadekar --- src/tests/multihost/sssd/testlib/common/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/multihost/sssd/testlib/common/utils.py b/src/tests/multihost/sssd/testlib/common/utils.py index a473f7f3748..de09c331a48 100644 --- a/src/tests/multihost/sssd/testlib/common/utils.py +++ b/src/tests/multihost/sssd/testlib/common/utils.py @@ -81,7 +81,7 @@ def client_install_pkgs(self): 'samba-winbind-clients autofs nfs-utils authconfig '\ 'authselect cifs-utils openldap-clients firewalld '\ 'tcpdump wireshark-cli expect rsyslog gcc gcc-c++ pam-devel '\ - 'tdb-tools libkcapi-hmaccalc strace' + 'tdb-tools libkcapi-hmaccalc strace iproute-tc' sssd_pkgs = 'sssd sssd-tools sssd-proxy sssd-winbind-idmap '\ 'libsss_autofs sssd-kcm sssd-dbus' extra_pkg = ' nss-pam-ldapd krb5-pkinit' From 6efb2779b79b86121f50852416e3ae63feac31a0 Mon Sep 17 00:00:00 2001 
From: Shridhar Gadekar Date: Tue, 13 Jun 2023 15:02:39 +0530 Subject: [PATCH 18/51] Test: dropping unstable dyndns tests Dropping unstable dyndns tests from c-ares gating --- src/tests/multihost/ad/test_dyndns.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/tests/multihost/ad/test_dyndns.py b/src/tests/multihost/ad/test_dyndns.py index 9a86359c1fc..834b3d3a0f6 100644 --- a/src/tests/multihost/ad/test_dyndns.py +++ b/src/tests/multihost/ad/test_dyndns.py @@ -100,8 +100,8 @@ def remove_interface(): @pytest.mark.tier2 class TestDynDns(object): - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0001_verify_with_default_setting(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: verify with default settings @@ -126,8 +126,8 @@ def test_0001_verify_with_default_setting(multihost, adjoin): assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0002_verify_when_dyndns_update_set_to_false(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: verify when dyndns update set to false @@ -157,8 +157,8 @@ def test_0002_verify_when_dyndns_update_set_to_false(multihost, adjoin): assert dns.find_a(hostname, ip) is not True assert dns.find_ptr(hostname, ip) is not True - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0003_verify_with_dyndns_ttl_functionality(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: verify with dyndns ttl functionality @@ -229,8 +229,8 @@ def test_0004_check_dyndns_iface_with_existing_interfaces( assert dns.find_ptr(hostname, extra_ip) assert ip not in dns.print_zone(domain) - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0005_check_dyndns_iface_with_non_existing_interfaces(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: check dyndns iface with non-existing interfaces 
@@ -261,8 +261,8 @@ def test_0005_check_dyndns_iface_with_non_existing_interfaces(multihost, adjoin) assert dns.find_a(hostname, ip) is not True assert dns.find_ptr(hostname, ip) is not True - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0006_check_with_dyndns_refresh_interval(multihost, adjoin, extra_network, extra_interface): """ :title: IDM-SSSD-TC: ad_provider: dyndns: check with dyndns refresh interval @@ -315,8 +315,8 @@ def test_0006_check_with_dyndns_refresh_interval(multihost, adjoin, extra_networ assert dns.find_a(hostname, extra_ip_after_refresh) assert dns.find_ptr(hostname, extra_ip_after_refresh) - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0007_set_dyndns_update_ptr_false_ptr_records_are_absent(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: set dyndns update ptr false ptr records are absent @@ -354,8 +354,8 @@ def test_0007_set_dyndns_update_ptr_false_ptr_records_are_absent(multihost, adjo assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) is not True - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0008_set_dyndns_update_ptr_to_false_ptr_records_are_present( multihost, adjoin, extra_interface, extra_network): """ @@ -413,8 +413,8 @@ def test_0008_set_dyndns_update_ptr_to_false_ptr_records_are_present( assert dns.find_ptr(hostname, ip) assert dns.find_ptr(hostname, new_ip) is not True - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0009_check_with_dyndns_force_tcp(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: check with dyndns force tcp @@ -463,8 +463,8 @@ def test_0009_check_with_dyndns_force_tcp(multihost, adjoin): assert dns.find_a(hostname, ip) assert dns.find_ptr(hostname, ip) - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0010_check_with_combination_of_addresses( multihost, adjoin, extra_interface, extra_network): """ 
@@ -504,8 +504,8 @@ def test_0010_check_with_combination_of_addresses( assert dns.find_ptr(hostname, extra_ip) assert dns.find_ptr(hostname, ip) is not True - @pytest.mark.c_ares @staticmethod + @pytest.mark.c_ares def test_0011_verify_use_after_free_in_dyndns_code_bz1132361(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: verify use after free in dyndns code bz1132361 From 5ebf98a86a75b27c70f6ca6a24fe2bc040f7da05 Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar Date: Wed, 14 Jun 2023 18:14:58 +0530 Subject: [PATCH 19/51] Tests: drop dyndns testcase from gating test is under investigation. This is minor test Reviewed-by: Dan Lavu --- src/tests/multihost/ad/test_dyndns.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/tests/multihost/ad/test_dyndns.py b/src/tests/multihost/ad/test_dyndns.py index 834b3d3a0f6..10dd135da4f 100644 --- a/src/tests/multihost/ad/test_dyndns.py +++ b/src/tests/multihost/ad/test_dyndns.py @@ -505,7 +505,6 @@ def test_0010_check_with_combination_of_addresses( assert dns.find_ptr(hostname, ip) is not True @staticmethod - @pytest.mark.c_ares def test_0011_verify_use_after_free_in_dyndns_code_bz1132361(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: dyndns: verify use after free in dyndns code bz1132361 From d14be798bdebcc3587769c2406ee025340cf5162 Mon Sep 17 00:00:00 2001 From: aborah Date: Tue, 13 Jun 2023 18:24:44 +0530 Subject: [PATCH 20/51] Tests: Skip test_0001_bz2021196 The test is unstable on other architectures so it is skipped for now. Reviewed-by: Madhuri Upadhye --- src/tests/multihost/alltests/test_backtrace.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/tests/multihost/alltests/test_backtrace.py b/src/tests/multihost/alltests/test_backtrace.py index d72caceeeb1..d4468b36a85 100644 --- a/src/tests/multihost/alltests/test_backtrace.py +++ b/src/tests/multihost/alltests/test_backtrace.py 
@@ -72,6 +72,10 @@ def test_0001_bz2021196(self, multihost, backupsssdconf): 7. Should fail as expected 8. Should have string 'skipping repetitive backtrace' """ + arch = multihost.client[0].run_command( + 'uname -m', raiseonerr=False).stdout_text + if 'x86_64' not in arch: + pytest.skip("Test is unstable on architectures other than x86_64.") bad_url(multihost) tools = sssdTools(multihost.client[0]) section = f"domain/{ds_instance_name}" From 3e3d098646f7cae90857f9a92348aff14fd65429 Mon Sep 17 00:00:00 2001 From: Jakub Vavra Date: Tue, 13 Jun 2023 13:19:10 +0200 Subject: [PATCH 21/51] Tests: Skip test_0016_ad_parameters_ad_hostname_valid on other architectures. The test is unstable on other architectures so it is skipped for now. Reordered the asserts so we can seed if the connection to AD works as looking for log message has a lower priority. Reviewed-by: Madhuri Upadhye --- .../multihost/ad/test_adparameters_ported.py | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/tests/multihost/ad/test_adparameters_ported.py b/src/tests/multihost/ad/test_adparameters_ported.py index a6a6fa42afe..0f8ea417fdc 100644 --- a/src/tests/multihost/ad/test_adparameters_ported.py +++ b/src/tests/multihost/ad/test_adparameters_ported.py @@ -1202,7 +1202,7 @@ def test_0015_ad_parameters_ad_hostname_machine( arch = multihost.client[0].run_command( 'uname -m', raiseonerr=False).stdout_text if 'x86_64' not in arch: - pytest.skip("Test is unstable on architectures other than x68_64.") + pytest.skip("Test is unstable on architectures other than x86_64.") adjoin(membersw='adcli') client = sssdTools(multihost.client[0], multihost.ad[0]) 
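Review bot: The architecture check added to test_0001_bz2021196 runs `uname -m` with `raiseonerr=False` and skips whenever `'x86_64'` is absent from the output, so a failed command with empty output also becomes a skip instead of an error. Calling it as `arch = multihost.client[0].run_command('uname -m', raiseonerr=True).stdout_text` would make a broken client visible. The same four lines appear in test_0015 and test_0016 of test_adparameters_ported.py in the following patch, so a shared fixture or helper would keep the condition in one place. The test body continues outside the hunk.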
@@ -1256,10 +1256,11 @@ def test_0015_ad_parameters_ad_hostname_machine( f'hostname {old_hostname}', raiseonerr=False) # Evaluate test results - assert "Setting ad_hostname to [host1.kautest.com]" in log_str - assert f"Will look for host1.kautest.com@{ad_realm}" in log_str assert usr_cmd.returncode == 0, f"User {aduser} was not found." assert su_result, "The su command failed!" + assert "Setting ad_hostname to [host1.kautest.com]" in log_str + assert f"Will look for host1.kautest.com@{ad_realm}" in log_str + @staticmethod @pytest.mark.tier1_2 @@ -1293,6 +1294,10 @@ def test_0016_ad_parameters_ad_hostname_valid( 1. Remove AD user. :customerscenario: False """ + arch = multihost.client[0].run_command( + 'uname -m', raiseonerr=False).stdout_text + if 'x86_64' not in arch: + pytest.skip("Test is unstable on architectures other than x86_64.") adjoin(membersw='adcli') client = sssdTools(multihost.client[0], multihost.ad[0]) @@ -1341,13 +1346,13 @@ def test_0016_ad_parameters_ad_hostname_valid( multihost.client[0].run_command( f'hostname {old_hostname}', raiseonerr=False) # Evaluate test results + assert usr_cmd.returncode == 0, f"User {aduser} was not found." + assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!" + assert su_result, "The su command failed!" assert f"Option ad_hostname has value {old_hostname}" in log_str assert f"Setting ad_hostname to [{old_hostname}]" not in log_str assert f"Will look for {old_hostname}@{ad_realm}" in log_str assert f"Trying to find principal {old_hostname}@{ad_realm}" in log_str - assert usr_cmd.returncode == 0, f"User {aduser} was not found." - assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!" - assert su_result, "The su command failed!" @staticmethod @pytest.mark.tier2 From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001 
From: Alexey Tikhonov Date: Thu, 15 Jun 2023 12:05:03 +0200 Subject: [PATCH 22/51] BUILD: Accept krb5 1.21 for building the PAC plugin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López Reviewed-by: Sumit Bose --- src/external/pac_responder.m4 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 index 3cbe3c9cfba..90727185b57 100644 --- a/src/external/pac_responder.m4 +++ b/src/external/pac_responder.m4 @@ -22,7 +22,8 @@ then Kerberos\ 5\ release\ 1.17* | \ Kerberos\ 5\ release\ 1.18* | \ Kerberos\ 5\ release\ 1.19* | \ - Kerberos\ 5\ release\ 1.20*) + Kerberos\ 5\ release\ 1.20* | \ + Kerberos\ 5\ release\ 1.21*) krb5_version_ok=yes AC_MSG_RESULT([yes]) ;; From 54903c0e38f534bd48f890658b55c626431dd6d5 Mon Sep 17 00:00:00 2001 From: Jakub Vavra Date: Thu, 15 Jun 2023 11:03:06 +0200 Subject: [PATCH 23/51] Tests: Improve stability of test_0004_bz2110091 Reviewed-by: Shridhar Gadekar --- src/tests/multihost/ad/test_ad_misc.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/tests/multihost/ad/test_ad_misc.py b/src/tests/multihost/ad/test_ad_misc.py index b6de3a11af1..d5f6098b603 100644 --- a/src/tests/multihost/ad/test_ad_misc.py +++ b/src/tests/multihost/ad/test_ad_misc.py 
@@ -317,8 +317,17 @@ def test_0004_bz2110091(multihost, adjoin, create_aduser_group): client.sssd_conf(dom_section, sssd_params) client.clear_sssd_cache() multihost.client[0].run_command('systemctl reboot', raiseonerr=False) - time.sleep(50) - dom_log = multihost.client[0].get_file_contents(f'/var/log/sssd/sssd_{domainname}.log').decode('utf-8') + time.sleep(30) + # Reboot takes a long time in some cases so we try multiple times. + for _ in range(1, 10): + try: + dom_log = multihost.client[0].get_file_contents(f'/var/log/sssd/sssd_{domainname}.log').decode('utf-8') + break + except OSError: + time.sleep(30) + else: + # There is no need to fail here as the assertion will fail anyway. + dom_log = "Could not pull the log file!" log1 = re.compile(r'Destroying.the.old.c-ares.channel', re.IGNORECASE) log2 = re.compile(r'\[recreate_ares_channel.*Initializing.new.c-ares.channel', re.IGNORECASE) assert log1.search(dom_log), 'Destroying the old c-ares related log missing' From 34dba5a3836a121a6485ec71ffc7234cd5ec24c0 Mon Sep 17 00:00:00 2001 From: aborah Date: Wed, 31 May 2023 21:38:08 +0530 Subject: [PATCH 24/51] Tests: Add ssh module that is fast, reliable, accurate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sssd tests seems to be failing with current ssh module without any reason. Reviewed-by: Jakub Vávra Reviewed-by: Scott Poore --- src/tests/multihost/requirements.txt | 1 + .../sssd/testlib/common/ssh2_python.py | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 src/tests/multihost/sssd/testlib/common/ssh2_python.py diff --git a/src/tests/multihost/requirements.txt b/src/tests/multihost/requirements.txt index 46d0c79825d..c5f8139a767 100644 --- a/src/tests/multihost/requirements.txt +++ b/src/tests/multihost/requirements.txt @@ -4,3 +4,4 @@ pytest_multihost python-ldap PyYAML pymmh3 +ssh2-python 
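Review bot: The retry loop added after `systemctl reboot` in test_0004_bz2110091 stops at the first read that does not raise, so it can return a log that exists but does not yet contain the c-ares messages the assertions below look for. It would be more robust to compile `log1` and `log2` before the loop and leave it only once the text is there, e.g. `if log1.search(dom_log) and log2.search(dom_log): break`, sleeping otherwise. Whether a connection failure during the reboot surfaces as `OSError` from `get_file_contents` is not visible in this hunk; if the transport raises a different exception the loop never gets a second attempt.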
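Review bot: `ssh2-python` is added without a version constraint, so each test environment installs whatever release is current at install time, including the native libssh2 build shipped in its binary wheels. The other entries in this file are unpinned as well, so this follows the existing convention, but a new dependency that handles passwords is a reasonable place to start pinning: `ssh2-python==TESTED_VERSION` (placeholder for the release the tests were validated with).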
diff --git a/src/tests/multihost/sssd/testlib/common/ssh2_python.py b/src/tests/multihost/sssd/testlib/common/ssh2_python.py new file mode 100644 index 00000000000..ca21cf28d48 --- /dev/null +++ b/src/tests/multihost/sssd/testlib/common/ssh2_python.py 
@@ -0,0 +1,89 @@ +import socket +from ssh2.session import Session + + +class SSHClient: + """ ssh2 methods """ + def __init__(self, hostname, username, password): + """Initialize defaults""" + self.hostname = hostname + self.username = username + self.password = password + self.session = None + + def connect(self): + """login to host""" + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((self.hostname, 22)) + session = Session() + session.handshake(sock) + session.userauth_password(self.username, self.password) + self.session = session + + def execute_command(self, command): + """Run Non interactive Commands""" + channel = self.session.open_session() + channel.execute(command) + size, data = channel.read() + output = "" + while size > 0: + output += data.decode() + size, data = channel.read() + channel.close() + return output + + def close(self): + """Logout of ssh session""" + if self.session: + self.session.disconnect() + + +def check_login(hostname, user, password): + """This function will check user login + user: Name of the user. + hostname: Name of the machine where user will login. + password: User password. + """ + ssh = SSHClient(hostname, user, password) + ssh.connect() + ssh.close() + + +def check_login_client(multihost, user, password): + """This function will check user login + user: Name of the user. + password: User password. + """ + hostname = multihost.client[0].ip + ssh = SSHClient(hostname, user, password) + ssh.connect() + ssh.close() + + +def run_command(hostname, user, password, command): + """This function will execute command + user: Name of the user. + hostname: Name of the machine where user will login. + password: User password. + command: User command + """ + ssh = SSHClient(hostname, user, password) + ssh.connect() + result = ssh.execute_command(command) + ssh.close() + return result + + +def run_command_client(multihost, user, password, command): + """This function will execute command + user: Name of the user. 
+ hostname: Name of the machine where user will login. + password: User password. + command: User command + """ + hostname = multihost.client[0].ip + ssh = SSHClient(hostname, user, password) + ssh.connect() + result = ssh.execute_command(command) + ssh.close() + return result From d99aa97dae7236fd056e21ea3d48997edf1b9823 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 7 Jun 2023 17:00:33 +0200 Subject: [PATCH 25/51] ldap: return failure if there are no grace logins left MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a user's password is expired while changing the LDAP password SSSD tries to change the password even if the initial bind of the user failed due to exhausted grace logins. With this patch the change password request will be aborted if the bind fails indicating that there are no grace logins left. Resolves: https://github.com/SSSD/sssd/issues/6768 Reviewed-by: Iker Pedrosa Reviewed-by: Pavel Březina --- src/providers/ldap/sdap_async_connection.c | 26 +++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index e78662495dc..e8638725c78 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c 
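Review bot: `SSHClient.connect()` calls `userauth_password()` right after `handshake()` without comparing the server's host key to anything, so the password is sent to whichever host answers on port 22 of `hostname`. If that is acceptable because these helpers only talk to disposable lab machines, say so in the class docstring; otherwise compare `session.hostkey()` with a pinned value before authenticating. `execute_command()` also decodes each chunk from `channel.read()` on its own, which raises UnicodeDecodeError when a multi-byte character is split across two reads, and it leaves the channel open if `execute()` or `read()` raises. The rewrite below collects the raw bytes, decodes once and closes the channel in a `finally`; the four module-level helpers would benefit from the same `try`/`finally` around `ssh.close()`.

```python
    def execute_command(self, command):
        """Run Non interactive Commands"""
        channel = self.session.open_session()
        try:
            channel.execute(command)
            chunks = []
            size, data = channel.read()
            while size > 0:
                chunks.append(data)
                size, data = channel.read()
        finally:
            channel.close()
        # Decode once so a multi-byte character split across reads survives.
        return b"".join(chunks).decode()
```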
@@ -860,15 +860,31 @@ static void simple_bind_done(struct sdap_op *op, } } else if (result == LDAP_INVALID_CREDENTIALS && pp_error == PP_passwordExpired) { + /* According to + * https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-11.txt + * section 8.1.2.3.2. this condition means "No Remaining + * Grace Authentications". */ DEBUG(SSSDBG_TRACE_LIBS, - "Password expired user must set a new password.\n"); - ret = ERR_PASSWORD_EXPIRED; + "Password expired, grace logins exhausted.\n"); + ret = ERR_AUTH_FAILED; } } else if (strcmp(response_controls[c]->ldctl_oid, LDAP_CONTROL_PWEXPIRED) == 0) { - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired user must set a new password.\n"); - ret = ERR_PASSWORD_EXPIRED; + /* I haven't found a proper documentation of this control only + * the Red Hat Directory Server documentation has a short + * description in the section "Understanding Password + * Expiration Controls", e.g. + * https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/understanding_password_expiration_controls + */ + if (result == LDAP_INVALID_CREDENTIALS) { + DEBUG(SSSDBG_TRACE_LIBS, + "Password expired, grace logins exhausted.\n"); + ret = ERR_AUTH_FAILED; + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Password expired, user must set a new password.\n"); + ret = ERR_PASSWORD_EXPIRED; + } } else if (strcmp(response_controls[c]->ldctl_oid, LDAP_CONTROL_PWEXPIRING) == 0) { /* ignore controls with suspiciously long values */ From 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 Mon Sep 17 00:00:00 2001 
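Review bot: In the LDAP_CONTROL_PWEXPIRED branch the new `else` maps every bind result other than LDAP_INVALID_CREDENTIALS to ERR_PASSWORD_EXPIRED, so an unrelated failure code that happens to carry this control would still steer the caller towards a password change. If the control is only meaningful on a successful bind or on invalid credentials, stating that in code is safer: `} else if (result == LDAP_SUCCESS) {`, leaving `ret` untouched for anything else. How `ret` is later combined with `result` is outside the hunk (simple_bind_done starts and ends beyond it), so this may already be covered; a one-line comment saying so would settle it. Both new ERR_AUTH_FAILED branches also log the identical text `Password expired, grace logins exhausted.`, so the log cannot tell which control triggered the failure.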
From: Sumit Bose Date: Wed, 7 Jun 2023 10:45:59 +0200 Subject: [PATCH 26/51] ad: use sAMAccountName to lookup hosts To determine which GPOs apply to the host running SSSD the full DN of the host object in AD is needed. To fine this object we use the NetBIOS name of the host which is stored in AD in the sAMAccountName attribute. Using other attributes, e.g. if ldap_user_name is set to a different attribute, will most probably cause a failure since those attributes are not managed as expected for host object. As a result sAMAccountName should be hardcoded here to avoid issues. Resolves: https://github.com/SSSD/sssd/issues/6766 Reviewed-by: Iker Pedrosa Reviewed-by: Justin Stephenson --- src/providers/ad/ad_gpo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 4b7bbf18200..44e9cbb2735 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -59,6 +59,7 @@ #define AD_AT_DN "distinguishedName" #define AD_AT_UAC "userAccountControl" +#define AD_AT_SAMACCOUNTNAME "sAMAccountName" #define AD_AT_CONFIG_NC "configurationNamingContext" #define AD_AT_GPLINK "gPLink" #define AD_AT_GPOPTIONS "gpOptions" @@ -2061,7 +2062,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=%s))", state->opts->user_map[SDAP_OC_USER].name, - state->opts->user_map[SDAP_AT_USER_NAME].name, + AD_AT_SAMACCOUNTNAME, sam_account_name); if (filter == NULL) { ret = ENOMEM; From 8b014bf1592454520ef6d113be9a5f1fd02e1285 Mon Sep 17 00:00:00 2001 
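Review bot: `sam_account_name` is formatted into the search filter with a plain `%s` in ad_gpo_connect_done, and the hunk does not show it being escaped. The value comes from the host's own name rather than from a remote user, but a name containing `(`, `)`, `*` or `\` would still change the meaning of the filter; confirm it passes through `sss_filter_sanitize()` before this `talloc_asprintf`, or add the call here. Separately, the attribute is now fixed to `AD_AT_SAMACCOUNTNAME` while the object class still comes from `user_map[SDAP_OC_USER].name`; a short comment explaining why only the attribute is hard-coded would help the next reader. The function body continues outside the hunk.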
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 1 Jun 2023 13:09:15 +0200 Subject: [PATCH 27/51] cache_req: remove unused field cache_behavior from state MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This field is not used anywhere. Instead, we use value from struct cache_req. Reviewed-by: Alexey Tikhonov Reviewed-by: Tomáš Halman --- src/responder/common/cache_req/cache_req.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c index 258dc1da507..b3b520492c3 100644 --- a/src/responder/common/cache_req/cache_req.c +++ b/src/responder/common/cache_req/cache_req.c @@ -702,7 +702,6 @@ struct cache_req_search_domains_state { bool check_next; bool dp_success; bool first_iteration; - enum cache_req_behavior cache_behavior; }; static errno_t cache_req_search_domains_next(struct tevent_req *req); From 32f578229d38766b208f33130e28317ca69001d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 1 Jun 2023 13:34:37 +0200 Subject: [PATCH 28/51] cache_req: fix propagation of offline status with cache_first = true MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit During the first iteration where the provider was not yet contacted, we set state->dp_success to false and if the record was not found we returned ERR_OFFLINE instead of ENOENT which causes the cache_req to continue and search the provider. Resolves: https://github.com/SSSD/sssd/issues/6739 Reviewed-by: Alexey Tikhonov Reviewed-by: Tomáš Halman --- src/responder/common/cache_req/cache_req.c | 38 +++- src/tests/system/tests/test_autofs.py | 204 +++++++++++++++++++++ 2 files changed, 236 insertions(+), 6 deletions(-) create mode 100644 src/tests/system/tests/test_autofs.py diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c index b3b520492c3..b8275953261 100644 
--- a/src/responder/common/cache_req/cache_req.c +++ b/src/responder/common/cache_req/cache_req.c @@ -712,6 +712,26 @@ static void cache_req_search_domains_locate_done(struct tevent_req *subreq); static void cache_req_search_domains_done(struct tevent_req *subreq); +static bool +cache_req_dp_contacted(struct cache_req_search_domains_state *state) +{ + switch (state->cr->cache_behavior) { + case CACHE_REQ_CACHE_FIRST: + if (state->first_iteration) { + /* This is the first iteration so provider was bypassed. */ + return false; + } + + /* This is the second iteration so the provider was contacted. */ + return true; + case CACHE_REQ_BYPASS_PROVIDER: + return false; + default: + /* Other schemas talks to provider immediately. */ + return true; + } +} + struct tevent_req * cache_req_search_domains_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -867,7 +887,7 @@ static errno_t cache_req_search_domains_next(struct tevent_req *req) * requests succeeded because only then we can be sure that it does * not exist- */ - if (state->dp_success) { + if (cache_req_dp_contacted(state) && state->dp_success) { cache_req_global_ncache_add(cr); } @@ -971,8 +991,10 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) ret = cache_req_search_recv(state, subreq, &result, &dp_success); talloc_zfree(subreq); - /* Remember if any DP request fails. */ - state->dp_success = !dp_success ? false : state->dp_success; + /* Remember if any DP request fails, if DP was contacted. */ + if (cache_req_dp_contacted(state)) { + state->dp_success = !dp_success ? false : state->dp_success; + } switch (ret) { case EOK: 
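Review bot: cache_req_dp_contacted() is added without a header comment, and its `default:` label means any cache_behavior value introduced later is silently treated as "provider was contacted". Its result now gates both the negative-cache insertion and the ERR_OFFLINE propagation in the hunks that follow, so a wrong answer either caches a false "does not exist" or hides an offline provider. Suggested comment: `/* True if the data provider was asked during the current iteration; presumably depends on first_iteration being cleared before the second pass (confirm). */`. Listing the remaining enum values explicitly instead of `default:` would let -Wswitch flag future additions.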
@@ -984,7 +1006,9 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) case ERR_ID_OUTSIDE_RANGE: case ENOENT: if (state->check_next == false) { - if (state->cr->data->propogate_offline_status && !state->dp_success) { + if (cache_req_dp_contacted(state) + && !state->dp_success + && state->cr->data->propogate_offline_status) { /* Not found and data provider request failed so we were * unable to fetch the data. */ ret = ERR_OFFLINE; @@ -1019,8 +1043,10 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) case EAGAIN: break; default: - if (ret == ENOENT && state->cr->data->propogate_offline_status - && !state->dp_success) { + if (cache_req_dp_contacted(state) + && ret == ENOENT + && !state->dp_success + && state->cr->data->propogate_offline_status) { /* Not found and data provider request failed so we were * unable to fetch the data. */ ret = ERR_OFFLINE; diff --git a/src/tests/system/tests/test_autofs.py b/src/tests/system/tests/test_autofs.py new file mode 100644 index 00000000000..efe112231a3 --- /dev/null +++ b/src/tests/system/tests/test_autofs.py 
@@ -0,0 +1,204 @@ +""" +Autofs tests. + +:requirement: Ldap Provider - automount +""" + +from __future__ import annotations + +import pytest +from sssd_test_framework.roles.client import Client +from sssd_test_framework.roles.generic import GenericProvider +from sssd_test_framework.roles.nfs import NFS +from sssd_test_framework.topology import KnownTopologyGroup + + +@pytest.mark.ticket(gh=6739) +@pytest.mark.parametrize("cache_first", [False, True]) +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_autofs__cache_first(client: Client, nfs: NFS, provider: GenericProvider, cache_first: bool): + """ + :title: Autofs works correctly with any cache_first value + :setup: + 1. Create NFS export + 2. Create auto.master map + 3. Create auto.export map + 4. Add /export (auto.export) key to auto.master + 5. Add "NFS export" key as "export" to auto.export + 6. Enable autofs responder + 7. Set [autofs]/cache_first = $cache_first + 8. Start SSSD + 9. Reload autofs daemon + :steps: + 1. Access /export/export + 2. Dump automount maps "automount -m" + :expectedresults: + 1. Directory can be accessed and it is correctly mounted to the NFS share + 2. 
/export contains auto.export map and "export" key + :customerscenario: False + """ + nfs_export = nfs.export("export").add() + auto_master = provider.automount.map("auto.master").add() + auto_export = provider.automount.map("auto.export").add() + auto_master.key("/export").add(info=auto_export) + key = auto_export.key("export").add(info=nfs_export) + + # Start SSSD + client.sssd.common.autofs() + client.sssd.autofs["cache_first"] = str(cache_first) + client.sssd.start() + + # Reload automounter in order fetch updated maps + client.automount.reload() + + # Check that we can mount the exported directory + assert client.automount.mount("/export/export", nfs_export) + + # Check that the maps are correctly fetched + assert client.automount.dumpmaps() == { + "/export": {"map": "auto.export", "keys": [str(key)]}, + } + + +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_autofs__propagate_offline__single_domain(client: Client, provider: GenericProvider): + """ + :title: Autofs propagates offline status if a domain is offline + :setup: + 1. Block LDAP port on the provider + 2. Enable autofs responder + 3. Start SSSD + 4. Reload autofs daemon + :steps: + 1. Read autofs responder logs + :expectedresults: + 1. 
cache_req returns "SSSD is offline" when data provider is offline for auto.master search + :customerscenario: False + """ + # Render the provider offline + provider.firewall.drop(389) + + # Start SSSD + client.sssd.common.autofs() + client.sssd.start() + + # Reload automounter in order fetch updated maps + client.automount.reload() + + # Check that offline status was returned from cache req + log = client.fs.read(client.sssd.logs.autofs).splitlines() + offline_status_propagated = False + for index, line in enumerate(log): + if "cache_req_process_result" in line and "Finished: Error" in line and "SSSD is offline" in line: + if "Object [auto.master] was not found in cache" in log[index - 1]: + offline_status_propagated = True + break + + assert offline_status_propagated + + +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_autofs__propagate_offline__multi_domain(client: Client): + """ + :title: Autofs propagates offline status if a domain is offline in multi domain environment + :setup: + 1. Create two fake LDAP domains that will be offline (the provider is online but does not have autofs maps) + 2. Enable autofs responder + 3. Start SSSD + 4. Reload autofs daemon + :steps: + 1. Read autofs responder logs + :expectedresults: + 1. 
cache_req returns "SSSD is offline" when data provider is offline for auto.master search + :customerscenario: False + """ + # Create fake domains, these will be offline + client.sssd.dom("fake1").update( + enabled="true", + id_provider="ldap", + ldap_uri="ldap://fake1.test", + ) + + client.sssd.dom("fake2").update( + enabled="true", + id_provider="ldap", + ldap_uri="ldap://fake2.test", + ) + + # Start SSSD + client.sssd.common.autofs() + client.sssd.start() + + # Reload automounter in order fetch updated maps + client.automount.reload() + + # Check that offline status was returned from cache req + log = client.fs.read(client.sssd.logs.autofs).splitlines() + offline_status_propagated = False + for index, line in enumerate(log): + if "cache_req_process_result" in line and "Finished: Error" in line and "SSSD is offline" in line: + if "Object [auto.master] was not found in cache" in log[index - 1]: + offline_status_propagated = True + break + + assert offline_status_propagated + + +@pytest.mark.topology(KnownTopologyGroup.AnyProvider) +def test_autofs__offline_domains(client: Client, nfs: NFS, provider: GenericProvider): + """ + :title: Autofs works if some domain is offline in multi domain environment + :setup: + 1. Create NFS export + 2. Create auto.master map + 3. Create auto.export map + 4. Add /export (auto.export) key to auto.master + 5. Add "NFS export" key as "export" to auto.export + 6. Create two fake LDAP domains that will be offline (the provider is online) + 7. Enable autofs responder + 8. Start SSSD + 9. Reload autofs daemon + :steps: + 1. Access /export/export + 2. Dump automount maps "automount -m" + :expectedresults: + 1. Directory can be accessed and it is correctly mounted to the NFS share + 2. 
/export contains auto.export map and "export" key + :customerscenario: False + """ + + # Create autofs maps + nfs_export = nfs.export("export").add() + auto_master = provider.automount.map("auto.master").add() + auto_export = provider.automount.map("auto.export").add() + auto_master.key("/export").add(info=auto_export) + key = auto_export.key("export").add(info=nfs_export) + + # Create fake domains, these will be offline + client.sssd.dom("fake1").update( + enabled="true", + id_provider="ldap", + ldap_uri="ldap://fake1.test", + ) + + client.sssd.dom("fake2").update( + enabled="true", + id_provider="ldap", + ldap_uri="ldap://fake2.test", + ) + + # Start SSSD + client.sssd.sssd["domain_resolution_order"] = f"fake1, fake2, {client.sssd.default_domain}" + client.sssd.common.autofs() + client.sssd.start() + + # Reload automounter in order fetch updated maps + client.automount.reload() + + # Check that we can mount the exported directory + assert client.automount.mount("/export/export", nfs_export) + + # Check that the maps are correctly fetched + assert client.automount.dumpmaps() == { + "/export": {"map": "auto.export", "keys": [str(key)]}, + } From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001 
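Review bot: In the log scan of test_autofs__propagate_offline__single_domain, `log[index - 1]` is evaluated with `index == 0` when the very first line matches, and Python then reads the last line of the file instead of failing; guard it with `if index > 0 and "Object [auto.master] was not found in cache" in log[index - 1]:`. The same loop is copied verbatim into test_autofs__propagate_offline__multi_domain, so one shared helper would keep the two in step. The single-domain test also blocks only port 389 although the topology is AnyProvider; if a provider is reached over another port the domain may never go offline, which deserves a comment or an explicit check of the domain state.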
From: Alexey Tikhonov Date: Sat, 10 Jun 2023 16:28:23 +0200 Subject: [PATCH 29/51] SYSDB: in case (ignore_group_members == true) group is actually complete MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Example workflow: - SSSD client is enrolled into AD domain (Token-Groups are enabled) - `id $user` is executed - initgroups() is called for this user - during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete" (i.e. 'expired') - as a next step `id` calls getgrnam() for every group in initgroups() list - since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group. But if `ignore_group_members = true` this search doesn't provide new information. "Incomplete" groups could be used instead. Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/db/sysdb_ops.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index d11d8d956b0..7a3c002130f 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain, ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now); if (ret) goto done; + /* in case (ignore_group_members == true) group is actually complete */ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, - now-1); + domain->ignore_group_members ? + (now + domain->group_timeout) : (now-1)); if (ret) goto done; ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix); From ca7c9f6066d150c1a88bda6bda2843f244e5289d Mon Sep 17 00:00:00 2001 
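Review bot: The new expiry value applies to every caller of sysdb_add_incomplete_group(), not only the initgroups path described in the commit message, and those callers are not visible in this hunk. With `ignore_group_members` set, an entry created here is now served from the cache for `group_timeout` seconds without a provider lookup, so any attribute that is missing or provisional at creation time stays that way for the whole period. The added comment should say what makes the entry complete, for example `/* members are never stored when ignore_group_members is set, so every other attribute written here is final */`, provided that holds for all callers. The function starts and ends outside the hunk.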
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 31 May 2023 11:23:41 +0200 Subject: [PATCH 30/51] TEST: Fix pam-srv-tests to correctly treat the test name Test suite pam-srv-tests accepts a test name as the last argument to just run that test. However, this was failing because a pointer to the name is retrieved but the poptContext is freed immediately after, making pointer invalid. The poptContext is now released after using the pointer. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/tests/cmocka/test_pam_srv.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index e90a8bbb0e7..05b6790b655 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -4418,6 +4418,7 @@ int main(int argc, const char *argv[]) { poptContext pc; int opt; + int res; const char *single = NULL; struct poptOption long_options[] = { POPT_AUTOHELP @@ -4682,8 +4683,6 @@ int main(int argc, const char *argv[]) return 1; } - poptFreeContext(pc); - DEBUG_CLI_INIT(debug_level); /* Even though normally the tests should clean up after themselves @@ -4691,7 +4690,8 @@ int main(int argc, const char *argv[]) tests_set_cwd(); test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); - return sss_cmocka_run_group_tests(tests, sizeof(tests)/sizeof(tests[0]), - single); - + res = sss_cmocka_run_group_tests(tests, sizeof(tests)/sizeof(tests[0]), + single); + poptFreeContext(pc); + return res; } From dc508f032904f008714418509a13f79a17660659 Mon Sep 17 00:00:00 2001 
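Review bot: Nothing at the relocated `poptFreeContext(pc)` call says why it has to come after the test run, so a later cleanup could move it back up and reintroduce the dangling `single` pointer. A comment at the call, `/* 'single' points into memory owned by pc; free the context only after the tests ran */`, records the constraint. The `return 1;` shown as context in the second hunk leaves main() before this call; whether `pc` is released on that path is not visible here.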
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 31 May 2023 13:53:03 +0200 Subject: [PATCH 31/51] IPA: Do not try to add duplicate values to the LDAP attributes When using extra attributes, an attribute could be listed twice and SSSD will try to add it twice to the cache. To handle this situation, each instance will be added to a single attribute with multiple values, but duplicated values will be dropped. This is done by calling `sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/providers/ipa/ipa_s2n_exop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c index 616757e2d51..ca835f0aa40 100644 --- a/src/providers/ipa/ipa_s2n_exop.c +++ b/src/providers/ipa/ipa_s2n_exop.c @@ -663,7 +663,7 @@ static errno_t get_extra_attrs(BerElement *ber, struct resp_attrs *resp_attrs) v.length = values[c]->bv_len; } - ret = sysdb_attrs_add_val(resp_attrs->sysdb_attrs, name, &v); + ret = sysdb_attrs_add_val_safe(resp_attrs->sysdb_attrs, name, &v); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_val failed.\n"); ldap_memfree(name); From 1b45f29f459f13173af99e75b4bb43ed945680aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Tue, 6 Jun 2023 17:27:31 +0200 Subject: [PATCH 32/51] UTIL: New function string_in_list_size() Similar to string_in_list() but instead of taking a NULL-terminated list it take a list and its size. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/tests/util-tests.c | 45 +++++++++++++++++++++++++++++++++++++++++- src/util/util.h | 3 +++ src/util/util_ext.c | 21 ++++++++++++++++++++ 3 files changed, 68 insertions(+), 1 deletion(-) diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c index 7f3a0d1bda5..d0a1c6e57a4 100644 --- a/src/tests/util-tests.c +++ b/src/tests/util-tests.c 
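Review bot: The call in get_extra_attrs() now goes to `sysdb_attrs_add_val_safe()`, but the DEBUG message on the failure path directly below still reads `sysdb_attrs_add_val failed.`, which points anyone reading the log at the wrong function. Update the string to `"sysdb_attrs_add_val_safe failed.\n"`. The function body continues outside the hunk.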
@@ -105,7 +105,7 @@ START_TEST(test_string_in_list) ck_assert_msg(!is_in, "String is in empty list."); is_in = string_in_list("ABC", list, false); - ck_assert_msg(is_in, "String is not list."); + ck_assert_msg(is_in, "String is not in list."); is_in = string_in_list("abc", list, false); ck_assert_msg(is_in, "String is not case in-sensitive list."); @@ -119,6 +119,48 @@ START_TEST(test_string_in_list) } END_TEST +START_TEST(test_string_in_list_size) +{ + bool is_in; + const char *empty_list[] = {}; + size_t empty_list_size = 0; + const char *list[] = {discard_const("ABC"), + discard_const("DEF"), + discard_const("GHI")}; + size_t list_size = sizeof(list) / sizeof(list[0]); + + is_in = string_in_list_size(NULL, NULL, 0, false); + ck_assert_msg(!is_in, "NULL string is in NULL list."); + + is_in = string_in_list_size(NULL, empty_list, empty_list_size, false); + ck_assert_msg(!is_in, "NULL string is in empty list."); + + is_in = string_in_list_size(NULL, list, list_size, false); + ck_assert_msg(!is_in, "NULL string is in list."); + + is_in = string_in_list_size("ABC", NULL, 0, false); + ck_assert_msg(!is_in, "String is in NULL list."); + + is_in = string_in_list_size("ABC", empty_list, empty_list_size, false); + ck_assert_msg(!is_in, "String is in empty list."); + + is_in = string_in_list_size("ABC", list, list_size, false); + ck_assert_msg(is_in, "String is not in list."); + + is_in = string_in_list_size("abc", list, list_size, false); + ck_assert_msg(is_in, "String is not case in-sensitive list."); + + is_in = string_in_list_size("abc", list, list_size, true); + ck_assert_msg(!is_in, "Wrong string found in case sensitive list."); + + is_in = string_in_list_size("123", list, list_size, false); + ck_assert_msg(!is_in, "Wrong string found in list."); + + is_in = string_in_list_size("GHI", list, list_size - 1, false); + ck_assert_msg(!is_in, "Size limit not respected."); +} +END_TEST + START_TEST(test_parse_args) { struct pa_testcase { 
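Review bot: `const char *empty_list[] = {};` in test_string_in_list_size uses an empty initializer and a zero-length array, which is a GNU extension rather than ISO C before C23, so the test builds only with compilers that accept it. A one-element array passed with size 0 exercises the same path: `const char *empty_list[] = { NULL };`. The `discard_const()` wrappers around the literals in `list` are also unnecessary, since the element type is already `const char *`.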
@@ -1121,6 +1163,7 @@ Suite *util_suite(void) tcase_add_test (tc_util, test_parse_args); tcase_add_test (tc_util, test_add_string_to_list); tcase_add_test (tc_util, test_string_in_list); + tcase_add_test (tc_util, test_string_in_list_size); tcase_add_test (tc_util, test_split_on_separator); tcase_add_test (tc_util, test_check_ipv4_addr); tcase_add_test (tc_util, test_check_ipv6_addr); diff --git a/src/util/util.h b/src/util/util.h index 68302bb725d..c7994f1ff13 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -532,6 +532,9 @@ errno_t del_string_from_list(const char *string, bool string_in_list(const char *string, char **list, bool case_sensitive); +bool string_in_list_size(const char *string, const char **list, size_t size, + bool case_sensitive); + int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn); bool is_host_in_domain(const char *host, const char *domain); diff --git a/src/util/util_ext.c b/src/util/util_ext.c index 3ce03712358..c9839a907c5 100644 --- a/src/util/util_ext.c +++ b/src/util/util_ext.c @@ -147,6 +147,27 @@ bool string_in_list(const char *string, char **list, bool case_sensitive) return false; } +bool string_in_list_size(const char *string, const char **list, size_t size, + bool case_sensitive) +{ + size_t c; + int(*compare)(const char *s1, const char *s2); + + if (string == NULL || list == NULL || size == 0) { + return false; + } + + compare = case_sensitive ? strcmp : strcasecmp; + + for (c = 0; c < size; c++) { + if (compare(string, list[c]) == 0) { + return true; + } + } + + return false; +} + errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx, const char *input, char **sanitized, From 2b8fed59140e32f7a8fa9bafe9e84b8db96d1ae5 Mon Sep 17 00:00:00 2001 
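Review bot: In string_in_list_size() (util_ext.c hunk) the loop passes `list[c]` straight to `strcmp`/`strcasecmp`, so a NULL element among the first `size` entries is undefined behaviour, even though the function otherwise tolerates a NULL `string` or `list`. Either skip such entries with `if (list[c] != NULL && compare(string, list[c]) == 0) {`, or state the non-NULL requirement in a comment. The prototype added to util.h in the preceding hunk has no documentation at all. A short Doxygen block there should say that `size` is the number of entries to examine and that `case_sensitive == false` selects `strcasecmp`.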
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 7 Jun 2023 11:12:46 +0200 Subject: [PATCH 33/51] UTIL: add_strings_lists() becomes add_strings_lists_ex() Old function add_strings_lists() copies any duplicate value. New function add_strings_lists_ex() take an argument to decide whether to discard duplicate values. add_strings_lists() is now a wrapper on add_strings_lists_ex(). Both function now take a const char *** instead of char ** as output parameter. An existing test was adapted and an new one added. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/providers/ipa/ipa_sudo_conversion.c | 2 +- src/responder/ifp/ifp_cache.c | 3 +- src/tests/cmocka/test_utils.c | 119 +++++++++++++++++++++++- src/util/util.c | 55 +++++++---- src/util/util.h | 22 ++++- 5 files changed, 177 insertions(+), 24 deletions(-) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index 543f71a7b63..220d937b6fb 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -1082,7 +1082,7 @@ combine_cmdgroups(TALLOC_CTX *mem_ctx, } ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded, - false, discard_const(&values)); + false, &values); if (ret != EOK) { talloc_free(tmp_ctx); return NULL; diff --git a/src/responder/ifp/ifp_cache.c b/src/responder/ifp/ifp_cache.c index 27681d094de..a4dd393aac2 100644 --- a/src/responder/ifp/ifp_cache.c +++ b/src/responder/ifp/ifp_cache.c @@ -173,8 +173,7 @@ ifp_cache_list_domains(TALLOC_CTX *mem_ctx, goto done; } - ret = add_strings_lists(tmp_ctx, paths, tmp_paths, true, - discard_const(&paths)); + ret = add_strings_lists(tmp_ctx, paths, tmp_paths, true, &paths); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build object list " "[%d]: %s\n", ret, sss_strerror(ret)); diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c index 104dc0af43c..760e7130723 100644 --- a/src/tests/cmocka/test_utils.c +++ b/src/tests/cmocka/test_utils.c 
@@ -1536,11 +1536,14 @@ static int teardown_leak_tests(void **state) return 0; } +/* add_strings_list() is an alias for add_strings_list_ex() that allows for + * duplicate values. + */ void test_add_strings_lists(void **state) { - const char *l1[] = {"a", "b", "c", NULL}; - const char *l2[] = {"1", "2", "3", NULL}; - char **res; + const char *l1[] = {"a", "b", "c", "b", NULL}; + const char *l2[] = {"1", "2", "3", "2", NULL}; + const char **res; int ret; size_t c; size_t d; 
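Review bot: The comment added above test_add_strings_lists() names `add_strings_list()` and `add_strings_list_ex()`, which do not exist in this patch, and calls the first an alias although util.h defines it as an inline wrapper. It should read `/* add_strings_lists() is a wrapper around add_strings_lists_ex() that keeps duplicate values. */`. The test body continues outside the hunk, so it cannot be seen here whether the duplicate entries now added to `l1` and `l2` are actually asserted on.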
@@ -1631,6 +1634,113 @@ void test_add_strings_lists(void **state) talloc_free(res); } +/* add_strings_list_ex(skip_dups=false) was tested by add_string_list(). + * We now test add_strings_list_ex(skip_dups=true). + */ +void test_add_strings_lists_ex(void **state) +{ + /* Set duplicate values at the end of the array to simplify the comparison */ + const char *l1[] = {"a", "b", "c", "b", NULL}; + const char *l2[] = {"1", "2", "3", "2", NULL}; + const char *r1[sizeof(l1) / sizeof(*l1) - 1]; + const char *r2[sizeof(l2) / sizeof(*l2) - 1]; + const char **res; + int ret; + size_t c; + size_t d; + + /* The expected results must have the same pointers */ + memcpy(r1, l1, sizeof(r1) - sizeof(*r1)); + r1[sizeof(r1) / sizeof(*r1) - 1] = NULL; + memcpy(r2, l2, sizeof(r2) - sizeof(*r2)); + r2[sizeof(r2) / sizeof(*r2) - 1] = NULL; + + ret = add_strings_lists_ex(global_talloc_context, NULL, NULL, true, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + assert_null(res[0]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, NULL, NULL, false, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + assert_null(res[0]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, l1, NULL, false, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'false', pointers must be equal */ + assert_int_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + } + assert_null(res[c]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, l1, NULL, true, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'true', pointers must be different, but strings + * must be equal */ + assert_int_not_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + assert_string_equal(r1[c], res[c]); + } + assert_null(res[c]); + talloc_free(res); + + ret = 
add_strings_lists_ex(global_talloc_context, NULL, l1, false, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'false', pointers must be equal */ + assert_int_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + } + assert_null(res[c]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, NULL, l1, true, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'true', pointers must be different, but strings + * must be equal */ + assert_int_not_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + assert_string_equal(r1[c], res[c]); + } + assert_null(res[c]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, l1, l2, false, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'false', pointers must be equal */ + assert_int_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + } + for (d = 0; r2[d] != NULL; d++) { + assert_int_equal(memcmp(&r2[d], &res[c+d], sizeof(char *)), 0); + } + assert_null(res[c+d]); + talloc_free(res); + + ret = add_strings_lists_ex(global_talloc_context, l1, l2, true, true, &res); + assert_int_equal(ret, EOK); + assert_non_null(res); + for (c = 0; r1[c] != NULL; c++) { + /* 'copy_strings' is 'true', pointers must be different, but strings + * must be equal */ + assert_int_not_equal(memcmp(&r1[c], &res[c], sizeof(char *)), 0); + assert_string_equal(r1[c], res[c]); + } + for (d = 0; r2[d] != NULL; d++) { + assert_int_not_equal(memcmp(&r2[d], &res[c+d], sizeof(char *)), 0); + assert_string_equal(r2[d], res[c+d]); + } + assert_null(res[c+d]); + talloc_free(res); +} + void test_sss_write_krb5_conf_snippet(void **state) { int ret; 
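Review bot: test_add_strings_lists_ex() never exercises a duplicate that spans the two input lists, because `l1` and `l2` share no value. That is the situation the later patch in this series depends on when it merges the configured extra attributes with the built-in list. A case such as `const char *l3[] = {"1", "b", NULL};` merged after `l1`, with the second `b` absent from the result, would cover it. A pair differing only in case (`"a"` and `"A"`) would pin down that de-duplication is case-insensitive. The leading comment should name `add_strings_lists_ex()` and `add_strings_lists()` rather than `add_strings_list_ex()` and `add_string_list()`.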
@@ -2331,6 +2441,9 @@ int main(int argc, const char *argv[]) cmocka_unit_test_setup_teardown(test_add_strings_lists, setup_leak_tests, teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_add_strings_lists_ex, + setup_leak_tests, + teardown_leak_tests), cmocka_unit_test(test_sss_write_krb5_conf_snippet), cmocka_unit_test(test_get_hidden_path), cmocka_unit_test_setup_teardown(test_sss_unique_file, diff --git a/src/util/util.c b/src/util/util.c index 1ed526ec3ab..6546b6027c4 100644 --- a/src/util/util.c +++ b/src/util/util.c @@ -674,14 +674,17 @@ const char * const * get_known_services(void) return svc; } -errno_t add_strings_lists(TALLOC_CTX *mem_ctx, const char **l1, const char **l2, - bool copy_strings, char ***_new_list) +errno_t add_strings_lists_ex(TALLOC_CTX *mem_ctx, + const char **l1, const char **l2, + bool copy_strings, bool skip_dups, + const char ***_new_list) { size_t c; + size_t n; size_t l1_count = 0; size_t l2_count = 0; size_t new_count = 0; - char **new; + const char **new; int ret; if (l1 != NULL) { 
@@ -694,29 +697,49 @@ errno_t add_strings_lists(TALLOC_CTX *mem_ctx, const char **l1, const char **l2, new_count = l1_count + l2_count; - new = talloc_array(mem_ctx, char *, new_count + 1); + new = talloc_zero_array(mem_ctx, const char *, new_count + 1); if (new == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); return ENOMEM; } - new [new_count] = NULL; - if (copy_strings) { + if (copy_strings || skip_dups) { + n = 0; for(c = 0; c < l1_count; c++) { - new[c] = talloc_strdup(new, l1[c]); - if (new[c] == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; + if (skip_dups) { + if (string_in_list_size(l1[c], new, n, false)) { + continue; + } + } + if (copy_strings) { + new[n] = talloc_strdup(new, l1[c]); + if (new[n] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + new[n] = discard_const(l1[c]); } + n++; } for(c = 0; c < l2_count; c++) { - new[l1_count + c] = talloc_strdup(new, l2[c]); - if (new[l1_count + c] == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; + if (skip_dups) { + if (string_in_list_size(l2[c], new, n, false)) { + continue; + } + } + if (copy_strings) { + new[n] = talloc_strdup(new, l2[c]); + if (new[n] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + new[n] = discard_const(l2[c]); } + n++; } } else { if (l1 != NULL) { diff --git a/src/util/util.h b/src/util/util.h index c7994f1ff13..11dc40d572a 100644 --- a/src/util/util.h +++ b/src/util/util.h 
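Review bot: Duplicate detection in add_strings_lists_ex() is hard-wired to case-insensitive matching (`string_in_list_size(l1[c], new, n, false)` and the same call for `l2`), which the `@param[in] skip_dups` line added to util.h in this patch does not mention. A caller of a generic list helper could reasonably expect exact matching, so that doc line should say something like `Whether to skip values already present in the result (compared case-insensitively; the first spelling is kept).` The two loops are identical apart from the source list and could share one static helper. `discard_const()` on `l1[c]` and `l2[c]` is no longer needed now that `new` is `const char **`, and the `talloc_array failed.` message no longer matches the `talloc_zero_array` call. The function starts before and ends after this hunk.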
@@ -434,12 +434,30 @@ bool is_dbus_activated(void); * @param[in] copy_strings If set to 'true' the list items will be copied * otherwise only the pointers to the items are * copied. + * @param[in] skip_dups Whether the function should skip duplicate values. * @param[out] new_list New NULL-terminated list of strings. Must be freed * with talloc_free() by the caller. If copy_strings * is 'true' the new elements will be freed as well. */ -errno_t add_strings_lists(TALLOC_CTX *mem_ctx, const char **l1, const char **l2, - bool copy_strings, char ***_new_list); +errno_t add_strings_lists_ex(TALLOC_CTX *mem_ctx, + const char **l1, const char **l2, + bool copy_strings, bool skip_dups, + const char ***_new_list); + +/** + * @overload errno_t add_strings_lists_ex(TALLOC_CTX *mem_ctx, + * const char **l1, const char **l2, + * bool copy_strings, bool skip_dups, + * const char ***_new_list) + */ +static inline errno_t add_strings_lists(TALLOC_CTX *mem_ctx, + const char **l1, const char **l2, + bool copy_strings, + const char ***_new_list) +{ + return add_strings_lists_ex(mem_ctx, l1, l2, copy_strings, false, _new_list); +} + /** * @brief set file descriptor as nonblocking From de258f011b9c6fc97e9157435cd2845be1c5d0e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 7 Jun 2023 11:39:55 +0200 Subject: [PATCH 34/51] RESPONDER: attr_in_list() is replaced by string_in_list_size() Both functions do the same thing, so it is useless to have them both. attr_in_list() has, however, a more descriptive name for its use in this module, so we'll keep it as an inlined wrapper. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/responder/common/responder_utils.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/src/responder/common/responder_utils.c b/src/responder/common/responder_utils.c index 8e5dcc017e0..6d630a06773 100644 --- a/src/responder/common/responder_utils.c +++ b/src/responder/common/responder_utils.c 
@@ -30,15 +30,7 @@ static inline bool attr_in_list(const char **list, size_t nlist, const char *str) { - size_t i; - - for (i = 0; i < nlist; i++) { - if (strcasecmp(list[i], str) == 0) { - break; - } - } - - return (i < nlist) ? true : false; + return string_in_list_size(str, list, nlist, false); } const char **parse_attr_list_ex(TALLOC_CTX *mem_ctx, const char *conf_str, From b50415978d2f0fad3291d86e0a5340be7ab90528 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Thu, 8 Jun 2023 13:23:53 +0200 Subject: [PATCH 35/51] IPA: Do not duplicate the entry attributes. The extra attributes are concatenated to other required attributes for some operations. In some cases the attribute list ends up having duplicate attributes, either because accidentally the user added it twice to the ldap_user_extra_attrs list, or one or more of those attributes are also in the required list. Removing the duplicates each time the lists are concatenated increases the concatenation time. And this is done every time. So we try to concatenate the attribute lists at start up, filtering duplicates, and use that list. To do that, we consider the two cases where the list concatenation is done. In one of the cases, the added attributes are a subset of the other list. So we factorized this list to add the common attributes to the list at start up. Only the non-common attributes are added while serving a request. The complete list is now stored in the `full_attribute_list` field. An existing test suite was adapted to this new situation as it now needs to initialize the new field. Reviewed-by: Iker Pedrosa Reviewed-by: Sumit Bose --- src/responder/common/responder_utils.c | 10 ++++++ src/responder/nss/nss_cmd.c | 41 +++++++----------------- src/responder/nss/nss_private.h | 1 + src/responder/nss/nss_protocol_sid.c | 44 ++++++-------------------- src/responder/nss/nsssrv.c | 24 ++++++++++++++ src/tests/cmocka/test_nss_srv.c | 31 +++++++++++++++++- 6 files changed, 87 insertions(+), 64 deletions(-) diff --git a/src/responder/common/responder_utils.c b/src/responder/common/responder_utils.c index 6d630a06773..47aeace8beb 100644 --- a/src/responder/common/responder_utils.c +++ b/src/responder/common/responder_utils.c 
@@ -110,6 +110,11 @@ const char **parse_attr_list_ex(TALLOC_CTX *mem_ctx, const char *conf_str, continue; } + /* If the attribute is already in the list, skip it */ + if (attr_in_list(list, li, allow[i])) { + continue; + } + list[li] = talloc_strdup(list, allow[i]); if (list[li] == NULL) { goto done; @@ -128,6 +133,11 @@ const char **parse_attr_list_ex(TALLOC_CTX *mem_ctx, const char *conf_str, continue; } + /* If the attribute is already in the list, skip it */ + if (attr_in_list(list, li, defaults[i])) { + continue; + } + list[li] = talloc_strdup(list, defaults[i]); if (list[li] == NULL) { goto done; diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c index 477920452a3..dd801139bd7 100644 --- a/src/responder/nss/nss_cmd.c +++ b/src/responder/nss/nss_cmd.c 
@@ -1209,38 +1209,21 @@ static errno_t sss_nss_cmd_getorigbyname_common(struct cli_ctx *cli_ctx, errno_t ret; struct sss_nss_ctx *nss_ctx; const char **attrs; - static const char *defattrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY, - SYSDB_SID_STR, - ORIGINALAD_PREFIX SYSDB_NAME, - ORIGINALAD_PREFIX SYSDB_UIDNUM, - ORIGINALAD_PREFIX SYSDB_GIDNUM, - ORIGINALAD_PREFIX SYSDB_GECOS, - ORIGINALAD_PREFIX SYSDB_HOMEDIR, - ORIGINALAD_PREFIX SYSDB_SHELL, - SYSDB_UPN, - SYSDB_DEFAULT_OVERRIDE_NAME, - SYSDB_AD_ACCOUNT_EXPIRES, - SYSDB_AD_USER_ACCOUNT_CONTROL, - SYSDB_SSH_PUBKEY, - SYSDB_USER_CERT, - SYSDB_USER_EMAIL, - SYSDB_ORIG_DN, - SYSDB_ORIG_MEMBEROF, - SYSDB_DEFAULT_ATTRS, NULL }; + static const char *cache_attrs[] = { SYSDB_NAME, + SYSDB_OBJECTCATEGORY, + SYSDB_SID_STR, + SYSDB_DEFAULT_ATTRS, + NULL }; nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct sss_nss_ctx); - if (nss_ctx->extra_attributes != NULL) { - ret = add_strings_lists(cli_ctx, defattrs, nss_ctx->extra_attributes, - false, discard_const(&attrs)); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Unable to concatenate attributes [%d]: %s\n", - ret, sss_strerror(ret)); - return ENOMEM; - } - } else { - attrs = defattrs; + ret = add_strings_lists_ex(cli_ctx, cache_attrs, nss_ctx->full_attribute_list, + false, true, &attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to concatenate attributes [%d]: %s\n", + ret, sss_strerror(ret)); + return ENOMEM; } return sss_nss_getby_name(cli_ctx, false, type, attrs, diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h index 0e16c51266d..e2f5a3e5a58 100644 --- a/src/responder/nss/nss_private.h +++ b/src/responder/nss/nss_private.h @@ -78,6 +78,7 @@ struct sss_nss_ctx { char *fallback_homedir; char *homedir_substr; const char **extra_attributes; + const char **full_attribute_list; /* Enumeration. */ struct sss_nss_enum_ctx *pwent; 
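Review bot: sss_nss_cmd_getorigbyname_common() now allocates a fresh attribute array on `cli_ctx` for every request, where the old code did so only when extra attributes were configured, and nothing in the hunk frees it. If `cli_ctx` lives as long as the client connection (not visible here), a client that keeps one connection open and repeats this request makes the responder's memory grow until it disconnects. Both inputs are fixed after start-up, so the merged list could be built once in sss_nss_get_config() and stored next to `full_attribute_list`, or the array could be allocated on a request-scoped context. The error path also replaces the real error with `ENOMEM`; `return ret;` would keep the cause.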
diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c index 089b0488c8b..69d61bb609a 100644 --- a/src/responder/nss/nss_protocol_sid.c +++ b/src/responder/nss/nss_protocol_sid.c @@ -331,11 +331,11 @@ sss_nss_protocol_fill_orig(struct sss_nss_ctx *nss_ctx, { TALLOC_CTX *tmp_ctx; struct ldb_message *msg = result->msgs[0]; - const char **extra_attrs = NULL; + const char **full_attrs = NULL; enum sss_id_type id_type; struct sized_string *keys; struct sized_string *vals; - size_t extra_attrs_count = 0; + size_t full_attrs_count = 0; size_t array_size; size_t sum; size_t found; @@ -344,23 +344,6 @@ sss_nss_protocol_fill_orig(struct sss_nss_ctx *nss_ctx, size_t body_len; uint8_t *body; errno_t ret; - const char *orig_attrs[] = { SYSDB_SID_STR, - ORIGINALAD_PREFIX SYSDB_NAME, - ORIGINALAD_PREFIX SYSDB_UIDNUM, - ORIGINALAD_PREFIX SYSDB_GIDNUM, - ORIGINALAD_PREFIX SYSDB_HOMEDIR, - ORIGINALAD_PREFIX SYSDB_GECOS, - ORIGINALAD_PREFIX SYSDB_SHELL, - SYSDB_UPN, - SYSDB_DEFAULT_OVERRIDE_NAME, - SYSDB_AD_ACCOUNT_EXPIRES, - SYSDB_AD_USER_ACCOUNT_CONTROL, - SYSDB_SSH_PUBKEY, - SYSDB_USER_CERT, - SYSDB_USER_EMAIL, - SYSDB_ORIG_DN, - SYSDB_ORIG_MEMBEROF, - NULL }; if (result->count != 1) { DEBUG(SSSDBG_OP_FAILURE, @@ -379,14 +362,14 @@ sss_nss_protocol_fill_orig(struct sss_nss_ctx *nss_ctx, return ret; } - if (nss_ctx->extra_attributes != NULL) { - extra_attrs = nss_ctx->extra_attributes; - for (extra_attrs_count = 0; - extra_attrs[extra_attrs_count] != NULL; - extra_attrs_count++); + if (nss_ctx->full_attribute_list != NULL) { + full_attrs = nss_ctx->full_attribute_list; + for (full_attrs_count = 0; + full_attrs[full_attrs_count] != NULL; + full_attrs_count++); } - array_size = sizeof(orig_attrs) + extra_attrs_count; + array_size = full_attrs_count; keys = talloc_array(tmp_ctx, struct sized_string, array_size); vals = talloc_array(tmp_ctx, struct sized_string, array_size); if (keys == NULL || vals == NULL) { 
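Review bot: The initial capacity of `keys` and `vals` in sss_nss_protocol_fill_orig() drops from `sizeof(orig_attrs) + extra_attrs_count` (a byte count, so a generous over-allocation) to exactly `full_attrs_count`. process_attr_list() receives `&array_size`, which suggests it may store more than one entry per attribute. Its body is not part of this diff, so please confirm that it grows both arrays before writing past `array_size` for multi-valued attributes. If it does not, the old slack was hiding an out-of-bounds write that this change would expose. When `full_attribute_list` is NULL the arrays are now requested with zero elements, which deserves a comment such as `/* may be 0 when no attribute list is configured */`.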
@@ -398,15 +381,8 @@ sss_nss_protocol_fill_orig(struct sss_nss_ctx *nss_ctx, sum = 0; found = 0; - ret = process_attr_list(tmp_ctx, msg, orig_attrs, &keys, &vals, - &array_size, &sum, &found); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "process_attr_list failed.\n"); - goto done; - } - - if (extra_attrs_count != 0) { - ret = process_attr_list(tmp_ctx, msg, extra_attrs, &keys, &vals, + if (full_attrs_count != 0) { + ret = process_attr_list(tmp_ctx, msg, full_attrs, &keys, &vals, &array_size, &sum, &found); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "process_attr_list failed.\n"); diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 9f645bf848a..4673a64ca47 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -175,6 +175,23 @@ static int sss_nss_get_config(struct sss_nss_ctx *nctx, { int ret; char *tmp_str; + static const char *orig_attrs[] = { SYSDB_SID_STR, + ORIGINALAD_PREFIX SYSDB_NAME, + ORIGINALAD_PREFIX SYSDB_UIDNUM, + ORIGINALAD_PREFIX SYSDB_GIDNUM, + ORIGINALAD_PREFIX SYSDB_HOMEDIR, + ORIGINALAD_PREFIX SYSDB_GECOS, + ORIGINALAD_PREFIX SYSDB_SHELL, + SYSDB_UPN, + SYSDB_DEFAULT_OVERRIDE_NAME, + SYSDB_AD_ACCOUNT_EXPIRES, + SYSDB_AD_USER_ACCOUNT_CONTROL, + SYSDB_SSH_PUBKEY, + SYSDB_USER_CERT, + SYSDB_USER_EMAIL, + SYSDB_ORIG_DN, + SYSDB_ORIG_MEMBEROF, + NULL }; ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_ENUM_CACHE_TIMEOUT, 120, @@ -243,6 +260,13 @@ static int sss_nss_get_config(struct sss_nss_ctx *nctx, } } + ret = add_strings_lists_ex(nctx, nctx->extra_attributes, orig_attrs, false, + true, &nctx->full_attribute_list); + if (ret != EOK) { + ret = ENOMEM; + goto done; + } + ret = 0; done: return ret; diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c index 7925aa2f0a8..c17a4973faf 100644 --- a/src/tests/cmocka/test_nss_srv.c +++ b/src/tests/cmocka/test_nss_srv.c 
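Review bot: In the sss_nss_get_config() hunk `full_attribute_list` is built with `copy_strings` set to `false`, so its entries alias the strings owned by `nctx->extra_attributes` and the static `orig_attrs`. If `extra_attributes` is ever freed or re-parsed while the context lives (not visible in this hunk), the new list is left holding dangling pointers. Copying costs one small allocation at start-up and removes that coupling: `ret = add_strings_lists_ex(nctx, nctx->extra_attributes, orig_attrs, true, true, &nctx->full_attribute_list);`. The failure branch overwrites `ret` with `ENOMEM` and logs nothing, unlike the call in nss_cmd.c, so a `DEBUG(SSSDBG_OP_FAILURE, ...)` line that keeps the original `ret` would be consistent. The function continues outside the hunk.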
@@ -35,6 +35,7 @@ #include "util/util_sss_idmap.h" #include "util/crypto/sss_crypto.h" #include "util/sss_endian.h" +#include "db/sysdb.h" #include "db/sysdb_iphosts.h" #include "db/sysdb_ipnetworks.h" @@ -57,7 +58,31 @@ struct sss_nss_test_ctx { int ncache_hits; }; -const char *global_extra_attrs[] = {"phone", "mobile", NULL}; +#define EXTRA_ATTRS "phone", "mobile" + +/* This list comes from nsssrv.c:sss_nss_get_config() and must be kept aligned */ +#define ORIG_ATTRS SYSDB_SID_STR, \ + ORIGINALAD_PREFIX SYSDB_NAME, \ + ORIGINALAD_PREFIX SYSDB_UIDNUM, \ + ORIGINALAD_PREFIX SYSDB_GIDNUM, \ + ORIGINALAD_PREFIX SYSDB_HOMEDIR, \ + ORIGINALAD_PREFIX SYSDB_GECOS, \ + ORIGINALAD_PREFIX SYSDB_SHELL, \ + SYSDB_UPN, \ + SYSDB_DEFAULT_OVERRIDE_NAME, \ + SYSDB_AD_ACCOUNT_EXPIRES, \ + SYSDB_AD_USER_ACCOUNT_CONTROL, \ + SYSDB_SSH_PUBKEY, \ + SYSDB_USER_CERT, \ + SYSDB_USER_EMAIL, \ + SYSDB_ORIG_DN, \ + SYSDB_ORIG_MEMBEROF + + +const char *global_extra_attrs[] = { EXTRA_ATTRS, NULL }; +const char *global_orig_attrs[] = { ORIG_ATTRS, NULL }; +const char *global_full_attrs[] = { ORIG_ATTRS, EXTRA_ATTRS, NULL }; + struct sss_nss_test_ctx *sss_nss_test_ctx; @@ -1457,6 +1482,8 @@ void test_sss_nss_setup(struct sss_test_conf_param params[], /* do after previous setup as the former nulls protocol_ctx */ sss_nss_test_ctx->cctx->protocol_ctx = mock_prctx(sss_nss_test_ctx->cctx); assert_non_null(sss_nss_test_ctx->cctx->protocol_ctx); + + sss_nss_test_ctx->nctx->full_attribute_list = global_orig_attrs; } struct group getgrnam_no_members = { @@ -3643,6 +3670,8 @@ static int sss_nss_test_setup_extra_attr(void **state) test_sss_nss_setup(params, state); sss_nss_test_ctx->nctx->extra_attributes = global_extra_attrs; + sss_nss_test_ctx->nctx->full_attribute_list = global_full_attrs; + return 0; } From 57499ff6571a8ca3d8bf2b7d19ec6b14100504c0 Mon Sep 17 00:00:00 2001 
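Review bot: `global_full_attrs` lists `ORIG_ATTRS` before `EXTRA_ATTRS`, but sss_nss_get_config() in this same patch passes `nctx->extra_attributes` as the first list and `orig_attrs` as the second. The fixture is therefore in the reverse order of what the responder builds. Any test that asserts on the order of returned attributes would check an order production never yields; `{ EXTRA_ATTRS, ORIG_ATTRS, NULL }` would mirror it. The `ORIG_ATTRS` macro also duplicates the responder's list by hand under a "must be kept aligned" comment, and exposing the array through a shared header would remove that drift risk.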
From: Madhuri Upadhye Date: Thu, 8 Jun 2023 12:15:38 +0530 Subject: [PATCH 36/51] Tests: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stop working MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stop working Automation of BZ2170720 Verifies: #6759 Signed-off-by: Madhuri Upadhye Reviewed-by: Alejandro López Reviewed-by: Jakub Vávra --- src/tests/multihost/ipa/test_adtrust.py | 47 +++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py index 5350aff73f4..36791aed88c 100644 --- a/src/tests/multihost/ipa/test_adtrust.py +++ b/src/tests/multihost/ipa/test_adtrust.py 
@@ -809,3 +809,50 @@ def test_search_filter_for_override_usrgrp(multihost, create_aduser_group): assert f"borci{run_id_int}@{domain}" in check_gr_lookup.stdout_text, "Group name was not resolved." assert f"ferko{run_id_int}@{domain}" in check_gr_lookup.stdout_text, "Group name was not resolved." assert log_message in log_file + + @staticmethod + def test_ldap_user_extra_attrs(multihost, create_aduser_group): + """ + :title: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf + the cross-forest query stop working + :id: abc60b52-224d-4ac3-bbae-195cb0c563a0 + :customerscenario: true + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=2170720 + :description: When adding attributes ldap_user_extra_attrs in sssd.conf + with the cross-forest, id command failed on client side. + working. + :setup: + 1. Create user and group on AD. + :steps: + 1. Add ldap_user_extra_attrs in domain section with mail in client and master. + 2. Add user_attributes in nss section with mail in client and master. + 3. Clear sssd cache from client and master. + 4. Check id lookup of the user. + :expectedresults: + 1. Successfully add parameter in domain section of client and master. + 2. Successfully add user_attributes in nss section of client and master. + 3. Cleared the cache of client and master. + 4. User lookup command succeeds. 
+ """ + client = sssdTools(multihost.client[0], multihost.ad[0]) + master = sssdTools(multihost.master[0]) + domain = multihost.ad[0].domainname + + (aduser, adgroup) = create_aduser_group + section = client.get_domain_section_name() + + for role in [client, master]: + domain_params = {'ldap_user_extra_attrs': f'mail, lastname:sn, firstname:givenname'} + nss_params = {'user_attributes': '+mail, +firstname, +lastname'} + role.sssd_conf(f'domain/{section}', domain_params) + role.sssd_conf('nss', nss_params) + role.clear_sssd_cache() + + # Test evaluation + id_lookup = f'id {aduser}@{domain}' + check_id = multihost.client[0].run_command(id_lookup, raiseonerr=False) + + assert check_id.returncode == 0, f'{aduser} id is not successful' + assert f"{aduser}@{domain}" in check_id.stdout_text, "User name was not resolved." + assert f"{adgroup}@{domain}" in check_id.stdout_text, "Group name was not resolved." From 799e56d61ea6b293e7136d9f83cadc2154e03cca Mon Sep 17 00:00:00 2001 
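Review bot: The `f` prefix on `f'mail, lastname:sn, firstname:givenname'` in test_ldap_user_extra_attrs has no placeholder and should be dropped (pyflakes reports this as F541). The `:description:` field of the docstring ends with a stray `working.` line left over from editing. The test rewrites the `domain/...` and `nss` sections of sssd.conf on both client and master, and the hunk shows no restore step. Unless a fixture outside the hunk backs the file up, later tests inherit `ldap_user_extra_attrs` and `user_attributes`.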
From: Weblate Date: Tue, 13 Jun 2023 15:20:49 +0200 Subject: [PATCH 37/51] po: update translations (Korean) currently translated at 65.3% (1693 of 2589 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ po: update translations (Japanese) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ po: update translations (French) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ po: update translations (Korean) currently translated at 65.2% (1690 of 2589 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 64.8% (1680 of 2589 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 64.8% (1678 of 2589 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Georgian) currently translated at 8.1% (58 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/ po: update translations (Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Turkish) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: 
https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ po: update translations (Turkish) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ po: update translations (Korean) currently translated at 64.6% (1673 of 2589 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Russian) currently translated at 100.0% (2752 of 2752 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/ po: update translations (Russian) currently translated at 100.0% (2752 of 2752 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/ po: update translations (Ukrainian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ po: update translations (Russian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ po: update translations (Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Ukrainian) currently translated at 100.0% (2752 of 2752 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ po: update translations (Ukrainian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: 
https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ po: update translations (Polish) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ po: update translations (Hungarian) currently translated at 6.2% (44 of 706 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/hu/ --- po/fr.po | 35 ++-- po/hu.po | 10 +- po/ja.po | 42 ++--- po/ka.po | 8 +- po/ko.po | 40 ++--- po/pl.po | 45 +++-- po/ru.po | 34 ++-- po/tr.po | 28 ++-- po/uk.po | 49 +++--- po/zh_CN.po | 32 ++-- src/man/po/ko.po | 58 +++++-- src/man/po/ru.po | 411 ++++++++++++++++------------------------------ src/man/po/uk.po | 417 ++++++++++++++++------------------------------- 13 files changed, 458 insertions(+), 751 deletions(-) diff --git a/po/fr.po b/po/fr.po index 1c900250038..a1de9c9cd96 100644 --- a/po/fr.po +++ b/po/fr.po @@ -19,8 +19,8 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2023-03-21 09:20+0000\n" -"Last-Translator: grimst \n" +"PO-Revision-Date: 2023-06-10 12:20+0000\n" +"Last-Translator: Ludek Janda \n" "Language-Team: French \n" "Language: fr\n" @@ -28,7 +28,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n > 1;\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 
@@ -184,9 +184,8 @@ msgstr "" "Activer ou désactiver les vidages de noyau pour tous les processus SSSD." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "Régler la vérification du certificat" +msgstr "Ajustez le comportement de la vérification de la clé de sécurité" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -435,18 +434,17 @@ msgstr "" "appliquées pour l'accès PAM avec authentification GSSAPI" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "Autoriser l'authentification par certificat/carte à puce." +msgstr "Autoriser l'authentification des périphériques par mot de passe." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" -msgstr "Combien de secondes pam_sss attendra-t-il la fin de p11_child" +msgstr "" +"Combien de secondes pam_sss attendra-t-il que passkey_child ait terminé ?" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "Activer le débogage dans la bibliothèque libfido2" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1658,9 +1656,8 @@ msgid "attribute containing the email address of the user" msgstr "attribut contenant l’adresse email de l'utilisateur" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "attribut contenant l’adresse email de l'utilisateur" +msgstr "attribut contenant les données de mappage de la clé de l'utilisateur" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" 
@@ -2231,7 +2228,7 @@ msgstr "Message du serveur : " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "Saisissez le code PIN :" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2262,9 +2259,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "Votre mot de passe expirera dans %1$d %2$s." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "Votre mot de passe expirera dans %1$d %2$s." +msgstr "Votre mot de passe a expiré." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " @@ -2327,7 +2324,7 @@ msgstr "Second facteur : " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "Insérez votre passe-partout, puis appuyez sur la touche ENTER." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2684,9 +2681,8 @@ msgid "Passkey related tools:" msgstr "Outils liés à la clé d’accès :" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "Effectuer des opérations liées à la clé d’accès" +msgstr "Effectuer l'enregistrement de la clé d'accès" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2868,9 +2864,8 @@ msgid "Error while reading configuration directory.\n" msgstr "Erreur lors de la lecture du répertoire de configuration.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "Impossible de charger la configuration à partir de %s.\n" +msgstr "Il n'y a pas de configuration.\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/hu.po b/po/hu.po index 34d8c1cbf16..dd9f564b22d 100644 --- a/po/hu.po +++ b/po/hu.po 
@@ -1991,7 +1991,7 @@ msgstr "" #: src/sss_client/pam_sss.c:70 src/sss_client/pam_sss.c:819 #: src/sss_client/pam_sss.c:830 msgid "Server message: " -msgstr "Szerver üzenete:" +msgstr "Szerver üzenete: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" @@ -2030,7 +2030,7 @@ msgstr ", a gyorsítótárazott jelszó lejár ekkor: " #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " -msgstr "A bejelentkezés tiltott eddig:" +msgstr "A hitelesítés megtagadva, amíg: " #: src/sss_client/pam_sss.c:699 msgid "System is offline, password change not possible" @@ -2048,7 +2048,7 @@ msgstr "" #: src/sss_client/pam_sss.c:816 src/sss_client/pam_sss.c:829 msgid "Password change failed. " -msgstr "A jelszó megváltoztatása nem sikerült." +msgstr "A jelszó megváltoztatása nem sikerült. " #: src/sss_client/pam_sss.c:1797 #, c-format @@ -2066,7 +2066,7 @@ msgstr "" #: src/sss_client/pam_sss.c:2352 msgid "New Password: " -msgstr "Új jelszó:" +msgstr "Új jelszó: " #: src/sss_client/pam_sss.c:2353 msgid "Reenter new Password: " @@ -2098,7 +2098,7 @@ msgstr "" #: src/sss_client/pam_sss.c:2713 msgid "Current Password: " -msgstr "Jelenlegi jelszó:" +msgstr "Jelenlegi jelszó: " #: src/sss_client/pam_sss.c:3070 msgid "Password expired. Change your password now." diff --git a/po/ja.po b/po/ja.po index c8649e5e17c..a6b68a61711 100644 --- a/po/ja.po +++ b/po/ja.po @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2023-03-02 09:20+0000\n" +"PO-Revision-Date: 2023-06-10 12:20+0000\n" "Last-Translator: Ludek Janda \n" "Language-Team: Japanese \n" @@ -24,7 +24,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 
@@ -172,9 +172,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "すべての SSSD プロセスのコアダンプを有効または無効にします。" #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "証明書検証の調整" +msgstr "パスキー検証の動作をチューニングする" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -397,18 +396,16 @@ msgstr "" " のリスト" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "証明書ベースまたはスマートカードによる認証を許可します。" +msgstr "パスキーデバイス認証を許可します。" #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" -msgstr "p11_child が完了するまでに pam_sss が待つ秒数" +msgstr "pam_sss が passkey_child の終了を待機する秒数" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "lifido2 ライブラリーでデバッグを有効にする" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1538,9 +1535,8 @@ msgid "attribute containing the email address of the user" msgstr "ユーザーの電子メールアドレスを含む属性" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "ユーザーの電子メールアドレスを含む属性" +msgstr "ユーザーのパスキーマッピングデータを含む属性" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" @@ -2094,7 +2090,7 @@ msgstr "サーバーのメッセージ: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "PIN の入力:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2123,9 +2119,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" +msgstr "パスワードの有効期限が切れています。" #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " 
@@ -2187,7 +2183,7 @@ msgstr "2 番目の要素: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "パスキーデバイスを挿入し、ENTER キーを押します。" #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2539,9 +2535,8 @@ msgid "Passkey related tools:" msgstr "パスキー関連のツール:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "パスキー関連の操作を実行します" +msgstr "パスキー登録の実行" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2723,9 +2718,8 @@ msgid "Error while reading configuration directory.\n" msgstr "設定ディレクトリーの読み込み中にエラーが発生しました。\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "%s からの設定の読み込みに失敗しました。\n" +msgstr "設定はありません。\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" @@ -3044,7 +3038,7 @@ msgstr "IFP サービスをターゲットに設定" #: src/tools/sssctl/sssctl_logs.c:552 msgid "Specify debug level you want to set" -msgstr "設定したいデバッグレベルを指定します" +msgstr "設定するデバッグレベルを指定します" #: src/tools/sssctl/sssctl_logs.c:600 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" @@ -3082,17 +3076,17 @@ msgstr "SSSD nss ユーザー検索の結果:\n" #: src/tools/sssctl/sssctl_user_checks.c:195 #, c-format msgid " - user name: %s\n" -msgstr " - user name: %s\n" +msgstr " - ユーザー名: %s\n" #: src/tools/sssctl/sssctl_user_checks.c:196 #, c-format msgid " - user id: %d\n" -msgstr " - user id: %d\n" +msgstr " - ユーザー id: %d\n" #: src/tools/sssctl/sssctl_user_checks.c:197 #, c-format msgid " - group id: %d\n" -msgstr " - group id: %d\n" +msgstr " - グループ id: %d\n" #: src/tools/sssctl/sssctl_user_checks.c:198 #, c-format @@ -3102,7 +3096,7 @@ msgstr " - gecos: %s\n" #: src/tools/sssctl/sssctl_user_checks.c:199 #, c-format msgid " - home directory: %s\n" -msgstr " - home directory: %s\n" +msgstr " - ホームディレクトリー: %s\n" #: src/tools/sssctl/sssctl_user_checks.c:200 #, c-format diff --git a/po/ka.po b/po/ka.po index ff8fa46a9ed..c29bf045800 100644 
--- a/po/ka.po +++ b/po/ka.po @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2023-02-25 10:20+0000\n" +"PO-Revision-Date: 2023-06-04 04:20+0000\n" "Last-Translator: Temuri Doghonadze \n" "Language-Team: Georgian \n" @@ -16,7 +16,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -2043,7 +2043,7 @@ msgstr "" #: src/sss_client/pam_sss.c:816 src/sss_client/pam_sss.c:829 msgid "Password change failed. " -msgstr "" +msgstr "პაროლის შეცვლის შეცდომა. " #: src/sss_client/pam_sss.c:1797 #, c-format @@ -2829,7 +2829,7 @@ msgstr "" #: src/tools/sssctl/sssctl_logs.c:51 msgid "\n" -msgstr "" +msgstr "\n" #: src/tools/sssctl/sssctl_logs.c:215 msgid "SSSD is not running.\n" diff --git a/po/ko.po b/po/ko.po index 2c17938aa04..89944377f1b 100644 --- a/po/ko.po +++ b/po/ko.po @@ -4,14 +4,14 @@ # Ludek Janda , 2021. # simmon , 2021. # seo hojin , 2021. -# 김인수 , 2022. +# 김인수 , 2022, 2023. # Transtats , 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2022-12-12 14:09+0000\n" +"PO-Revision-Date: 2023-06-04 04:20+0000\n" "Last-Translator: 김인수 \n" "Language-Team: Korean \n" @@ -20,7 +20,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 
@@ -167,9 +167,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "SSSD 프로세서를 위한 코어 덤프 활성화 또는 비활성화." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "인증 확인을 조정합니다" +msgstr "패스키 확인 동작을 조정합니다" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -386,18 +385,16 @@ msgstr "" "목록" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "인증서 기반/스마트 카드 인증을 허용합니다." +msgstr "패스키 장치 인증을 허용합니다." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" -msgstr "p11_child가 완료될 때까지 pam_ss가 몇 초 동안 대기합니까" +msgstr "passkey_child가 완료될 때까지 pam_sss가 몇 초 동안 대기합니까" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "libfido2 라이브러리에서 디버깅 활성화" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1511,13 +1508,12 @@ msgid "attribute containing the email address of the user" msgstr "사용자의 이메일 주소를 포함하는 속성" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "사용자의 이메일 주소를 포함하는 속성" +msgstr "사용자의 패스키 대응 자료를 포함하는 속성" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" -msgstr "사용자 항목과 함께 다운로드할 추가 속성 목록" +msgstr "사용자 항목과 함께 내려받기 하려는 추가 속성의 목록" #: src/config/SSSDConfig/sssdoptions.py:452 msgid "Base DN for group lookups" @@ -2065,7 +2061,7 @@ msgstr "서버 메시지: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "PIN 입력:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" 
@@ -2094,9 +2090,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "암호는 %1$d %2$s에 만료됩니다." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "암호는 %1$d %2$s에 만료됩니다." +msgstr "당신의 비밀번호가 만료되었습니다." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " @@ -2157,7 +2153,7 @@ msgstr "두 번째 요인: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "자신의 패스키 장치를 넣고, 그런 후에 Enter를 눌러주세요." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2165,11 +2161,11 @@ msgstr "암호: " #: src/sss_client/pam_sss.c:2706 src/sss_client/pam_sss.c:2709 msgid "First Factor (Current Password): " -msgstr "첫 번째 요인 (현재 암호): " +msgstr "첫 번째 요인 (현재 비밀번호): " #: src/sss_client/pam_sss.c:2713 msgid "Current Password: " -msgstr "현재 암호: " +msgstr "현재 비밀번호: " #: src/sss_client/pam_sss.c:3070 msgid "Password expired. Change your password now." @@ -2508,9 +2504,8 @@ msgid "Passkey related tools:" msgstr "Passkey와 연관된 도구:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "passkey와 연관된 동작을 수행합니다" +msgstr "패스키 등록을 수행합니다" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2688,9 +2683,8 @@ msgid "Error while reading configuration directory.\n" msgstr "설정 디렉토리를 읽는 도중 오류가 발생했습니다.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "%s에서 구성을 로드하지 못했습니다.\n" +msgstr "구성이 없습니다.\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/pl.po b/po/pl.po index 826f4b842a8..1a3a939f1b5 100644 --- a/po/pl.po +++ b/po/pl.po 
@@ -3,20 +3,20 @@ # This file is distributed under the same license as the PACKAGE package. # # Translators: -# Piotr Drąg , 2011-2014, 2020, 2021, 2022. +# Piotr Drąg , 2011-2014, 2020, 2021, 2022, 2023. # sgallagh , 2011 -# Piotr Drąg , 2015. #zanata, 2020, 2021, 2022. -# Piotr Drąg , 2016. #zanata, 2020, 2021, 2022. -# Piotr Drąg , 2017. #zanata, 2020, 2021, 2022. -# Piotr Drąg , 2018. #zanata, 2020, 2021, 2022. -# Piotr Drąg , 2019. #zanata, 2020, 2021, 2022. -# Piotr Drąg , 2020. #zanata, 2021, 2022. +# Piotr Drąg , 2015. #zanata, 2020, 2021, 2022, 2023. +# Piotr Drąg , 2016. #zanata, 2020, 2021, 2022, 2023. +# Piotr Drąg , 2017. #zanata, 2020, 2021, 2022, 2023. +# Piotr Drąg , 2018. #zanata, 2020, 2021, 2022, 2023. +# Piotr Drąg , 2019. #zanata, 2020, 2021, 2022, 2023. +# Piotr Drąg , 2020. #zanata, 2021, 2022, 2023. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2022-12-12 12:44+0000\n" +"PO-Revision-Date: 2023-05-14 12:40+0000\n" "Last-Translator: Piotr Drąg \n" "Language-Team: Polish \n" @@ -26,7 +26,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " "|| n%100>=20) ? 1 : 2;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.15.2\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -182,9 +182,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "Włącza lub wyłącza zrzuty core dla wszystkich procesów SSSD." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "Dostraja sprawdzanie poprawności certyfikatów" +msgstr "Dostraja zachowanie sprawdzania poprawności haseł-kluczy" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" 
@@ -418,18 +417,16 @@ msgstr "" "wymuszone dla dostępu PAM za pomocą uwierzytelniania GSSAPI" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "Zezwala na uwierzytelnianie za pomocą certyfikatów/smartcard." +msgstr "Zezwala na uwierzytelnianie za pomocą urządzenia hasła-klucza." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" -msgstr "Ile sekund pam_sss ma oczekiwać na ukończenie p11_child" +msgstr "Ile sekund pam_sss ma oczekiwać na ukończenie passkey_child" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "Włącza debugowanie w bibliotece libfido2" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1601,9 +1598,8 @@ msgid "attribute containing the email address of the user" msgstr "atrybut zawierający adres e-mail użytkownika" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "atrybut zawierający adres e-mail użytkownika" +msgstr "atrybut zawierający dane mapowania hasła-klucza użytkownika" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" @@ -2161,7 +2157,7 @@ msgstr "Komunikat serwera: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "Proszę podać kod PIN:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2190,9 +2186,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "Hasło wygaśnie za %1$d %2$s." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "Hasło wygaśnie za %1$d %2$s." +msgstr "Hasło wygasło." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " 
@@ -2257,6 +2253,7 @@ msgstr "Drugi czynnik: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." msgstr "" +"Proszę włożyć urządzenie hasła-klucza, a następnie nacisnąć klawisz Enter." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2609,9 +2606,8 @@ msgid "Passkey related tools:" msgstr "Narzędzia związane z hasłami-kluczami:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "Wykonuje działania związane z hasłami-kluczami" +msgstr "Wykonuje rejestrację hasłem-kluczem" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2792,9 +2788,8 @@ msgid "Error while reading configuration directory.\n" msgstr "Błąd podczas odczytywania katalogu konfiguracji.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "Wczytanie konfiguracji z %s się nie powiodło.\n" +msgstr "Nie ma konfiguracji.\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/ru.po b/po/ru.po index f210c923f1f..00adfa7fefb 100644 --- a/po/ru.po +++ b/po/ru.po @@ -7,13 +7,13 @@ # Oleksii Levan , 2016. #zanata # Evgeny Sinelnikov , 2021. # Olesya Gerasimenko , 2021. -# Elena Mishina , 2022. +# Elena Mishina , 2022, 2023. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2022-12-14 19:20+0000\n" +"PO-Revision-Date: 2023-05-20 22:20+0000\n" "Last-Translator: Elena Mishina \n" "Language-Team: Russian \n" @@ -23,7 +23,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 
@@ -173,9 +173,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "Включить или отключить дампы памяти для всех процессов SSSD." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "Настроить проверку сертификатов" +msgstr "Настроить проверку ключа доступа" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -433,20 +432,18 @@ msgstr "" "GSSAPI" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "Разрешить проверку подлинности на основе сертификата или смарт-карты." +msgstr "Разрешить проверку подлинности на основе ключа доступа." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" msgstr "" "Разрешённое количество секунд, в течение которого pam_sss ожидает завершения " -"работы p11_child" +"работы passkey_child" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "Включить отладку в библиотеке libfido2" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1634,9 +1631,8 @@ msgid "attribute containing the email address of the user" msgstr "Атрибут, который содержит адрес электронной почты пользователя" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "Атрибут, который содержит адрес электронной почты пользователя" +msgstr "атрибут, содержащий данные сопоставления ключа доступа пользователя" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" @@ -2206,7 +2202,7 @@ msgstr "Сообщение сервера: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "Введите PIN:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" 
@@ -2235,9 +2231,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "Срок действия пароля истекает через %1$d %2$s." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "Срок действия пароля истекает через %1$d %2$s." +msgstr "Срок действия пароля истёк." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " @@ -2300,7 +2296,7 @@ msgstr "Второй фактор: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "Вставьте устройство с ключом доступа и нажмите ENTER." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2653,9 +2649,8 @@ msgid "Passkey related tools:" msgstr "Инструменты, связанные с ключом:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "Выполнить связанные с ключом действия" +msgstr "Зарегистрировать ключ доступа" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2837,9 +2832,8 @@ msgid "Error while reading configuration directory.\n" msgstr "Ошибка при чтении каталога конфигурации.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "Не удалось загрузить конфигурацию из %s.\n" +msgstr "Нет никакой конфигурации.\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/tr.po b/po/tr.po index eadc09fa674..7a65df0530f 100644 --- a/po/tr.po +++ b/po/tr.po @@ -11,7 +11,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2023-04-13 13:20+0000\n" +"PO-Revision-Date: 2023-06-04 04:20+0000\n" "Last-Translator: Kemal Oktay Aktoğan \n" "Language-Team: Turkish \n" 
@@ -20,7 +20,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n>1);\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -177,9 +177,8 @@ msgstr "" "bırakın." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "Sertifika doğrulamasını ayarla" +msgstr "Geçiş anahtarı doğrulama davranışını ayarlayın" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -419,18 +418,16 @@ msgstr "" ": çiftlerinin listesi" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "Sertifika tabanlı/Akıllı kart kimlik doğrulamasına izin ver." +msgstr "Geçiş anahtarı cihaz kimlik doğrulamasına izin ver." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" msgstr "pam_sss, p11_child'in bitmesi için kaç saniye bekleyecek" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "libfido2 kitaplığında hata ayıklamayı etkinleştir" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1609,9 +1606,8 @@ msgid "attribute containing the email address of the user" msgstr "kullanıcının e-posta adresini içeren öznitelik" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "kullanıcının e-posta adresini içeren öznitelik" +msgstr "kullanıcının parola eşleme verilerini içeren öznitelik" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" 
@@ -2176,7 +2172,7 @@ msgstr "Sunucu iletisi: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "PIN girin:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2205,9 +2201,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "Parolanızın süresi %1$d %2$s içinde dolacak." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "Parolanızın süresi %1$d %2$s içinde dolacak." +msgstr "Parolanızın süresi doldu." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " @@ -2269,7 +2265,7 @@ msgstr "İkinci Etken: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "Geçiş anahtarı aygıtınızı girin ve ardından ENTER'a basın." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2623,7 +2619,6 @@ msgid "Passkey related tools:" msgstr "Geçiş anahtarıyla ilgili araçlar:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" msgstr "Geçiş anahtarıyla ilgili işlemleri gerçekleştirin" @@ -2805,9 +2800,8 @@ msgid "Error while reading configuration directory.\n" msgstr "Yapılandırma dizini okunurken hata oluştu.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "%s'den yapılandırma yüklenemedi.\n" +msgstr "Yapılandırma yok..\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/uk.po b/po/uk.po index f3acacd499f..7f67ac6e00d 100644 --- a/po/uk.po +++ b/po/uk.po 
@@ -4,20 +4,21 @@ # # Translators: # sgallagh , 2011 -# Yuri Chornoivan , 2011-2014, 2020, 2021, 2022. -# Yuri Chornoivan , 2013, 2020, 2021, 2022. -# Yuri Chornoivan , 2015. #zanata, 2020, 2021, 2022. -# Yuri Chornoivan , 2017. #zanata, 2020, 2021, 2022. -# Yuri Chornoivan , 2018. #zanata, 2020, 2021, 2022. -# Yuri Chornoivan , 2019. #zanata, 2020, 2021, 2022. -# Yuri Chornoivan , 2020. #zanata, 2021, 2022. +# Yuri Chornoivan , 2011-2014, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2013, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2015. #zanata, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2017. #zanata, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2018. #zanata, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2019. #zanata, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2020. #zanata, 2021, 2022, 2023. +# Elena Mishina , 2023. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2022-12-12 14:09+0000\n" -"Last-Translator: Yuri Chornoivan \n" +"PO-Revision-Date: 2023-05-20 22:20+0000\n" +"Last-Translator: Elena Mishina \n" "Language-Team: Ukrainian \n" "Language: uk\n" @@ -26,7 +27,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -178,9 +179,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "Увімкнути або вимкнути дампи ядра для усіх процесів SSSD." #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "Скоригувати перевірку сертифікатів" +msgstr "Скоригувати поведінку при перевірці пароля" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" 
@@ -430,20 +430,18 @@ msgstr "" "примусово встановлено доступ PAM із розпізнаванням GSSAPI" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "Дозволити розпізнавання за сертифікатом або смарткарткою." +msgstr "Дозволити розпізнавання за допомогою пристрою пароля." #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" msgstr "" "Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи " -"p11_child" +"passkey_child" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "Увімкнути діагностику у бібліотеці libfido2" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1648,9 +1646,8 @@ msgid "attribute containing the email address of the user" msgstr "атрибут, що містить адресу електронної пошти користувача" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "атрибут, що містить адресу електронної пошти користувача" +msgstr "атрибут, що містить дані прив'язки ключа користувача" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" @@ -2227,7 +2224,7 @@ msgstr "Повідомлення сервера: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "Введіть PIN:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2256,9 +2253,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "Строк дії вашого пароля завершиться за %1$d %2$s." #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "Строк дії вашого пароля завершиться за %1$d %2$s." +msgstr "Строк дії вашого пароля вичерпано." #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " 
@@ -2321,7 +2318,7 @@ msgstr "Другий фактор: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "Вставте ваш пристрій ключа і натисніть клавішу ENTER." #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2673,9 +2670,8 @@ msgid "Passkey related tools:" msgstr "Пов'язані із ключем інструменти:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "Виконати пов'язані із ключем дії" +msgstr "Виконати реєстрацію ключа" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2858,9 +2854,8 @@ msgid "Error while reading configuration directory.\n" msgstr "Помилка під час спроби прочитати каталог налаштувань.\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "Не вдалося завантажити налаштування з %s.\n" +msgstr "Немає налаштувань.\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/po/zh_CN.po b/po/zh_CN.po index c12dfc823d0..d950dbc1722 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -14,7 +14,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2023-05-05 10:11+0200\n" -"PO-Revision-Date: 2023-03-02 09:20+0000\n" +"PO-Revision-Date: 2023-06-10 12:20+0000\n" "Last-Translator: Ludek Janda \n" "Language-Team: Chinese (Simplified) \n" @@ -23,7 +23,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 
@@ -164,9 +164,8 @@ msgid "Enable or disable core dumps for all SSSD processes." msgstr "为所有 SSSD 进程启用或禁用内核转储。" #: src/config/SSSDConfig/sssdoptions.py:58 -#, fuzzy msgid "Tune passkey verification behavior" -msgstr "调整证书验证" +msgstr "调整密码验证行为" #: src/config/SSSDConfig/sssdoptions.py:61 msgid "Enumeration cache timeout length (seconds)" @@ -384,18 +383,16 @@ msgstr "" "验证进行 PAM 访问" #: src/config/SSSDConfig/sssdoptions.py:117 -#, fuzzy msgid "Allow passkey device authentication." -msgstr "允许基于证书/智能卡的身份验证。" +msgstr "允许使用通行密钥设备认证。" #: src/config/SSSDConfig/sssdoptions.py:118 -#, fuzzy msgid "How many seconds will pam_sss wait for passkey_child to finish" -msgstr "pam_sss 等待 p11_child 完成的时间(以秒为单位)" +msgstr "pam_sss 等待 passkey_child 完成的时间" #: src/config/SSSDConfig/sssdoptions.py:119 msgid "Enable debugging in the libfido2 library" -msgstr "" +msgstr "在 libfido2 库中启用调试功能" #: src/config/SSSDConfig/sssdoptions.py:122 msgid "Whether to evaluate the time-based attributes in sudo rules" @@ -1489,9 +1486,8 @@ msgid "attribute containing the email address of the user" msgstr "包含用户电子邮件地址的属性" #: src/config/SSSDConfig/sssdoptions.py:449 -#, fuzzy msgid "attribute containing the passkey mapping data of the user" -msgstr "包含用户电子邮件地址的属性" +msgstr "包含用户的通行密钥映射数据的属性" #: src/config/SSSDConfig/sssdoptions.py:450 msgid "A list of extra attributes to download along with the user entry" @@ -2038,7 +2034,7 @@ msgstr "服务器消息: " #: src/sss_client/pam_sss.c:71 msgid "Enter PIN:" -msgstr "" +msgstr "输入 PIN:" #: src/sss_client/pam_sss.c:314 msgid "Passwords do not match" @@ -2067,9 +2063,9 @@ msgid "Your password will expire in %1$d %2$s." msgstr "您的密码将于 %1$d %2$s 过期。" #: src/sss_client/pam_sss.c:627 -#, fuzzy, c-format +#, c-format msgid "Your password has expired." -msgstr "您的密码将于 %1$d %2$s 过期。" +msgstr "您的密码已经过期。" #: src/sss_client/pam_sss.c:678 msgid "Authentication is denied until: " 
@@ -2129,7 +2125,7 @@ msgstr "第二因素: " #: src/sss_client/pam_sss.c:2547 msgid "Insert your passkey device, then press ENTER." -msgstr "" +msgstr "插入您的通行密钥设备,然后按回车键。" #: src/sss_client/pam_sss.c:2551 src/sss_client/pam_sss.c:2554 msgid "Password: " @@ -2478,9 +2474,8 @@ msgid "Passkey related tools:" msgstr "与 Passkey 相关的工具:" #: src/tools/sssctl/sssctl.c:348 -#, fuzzy msgid "Perform passkey registration" -msgstr "执行与 passkey 相关的操作" +msgstr "执行通行密钥登记" #: src/tools/sssctl/sssctl_cache.c:31 #, c-format @@ -2656,9 +2651,8 @@ msgid "Error while reading configuration directory.\n" msgstr "读取配置目录时出错。\n" #: src/tools/sssctl/sssctl_config.c:147 -#, fuzzy msgid "There is no configuration.\n" -msgstr "从 %s 加载配置失败。\n" +msgstr "没有任何配置。\n" #: src/tools/sssctl/sssctl_config.c:157 msgid "Failed to run validators" diff --git a/src/man/po/ko.po b/src/man/po/ko.po index c281ac3510b..335eae9ec3a 100644 --- a/src/man/po/ko.po +++ b/src/man/po/ko.po @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: sssd-docs 2.5.2\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2021-07-12 20:51+0200\n" -"PO-Revision-Date: 2023-04-08 20:20+0000\n" +"PO-Revision-Date: 2023-06-13 13:20+0000\n" "Last-Translator: 김인수 \n" "Language-Team: Korean \n" @@ -17,7 +17,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 4.15.2\n" +"X-Generator: Weblate 4.17\n" #. type: Content of: #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 
@@ -513,6 +513,9 @@ msgid "" "and the administrator must enable the ones allowed to be used by executing: " "\"systemctl enable sssd-@service@.socket\". </phrase>" msgstr "" +"<phrase condition=\"have_systemd\"> 기본적으로, 모든 서비스는 비활성화 되어 " +"있고 관리자는 다음을 실행하여 사용이 허용된 항목을 활성화해야 합니다: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:255 sssd.conf.5.xml:718 @@ -548,6 +551,11 @@ msgid "" "alphanumeric ASCII characters, dashes, dots and underscores. '/' character " "is forbidden." msgstr "" +"도메인은 사용자 정보를 포함하는 데이타베이스입니다. SSSD는 동시에 더 많은 " +"도메인을 사용 할 수 있으나 적어도 한 개는 구성되어 있어야만 하고, 그렇지 " +"않으면 SSSD는 시작되지 않을 것입니다. 이와 같은 매개변수는 질의 할 순서대로 " +"도메인의 목록을 설명합니다. 도메인 이름은 영숫자(ASCII) 문자, -, . 및 _만 " +"포함되도록 추천됩니다. '/'문자는 금지됩니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:284 sssd.conf.5.xml:3300 @@ -569,6 +577,9 @@ msgid "" "ID providers there are also default regular expressions. See DOMAIN SECTIONS " "for more info on these regular expressions." msgstr "" +"각각의 도메인은 개별 정규 표현식으로 구성 될 수 있습니다. 일부 ID " +"공급자에서는 기본 정규 표현식도 있습니다. 정규 표현식에서 더 많은 정보를 " +"위해 도메인 부분을 참고하세요." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:301 sssd.conf.5.xml:3348 @@ -582,6 +593,9 @@ msgid "" "manvolnum> </citerefentry>-compatible format that describes how to compose a " "fully qualified name from user name and domain name components." msgstr "" +"<citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-사용자 이름 및 도메인 이름 구성에서 정규화된 " +"이름을 구성하는 방법을 설명하는 것과 같은 호환 가능한 형식." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:315 sssd.conf.5.xml:3362 
@@ -658,6 +672,8 @@ msgid "" "changes and will fall back to polling every five seconds if inotify cannot " "be used." msgstr "" +"기본적으로, SSSD는 알림를 사용하여 구성 파일 변경을 모니터링하려 시도하고 " +"만약 알림을 사용 할 수 없는 경우 매 5초마다 폴링으로 돌아갑니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:369 @@ -666,6 +682,8 @@ msgid "" "even trying to use inotify. In these rare cases, this option should be set " "to 'false'" msgstr "" +"알림을 사용하려는 시도조차 건너뛰도록 하는 바람직한 몇 가지 제한된 상황이 " +"있습니다. 이들 드문 경우에서, 이 옵션은 'false'로 설정해야 합니다" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:375 @@ -679,7 +697,8 @@ msgstr "기본값: 알림이 지원되는 기술환경에서 사실입니다. msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." -msgstr "" +msgstr "주의: 이와 같은 옵션은 알림이 사용 할 수 없는 기술환경에서 효과가 없습니다. " +"이들 기술환경에서, 폴링은 항상 사용됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:386 @@ -701,6 +720,8 @@ msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" +"이와 같은 옵션은 libkrb5가 재생 캐쉬를 위해 적절한 위치를 결정하도록 SSSD에 " +"지시하는 특수 값 __LIBKRB5_DEFAULTS__를 허용합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:399 
@@ -747,6 +768,11 @@ msgid "" "trusted domain. The option allows those users to log in just with their " "user name without giving a domain name as well." msgstr "" +"이와 같은 문자열은 도메인 이름 구성이 없는 모든 이름을 위해 기본 도메인 " +"이름으로 사용됩니다. 주요 사용 경우는 기본 도메인이 호스트 정책을 관리하고 " +"모든 사용자가 신뢰 할 수 있는 도메인에 있는 환경입니다. 이와 같은 옵션을 " +"사용하면 해당 사용자는 도메인 이름도 제공하지 않고 이들 사용자 이름만으로 " +"로그인 할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:445 @@ -2363,7 +2389,8 @@ msgstr "항상" #: sssd.conf.5.xml:1795 msgid "" "Always do an online lookup, please note that pam_id_timeout still applies" -msgstr "" +msgstr "항상 온라인 조회를 실시하고, pam_id_timeout은 여전히 적용 중인 것을 " +"참조하세요" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1799 @@ -4428,7 +4455,7 @@ msgstr "" #: sssd.conf.5.xml:3665 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." -msgstr "" +msgstr "값은 <emphasis>override_homedir</emphasis> 옵션에 의해 재정의 될 수 있습니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3669 @@ -6127,7 +6154,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:722 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "" +msgstr "<emphasis>hard</emphasis> = <quote>demand</quote>와 동일합니다" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:726 
@@ -6816,14 +6843,15 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1361 msgid "<emphasis>host</emphasis>: use the host attribute to determine access" -msgstr "" +msgstr "<emphasis>host</emphasis>: 호스트 속성을 사용하여 접근을 결정합니다" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1365 msgid "" "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " "remote host can access" -msgstr "" +msgstr "<emphasis>rhost</emphasis>: rhost 속성을 사용하여 원격 호스트가 접근 할 수 " +"있는지 여부를 결정합니다" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1369 @@ -6961,7 +6989,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1476 msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" +msgstr "현재, InfoPipe 응답기만 와일드카드 조회를 지원합니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1480 @@ -7109,7 +7137,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1596 msgid "You can disable this offset by setting the value to 0." -msgstr "" +msgstr "당신은 값을 0으로 설정하여 이 옵셋을 비활성화 할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1606 @@ -11912,7 +11940,7 @@ msgstr "SSSD가 로그 메시지를 보낼 위치." msgid "" "<emphasis>stderr</emphasis>: Redirect debug messages to standard error " "output." -msgstr "" +msgstr "<emphasis>stderr</emphasis>: 디버그 메시지를 표준 오류 출력으로 재지정합니다." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:96 
@@ -17044,6 +17072,8 @@ msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as " "<quote>telephoneNumber</quote> to the cache." msgstr "" +"LDAP에서 <quote>telephoneNumber</quote> 속성을 <quote>telephoneNumber</" +"quote> 캐쉬에 저장하세요." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:463 @@ -17056,6 +17086,8 @@ msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" "quote> to the cache." msgstr "" +"LDAP에서 <quote>telephoneNumber</quote> 속성을 <quote>phone</quote> 캐쉬에 " +"저장하세요." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:476 @@ -17228,7 +17260,7 @@ msgstr "ldap_user_email (문자열)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:622 msgid "Name of the LDAP attribute containing the email address of the user." -msgstr "" +msgstr "사용자 전자우편 주소를 포함하는 LDAP 속성의 이름." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:626 @@ -19277,6 +19309,8 @@ msgid "" "request is aborted. If possible, the authentication request is continued " "offline." msgstr "" +"온라인 인증 요청 또는 비밀번호 변경 요청이 중단된 후 초 단위 시간 " +"만료입니다. 만약 할 수 있다면, 인증 요청은 오프라인으로 계속됩니다." #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:17 diff --git a/src/man/po/ru.po b/src/man/po/ru.po index e0933c85adb..1f8d55235a0 100644 --- a/src/man/po/ru.po +++ b/src/man/po/ru.po 
@@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2023-05-05 10:09+0200\n" -"PO-Revision-Date: 2022-12-14 19:20+0000\n" +"PO-Revision-Date: 2023-05-25 03:20+0000\n" "Last-Translator: Elena Mishina <lepata@basealt.ru>\n" "Language-Team: Russian <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/ru/>\n" @@ -19,7 +19,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.17\n" #. type: Content of: <reference><title> #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 @@ -103,8 +103,7 @@ msgid "" "values of <quote>TRUE/FALSE</quote>)." msgstr "" "Используемые типы данных: строка (кавычки не требуются), целое число и " -"логическое значение (возможны два значения: <quote>TRUE</quote> или " -"<quote>FALSE</quote>)." +"логическое значение (возможные значения: <quote>TRUE/FALSE</quote>)." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:44 
@@ -677,19 +676,12 @@ msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. Currently the only supported value is '&sssd_user_name;'." msgstr "" +"Пользователь, чьи привилегии будут использоваться, чтобы избежать запуска от " +"имени пользователя root. В текущей версии единственным поддерживаемым " +"значением является «&sssd_user_name;»." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:419 -#, fuzzy -#| msgid "" -#| "The user to drop the privileges to where appropriate to avoid running as " -#| "the root user. <phrase condition=\"have_systemd\"> This option does not " -#| "work when running socket-activated services, as the user set up to run " -#| "the processes is set up during compilation time. The way to override the " -#| "systemd unit files is by creating the appropriate files in /etc/systemd/" -#| "system/. Keep in mind that any change in the socket user, group or " -#| "permissions may result in a non-usable SSSD. The same may occur in case " -#| "of changes of the user running the NSS responder. </phrase>" msgid "" "This option does not work when running socket-activated services, as the " "user set up to run the processes is set up during compilation time. The way " 
@@ -698,15 +690,13 @@ msgid "" "or permissions may result in a non-usable SSSD. The same may occur in case " "of changes of the user running the NSS responder." msgstr "" -"Пользователь, чьи привилегии будут использоваться, чтобы избежать выполнения " -"от имени пользователя root. <phrase condition=\"have_systemd\"> Этот " -"параметр не работает для служб, которые активируются с помощью сокета, так " -"как пользователь, от имени которого запускаются процессы, настраивается во " -"время сборки. Чтобы переопределить файлы модулей systemd, следует создать " +"Этот параметр не работает для служб, которые активируются с помощью сокета, " +"так как пользователь, от имени которого запускаются процессы, настраивается " +"во время сборки. Чтобы переопределить файлы модулей systemd, следует создать " "соответствующие файлы в /etc/systemd/system/. Следует учитывать, что любые " "изменения пользователя сокета, группы или прав могут привести к потере " "работоспособности SSSD. То же самое может произойти в случае изменения " -"пользователя, запускающего ответчик NSS. </phrase>" +"пользователя, запускающего ответчик NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:433 
@@ -737,16 +727,6 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:451 -#, fuzzy -#| msgid "" -#| "Please note that if this option is set all users from the primary domain " -#| "have to use their fully qualified name, e.g. user@domain.name, to log in. " -#| "Setting this option changes default of use_fully_qualified_names to True. " -#| "It is not allowed to use this option together with " -#| "use_fully_qualified_names set to False. One exception from this rule are " -#| "domains with <quote>id_provider=files</quote> that always try to match " -#| "the behaviour of nss_files and therefore their output is not qualified " -#| "even when the default_domain_suffix option is used." msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -762,11 +742,12 @@ msgstr "" "например user@domain.name, для входа в систему. Установка этого параметра " "изменит стандартное значение use_fully_qualified_names на «True». Этот " "параметр нельзя использовать вместе с параметром use_fully_qualified_names, " -"установленным в значение «False». Единственное исключение из этого правила — " -"домены с <quote>id_provider=files</quote>, для которых всегда выполняется " -"попытка установления поведения в соответствии с nss_files; следовательно, " -"выведенные для них имена не будут полными даже тогда, когда используется " -"параметр default_domain_suffix." +"установленным в значение «False». <phrase condition=\"with_files_provider\"" +">Единственное исключение из этого правила — домены с " +"<quote>id_provider=files</quote>, для которых всегда выполняется попытка " +"установления поведения в соответствии с nss_files; следовательно, выведенные " +"для них имена не будут полными даже тогда, когда используется параметр " +"default_domain_suffix. </phrase>" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:468 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888 
@@ -1078,21 +1059,6 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:672 -#, fuzzy -#| msgid "" -#| "Please, note that when this option is set the output format of all " -#| "commands is always fully-qualified even when using short names for input, " -#| "for all users but the ones managed by the files provider. In case the " -#| "administrator wants the output not fully-qualified, the full_name_format " -#| "option can be used as shown below: <quote>full_name_format=%1$s</quote> " -#| "However, keep in mind that during login, login applications often " -#| "canonicalize the username by calling <citerefentry> " -#| "<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </" -#| "citerefentry> which, if a shortname is returned for a qualified input " -#| "(while trying to reach a user which exists in multiple domains) might re-" -#| "route the login attempt into the domain which uses shortnames, making " -#| "this workaround totally not recommended in cases where usernames may " -#| "overlap between domains." msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input <phrase " 
@@ -1110,9 +1076,10 @@ msgid "" msgstr "" "Обратите внимание: когда этот параметр задан, для вывода всех команд будет " "использоваться полный формат, даже если во входных данных использовались " -"краткие имена (для всех пользователей, кроме находящихся под управлением " -"поставщика файлов). Если администратору не требуется полный формат, " -"параметр full_name_format можно использовать следующим образом: " +"краткие имена <phrase condition=\"with_files_provider\">(для всех " +"пользователей, кроме находящихся под управлением поставщика файлов)</" +"phrase>. Если администратору не требуется полный формат, параметр " +"full_name_format можно использовать следующим образом: " "<quote>full_name_format=%1$s</quote>. Но следует учитывать, что при входе " "приложения часто преобразуют имя пользователя в каноническую форму, вызывая " "программу <citerefentry> <refentrytitle>getpwnam</refentrytitle> " @@ -1164,17 +1131,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:734 -#, fuzzy -#| msgid "pam_cert_verification (string)" msgid "passkey_verification (string)" -msgstr "pam_cert_verification (строка)" +msgstr "passkey_verification (строка)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:742 -#, fuzzy -#| msgid "pam_cert_verification (string)" msgid "user_verification (boolean)" -msgstr "pam_cert_verification (строка)" +msgstr "user_verification (логическое значение)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:744 
@@ -1182,6 +1145,8 @@ msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication." msgstr "" +"Включить или отключить проверку пользователя (например, PIN-код, отпечаток " +"пальца) во время аутентификации." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:749 @@ -1190,20 +1155,18 @@ msgid "" "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" +"По умолчанию поведение определяется параметрами ключей. В случае " +"предварительной аутентификации IPA или Kerberos это значение будет " +"перезаписано сервером." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:737 -#, fuzzy -#| msgid "" -#| "With this parameter the certificate verification can be tuned with a " -#| "comma separated list of options. Supported options are: <placeholder " -#| "type=\"variablelist\" id=\"0\"/>" msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" -"При установке этого параметра проверку сертификатов можно настроить с " +"При установке этого параметра проверку ключа доступа можно настроить с " "помощью разделённого запятыми списка параметров. Поддерживаемые параметры: " "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -2080,20 +2043,15 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1373 -#, fuzzy -#| msgid "" -#| "Default: <quote>not set</quote> (remote domains), <quote>x</quote> (the " -#| "files domain), <quote>x</quote> (proxy domain with nss_files and sssd-" -#| "shadowutils target)" msgid "" "Default: <quote>not set</quote> (remote domains), <phrase " "condition=\"with_files_provider\"> <quote>x</quote> (the files domain), </" "phrase> <quote>x</quote> (proxy domain with nss_files and sssd-shadowutils " "target)" msgstr "" -"По умолчанию: <quote>не задано</quote> (удалённые домены), <quote>x</quote> " -"(домен файлов), <quote>x</quote> (домен прокси с nss_files и целью sssd-" -"shadowutils)" +"По умолчанию: <quote>не задано</quote> (удалённые домены), <phrase condition=" +"\"with_files_provider\"> <quote>x</quote> (домен файлов),</phrase> <quote>x</" +"quote> (домен прокси с nss_files и целью sssd-shadowutils)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1385 @@ -2529,15 +2487,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1680 -#, fuzzy -#| msgid "pam_cert_auth (bool)" msgid "pam_passkey_auth (bool)" -msgstr "pam_cert_auth (логическое значение)" +msgstr "pam_passkey_auth (логическое значение)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1683 msgid "Enable passkey device based authentication." -msgstr "" +msgstr "Включите аутентификацию на основе ключа доступа." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1686 sssd.conf.5.xml:1697 sssd.conf.5.xml:1711 
@@ -2550,12 +2506,12 @@ msgstr "По умолчанию: false" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1691 msgid "passkey_debug_libfido2 (bool)" -msgstr "" +msgstr "passkey_debug_libfido2 (логическое значение)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1694 msgid "Enable libfido2 library debug messages." -msgstr "" +msgstr "Включить отладочные сообщения библиотеки libfido2." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1702 @@ -2651,20 +2607,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1771 -#, fuzzy -#| msgid "p11_child_timeout (integer)" msgid "passkey_child_timeout (integer)" -msgstr "p11_child_timeout (целое число)" +msgstr "passkey_child_timeout (целое число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1774 -#, fuzzy -#| msgid "How many seconds will pam_sss wait for p11_child to finish." msgid "" "How many seconds will the PAM responder wait for passkey_child to finish." msgstr "" -"Разрешённое количество секунд, в течение которого pam_sss ожидает завершения " -"работы p11_child." +"Разрешённое количество секунд, в течение которого ответчик PAM ожидает " +"завершения работы passkey_child." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1783 
@@ -4310,13 +4262,10 @@ msgstr "cache_credentials (логическое значение)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2930 -#, fuzzy -#| msgid "" -#| "Determines if user credentials are also cached in the local LDB cache" msgid "Determines if user credentials are also cached in the local LDB cache." msgstr "" "Определяет, следует ли также кэшировать учётные данные пользователя в " -"локальном кэше LDB" +"локальном кэше LDB." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2934 @@ -4326,6 +4275,11 @@ msgid "" "get access to a cache file (normally requires privileged access) and to " "break a password using brute force attack." msgstr "" +"Обратите внимание, что несмотря на то, что учётные данные хранятся в виде " +"зашифрованного хэша SHA512, это по-прежнему потенциально представляет " +"некоторую угрозу безопасности в случае, если злоумышленнику удастся получить " +"доступ к файлу кеша (обычно требуется привилегированный доступ) и взломать " +"пароль с помощью атаки грубой силы." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2948 
@@ -5124,20 +5078,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3552 -#, fuzzy -#| msgid "" -#| "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" -#| "\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -#| "P<name>[^@\\\\]+)$))</quote> which allows three different styles " -#| "for user names:" msgid "" "Default: <quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>" "[^@]+))$</quote> which allows two different styles for user names:" msgstr "" -"Значение по умолчанию для поставщиков данных AD и IPA: <quote>(((?P<" -"domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>.+)@(?P<" -"domain>[^@]+$))|(^(?P<name>[^@\\\\]+)$))</quote> — оно позволяет " -"назначать три разных стиля записи имён пользователей:" +"Значение: " +"<quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$</" +"quote> — оно позволяет назначать два разных стиля записи имён пользователей:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3557 sssd.conf.5.xml:3571 
@@ -5151,22 +5098,16 @@ msgstr "username@domain.name" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3565 -#, fuzzy -#| msgid "" -#| "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" -#| "\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -#| "P<name>[^@\\\\]+)$))</quote> which allows three different styles " -#| "for user names:" msgid "" "Default for the AD and IPA provider: <quote>^(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<" "name>[^@\\\\]+)))$</quote> which allows three different styles for user " "names:" msgstr "" -"Значение по умолчанию для поставщиков данных AD и IPA: <quote>(((?P<" -"domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>.+)@(?P<" -"domain>[^@]+$))|(^(?P<name>[^@\\\\]+)$))</quote> — оно позволяет " -"назначать три разных стиля записи имён пользователей:" +"Значение по умолчанию для поставщиков данных AD и IPA: " +"<quote>^(((?P<domain>[^\\\\]+)\\\\(?P<name>.+))|((?P<name>." +"+)@(?P<domain>[^@]+))|((?P<name>[^@\\\\]+)))$</quote> — оно " +"позволяет назначать три разных стиля записи имён пользователей:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3577 
@@ -5191,6 +5132,12 @@ msgid "" "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" +"По умолчанию re_expression использует символ <quote>@</quote> в качестве " +"разделителя между именем и доменом. Поэтому при использовании этого " +"параметра по умолчанию невозможно использовать символ <quote>@</quote> в " +"кратких именах (как это разрешено в названиях групп Windows). Если " +"пользователь хочет использовать короткие имена с <quote>@</quote>, он должен " +"создать собственное re_expression." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3637 @@ -6428,10 +6375,8 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4449 -#, fuzzy -#| msgid "[prompting/password]" msgid "[prompting/passkey]" -msgstr "[prompting/password]" +msgstr "[prompting/passkey]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4455 sssd-ad.5.xml:1021 
@@ -6445,25 +6390,24 @@ msgid "" "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" +"логическое значение, если True, отправить запрос и подождать, прежде чем " +"проверить наличие устройства ключа. Рекомендуется, если устройство не имеет " +"тактильного переключателя." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4465 -#, fuzzy -#| msgid "interactive" msgid "interactive_prompt" -msgstr "interactive" +msgstr "interactive_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4467 -#, fuzzy -#| msgid "to change the string of the password prompt" msgid "to change the message of the interactive prompt." -msgstr "изменить строку запроса пароля" +msgstr "изменить сообщение интерактивного запроса." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4472 msgid "touch" -msgstr "" +msgstr "touch" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4474 
@@ -6471,42 +6415,30 @@ msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" +"логическое значение, если True, отправить сообщение для напоминания " +"пользователю о необходимости коснуться устройства." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4480 -#, fuzzy -#| msgid "first_prompt" msgid "touch_prompt" -msgstr "first_prompt" +msgstr "touch_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4482 -#, fuzzy -#| msgid "to change the string of the password prompt" msgid "to change the message of the touch prompt." -msgstr "изменить строку запроса пароля" +msgstr "изменить сообщение запроса касания." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4451 -#, fuzzy -#| msgid "" -#| "to configure password prompting, allowed options are: <placeholder " -#| "type=\"variablelist\" id=\"0\"/>" msgid "" "to configure passkey authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"допустимые параметры настройки запроса пароля: <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"допустимые параметры для настройки аутентификации по ключу доступа: " +"<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4402 -#, fuzzy -#| msgid "" -#| "Each supported authentication method has its own configuration subsection " -#| "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " -#| "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" " -#| "id=\"1\"/>" msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. 
Currently there are: <placeholder " @@ -6516,7 +6448,8 @@ msgstr "" "Для каждого поддерживаемого способа проверки подлинности предусмотрен " "отдельный подраздел конфигурации: <quote>[prompting/...]</quote>. В " "настоящее время это: <placeholder type=\"variablelist\" id=\"0\"/> " -"<placeholder type=\"variablelist\" id=\"1\"/>" +"<placeholder type=\"variablelist\" id=\"1\"/> <placeholder type=" +"\"variablelist\" id=\"2\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4493 @@ -6629,16 +6562,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4550 -#, fuzzy, no-wrap -#| msgid "" -#| "[certmap/my.domain/rule_name]\n" -#| "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" -#| "maprule = (userCertificate;binary={cert!bin})\n" -#| "domains = my.domain, your.domain\n" -#| "priority = 10\n" -#| "\n" -#| "[certmap/files/myname]\n" -#| "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" +#, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" 
@@ -6651,22 +6575,9 @@ msgstr "" "maprule = (userCertificate;binary={cert!bin})\n" "domains = my.domain, your.domain\n" "priority = 10\n" -"\n" -"[certmap/files/myname]\n" -"matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4544 -#, fuzzy -#| msgid "" -#| "3. The following example shows the configuration for two certificate " -#| "mapping rules. The first is valid for the configured domain <quote>my." -#| "domain</quote> and additionally for the subdomains <quote>your.domain</" -#| "quote> and uses the full certificate in the search filter. The second " -#| "example is valid for the domain <quote>files</quote> where it is assumed " -#| "the files provider is used for this domain and contains a matching rule " -#| "for the local user <quote>myname</quote>. <placeholder " -#| "type=\"programlisting\" id=\"0\"/>" msgid "" "3. The following example shows the configuration of a certificate mapping " "rule. It is valid for the configured domain <quote>my.domain</quote> and " 
@@ -6674,14 +6585,11 @@ msgid "" "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" -"3. В следующем примере показана конфигурация двух правил сопоставления " -"сертификатов. Первое действительно для настроенного домена <quote>my.domain</" -"quote>, а также для поддоменов <quote>your.domain</quote>, и использует " -"полный сертификат в фильтре поиска. Второе действительно для домена " -"<quote>files</quote>, где предполагается, что для этого домена используется " -"поставщик данных файлов и содержит правило установления соответствия для " -"локального пользователя <quote>myname</quote>. <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"3. В следующем примере показана конфигурация правила сопоставления " +"сертификатов. Правило действительно для настроенного домена <quote>my." +"domain</quote>, а также для поддоменов <quote>your.domain</quote>, и " +"использует полный сертификат в фильтре поиска. <placeholder type=" +"\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 
@@ -8568,16 +8476,19 @@ msgid "" "The difference between these options is the action taken if user password is " "expired:" msgstr "" +"Разница между этими параметрами заключается в действиях, которые " +"предпринимаются, если срок действия пароля пользователя истёк:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1467 sssd-ipa.5.xml:374 msgid "pwd_expire_policy_reject - user is denied to log in," -msgstr "" +msgstr "pwd_expire_policy_reject — пользователю отказано во входе в систему," #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1473 sssd-ipa.5.xml:380 msgid "pwd_expire_policy_warn - user is still able to log in," msgstr "" +"pwd_expire_policy_warn — пользователь по-прежнему может войти в систему," #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1479 sssd-ipa.5.xml:386 @@ -8585,6 +8496,8 @@ msgid "" "pwd_expire_policy_renew - user is prompted to change their password " "immediately." msgstr "" +"pwd_expire_policy_renew — пользователю будет предложено немедленно изменить " +"свой пароль." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1487 
@@ -12043,20 +11956,15 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:62 -#, fuzzy -#| msgid "" -#| "As an access provider, the IPA provider uses HBAC (host-based access " -#| "control) rules. Please refer to freeipa.org for more information about " -#| "HBAC. No configuration of access provider is required on the client side." msgid "" "As an access provider, the IPA provider has a minimal configuration (see " "<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access " "control) rules. Please refer to freeipa.org for more information about HBAC." msgstr "" -"Как поставщик доступа, поставщик данных IPA использует правила HBAC " -"(управление доступом на основе узлов). Более подробные сведения о HBAC " -"доступны на веб-сайте freeipa.org. Настройка поставщика доступа на стороне " -"клиента не требуется." +"Как поставщик доступа, поставщик данных IPA имеет минимальную конфигурацию (" +"см. <quote>ipa_access_order</quote>), поскольку он в основном использует " +"правила HBAC (управление доступом на основе узлов). Более подробные сведения " +"о HBAC доступны на веб-сайте freeipa.org." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:68 
@@ -12450,32 +12358,24 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:348 -#, fuzzy -#| msgid "ldap_access_order (string)" msgid "ipa_access_order (string)" -msgstr "ldap_access_order (строка)" +msgstr "ipa_access_order (строка)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:355 -#, fuzzy -#| msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy." -msgstr "<emphasis>expire</emphasis>: использовать ldap_account_expire_policy" +msgstr "" +"<emphasis>expire</emphasis>: использовать политику истечения срока действия " +"учетной записи IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:394 -#, fuzzy -#| msgid "" -#| "Please note that 'access_provider = ldap' must be set for this feature to " -#| "work. Also 'ldap_pwd_policy' must be set to an appropriate password " -#| "policy." msgid "" "Please note that 'access_provider = ipa' must be set for this feature to " "work." msgstr "" -"Следует учитывать, что для работы этой возможности необходимо указать " -"«access_provider = ldap». Также необходимо указать соответствующую политику " -"паролей в качестве значения параметра «ldap_pwd_policy»." +"Следует учитывать, что для работы этой возможности необходимо указать «" +"access_provider = ipa»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:401 
@@ -13426,11 +13326,6 @@ msgstr "ad_enabled_domains (строка)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:161 -#, fuzzy -#| msgid "" -#| "A comma-separated list of enabled Active Directory domains. If provided, " -#| "SSSD will ignore any domains not listed in this option. If left unset, " -#| "all domains from the AD forest will be available." msgid "" "A comma-separated list of enabled Active Directory domains. If provided, " "SSSD will ignore any domains not listed in this option. If left unset, all " @@ -13438,7 +13333,8 @@ msgid "" msgstr "" "Разделённый запятыми список включённых доменов Active Directory. Если он " "предоставлен, SSSD будет игнорировать все домены, отсутствующие в этом " -"списке. Если параметр не задан, будут доступны все домены из леса AD." +"списке. Если параметр не задан, будут доступны все обнаруженные домены из " +"леса AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:168 @@ -13448,6 +13344,10 @@ msgid "" "are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " "listed domains." msgstr "" +"Во время обнаружения доменов SSSD отфильтрует некоторые домены, флаги или " +"атрибуты которых указывают на то, что они не принадлежат локальному лесу или " +"не являются доверенными. Если установлено значение ad_enabled_domains, SSSD " +"попытается включить все перечисленные домены." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:179 
@@ -18156,23 +18056,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:58 -#, fuzzy -#| msgid "" -#| "Please note that some distributions enable the files domain " -#| "automatically, prepending the domain before any explicitly configured " -#| "domains. See enable_files_domain in <citerefentry> <refentrytitle>sssd." -#| "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgid "" "Please note that besides explicit domain definition the files provider can " "be configured also implicitly using 'enable_files_domain' option. See " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details." msgstr "" -"Обратите внимание, что в некоторых дистрибутивов домен файлов включается " -"автоматически, так как он добавлен перед явно настроенными доменами. " -"Смотрите описание параметра enable_files_domain на справочной странице " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"Обратите внимание, что помимо явного определения домена поставщик файлов " +"может быть настроен также неявно с помощью параметра «enable_files_domain». " +"Подробнее смотрите <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:66 
@@ -20324,24 +20217,22 @@ msgstr "По умолчанию: mail" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:640 -#, fuzzy -#| msgid "ldap_user_name (string)" msgid "ldap_user_passkey (string)" -msgstr "ldap_user_name (строка)" +msgstr "ldap_user_passkey (строка)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:643 -#, fuzzy -#| msgid "Name of the LDAP attribute containing the email address of the user." msgid "" "Name of the LDAP attribute containing the passkey mapping data of the user." msgstr "" -"Имя атрибута LDAP, который содержит адрес электронной почты пользователя." +"Имя атрибута LDAP, содержащего данные сопоставления ключа доступа " +"пользователя." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:647 msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" msgstr "" +"По умолчанию: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:657 @@ -20376,6 +20267,9 @@ msgid "" "name for every group. This requirement includes non-POSIX groups in the tree " "of nested groups." msgstr "" +"Атрибут LDAP, соответствующий имени группы. В среде с вложенными группами " +"этим значением должен быть атрибут LDAP, имеющий уникальное имя для каждой " +"группы. Это требование касается и не-POSIX групп в иерархии вложенных групп." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:684 
@@ -22282,43 +22176,6 @@ msgstr "" #. type: Content of: <refsect1><para> #: include/seealso.xml:4 -#, fuzzy -#| msgid "" -#| "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</" -#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-files</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -#| "condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " -#| "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " -#| "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" -#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sss_seed</" -#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" -#| "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> " -#| "<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " -#| "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| 
"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " -#| "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -#| "manvolnum> </citerefentry>, </phrase> <citerefentry> " -#| "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase " -#| "condition=\"with_stap\"> <citerefentry> <refentrytitle>sssd-systemtap</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>" msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" 
@@ -22359,27 +22216,31 @@ msgid "" "citerefentry> </phrase>" msgstr "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-files</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -"condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ldap-" +"attributes</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-" +"simple</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-" +"ad</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " +"condition=\"with_files_provider\"> <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, </phrase> " +"<phrase condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " "<citerefentry> 
<refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> " +"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> " "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sss_seed</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" 
@@ -22387,12 +22248,12 @@ msgstr "" "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " -"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " -"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> </phrase>" +"manvolnum> </citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> <phrase condition=\"with_stap\"> " +"<citerefentry> <refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> </phrase>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 diff --git a/src/man/po/uk.po b/src/man/po/uk.po index 500939ae8bc..b5ff91df384 100644 --- a/src/man/po/uk.po +++ b/src/man/po/uk.po @@ -16,7 +16,7 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2023-05-05 10:09+0200\n" -"PO-Revision-Date: 2022-12-13 18:20+0000\n" +"PO-Revision-Date: 2023-05-14 12:40+0000\n" "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n" "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/uk/>\n" 
@@ -26,7 +26,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" -"X-Generator: Weblate 4.14.2\n" +"X-Generator: Weblate 4.15.2\n" #. type: Content of: <reference><title> #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 @@ -684,19 +684,12 @@ msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. Currently the only supported value is '&sssd_user_name;'." msgstr "" +"Користувач, до рівня якого слід скидати права доступу, для уникнення запуску " +"від імені користувача root. У поточній версії єдиним підтримуваним значенням " +"є «&sssd_user_name;»." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:419 -#, fuzzy -#| msgid "" -#| "The user to drop the privileges to where appropriate to avoid running as " -#| "the root user. <phrase condition=\"have_systemd\"> This option does not " -#| "work when running socket-activated services, as the user set up to run " -#| "the processes is set up during compilation time. The way to override the " -#| "systemd unit files is by creating the appropriate files in /etc/systemd/" -#| "system/. Keep in mind that any change in the socket user, group or " -#| "permissions may result in a non-usable SSSD. The same may occur in case " -#| "of changes of the user running the NSS responder. </phrase>" msgid "" "This option does not work when running socket-activated services, as the " "user set up to run the processes is set up during compilation time. The way " 
@@ -705,15 +698,13 @@ msgid "" "or permissions may result in a non-usable SSSD. The same may occur in case " "of changes of the user running the NSS responder." msgstr "" -"Користувач, до якого слід скинути права доступу, якщо це потрібно для " -"уникнення запуску від імені користувача root. <phrase " -"condition=\"have_systemd\"> Цей параметр не спрацює, якщо запущено служби, " -"які активуються сокетами, оскільки ім'я користувача для запуску " -"налаштовується під час збирання. Параметри файлів модулів systemd можна " -"перевизначити створенням відповідних файлів у /etc/systemd/system/. Слід " -"пам'ятати, щоб будь-які зміни у параметрах користувача, групи чи прав " -"доступу можуть призвести до непрацездатності SSSD. Те саме може статися, " -"якщо змінити користувача, від імені якого запущено відповідач NSS. </phrase>" +"Цей параметр не спрацює, якщо запущено служби, які активуються сокетами, " +"оскільки ім'я користувача для запуску налаштовується під час збирання. " +"Параметри файлів модулів systemd можна перевизначити створенням відповідних " +"файлів у /etc/systemd/system/. Слід пам'ятати, щоб будь-які зміни у " +"параметрах користувача, групи чи прав доступу можуть призвести до " +"непрацездатності SSSD. Те саме може статися, якщо змінити користувача, від " +"імені якого запущено відповідач NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:433 
@@ -743,16 +734,6 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:451 -#, fuzzy -#| msgid "" -#| "Please note that if this option is set all users from the primary domain " -#| "have to use their fully qualified name, e.g. user@domain.name, to log in. " -#| "Setting this option changes default of use_fully_qualified_names to True. " -#| "It is not allowed to use this option together with " -#| "use_fully_qualified_names set to False. One exception from this rule are " -#| "domains with <quote>id_provider=files</quote> that always try to match " -#| "the behaviour of nss_files and therefore their output is not qualified " -#| "even when the default_domain_suffix option is used." msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -768,11 +749,12 @@ msgstr "" "користувача — користувач@назва.домену. Встановлення цього параметра змінює " "типове значення параметра use_fully_qualified_names на True. Цей параметр не " "можна використовувати у поєднанні із встановленням для параметра " -"use_fully_qualified_names значення False. Єдиним виключенням з цього правила " -"є домени із <quote>id_provider=files</quote>, для яких завжди виконується " -"спроба встановлення поведінки, як відповідає nss_files, а отже, виведені " -"імена для них не будуть повними, навіть якщо використано параметр " -"default_domain_suffix." +"use_fully_qualified_names значення False. <phrase condition=" +"\"with_files_provider\">Єдиним виключенням з цього правила є домени із " +"<quote>id_provider=files</quote>, для яких завжди виконується спроба " +"встановлення поведінки, як відповідає nss_files, а отже, виведені імена для " +"них не будуть повними, навіть якщо використано параметр " +"default_domain_suffix.</phrase>" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:468 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888 
@@ -1087,21 +1069,6 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:672 -#, fuzzy -#| msgid "" -#| "Please, note that when this option is set the output format of all " -#| "commands is always fully-qualified even when using short names for input, " -#| "for all users but the ones managed by the files provider. In case the " -#| "administrator wants the output not fully-qualified, the full_name_format " -#| "option can be used as shown below: <quote>full_name_format=%1$s</quote> " -#| "However, keep in mind that during login, login applications often " -#| "canonicalize the username by calling <citerefentry> " -#| "<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </" -#| "citerefentry> which, if a shortname is returned for a qualified input " -#| "(while trying to reach a user which exists in multiple domains) might re-" -#| "route the login attempt into the domain which uses shortnames, making " -#| "this workaround totally not recommended in cases where usernames may " -#| "overlap between domains." msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input <phrase " 
@@ -1119,15 +1086,16 @@ msgid "" msgstr "" "Будь ласка, зауважте, що якщо встановлено цей параметр, для виведення даних " "усіма командами використовуватиметься повний формат, навіть якщо у вхідних " -"даних були скорочені назви для усіх користувачів, окрім тих, які керуються " -"засобом надання даних файлів. Якщо адміністратору потрібні скорочені дані у " -"виведенні, параметр full_name_format можна використати так: " +"даних були скорочені назви для усіх користувачів<phrase condition=" +"\"with_files_provider\">, окрім тих, які керуються засобом надання даних " +"файлів</phrase>. Якщо адміністратору потрібні скорочені дані у виведенні, " +"параметр full_name_format можна використати так: " "<quote>full_name_format=%1$s</quote> Втім, слід пам'ятати, що під час входу " "до облікового запису програми часто перетворюють ім'я користувача до " "канонічної форми, викликаючи програму <citerefentry> " "<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </" -"citerefentry>, яка, якщо повернуто скорочену назву для повних вхідних даних " -"(під час спроби обробки даних користувача, запис якого існує у декількох " +"citerefentry>, яка, якщо повернуто скорочену назву для повних вхідних даних (" +"під час спроби обробки даних користувача, запис якого існує у декількох " "доменах) може переспрямувати спробу входу до домену, де використовуються " "скорочені назви, і знівелює цей обхідний маневр, якщо імена користувачів у " "різних доменах можуть бути однаковими." 
@@ -1174,17 +1142,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:734 -#, fuzzy -#| msgid "pam_cert_verification (string)" msgid "passkey_verification (string)" -msgstr "pam_cert_verification (рядок)" +msgstr "passkey_verification (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:742 -#, fuzzy -#| msgid "pam_cert_verification (string)" msgid "user_verification (boolean)" -msgstr "pam_cert_verification (рядок)" +msgstr "user_verification (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:744 @@ -1192,6 +1156,8 @@ msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication." msgstr "" +"Увімкнути або вимкнути перевірку користувачів (тобто PIN, відбиток) під час " +"розпізнавання." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:749 
@@ -1200,21 +1166,19 @@ msgid "" "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" +"Типовою є ситуація, коли поведінка визначається параметрами ключів. У " +"випадку попереднього розпізнавання IPA або kerberos, це значення буде " +"перезаписано сервером." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:737 -#, fuzzy -#| msgid "" -#| "With this parameter the certificate verification can be tuned with a " -#| "comma separated list of options. Supported options are: <placeholder " -#| "type=\"variablelist\" id=\"0\"/>" msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" "За допомогою цього параметра можна виконати тонке налаштовування перевірки " -"сертифікатів на основі списку параметрів, відокремлених комами. Підтримувані " +"ключа на основі списку параметрів, відокремлених комами. Підтримувані " "параметри: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><para> 
@@ -2091,20 +2055,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1373 -#, fuzzy -#| msgid "" -#| "Default: <quote>not set</quote> (remote domains), <quote>x</quote> (the " -#| "files domain), <quote>x</quote> (proxy domain with nss_files and sssd-" -#| "shadowutils target)" msgid "" "Default: <quote>not set</quote> (remote domains), <phrase " "condition=\"with_files_provider\"> <quote>x</quote> (the files domain), </" "phrase> <quote>x</quote> (proxy domain with nss_files and sssd-shadowutils " "target)" msgstr "" -"Типове значення: <quote>не встановлено</quote> (віддалені домени) або " -"<quote>x</quote> (файловий домен), <quote>x</quote> (проміжний домен із цілі " -"nss_files і sssd-shadowutils)" +"Типове значення: <quote>не встановлено</quote> (віддалені домени) <phrase " +"condition=\"with_files_provider\">або <quote>x</quote> (файловий домен), </" +"phrase> <quote>x</quote> (проміжний домен із цілі nss_files і sssd-" +"shadowutils)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1385 @@ -2543,15 +2503,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1680 -#, fuzzy -#| msgid "pam_cert_auth (bool)" msgid "pam_passkey_auth (bool)" -msgstr "pam_cert_auth (булеве значення)" +msgstr "pam_passkey_auth (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1683 msgid "Enable passkey device based authentication." -msgstr "" +msgstr "Увімкнути розпізнавання на основі пристрою ключа." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1686 sssd.conf.5.xml:1697 sssd.conf.5.xml:1711 
@@ -2564,12 +2522,12 @@ msgstr "Типове значення: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1691 msgid "passkey_debug_libfido2 (bool)" -msgstr "" +msgstr "passkey_debug_libfido2 (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1694 msgid "Enable libfido2 library debug messages." -msgstr "" +msgstr "Увімкнути діагностичні повідомлення бібліотеки libfido2." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1702 @@ -2665,20 +2623,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1771 -#, fuzzy -#| msgid "p11_child_timeout (integer)" msgid "passkey_child_timeout (integer)" -msgstr "p11_child_timeout (ціле число)" +msgstr "passkey_child_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1774 -#, fuzzy -#| msgid "How many seconds will pam_sss wait for p11_child to finish." msgid "" "How many seconds will the PAM responder wait for passkey_child to finish." msgstr "" -"Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи " -"p11_child." +"Час у секундах, протягом якого відповідач PAM очікуватиме на завершення " +"роботи passkey_child." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1783 
@@ -4319,13 +4273,10 @@ msgstr "cache_credentials (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2930 -#, fuzzy -#| msgid "" -#| "Determines if user credentials are also cached in the local LDB cache" msgid "Determines if user credentials are also cached in the local LDB cache." msgstr "" "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному " -"кеші LDB" +"кеші LDB." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2934 @@ -4335,6 +4286,10 @@ msgid "" "get access to a cache file (normally requires privileged access) and to " "break a password using brute force attack." msgstr "" +"Зауважте, що хоча реєстраційні дані зберігаються у форматі додатково " +"шифрованого хешу SHA512, це потенційний ризик порушення захисту, якщо " +"нападнику вдасться отримати доступ до файла кешу (зазвичай, це потребує " +"додаткових прав доступу) і визначить пароль за допомогою простого перебору." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2948 
@@ -5144,20 +5099,13 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3552 -#, fuzzy -#| msgid "" -#| "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" -#| "\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -#| "P<name>[^@\\\\]+)$))</quote> which allows three different styles " -#| "for user names:" msgid "" "Default: <quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>" "[^@]+))$</quote> which allows two different styles for user names:" msgstr "" -"Типовий для засобів надання AD і IPA: <quote>(((?P<domain>[^\\\\]+)\\" -"\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -"P<name>[^@\\\\]+)$))</quote> За його допомогою можна визначати три " -"різні стилі запису імен користувачів:" +"Типове значення: " +"<quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$</" +"quote>, що дозволяє два різних стилі імен користувачів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3557 sssd.conf.5.xml:3571 
@@ -5171,22 +5119,16 @@ msgstr "користувач@назва.домену" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3565 -#, fuzzy -#| msgid "" -#| "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" -#| "\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -#| "P<name>[^@\\\\]+)$))</quote> which allows three different styles " -#| "for user names:" msgid "" "Default for the AD and IPA provider: <quote>^(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<" "name>[^@\\\\]+)))$</quote> which allows three different styles for user " "names:" msgstr "" -"Типовий для засобів надання AD і IPA: <quote>(((?P<domain>[^\\\\]+)\\" -"\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?" -"P<name>[^@\\\\]+)$))</quote> За його допомогою можна визначати три " -"різні стилі запису імен користувачів:" +"Типовий для засобів надання AD і IPA: <quote>^(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<na" +"me>[^@\\\\]+)))$</quote> За його допомогою можна визначати три різні " +"стилі запису імен користувачів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3577 
@@ -5211,6 +5153,11 @@ msgid "" "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" +"У типовому re_expression використано символ <quote>@</quote> як роздільник " +"між іменем і доменом. У результаті використання цього параметра типово " +"неможливо використовувати символ <quote>@</quote> у коротких іменах (як це " +"дозволено у назвах груп Windows). Якщо користувач хоче використати коротке " +"ім'я з <quote>@</quote>, йому слід скорити власний re_expression." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3637 @@ -6448,10 +6395,8 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4449 -#, fuzzy -#| msgid "[prompting/password]" msgid "[prompting/passkey]" -msgstr "[prompting/password]" +msgstr "[prompting/passkey]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4455 sssd-ad.5.xml:1021 
@@ -6465,25 +6410,24 @@ msgid "" "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" +"булеве значення, якщо True, надіслати запит і зачекати, перш ніж перевірити " +"наявність пристрою ключа. Рекомендовано, якщо ваш пристрій не має " +"тактильного перемикача." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4465 -#, fuzzy -#| msgid "interactive" msgid "interactive_prompt" -msgstr "interactive" +msgstr "interactive_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4467 -#, fuzzy -#| msgid "to change the string of the password prompt" msgid "to change the message of the interactive prompt." -msgstr "для зміни рядка запиту пароля" +msgstr "для зміни повідомлення інтерактивного запиту." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4472 msgid "touch" -msgstr "" +msgstr "touch" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4474 
@@ -6491,42 +6435,30 @@ msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" +"булеве значення, якщо True, надіслати повідомлення для нагадування " +"користувачеві щодо потреби торкнутися пристрою." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4480 -#, fuzzy -#| msgid "first_prompt" msgid "touch_prompt" -msgstr "first_prompt" +msgstr "touch_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4482 -#, fuzzy -#| msgid "to change the string of the password prompt" msgid "to change the message of the touch prompt." -msgstr "для зміни рядка запиту пароля" +msgstr "для зміни повідомлення запиту щодо торкання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4451 -#, fuzzy -#| msgid "" -#| "to configure two-factor authentication prompting, allowed options are: " -#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" "to configure passkey authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"для налаштовування запиту щодо двофакторного розпізнавання; дозволені " -"параметри: <placeholder type=\"variablelist\" id=\"0\"/>" +"для налаштовування запиту щодо розпізнавання за ключем; дозволені параметри: " +"<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4402 -#, fuzzy -#| msgid "" -#| "Each supported authentication method has its own configuration subsection " -#| "under <quote>[prompting/...]</quote>. 
Currently there are: <placeholder " -#| "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" " -#| "id=\"1\"/>" msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " @@ -6535,8 +6467,8 @@ msgid "" msgstr "" "У кожного з підтримуваних способів розпізнавання є власний підрозділ " "налаштувань у <quote>[prompting/...]</quote>. У поточній версії це: " -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder " -"type=\"variablelist\" id=\"1\"/>" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/><placeholder type=\"variablelist\" id=\"2\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4493 @@ -6650,16 +6582,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4550 -#, fuzzy, no-wrap -#| msgid "" -#| "[certmap/my.domain/rule_name]\n" -#| "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" -#| "maprule = (userCertificate;binary={cert!bin})\n" -#| "domains = my.domain, your.domain\n" -#| "priority = 10\n" -#| "\n" -#| "[certmap/files/myname]\n" -#| "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" +#, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" 
@@ -6672,22 +6595,9 @@ msgstr "" "maprule = (userCertificate;binary={cert!bin})\n" "domains = my.domain, your.domain\n" "priority = 10\n" -"\n" -"[certmap/files/myname]\n" -"matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4544 -#, fuzzy -#| msgid "" -#| "3. The following example shows the configuration for two certificate " -#| "mapping rules. The first is valid for the configured domain <quote>my." -#| "domain</quote> and additionally for the subdomains <quote>your.domain</" -#| "quote> and uses the full certificate in the search filter. The second " -#| "example is valid for the domain <quote>files</quote> where it is assumed " -#| "the files provider is used for this domain and contains a matching rule " -#| "for the local user <quote>myname</quote>. <placeholder " -#| "type=\"programlisting\" id=\"0\"/>" msgid "" "3. The following example shows the configuration of a certificate mapping " "rule. It is valid for the configured domain <quote>my.domain</quote> and " 
@@ -6695,14 +6605,11 @@ msgid "" "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" -"3. У наведеному нижче прикладі показано налаштування для двох правил " -"пов'язування сертифікатів. Перше є чинним для налаштованого домену <quote>my." -"domain</quote> і, додатково, для піддоменів <quote>your.domain</quote> і " -"використовує повний сертифікат у фільтрі пошуку. Другий приклад є чинним для " -"домену <quote>files</quote>, де припускається, що для цього домену " -"використовується засіб надання даних файлів, і містить правило відповідності " -"для локального користувача <quote>myname</quote>. <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"3. У наведеному нижче прикладі показано налаштування правила пов'язування " +"сертифікатів. Воно є чинним для налаштованого домену <quote>my.domain</" +"quote> і, додатково, для піддоменів <quote>your.domain</quote> і " +"використовує повний сертифікат у фільтрі пошуку.<placeholder type=" +"\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 
@@ -8586,16 +8493,18 @@ msgid "" "The difference between these options is the action taken if user password is " "expired:" msgstr "" +"Відмінність між цими варіантами полягає у дії, яку буде виконано, якщо строк " +"дії пароля буде вичерпано:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1467 sssd-ipa.5.xml:374 msgid "pwd_expire_policy_reject - user is denied to log in," -msgstr "" +msgstr "pwd_expire_policy_reject — користувачу заборонено входити," #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1473 sssd-ipa.5.xml:380 msgid "pwd_expire_policy_warn - user is still able to log in," -msgstr "" +msgstr "pwd_expire_policy_warn — користувачу можна входити," #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1479 sssd-ipa.5.xml:386 @@ -8603,6 +8512,8 @@ msgid "" "pwd_expire_policy_renew - user is prompted to change their password " "immediately." msgstr "" +"pwd_expire_policy_renew — програма попросить користувача негайно змінити " +"пароль." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1487 
@@ -12063,21 +11974,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:62 -#, fuzzy -#| msgid "" -#| "As an access provider, the IPA provider uses HBAC (host-based access " -#| "control) rules. Please refer to freeipa.org for more information about " -#| "HBAC. No configuration of access provider is required on the client side." msgid "" "As an access provider, the IPA provider has a minimal configuration (see " "<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access " "control) rules. Please refer to freeipa.org for more information about HBAC." msgstr "" -"Як інструмент надання доступу, інструмент надання даних IPA для керування " -"доступом використовує правила HBAC (host-based access control або керування " -"доступом на основі даних щодо вузлів). Докладнішу інформацію щодо HBAC можна " -"отримати на сайті freeipa.org. У налаштуванні керування доступом на боці " -"клієнта немає потреби." +"Як інструмент надання доступу, інструмент надання даних IPA має мінімальні " +"налаштування (див. <quote>ipa_access_order</quote>), оскільки в основному " +"використовує для керування доступом використовує правила HBAC (host-based " +"access control або керування доступом на основі даних щодо вузлів). " +"Докладнішу інформацію щодо HBAC можна отримати на сайті freeipa.org." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:68 
@@ -12462,33 +12368,24 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:348 -#, fuzzy -#| msgid "ldap_access_order (string)" msgid "ipa_access_order (string)" -msgstr "ldap_access_order (рядок)" +msgstr "ipa_access_order (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:355 -#, fuzzy -#| msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy." msgstr "" -"<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy" +"<emphasis>expire</emphasis>: використовувати правила строку дії облікового " +"запису IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:394 -#, fuzzy -#| msgid "" -#| "Please note that 'access_provider = ldap' must be set for this feature to " -#| "work. Also 'ldap_pwd_policy' must be set to an appropriate password " -#| "policy." msgid "" "Please note that 'access_provider = ipa' must be set for this feature to " "work." msgstr "" "Будь ласка, зауважте, що для того, щоб цим можна було скористатися, слід " -"встановити «access_provider = ldap». Крім того, слід встановити для " -"параметра «ldap_pwd_policy» відповідні правила поводження із паролями." +"встановити «access_provider = ipa»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:401 
@@ -13440,11 +13337,6 @@ msgstr "ad_enabled_domains (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:161 -#, fuzzy -#| msgid "" -#| "A comma-separated list of enabled Active Directory domains. If provided, " -#| "SSSD will ignore any domains not listed in this option. If left unset, " -#| "all domains from the AD forest will be available." msgid "" "A comma-separated list of enabled Active Directory domains. If provided, " "SSSD will ignore any domains not listed in this option. If left unset, all " @@ -13453,7 +13345,7 @@ msgstr "" "Список дозволених доменів Active Directory, відокремлених комами. Якщо " "вказано, SSSD ігноруватиме будь-які домени, яких немає у списку цього " "параметра. Якщо значення параметра не встановлено, доступними будуть усі " -"домени з лісу AD." +"виявлені домени з лісу AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:168 @@ -13463,6 +13355,10 @@ msgid "" "are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " "listed domains." msgstr "" +"Під час виявлення доменів SSSD відфільтрує домени, де прапорці або атрибути " +"вказуватимуть на те, що вони не належать до локального лісу або не є " +"довіреними. Якщо встановлено ad_enabled_domains, SSSD спробує увімкнути усі " +"домени зі списку." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:179 
@@ -18182,22 +18078,16 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:58 -#, fuzzy -#| msgid "" -#| "Please note that some distributions enable the files domain " -#| "automatically, prepending the domain before any explicitly configured " -#| "domains. See enable_files_domain in <citerefentry> <refentrytitle>sssd." -#| "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgid "" "Please note that besides explicit domain definition the files provider can " "be configured also implicitly using 'enable_files_domain' option. See " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details." msgstr "" -"Будь ласка, зауважте, що у деяких дистрибутивах домен files увімкнено " -"автоматично, оскільки цей домен додано до будь-якого із явно визначених " -"доменів. Див. enable_files_domain у <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Будь ласка, зауважте, що окрім явного визначення домену надавач файлів можна " +"налаштувати неявно за допомогою параметра «enable_files_domain». Див. " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:66 
@@ -20351,24 +20241,20 @@ msgstr "Типове значення: mail" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:640 -#, fuzzy -#| msgid "ldap_user_name (string)" msgid "ldap_user_passkey (string)" -msgstr "ldap_user_name (рядок)" +msgstr "ldap_user_passkey (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:643 -#, fuzzy -#| msgid "Name of the LDAP attribute containing the email address of the user." msgid "" "Name of the LDAP attribute containing the passkey mapping data of the user." -msgstr "" -"Назва атрибута LDAP, який містить адресу електронної пошти користувача." +msgstr "Назва атрибута LDAP, який містить дані прив'язки ключа користувача." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:647 msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" msgstr "" +"Типове значення: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:657 @@ -20403,6 +20289,10 @@ msgid "" "name for every group. This requirement includes non-POSIX groups in the tree " "of nested groups." msgstr "" +"Атрибут LDAP, який відповідає назві групи. У середовищі із вкладеними " +"групами, цим значенням має бути атрибут LDAP, який має унікальну назву для " +"кожної групи. Ця вимога стосується і несумісних із POSIX груп у ієрархії " +"вкладених груп." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:684 
@@ -22317,43 +22207,6 @@ msgstr "" #. type: Content of: <refsect1><para> #: include/seealso.xml:4 -#, fuzzy -#| msgid "" -#| "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</" -#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sssd-files</" -#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -#| "condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " -#| "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " -#| "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" -#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>, <citerefentry> <refentrytitle>sss_seed</" -#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" -#| "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> " -#| "<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " -#| "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -#| 
"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " -#| "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -#| "manvolnum> </citerefentry>, </phrase> <citerefentry> " -#| "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" -#| "citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase " -#| "condition=\"with_stap\"> <citerefentry> <refentrytitle>sssd-systemtap</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>" msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" 
@@ -22394,27 +22247,31 @@ msgid "" "citerefentry> </phrase>" msgstr "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd-files</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -"condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ldap-" +"attributes</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-" +"simple</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-" +"ad</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " +"condition=\"with_files_provider\"> <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, </phrase> " +"<phrase condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " "<citerefentry> 
<refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> " +"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> " "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sss_seed</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" 
@@ -22422,12 +22279,12 @@ msgstr "" "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" -"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " -"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " -"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> </phrase>" +"manvolnum> </citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> <phrase condition=\"with_stap\"> " +"<citerefentry> <refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> </phrase>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 From 06d6e270201885e38168369dcc8854346283ce22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com> Date: Fri, 23 Jun 2023 15:25:08 +0200 Subject: [PATCH 38/51] pot: update pot files --- src/man/po/sssd-docs.pot | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot index 19368c3aa67..4d41f2e2a9e 100644 --- a/src/man/po/sssd-docs.pot +++ b/src/man/po/sssd-docs.pot @@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: sssd-docs 2.9.0\n" +"Project-Id-Version: sssd-docs 2.10.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2023-05-05 10:09+0200\n" +"POT-Creation-Date: 2023-06-23 15:24+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
From 0171bcb0663093b4d66774bf18404b76eaab9a85 Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar <sgadekar@redhat.com> Date: Tue, 27 Jun 2023 00:07:59 +0530 Subject: [PATCH 39/51] Test: gating sssd after crash Using new authentication module for ssh login instead of existing one Reviewed-by: Anuj Borah <aborah@redhat.com> --- src/tests/multihost/alltests/test_misc.py | 37 ++++------------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/src/tests/multihost/alltests/test_misc.py b/src/tests/multihost/alltests/test_misc.py index 95fc2728fc6..45da9718a5e 100644 --- a/src/tests/multihost/alltests/test_misc.py +++ b/src/tests/multihost/alltests/test_misc.py @@ -15,6 +15,7 @@ from sssd.testlib.common.expect import pexpect_ssh from datetime import datetime as D_T from sssd.testlib.common.exceptions import SSHLoginException +from sssd.testlib.common.ssh2_python import check_login_client from sssd.testlib.common.utils import sssdTools, LdapOperations from constants import ds_instance_name, ds_suffix, ds_rootdn, ds_rootpw 
@@ -133,41 +134,15 @@ def test_0003_sssd_crashes_after_update(self, multihost, client.sssd_conf(f'domain/{domain_name}', domain_params) client.sssd_conf("sssd", {'enable_files_domain': 'true'}, action='update') multihost.client[0].service_sssd('restart') - user = 'foo1@%s' % domain_name - client = pexpect_ssh(multihost.client[0].sys_hostname, user, - 'Secret1234', debug=False) - with pytest.raises(SSHLoginException): - client.login(login_timeout=10, - sync_multiplier=1, auto_prompt_reset=False) + user = f'foo1@{domain_name}' + check_login_client(multihost, user, "Secret123") time.sleep(2) - client = pexpect_ssh(multihost.client[0].sys_hostname, user, - 'Secret123', debug=False) - try: - client.login(login_timeout=30, - sync_multiplier=5, auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() - for _ in range(3): - client = pexpect_ssh(multihost.client[0].sys_hostname, user, - 'Secret1234', debug=False) - with pytest.raises(SSHLoginException): - client.login(login_timeout=10, - sync_multiplier=1, auto_prompt_reset=False) + check_login_client(multihost, user, "Secret123") time.sleep(2) - client = pexpect_ssh(multihost.client[0].sys_hostname, user, - 'Secret123', debug=False) - try: - client.login(login_timeout=30, - sync_multiplier=5, auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() + check_login_client(multihost, user, "Secret123") time.sleep(2) - cmd_id = 'id %s' % user + cmd_id = f'id {user}' cmd = multihost.client[0].run_command(cmd_id) if "no such user" in cmd.stdout_text: status = "FAIL" From 56741208742e54228570057eb0b85927f1f7edb8 Mon Sep 17 00:00:00 2001 
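Review bot: The rewritten sequence in `test_0003_sssd_crashes_after_update` performs only successful logins with `Secret123`; every attempt with the wrong password `Secret1234` that the old code expected to fail was dropped rather than ported. If the regression this test guards was reached through the failed-authentication path, the test would no longer exercise it. Keeping at least one negative attempt would preserve that coverage, for example `with pytest.raises(Exception):` followed by `check_login_client(multihost, user, "Secret1234")`, the pattern the deny tests in test_proxy_rfc2307.py use. The function starts before this hunk and continues after it.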
From: aborah <aborah@redhat.com> Date: Mon, 26 Jun 2023 13:09:17 +0530 Subject: [PATCH 40/51] Tests: Fix alltest tier1_3 tests with new ssh module Fix alltest tier1_3 tests with new ssh module Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com> --- .../alltests/test_ldap_password_policy.py | 2 +- .../multihost/alltests/test_proxy_rfc2307.py | 117 +++--------------- 2 files changed, 16 insertions(+), 103 deletions(-) diff --git a/src/tests/multihost/alltests/test_ldap_password_policy.py b/src/tests/multihost/alltests/test_ldap_password_policy.py index 7b42e22d36f..b24edc60185 100644 --- a/src/tests/multihost/alltests/test_ldap_password_policy.py +++ b/src/tests/multihost/alltests/test_ldap_password_policy.py @@ -172,7 +172,7 @@ def test_maxage(multihost, backupsssdconf, common_sssd_setup): ldap_modify_ds(multihost, ldap.MOD_REPLACE, user_dn, 'userPassword', [b'Secret123']) client.run_command('> /var/log/secure') tools.clear_sssd_cache() - client.run_command('sh /tmp/change_user_password_while_expired.sh') + client.run_command('sh /tmp/change_user_password_while_expired.sh', raiseonerr=False) time.sleep(3) file_scure = '/var/log/secure' file_ssd = f'/var/log/sssd/sssd_{ds_instance_name}.log' diff --git a/src/tests/multihost/alltests/test_proxy_rfc2307.py b/src/tests/multihost/alltests/test_proxy_rfc2307.py index dbcdfbbb88f..dec329d8ad4 100644 --- a/src/tests/multihost/alltests/test_proxy_rfc2307.py +++ b/src/tests/multihost/alltests/test_proxy_rfc2307.py @@ -10,8 +10,7 @@ import subprocess import time from sssd.testlib.common.utils import sssdTools, LdapOperations -from sssd.testlib.common.exceptions import SSHLoginException -from sssd.testlib.common.expect import pexpect_ssh +from sssd.testlib.common.ssh2_python import check_login_client from constants import ds_suffix, ds_instance_name 
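Review bot: In `test_maxage`, adding `raiseonerr=False` to the `change_user_password_while_expired.sh` call means a script that is missing or fails for an unrelated reason is now silently accepted. If a non-zero exit is the expected result, say so next to the call, e.g. `# exits non-zero by design; the outcome is checked in the logs read below`, or keep the returned object and assert on its return code. The log checks themselves lie outside this hunk, so this assumes they are what decides the test.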
@@ -136,16 +135,8 @@ def test_lookup_user_group(self, multihost, backupsssdconf): "getent group User_CS1_grp1_Alias | grep User_CS1_grp1", "getent group User_CS1_grp1_Alias | grep User_CS1"]: execute_cmd(multihost, i) - client_hostip = multihost.client[0].ip for user in ['User_CS1', 'User_CS1_Alias']: - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() + check_login_client(multihost, user, "Secret123") for i in ["getent passwd user_cs1", "getent passwd user_cs1_alias", "getent group user_cs1_grp1", @@ -198,11 +189,8 @@ def test_simple_deny_groups_user_cs1_grp1(self, multihost, backupsssdconf): "id User_CS1", "> /var/log/secure"]: execute_cmd(multihost, i) - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) with pytest.raises(Exception): - client.login(login_timeout=10, sync_multiplier=1, - auto_prompt_reset=False) + check_login_client(multihost, "User_CS1", "Secret123") time.sleep(3) execute_cmd(multihost, 'cat /var/log/secure | grep -i "Access denied for user User_CS1"') @@ -227,15 +215,7 @@ def test_simple_deny_groups_user_cs_grp1(self, multihost, backupsssdconf): tools.clear_sssd_cache() for i in ["getent passwd User_CS1", "id User_CS1"]: execute_cmd(multihost, i) - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1") - else: - client.logout() + check_login_client(multihost, "User_CS1", "Secret123") def test_simple_deny_users_user_CS1(self, multihost, backupsssdconf): """ 
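Review bot: In `test_simple_deny_groups_user_cs1_grp1` the denied login is asserted with `pytest.raises(Exception)` around `check_login_client`, so any failure of the helper, including a connection problem, satisfies the check as well as an access-control rejection would. The grep for `Access denied for user User_CS1` in /var/log/secure that follows is what proves the denial. A comment such as `# any exception passes here; the /var/log/secure grep below confirms it was an access denial` would make that dependency explicit, or the block could expect only the exception the helper raises for a rejected login (its definition is not on this page). The same pattern appears in `test_simple_deny_users_user_CS1` and in both `test_case_sensitive_false_deny_*` tests.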
@@ -260,11 +240,8 @@ def test_simple_deny_users_user_CS1(self, multihost, backupsssdconf): "id User_CS1", "> /var/log/secure"]: execute_cmd(multihost, i) - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) with pytest.raises(Exception): - client.login(login_timeout=10, sync_multiplier=1, - auto_prompt_reset=False) + check_login_client(multihost, "User_CS1", "Secret123") time.sleep(3) execute_cmd(multihost, 'cat /var/log/secure | grep -i "Access denied for user User_CS1"') @@ -286,15 +263,7 @@ def test_simple_deny_users_user_cs1(self, multihost, backupsssdconf): 'simple_deny_users': 'user_cs1'} tools.sssd_conf('domain/' + domain_name, domain_params) tools.clear_sssd_cache() - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1") - else: - client.logout() + check_login_client(multihost, "User_CS1", "Secret123") def test_bz1007381(self, multihost, backupsssdconf): """ @@ -441,15 +410,7 @@ def test_fully_qualified_names(self, multihost, backupsssdconf): "getent group User_CS1_grp1@example1", "id User_CS1@example1"]: execute_cmd(multihost, command) - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1@example1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1@example1") - else: - client.logout() + check_login_client(multihost, "User_CS1@example1", "Secret123") def test_min_id_max_id(self, multihost, backupsssdconf): """ 
@@ -518,16 +479,8 @@ def test_case_sensitive_false_lookup_user_group(self, multihost, backupsssdconf) "id User_cs1 | grep user_cs1_grp1", "id user_cs1_Alias | grep user_cs1_grp1"]: execute_cmd(multihost, command) - client_hostip = multihost.client[0].ip for user in ['user_cs1', 'user_cs1_alias']: - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() + check_login_client(multihost, user, "Secret123") def test_case_sensitive_false_deny_users_user_cs1(self, multihost, backupsssdconf): """ @@ -543,7 +496,6 @@ def test_case_sensitive_false_deny_users_user_cs1(self, multihost, backupsssdcon sssd_params = {'domains': ds_instance_name} tools.sssd_conf('sssd', sssd_params) domain_name = tools.get_domain_section_name() - client_hostip = multihost.client[0].ip domain_params = {'case_sensitive': 'false', 'access_provider': 'simple', 'simple_deny_users': 'user_cs1'} 
@@ -551,24 +503,15 @@ def test_case_sensitive_false_deny_users_user_cs1(self, multihost, backupsssdcon tools.clear_sssd_cache() for user in ['User_cs1', 'user_cs1_alias']: execute_cmd(multihost, "> /var/log/secure") - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) with pytest.raises(Exception): - client.login(login_timeout=10, sync_multiplier=1, - auto_prompt_reset=False) + check_login_client(multihost, user, "Secret123") time.sleep(3) execute_cmd(multihost, f'cat /var/log/secure | grep "Access denied for user {user}"') execute_cmd(multihost, "> /var/log/secure") execute_cmd(multihost, "sed -i 's/user_cs1/user_cs1_alias/' /etc/sssd/sssd.conf") tools.clear_sssd_cache() for user in ['user_cs1', 'user_cs1_alias']: - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() + check_login_client(multihost, user, "Secret123") def test_case_sensitive_false_deny_groups_user_cs1_grp1(self, multihost, backupsssdconf): """ @@ -580,7 +523,6 @@ def test_case_sensitive_false_deny_groups_user_cs1_grp1(self, multihost, backups 1. Should succeed """ config_sssd(multihost) - client_hostip = multihost.client[0].ip tools = sssdTools(multihost.client[0]) sssd_params = {'domains': ds_instance_name} tools.sssd_conf('sssd', sssd_params) 
@@ -593,24 +535,15 @@ def test_case_sensitive_false_deny_groups_user_cs1_grp1(self, multihost, backups tools.clear_sssd_cache() for user in ['User_cs1', 'user_cs1_alias']: execute_cmd(multihost, "> /var/log/secure") - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) with pytest.raises(Exception): - client.login(login_timeout=10, sync_multiplier=1, - auto_prompt_reset=False) + check_login_client(multihost, user, "Secret123") time.sleep(3) execute_cmd(multihost, f'cat /var/log/secure | grep -i "Access denied for user {user}"') execute_cmd(multihost, "> /var/log/secure") execute_cmd(multihost, "sed -i 's/user_cs1_grp1/user_cs1_grp1_alias/' /etc/sssd/sssd.conf") tools.clear_sssd_cache() for user in ['user_cs1', 'user_cs1_alias']: - client = pexpect_ssh(client_hostip, user, 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % user) - else: - client.logout() + check_login_client(multihost, user, "Secret123") def test_outgoing_ldaps(self, multihost, backupsssdconf): """ 
@@ -638,32 +571,12 @@ def test_outgoing_ldaps(self, multihost, backupsssdconf): domain_params = {'access_provider': 'simple', 'cache_credentials': "true"} tools.sssd_conf('domain/' + domain_name, domain_params) tools.clear_sssd_cache() - client_hostip = multihost.client[0].ip - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, - auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1") - else: - client.logout() + check_login_client(multihost, "User_CS1", "Secret123") # block master server multihost.client[0].run_command('iptables -A OUTPUT -p tcp --match multiport --dport 389,636') time.sleep(5) - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1") - else: - client.logout() + check_login_client(multihost, "User_CS1", "Secret123") # unblock master server multihost.client[0].run_command("iptables -D OUTPUT -p tcp --match multiport --dport 389,636") time.sleep(5) - client = pexpect_ssh(client_hostip, "User_CS1", 'Secret123', debug=False) - try: - client.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False) - except SSHLoginException: - pytest.fail("%s failed to login" % "User_CS1") - else: - client.logout() + check_login_client(multihost, "User_CS1", "Secret123") From 7f94e5ca48a16270b0748d87719a807ab85c2ef0 Mon Sep 17 00:00:00 2001 From: aborah <aborah@redhat.com> Date: Mon, 26 Jun 2023 10:26:13 +0530 Subject: [PATCH 41/51] Tests: Fix IPA tire1_2 tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix IPA tire1_2 tests Reviewed-by: Jakub Vávra <jvavra@redhat.com> --- src/tests/multihost/ipa/test_misc.py | 52 ++++------------------------ 1 file changed, 6 insertions(+), 46 deletions(-) 
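Review bot: The step commented `# block master server` in `test_outgoing_ldaps` adds an iptables rule without a `-j` target, and a rule with no target only counts matching packets, so the login that follows would not be running against an unreachable LDAP server. These are unchanged context lines, but the simplified `check_login_client` call now relies on them to exercise `cache_credentials`. Adding a target to both commands, e.g. `'iptables -A OUTPUT -p tcp --match multiport --dport 389,636 -j DROP'` and the matching `-D ... -j DROP`, would make the offline login meaningful. The function begins before this hunk.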
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index d1e179d364f..a495e0ed170 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py @@ -16,6 +16,7 @@ import pytest from sssd.testlib.common.utils import sssdTools from sssd.testlib.common.exceptions import SSSDException +from sssd.testlib.common.ssh2_python import run_command_client @pytest.mark.usefixtures('default_ipa_users', 'reset_password') @@ -330,22 +331,10 @@ def test_authentication_indicators(multihost, backupsssdconf): multihost.client[0].run_command( f'su -l {user} -c "ipa sudorule-add-user testrule2 --users admin"', raiseonerr=False) - ssh_error = "" - ssh = pexpect.pxssh.pxssh( - options={"StrictHostKeyChecking": "no", - "UserKnownHostsFile": "/dev/null"}, timeout=600) - ssh.force_password = True - try: - ssh.login(multihost.client[0].ip, user, test_password) - ssh.sendline('sudo -l') - ssh.prompt(timeout=600) - ssh.logout() - except pexpect.pxssh.ExceptionPxssh: - ssh_error += "Could not login via ssh first time." - + run_command_client(multihost, user, test_password, "sudo -l") + time.sleep(3) search = multihost.client[0].run_command( 'fgrep gssapi_ /var/log/sssd/sssd_pam.log | tail -10') - domain_params = {'pam_gssapi_services': 'sudo, sudo-i', 'pam_gssapi_indicators_map': 'sudo-i:hardened'} client.sssd_conf('pam', domain_params) 
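Review bot: Both inline `run_command_client(multihost, user, test_password, "sudo -l")` calls in `test_authentication_indicators` can now abort the test before the PAM files are restored. The old code collected ssh failures in `ssh_error` and asserted only at the end, after the `cp -vf /etc/pam.d/sudo-i_indicators /etc/pam.d/sudo-i` restore shown in a later hunk. If the helper raises on a failed login (its definition is not on this page), the modified PAM and sssd settings would stay on the client for the tests that follow. Putting the steps between the configuration change and the restore inside `try:` / `finally:`, or moving the restore into a fixture, keeps the host clean whichever call fails. The function extends beyond these hunks.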
@@ -354,18 +343,7 @@ def test_authentication_indicators(multihost, backupsssdconf): multihost.client[0].run_command( f'su -l {user} -c "kinit admin"', stdin_text=test_password, raiseonerr=False) - - ssh = pexpect.pxssh.pxssh(options={"StrictHostKeyChecking": "no", - "UserKnownHostsFile": "/dev/null"}, - timeout=600) - ssh.force_password = True - try: - ssh.login(multihost.client[0].ip, user, test_password) - ssh.sendline('sudo -l') - ssh.prompt(timeout=600) - ssh.logout() - except pexpect.pxssh.ExceptionPxssh: - ssh_error += "\nCould not login via ssh second time." + run_command_client(multihost, user, test_password, "sudo -l") multihost.client[0].run_command( f'su -l {user} -c "klist"', raiseonerr=False) @@ -379,8 +357,6 @@ def test_authentication_indicators(multihost, backupsssdconf): 'cp -vf /etc/pam.d/sudo-i_indicators /etc/pam.d/sudo-i') search2 = multihost.client[0].run_command( 'fgrep gssapi_ /var/log/sssd/sssd_pam.log | tail -10') - - assert not ssh_error, ssh_error assert 'indicators: 0' in search.stdout_text assert 'indicators: 2' in search2.stdout_text 
@@ -443,24 +419,8 @@ def test_pass_krb5cname_to_pam(multihost, multihost.client[0].run_command( f'su -l {user} -c "sudo -S -l"', stdin_text=test_password, raiseonerr=False) - file_name = 'domain_list_' + str(time.time()) - ssh_error = "" - ssh = pexpect.pxssh.pxssh( - options={"StrictHostKeyChecking": "no", - "UserKnownHostsFile": "/dev/null"}, timeout=600) - ssh.force_password = True - try: - ssh.login(multihost.client[0].ip, user, test_password) - ssh.sendline(f'sudo -S /usr/sbin/sssctl domain-list > ' - f'/tmp/{file_name}') - ssh.expect(".*:", timeout=10) - ssh.sendline(test_password) - ssh.prompt(timeout=60) - ssh.logout() - except pexpect.pxssh.ExceptionPxssh: - ssh_error += "Could not login via ssh." - result = multihost.client[0].run_command(f"cat /tmp/{file_name}" - ).stdout_text + result = run_command_client(multihost, user, test_password, + 'echo -e "Secret123" | sudo -S /usr/sbin/sssctl domain-list') assert domain_name in result @staticmethod From f6bbd591d636e4309ec37659f825b0f9c53d4b6b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 20:56:14 +0200 Subject: [PATCH 42/51] KRB5: avoid another attempt to free 'cc' in 'done:' section if first attempt failed. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_ccache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c index 5b80fec52c8..72c3a23de35 100644 --- a/src/providers/krb5/krb5_ccache.c +++ b/src/providers/krb5/krb5_ccache.c 
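Review bot: The new command in `test_pass_krb5cname_to_pam` hardcodes `Secret123` as the input to `sudo -S`, while the login in the same call uses `test_password`, so the two can drift apart if the fixture password changes. Building the command from the variable keeps them in step: `f'echo "{test_password}" | sudo -S /usr/sbin/sssctl domain-list'`. The function starts before this hunk.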
@@ -637,12 +637,12 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name, krb5_free_cred_contents(ctx, &cred); kerr = krb5_cc_close(ctx, cc); + cc = NULL; if (kerr != 0) { KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr); DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_close failed.\n"); goto done; } - cc = NULL; kerr = 0; From ff5096bb766765e45aaad156285a603a21aa1bc8 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 21:29:40 +0200 Subject: [PATCH 43/51] KRB5: use proper function to deallocate mem MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_ccache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c index 72c3a23de35..20d932e535c 100644 --- a/src/providers/krb5/krb5_ccache.c +++ b/src/providers/krb5/krb5_ccache.c @@ -781,7 +781,7 @@ krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, talloc_free(mem_name); } - free(ccache_name); + krb5_free_string(kctx, ccache_name); krb5_free_principal(kctx, princ); if (krb5_cc_close(kctx, ccache) != 0) { From 7f308c6fe01408fa6beb48b9f7627068968da771 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 21:46:08 +0200 Subject: [PATCH 44/51] KRB5: avoid FORWARD_NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_ccache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c index 20d932e535c..88f75a8d824 100644 --- a/src/providers/krb5/krb5_ccache.c +++ b/src/providers/krb5/krb5_ccache.c 
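Review bot: Nothing in `get_ccache_file_data` records why `cc = NULL;` now precedes the `kerr` check, so the ordering looks accidental and could be moved back during a later cleanup. Going by the commit message, the intent is that `done:` must not try to release `cc` a second time when the close failed. A one-line comment would protect that, e.g. `/* cc must not be closed again in done:, even if krb5_cc_close() failed */`. The `done:` section lies outside this hunk.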
@@ -788,7 +788,7 @@ krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); } - if (krb5_cc_close(kctx, mem_ccache) != 0) { + if ((mem_ccache != NULL) && (krb5_cc_close(kctx, mem_ccache) != 0)) { DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); } From b69ff375a2b185219bae91c48aa7bfb3138b98f2 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 21:53:28 +0200 Subject: [PATCH 45/51] KRB5: fix memory leak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_child.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index f69cd6d54a8..774b47e3a25 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1400,6 +1400,9 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) /* FIXME: should we krb5_cc_destroy in case of error? */ krb5_cc_close(kctx, kcc); } + + krb5_free_context(kctx); + return kerr; } From 75822701770179582c344960603cce8bd54a7890 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 21:56:13 +0200 Subject: [PATCH 46/51] KRB5: fix memory leak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_child.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 774b47e3a25..158831198be 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c 
@@ -1854,6 +1854,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) if (kerr != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \ "not verifying TGT.\n", kr->keytab); + krb5_kt_close(kr->ctx, keytab); return kerr; } From a83be8fb51172d4e1a282a0a078d81ee93afdcb5 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Mon, 19 Jun 2023 22:03:43 +0200 Subject: [PATCH 47/51] KRB5: avoid RESOURCE_LEAK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_child.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 158831198be..a3d83b4c8c1 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1869,6 +1869,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) &validation_princ); if (kerr != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n"); + krb5_kt_end_seq_get(kr->ctx, keytab, &cursor); goto done; } From 01f0d067f1e4ba8ec3710f515d21631a53c9c9ef Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Tue, 20 Jun 2023 16:48:07 +0200 Subject: [PATCH 48/51] KRB5: fixed RESOURCE_LEAK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/krb5/krb5_keytab.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c index e70408b9b94..db383d411dd 100644 --- a/src/providers/krb5/krb5_keytab.c +++ b/src/providers/krb5/krb5_keytab.c 
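Review bot: The `krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);` added before `goto done` in `validate_tgt` (hunk at 1869) releases the cursor, but if this branch runs inside the keytab iteration, as the cursor suggests, the entry fetched for that iteration is probably still held when the function leaves. The loop is not visible in the hunk, so this needs confirming against the full function. If it holds, the entry contents should be released on this path too, e.g. with `krb5_free_keytab_entry_contents()` on the current entry before ending the sequence. The `return EIO` path added to `lc_verify_keytab_ex` in ldap_child.c (message `Could not parse keytab entry`) looks to have the same gap.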
@@ -214,6 +214,9 @@ krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, if (kerr != 0) { talloc_free(mem_name); + if ((mem_keytab != NULL) && krb5_kt_close(kctx, mem_keytab) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n"); + } } if (tmp_mem_keytab != NULL && krb5_kt_close(kctx, tmp_mem_keytab) != 0) { From fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Tue, 20 Jun 2023 17:22:07 +0200 Subject: [PATCH 49/51] LDAP: fixed RESOURCE_LEAK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/ldap/ldap_child.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index 4818240d4c9..6ad2fb63af5 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -212,6 +212,7 @@ static int lc_verify_keytab_ex(const char *principal, DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse keytab entry\n"); sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n"); + krb5_kt_end_seq_get(context, keytab, &cursor); return EIO; } From eca00ef4719c44c4e68ead3346a16229b6471d13 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Tue, 20 Jun 2023 17:41:36 +0200 Subject: [PATCH 50/51] LDAP: fixed leak of `kprinc` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/providers/ldap/ldap_child.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index 6ad2fb63af5..6c167d239e7 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c 
@@ -367,12 +367,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ); - krberr = krb5_parse_name(context, full_princ, &kprinc); - if (krberr != 0) { - DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr); - goto done; - } - if (keytab_name) { krberr = krb5_kt_resolve(context, keytab_name, &keytab); } else { @@ -447,8 +441,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, goto done; } + krberr = krb5_parse_name(context, full_princ, &kprinc); + if (krberr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr); + goto done; + } krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, keytab, 0, NULL, options); + krb5_free_principal(context, kprinc); if (krberr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_keytab() failed: %d\n", krberr); From d02533caca667b51f29fa02ee9ed48c8b3896c69 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Tue, 20 Jun 2023 18:04:51 +0200 Subject: [PATCH 51/51] UTILS: fixed USE_AFTER_FREE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> --- src/util/sss_krb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 6c4a908b74b..3f57e5b268f 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -279,8 +279,8 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, (error_message ? error_message : sss_strerror(ret))); } if (keytab) krb5_kt_close(krb_ctx, keytab); - if (krb_ctx) krb5_free_context(krb_ctx); if (client_princ) krb5_free_principal(krb_ctx, client_princ); + if (krb_ctx) krb5_free_context(krb_ctx); talloc_free(tmp_ctx); return ret; }
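Review bot: After the added `krb5_free_principal(context, kprinc);` in `ldap_child_get_tgt_sync`, `kprinc` keeps pointing at freed memory for the rest of the function. Nothing in this hunk uses it again, but the code after the hunk and the `done:` cleanup are not visible here. Clearing it guards against a later use or a second free: add `kprinc = NULL;` on the line after the free.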