From df3001223c7c1f8375c81163a8fb9115bada5b5b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 09 2021 10:06:44 +0000
Subject: import sssd-2.5.2-2.el8
---
diff --git a/.gitignore b/.gitignore
index 56d81dd..7190614 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.4.0.tar.gz
+SOURCES/sssd-2.5.2.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 54e9039..461c481 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-abcf616bf894d54623bf2541afdc7018e5d150aa SOURCES/sssd-2.4.0.tar.gz
+680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz
diff --git a/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch b/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
deleted file mode 100644
index bc47f70..0000000
--- a/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From ff24d1538af88f83d0a3cc2817952cf70e7ca580 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Sun, 22 Nov 2020 17:44:07 +0100 -Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in - msgs[] -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL -ptrs in results of sysdb_search_with_ts_attr() - -Resolves: https://github.com/SSSD/sssd/issues/5412 - -Reviewed-by: Pavel Březina ---- - src/db/sysdb_search.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index e616fd5bc..4ff65c1ae 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, - const char *attrs[]) - { - errno_t ret; -+ size_t ts_cache_res_count = 0; - struct ldb_result *ts_cache_res = NULL; - - if (ts_res == NULL || ctx->ldb_ts == NULL) { -@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, - if (ts_cache_res == NULL) { - return ENOMEM; - } -- ts_cache_res->count = ts_res->count; - ts_cache_res->msgs = talloc_zero_array(ts_cache_res, - struct ldb_message *, - ts_res->count); -@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, - ret = merge_msg_sysdb_attrs(ts_cache_res->msgs, - ctx, - ts_res->msgs[c], -- &ts_cache_res->msgs[c], attrs); -- if (ret != EOK) { -+ &ts_cache_res->msgs[ts_cache_res_count], -+ attrs); -+ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Cannot merge sysdb cache values for %s\n", - ldb_dn_get_linearized(ts_res->msgs[c]->dn)); -- /* non-fatal, we just get only the non-timestamp attrs */ -+ /* non-fatal, just skip */ - continue; - } -+ ts_cache_res_count += 1; - } -+ ts_cache_res->count = ts_cache_res_count; - - *_ts_cache_res = ts_cache_res; - 
return EOK;
---
-2.21.3
-
diff --git a/SOURCES/0001-TOOLS-replace-system-with-execvp.patch b/SOURCES/0001-TOOLS-replace-system-with-execvp.patch
new file mode 100644
index 0000000..5717cee
--- /dev/null
+++ b/SOURCES/0001-TOOLS-replace-system-with-execvp.patch
@@ -0,0 +1,277 @@ +From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command + +A flaw was found in SSSD, where the sssctl command was vulnerable +to shell command injection via the logs-fetch and cache-expire +subcommands. This flaw allows an attacker to trick the root user +into running a specially crafted sssctl command, such as via sudo, +to gain root access. The highest threat from this vulnerability is +to confidentiality, integrity, as well as system availability. + +:fixes: CVE-2021-3621 +--- + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h | 2 +- + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf96..8adaf3091 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char *command) ++errno_t sssctl_run_command(const char *const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); ++ } ++ ++ if (ret == 0) { ++ /* cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... 
" ++ */ ++ execvp(argv[0], discard_const_p(char * const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457..599ef6519 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char *message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char *command); ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977f..bf2291341 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- 
SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, + void *pvt) + { + errno_t ret; +- char *cmd_args = NULL; +- const char *cachecmd = SSS_CACHE; +- char *cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char **args = talloc_array_size(tool_ctx, ++ sizeof(char *), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); ++ 
args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 9ff2be05b..ebb2c4571 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. 
*/ + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + void *pvt) + { + const char *file; +- const char *cmd; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; +-- +2.26.3 + 
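Review bot: In the new `sssctl_run_command()` the parent tests `WEXITSTATUS(wstatus) != 0` without first checking `WIFEXITED(wstatus)`, so a child that is terminated by a signal (where, on Linux at least, the exit-status bits are zero) is reported as success; the branch should read `} else if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0) {`. The same function returns EFAULT when `waitpid()` fails for any reason, and retrying on `EINTR` would avoid a spurious failure. In `sssctl_logs_remove()` and `sssctl_logs_fetch()` the raw `glob()` result (for example `GLOB_NOMATCH` when no log file exists) is returned as an `errno_t`, which mixes two error domains, so it should be mapped to an errno value before returning. The command names `truncate`, `tar` and `sss_override` are still resolved through `PATH` by `execvp()`, and for a tool that the commit message describes as run by root, absolute paths would be the more conservative choice. Only parts of the two log functions are visible in the nested hunks.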
diff --git a/SOURCES/0002-KCM-perf-improvements.patch b/SOURCES/0002-KCM-perf-improvements.patch
deleted file mode 100644
index 3734ebe..0000000
--- a/SOURCES/0002-KCM-perf-improvements.patch
+++ /dev/null
@@ -1,3226 +0,0 @@ -From 19c0cfe38670cc56219f0d9acdc2b3363e92616c Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 4 Dec 2020 12:09:57 +0100 -Subject: [PATCH] Squashed commit of the following: -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 325de5a5bb97ba026be6d22492bea8ab2605f1b5 -Author: Pavel Březina -Date: Thu Nov 26 12:07:06 2020 +0100 - - secrets: remove base64 enctype - - This was added as part of KCM performance improvements but never used. - Ldb is fully capable of holding binary data without the need for base64 - encoding so this is not needed. - - Reviewed-by: Alexey Tikhonov - -commit 39277cdadd317b0ab86cdd37de0616bc3eecbe6a -Author: Pavel Březina -Date: Thu Nov 26 11:55:39 2020 +0100 - - secrets: move attrs names to macros - - Reviewed-by: Alexey Tikhonov - -commit 9c1b51d057390fb5b26151f814a480911cda4cc9 -Author: Pavel Březina -Date: Thu Nov 26 11:47:24 2020 +0100 - - secrets: default to "plaintext" if "enctype" attr is missing - - This is a sane fallback behavior, however it should not happen since - the attribute should be always present. - - Reviewed-by: Alexey Tikhonov - -commit bf127d4f3f42e5b2afe25e512211439bc12a9904 -Author: Pavel Březina -Date: Tue Nov 3 13:35:33 2020 +0100 - - secrets: fix may_payload_size exceeded debug message - - The unit is bytes (B) not bits (b) and the conversion of the input - payload size to KiB was wrong (multiplying bytes * 1024). - - Reviewed-by: Alexey Tikhonov - -commit c3b314db57c34f64aaca7d74e76a9a955288bb51 -Author: Pavel Březina -Date: Mon Oct 19 12:40:07 2020 +0200 - - kcm: store credentials list in hash table to avoid cache lookups - - Iteration over ccache requires CRED_UUID_LIST and then calling - CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID - operation invoked ldb_search and decryption. This was a substantional - bottle neck. 
- - Resolves: https://github.com/SSSD/sssd/issues/5349 - - :fixes: KCM performance has improved dramatically for cases where - large amount of credentials are stored in the ccache. - - Reviewed-by: Alexey Tikhonov - -commit a370553c90c2ed6df3b94c169c4960a6f978031f -Author: Pavel Březina -Date: Thu Oct 29 14:57:53 2020 +0100 - - sss_ptr_hash: fix double free for circular dependencies - - If the hash table delete callback deletes the stored item, - we can end up in double free in case when we try to override - an existing item (hash_enter(key) where key already exists). - - ```c - static void delete_cb(hash_entry_t *item, - hash_destroy_enum deltype, - void *pvt) - { - talloc_free(item->value.ptr); - } - - hash_enter(key); - hash_enter(key); - ``` - - The doble free it self is fine, since it is done via talloc destructor - and talloc can cope with that. However, the hash table fails to store - the new entry because hash_delete is called twice. - - ``` - _sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete - ``` - - Reviewed-by: Alexey Tikhonov - -commit 241ee30da12f564803793ee2b14c1522aabd9235 -Author: Pavel Březina -Date: Fri Oct 16 15:36:51 2020 +0200 - - kcm: add per-connection data to be shared between requests - - Resolves: https://github.com/SSSD/sssd/issues/5349 - - Reviewed-by: Alexey Tikhonov - -commit 194447d35c11eb914f54719491dc5cfaab01b9a1 -Author: Pavel Březina -Date: Tue Oct 27 16:21:31 2020 +0100 - - kcm: use binary format to store ccache instead of json - - JSON is computationally complex and the parser is a bottleneck which - consumes about 10% of time. It also create the ccache unnecessary - large because it requires lots of unneded character and base64 - encoding. - - Binary format is fast, simple and small. - - This is backwards compatible and there is no need to destroy existing - ccache. It will be stored in binary format at first write to the cache. 
- - Resolves: https://github.com/SSSD/sssd/issues/5349 - - Reviewed-by: Alexey Tikhonov - -commit f17740d831e16449495fff4ec57cc4800aaac83d -Author: Pavel Březina -Date: Tue Oct 27 17:09:43 2020 +0100 - - kcm: add spaces around operators in kcmsrv_ccache_key.c - - Reviewed-by: Alexey Tikhonov - -commit 15069a647ed6c7f1ead42baa1d421d953c9bc557 -Author: Pavel Březina -Date: Tue Oct 27 16:37:05 2020 +0100 - - kcm: avoid suppression of cppcheck warning - - Reviewed-by: Alexey Tikhonov - -commit e63a15038ac9c186626e4fdf681a6492031d1e40 -Author: Pavel Březina -Date: Tue Oct 27 16:18:11 2020 +0100 - - kcm: move sec key parser to separate file so it can be shared - - Reviewed-by: Alexey Tikhonov - -commit 9b1631defdcaa3ea7e87889eb136e7fa935ab4ce -Author: Pavel Březina -Date: Thu Oct 22 13:34:52 2020 +0200 - - kcm: add json suffix to existing searialization functions - - Reviewed-by: Alexey Tikhonov - -commit b6cc661b9f4162e590137430e945aa321fc13121 -Author: Pavel Březina -Date: Fri Oct 23 13:10:13 2020 +0200 - - iobuf: add more iobuf functions - - These will be used in later patches. - - Reviewed-by: Alexey Tikhonov - -commit ed08ba0023e63024bf1c52ae3f6596b9d804d0a5 -Author: Pavel Březina -Date: Thu Oct 22 12:18:38 2020 +0200 - - secrets: accept binary data instead of string - - Currently, both KCM and secrets responders store JSON formatted string - in the secrets database. One of the next commits makes KCM to store - binary format instead of JSON string to improve performance. We need - to be able to distinguish the formats to keep KCM update compatible - with existing ccache and also to keep secrets responder working. - - Secrets responder test had to be ammended to fit into a new maximum - payload which is now reduced by one byte for the secrets responder - to hold the ending zero of a secret string. - - This is a corner case in a long deprecated responder that is not even - built by default and has no known consumers so it is fine to fast fix - the test. 
- - Reviewed-by: Alexey Tikhonov - -commit 908c15af9a9f8f0556a588e368e4a0b2e24ace1b -Author: Pavel Březina -Date: Thu Oct 22 11:18:12 2020 +0200 - - secrets: allow to specify secret's data format - - Currently, both KCM and secrets responders store JSON formatted string - in the secrets database. One of the next commits makes KCM to store - binary format instead of JSON string to improve performance. We need - to be able to distinguish the formats to keep KCM update compatible - with existing ccache and also to keep secrets responder working. - - Reviewed-by: Alexey Tikhonov - -commit 74fdaa64b27e88a6e0f153f8cb59989c572d4294 -Author: Pavel Březina -Date: Tue Oct 27 16:45:22 2020 +0100 - - kcm: avoid multiple debug messages if sss_sec_put fails - - sec_put() already logs a message if the underlaying function fails - so this debug message is really unnecessary. - - Reviewed-by: Alexey Tikhonov - -commit b8f28d9aa9d862cf504691c9c3f92941a63fb0a4 -Author: Pavel Březina -Date: Mon Oct 19 12:59:48 2020 +0200 - - kcm: disable encryption - - Encryption was a huge bottleneck for the secdb backend. This is - backwards compatible and there is no need to destroy existing - ccache. It will be stored unencrypted at first write to the cache. - - Note that the encryption did not provide any security as the cache - is accessible only by root and the master key is stored together - with the cache. So once someone gains access to the file it can - be easily decrypted. Additionaly, there was also no encryption at - the memory level. - - Resolves: https://github.com/SSSD/sssd/issues/5349 - - Reviewed-by: Alexey Tikhonov - -commit 8edcea8c377e85d037e83065c1904fa4b92c4a39 -Author: Pavel Březina -Date: Fri Oct 16 15:33:42 2020 +0200 - - kcm: avoid name confusion in GET_CRED_UUID_LIST handlers - - The function name did not follow best practices and it got easily confused - with `kcm_op_get_cred_by_uuid_getbyname_done`. 
- - ``` - kcm_op_get_cred_uuid_getbyname_done - kcm_op_get_cred_by_uuid_getbyname_done - ``` - - Reviewed-by: Alexey Tikhonov - -commit 47a316c850107f12d406f27abb216e26383dfab7 -Author: Pavel Březina -Date: Mon Sep 14 12:44:57 2020 +0200 - - kcm: fix typos in debug messages - - Reviewed-by: Alexey Tikhonov ---- - Makefile.am | 14 +- - src/responder/kcm/kcmsrv_ccache.c | 66 ++++ - src/responder/kcm/kcmsrv_ccache.h | 47 ++- - src/responder/kcm/kcmsrv_ccache_binary.c | 308 ++++++++++++++++++ - src/responder/kcm/kcmsrv_ccache_json.c | 149 +-------- - src/responder/kcm/kcmsrv_ccache_key.c | 144 ++++++++ - src/responder/kcm/kcmsrv_ccache_mem.c | 30 +- - src/responder/kcm/kcmsrv_ccache_secdb.c | 128 +++----- - src/responder/kcm/kcmsrv_ccache_secrets.c | 9 +- - src/responder/kcm/kcmsrv_cmd.c | 23 +- - src/responder/kcm/kcmsrv_ops.c | 252 ++++++++++---- - src/responder/kcm/kcmsrv_ops.h | 8 + - src/responder/secrets/local.c | 5 +- - src/shared/safealign.h | 4 + - ...n_marshalling.c => test_kcm_marshalling.c} | 147 +++++++-- - src/tests/cmocka/test_sss_ptr_hash.c | 39 +++ - src/tests/cmocka/test_utils.c | 3 + - src/tests/cmocka/test_utils.h | 1 + - src/tests/intg/test_secrets.py | 3 +- - src/tests/multihost/basic/test_kcm.py | 12 +- - src/util/secrets/sec_pvt.h | 2 +- - src/util/secrets/secrets.c | 290 ++++++++++++----- - src/util/secrets/secrets.h | 20 +- - src/util/sss_iobuf.c | 141 ++++++++ - src/util/sss_iobuf.h | 46 +++ - src/util/sss_ptr_hash.c | 20 ++ - 26 files changed, 1457 insertions(+), 454 deletions(-) - create mode 100644 src/responder/kcm/kcmsrv_ccache_binary.c - create mode 100644 src/responder/kcm/kcmsrv_ccache_key.c - rename src/tests/cmocka/{test_kcm_json_marshalling.c => test_kcm_marshalling.c} (71%) - -diff --git a/Makefile.am b/Makefile.am -index 97aa1ec66..430b4e842 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -311,7 +311,7 @@ endif # HAVE_INOTIFY - - if BUILD_KCM - non_interactive_cmocka_based_tests += \ -- test_kcm_json \ -+ test_kcm_marshalling \ 
- test_kcm_queue \ - $(NULL) - endif # BUILD_KCM -@@ -1817,8 +1817,10 @@ sssd_kcm_SOURCES = \ - src/responder/kcm/kcm.c \ - src/responder/kcm/kcmsrv_cmd.c \ - src/responder/kcm/kcmsrv_ccache.c \ -+ src/responder/kcm/kcmsrv_ccache_binary.c \ - src/responder/kcm/kcmsrv_ccache_mem.c \ - src/responder/kcm/kcmsrv_ccache_json.c \ -+ src/responder/kcm/kcmsrv_ccache_key.c \ - src/responder/kcm/kcmsrv_ccache_secdb.c \ - src/responder/kcm/kcmsrv_ops.c \ - src/responder/kcm/kcmsrv_op_queue.c \ -@@ -3927,18 +3929,20 @@ test_sssd_krb5_locator_plugin_LDADD = \ - $(NULL) - - if BUILD_KCM --test_kcm_json_SOURCES = \ -- src/tests/cmocka/test_kcm_json_marshalling.c \ -+test_kcm_marshalling_SOURCES = \ -+ src/tests/cmocka/test_kcm_marshalling.c \ -+ src/responder/kcm/kcmsrv_ccache_binary.c \ - src/responder/kcm/kcmsrv_ccache_json.c \ -+ src/responder/kcm/kcmsrv_ccache_key.c \ - src/responder/kcm/kcmsrv_ccache.c \ - src/util/sss_krb5.c \ - src/util/sss_iobuf.c \ - $(NULL) --test_kcm_json_CFLAGS = \ -+test_kcm_marshalling_CFLAGS = \ - $(AM_CFLAGS) \ - $(UUID_CFLAGS) \ - $(NULL) --test_kcm_json_LDADD = \ -+test_kcm_marshalling_LDADD = \ - $(JANSSON_LIBS) \ - $(UUID_LIBS) \ - $(KRB5_LIBS) \ -diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c -index 66e2752ba..60eacd451 100644 ---- a/src/responder/kcm/kcmsrv_ccache.c -+++ b/src/responder/kcm/kcmsrv_ccache.c -@@ -28,6 +28,9 @@ - #include "responder/kcm/kcmsrv_ccache_pvt.h" - #include "responder/kcm/kcmsrv_ccache_be.h" - -+static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, -+ struct kcm_cred *crd); -+ - static int kcm_cc_destructor(struct kcm_ccache *cc) - { - if (cc == NULL) { -@@ -94,6 +97,33 @@ done: - return ret; - } - -+struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, -+ const struct kcm_ccache *cc) -+{ -+ struct kcm_ccache *dup; -+ struct kcm_cred *crd_dup; -+ struct kcm_cred *crd; -+ -+ dup = talloc_zero(mem_ctx, struct kcm_ccache); -+ if (dup == NULL) { -+ return NULL; -+ } -+ memcpy(dup, cc, 
sizeof(struct kcm_ccache)); -+ -+ dup->creds = NULL; -+ DLIST_FOR_EACH(crd, cc->creds) { -+ crd_dup = kcm_cred_dup(dup, crd); -+ if (crd_dup == NULL) { -+ talloc_free(dup); -+ return NULL; -+ } -+ -+ DLIST_ADD(dup->creds, crd_dup); -+ } -+ -+ return dup; -+} -+ - const char *kcm_cc_get_name(struct kcm_ccache *cc) - { - return cc ? cc->name : NULL; -@@ -204,6 +234,22 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, - return kcreds; - } - -+static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, -+ struct kcm_cred *crd) -+{ -+ struct kcm_cred *dup; -+ -+ dup = talloc_zero(mem_ctx, struct kcm_cred); -+ if (dup == NULL) { -+ return NULL; -+ } -+ -+ uuid_copy(dup->uuid, crd->uuid); -+ dup->cred_blob = crd->cred_blob; -+ -+ return dup; -+} -+ - /* Add a cred to ccache */ - errno_t kcm_cc_store_creds(struct kcm_ccache *cc, - struct kcm_cred *crd) -@@ -213,6 +259,26 @@ errno_t kcm_cc_store_creds(struct kcm_ccache *cc, - return EOK; - } - -+errno_t kcm_cc_set_header(struct kcm_ccache *cc, -+ const char *sec_key, -+ struct cli_creds *client) -+{ -+ errno_t ret; -+ -+ ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ /* We rely on sssd-secrets only searching the user's subtree so we -+ * set the ownership to the client -+ */ -+ cc->owner.uid = cli_creds_get_uid(client); -+ cc->owner.gid = cli_creds_get_gid(client); -+ -+ return EOK; -+} -+ - errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid) - { - if (crd == NULL) { -diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h -index d629923fa..77cf8f61d 100644 ---- a/src/responder/kcm/kcmsrv_ccache.h -+++ b/src/responder/kcm/kcmsrv_ccache.h -@@ -72,6 +72,13 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx, - krb5_principal princ, - struct kcm_ccache **_cc); - -+/* -+ * Duplicate the ccache. Only ccache and credentials are duplicated, -+ * but their data are a shallow copy. 
-+ */ -+struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, -+ const struct kcm_ccache *cc); -+ - /* - * Returns true if a client can access a ccache. - * -@@ -100,6 +107,11 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, - errno_t kcm_cc_store_creds(struct kcm_ccache *cc, - struct kcm_cred *crd); - -+/* Set cc header information from sec key and client */ -+errno_t kcm_cc_set_header(struct kcm_ccache *cc, -+ const char *sec_key, -+ struct cli_creds *client); -+ - errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid); - - /* -@@ -320,6 +332,11 @@ bool sec_key_match_name(const char *sec_key, - bool sec_key_match_uuid(const char *sec_key, - uuid_t uuid); - -+errno_t sec_key_parse(TALLOC_CTX *mem_ctx, -+ const char *sec_key, -+ const char **_name, -+ uuid_t uuid); -+ - const char *sec_key_get_name(const char *sec_key); - - errno_t sec_key_get_uuid(const char *sec_key, -@@ -333,16 +350,30 @@ const char *sec_key_create(TALLOC_CTX *mem_ctx, - * sec_key is a concatenation of the ccache's UUID and name - * sec_value is the JSON dump of the ccache contents - */ --errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, -- const char *sec_key, -- const char *sec_value, -- struct cli_creds *client, -- struct kcm_ccache **_cc); -+errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, -+ const char *sec_key, -+ const char *sec_value, -+ struct cli_creds *client, -+ struct kcm_ccache **_cc); - - /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ --errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, -- struct kcm_ccache *cc, -+errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, -+ struct kcm_ccache *cc, -+ struct sss_iobuf **_payload); -+ -+/* -+ * sec_key is a concatenation of the ccache's UUID and name -+ * sec_value is the binary representation of ccache. 
-+ */ -+errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, -+ const char *sec_key, -+ struct sss_iobuf *sec_value, - struct cli_creds *client, -- struct sss_iobuf **_payload); -+ struct kcm_ccache **_cc); -+ -+/* Convert a kcm_ccache to its binary representation. */ -+errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, -+ struct kcm_ccache *cc, -+ struct sss_iobuf **_payload); - - #endif /* _KCMSRV_CCACHE_H_ */ -diff --git a/src/responder/kcm/kcmsrv_ccache_binary.c b/src/responder/kcm/kcmsrv_ccache_binary.c -new file mode 100644 -index 000000000..7bfdbf13b ---- /dev/null -+++ b/src/responder/kcm/kcmsrv_ccache_binary.c -@@ -0,0 +1,308 @@ -+/* -+ Authors: -+ Pavel Březina -+ -+ Copyright (C) 2020 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "config.h" -+ -+#include -+#include -+ -+#include "util/util.h" -+#include "util/util_creds.h" -+#include "util/crypto/sss_crypto.h" -+#include "responder/kcm/kcmsrv_ccache_pvt.h" -+ -+static errno_t krb_data_to_bin(krb5_data *data, struct sss_iobuf *buf) -+{ -+ return sss_iobuf_write_varlen(buf, (uint8_t *)data->data, data->length); -+} -+ -+static errno_t princ_to_bin(krb5_principal princ, struct sss_iobuf *buf) -+{ -+ errno_t ret; -+ -+ if (princ == NULL) { -+ return sss_iobuf_write_uint8(buf, 0); -+ } -+ -+ /* Mark that principal is not empty. 
*/ -+ ret = sss_iobuf_write_uint8(buf, 1); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = krb_data_to_bin(&princ->realm, buf); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_write_int32(buf, princ->type); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_write_int32(buf, princ->length); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ for (krb5_int32 i = 0; i < princ->length; i++) { -+ ret = krb_data_to_bin(&princ->data[i], buf); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ -+static errno_t creds_to_bin(struct kcm_cred *creds, struct sss_iobuf *buf) -+{ -+ struct kcm_cred *crd; -+ uint32_t count = 0; -+ errno_t ret; -+ -+ DLIST_FOR_EACH(crd, creds) { -+ count++; -+ } -+ -+ ret = sss_iobuf_write_uint32(buf, count); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ DLIST_FOR_EACH(crd, creds) { -+ ret = sss_iobuf_write_len(buf, (uint8_t *)crd->uuid, sizeof(uuid_t)); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_write_iobuf(buf, crd->cred_blob); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ -+errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, -+ struct kcm_ccache *cc, -+ struct sss_iobuf **_payload) -+{ -+ struct sss_iobuf *buf; -+ errno_t ret; -+ -+ buf = sss_iobuf_init_empty(mem_ctx, sizeof(krb5_principal_data), 0); -+ if (buf == NULL) { -+ return ENOMEM; -+ } -+ -+ ret = sss_iobuf_write_int32(buf, cc->kdc_offset); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = princ_to_bin(cc->client, buf); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = creds_to_bin(cc->creds, buf); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ *_payload = buf; -+ -+ ret = EOK; -+ -+done: -+ if (ret != EOK) { -+ talloc_free(buf); -+ } -+ -+ return ret; -+} -+ -+static errno_t bin_to_krb_data(TALLOC_CTX *mem_ctx, -+ struct sss_iobuf *buf, -+ krb5_data *out) -+{ -+ uint8_t *data; -+ size_t len; -+ errno_t ret; -+ -+ ret = sss_iobuf_read_varlen(mem_ctx, buf, &data, &len); -+ if (ret != 
EOK) { -+ return ret; -+ } -+ -+ out->magic = 0; -+ out->data = (char*)data; -+ out->length = len; -+ -+ return EOK; -+} -+ -+static errno_t bin_to_princ(TALLOC_CTX *mem_ctx, -+ struct sss_iobuf *buf, -+ krb5_principal *_princ) -+{ -+ krb5_principal princ; -+ uint8_t non_empty; -+ krb5_int32 i; -+ errno_t ret; -+ -+ ret = sss_iobuf_read_uint8(buf, &non_empty); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ if (non_empty == 0) { -+ *_princ = NULL; -+ return EOK; -+ } -+ -+ princ = talloc_zero(mem_ctx, struct krb5_principal_data); -+ if (princ == NULL) { -+ return ENOMEM; -+ } -+ princ->magic = KV5M_PRINCIPAL; -+ -+ ret = bin_to_krb_data(princ, buf, &princ->realm); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_read_int32(buf, &princ->type); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_read_int32(buf, &princ->length); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ princ->data = talloc_zero_array(princ, krb5_data, princ->length); -+ if (princ->length > 0 && princ->data == NULL) { -+ return ENOMEM; -+ } -+ -+ for (i = 0; i < princ->length; i++) { -+ ret = bin_to_krb_data(princ, buf, &princ->data[i]); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ *_princ = princ; -+ -+ return EOK; -+} -+ -+static errno_t bin_to_creds(TALLOC_CTX *mem_ctx, -+ struct sss_iobuf *buf, -+ struct kcm_cred **_creds) -+{ -+ struct kcm_cred *creds = NULL; -+ struct kcm_cred *crd; -+ struct sss_iobuf *cred_blob; -+ uint32_t count; -+ uuid_t uuid; -+ errno_t ret; -+ -+ ret = sss_iobuf_read_uint32(buf, &count); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ for (uint32_t i = 0; i < count; i++) { -+ ret = sss_iobuf_read_len(buf, sizeof(uuid_t), (uint8_t*)uuid); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ ret = sss_iobuf_read_iobuf(NULL, buf, &cred_blob); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ crd = kcm_cred_new(mem_ctx, uuid, cred_blob); -+ if (crd == NULL) { -+ talloc_free(cred_blob); -+ return ENOMEM; -+ } -+ -+ DLIST_ADD(creds, crd); -+ } -+ -+ 
*_creds = creds;
-+
-+ return EOK;
-+}
-+
-+errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx,
-+ const char *sec_key,
-+ struct sss_iobuf *sec_value,
-+ struct cli_creds *client,
-+ struct kcm_ccache **_cc)
-+{
-+ struct kcm_ccache *cc;
-+ errno_t ret;
-+
-+ cc = talloc_zero(mem_ctx, struct kcm_ccache);
-+ if (cc == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ ret = kcm_cc_set_header(cc, sec_key, client);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ ret = sss_iobuf_read_int32(sec_value, &cc->kdc_offset);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ ret = bin_to_princ(cc, sec_value, &cc->client);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ ret = bin_to_creds(cc, sec_value, &cc->creds);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ *_cc = cc;
-+
-+ ret = EOK;
-+
-+done:
-+ if (ret != EOK) {
-+ talloc_free(cc);
-+ }
-+
-+ return ret;
-+}
-diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
-index f78e9f58c..e790cbea3 100644
---- a/src/responder/kcm/kcmsrv_ccache_json.c
-+++ b/src/responder/kcm/kcmsrv_ccache_json.c
-@@ -37,12 +37,6 @@
- */
- #define KS_JSON_VERSION 1
-
--/*
-- * The secrets store is a key-value store at heart.
We store the UUID
-- * and the name in the key to allow easy lookups be either key
-- */
--#define SEC_KEY_SEPARATOR '-'
--
- /* Compat definition of json_array_foreach for older systems */
- #ifndef json_array_foreach
- #define json_array_foreach(array, idx, value) \
-@@ -51,119 +45,6 @@
- idx++)
- #endif
-
--const char *sec_key_create(TALLOC_CTX *mem_ctx,
-- const char *name,
-- uuid_t uuid)
--{
-- char uuid_str[UUID_STR_SIZE];
--
-- uuid_unparse(uuid, uuid_str);
-- return talloc_asprintf(mem_ctx,
-- "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name);
--}
--
--static bool sec_key_valid(const char *sec_key)
--{
-- if (sec_key == NULL) {
-- return false;
-- }
--
-- if (strlen(sec_key) < UUID_STR_SIZE + 1) {
-- /* One char for separator (at UUID_STR_SIZE, because strlen doesn't
-- * include the '\0', but UUID_STR_SIZE does) and at least one for
-- * the name */
-- DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
-- return false;
-- }
--
-- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
-- return false;
-- }
--
-- return true;
--}
--
--static errno_t sec_key_parse(TALLOC_CTX *mem_ctx,
-- const char *sec_key,
-- const char **_name,
-- uuid_t uuid)
--{
-- char uuid_str[UUID_STR_SIZE];
--
-- if (!sec_key_valid(sec_key)) {
-- return EINVAL;
-- }
--
-- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1);
-- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
-- return EINVAL;
-- }
-- uuid_str[UUID_STR_SIZE-1] = '\0';
--
-- *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE);
-- if (*_name == NULL) {
-- return ENOMEM;
-- }
-- uuid_parse(uuid_str, uuid);
--
-- return EOK;
--}
--
--errno_t sec_key_get_uuid(const char *sec_key,
-- uuid_t uuid)
--{
-- char uuid_str[UUID_STR_SIZE];
--
-- if (!sec_key_valid(sec_key)) {
-- return EINVAL;
-- }
--
-- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1);
-- uuid_str[UUID_STR_SIZE-1] =
'\0';
-- uuid_parse(uuid_str, uuid);
-- return EOK;
--}
--
--const char *sec_key_get_name(const char *sec_key)
--{
-- if (!sec_key_valid(sec_key)) {
-- return NULL;
-- }
--
-- return sec_key + UUID_STR_SIZE;
--}
--
--bool sec_key_match_name(const char *sec_key,
-- const char *name)
--{
-- if (!sec_key_valid(sec_key) || name == NULL) {
-- return false;
-- }
--
-- return strcmp(sec_key + UUID_STR_SIZE, name) == 0;
--}
--
--bool sec_key_match_uuid(const char *sec_key,
-- uuid_t uuid)
--{
-- errno_t ret;
-- uuid_t key_uuid;
--
-- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but
-- * since libuuid is opaque for cppcheck it generates false positive here
-- */
-- /* cppcheck-suppress uninitvar */
-- ret = sec_key_get_uuid(sec_key, key_uuid);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n");
-- return false;
-- }
--
-- return uuid_compare(key_uuid, uuid) == 0;
--}
--
- /*
- * Creates an array of principal elements that will be used later
- * in the form of:
-@@ -460,10 +341,9 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx,
- return EOK;
- }
-
--errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx,
-- struct kcm_ccache *cc,
-- struct cli_creds *client,
-- struct sss_iobuf **_payload)
-+errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx,
-+ struct kcm_ccache *cc,
-+ struct sss_iobuf **_payload)
- {
- errno_t ret;
- const char *value;
-@@ -897,11 +777,11 @@ static errno_t sec_json_value_to_ccache(struct kcm_ccache *cc,
- * sec_key is a concatenation of the ccache's UUID and name
- * sec_value is the JSON dump of the ccache contents
- */
--errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,
-- const char *sec_key,
-- const char *sec_value,
-- struct cli_creds *client,
-- struct kcm_ccache **_cc)
-+errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx,
-+ const char *sec_key,
-+ const char *sec_value,
-+ struct cli_creds *client,
-+ struct kcm_ccache **_cc)
- {
- errno_t ret;
- json_t *root = NULL;
-@@ -911,7 +791,7 @@
errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,
- ret = sec_value_to_json(sec_value, &root);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot store secret to JSN [%d]: %s\n",
-+ "Cannot store secret to JSON [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
- }
-@@ -928,16 +808,9 @@ errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- /* We rely on sssd-secrets only searching the user's subtree so we
-- * set the ownership to the client
-- */
-- cc->owner.uid = cli_creds_get_uid(client);
-- cc->owner.gid = cli_creds_get_gid(client);
--
-- ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid);
-+ ret = kcm_cc_set_header(cc, sec_key, client);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannt parse secret key [%d]: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
- }
-diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c
-new file mode 100644
-index 000000000..59d60453c
---- /dev/null
-+++ b/src/responder/kcm/kcmsrv_ccache_key.c
-@@ -0,0 +1,144 @@
-+/*
-+ SSSD
-+
-+ Copyright (C) Red Hat, 2020
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see .
-+*/
-+
-+#include "config.h"
-+
-+#include
-+#include
-+
-+#include "util/util.h"
-+#include "responder/kcm/kcmsrv_ccache_pvt.h"
-+
-+/*
-+ * The secrets store is a key-value store at heart.
We store the UUID
-+ * and the name in the key to allow easy lookups by either part.
-+ */
-+#define SEC_KEY_SEPARATOR '-'
-+
-+const char *sec_key_create(TALLOC_CTX *mem_ctx,
-+ const char *name,
-+ uuid_t uuid)
-+{
-+ char uuid_str[UUID_STR_SIZE];
-+
-+ uuid_unparse(uuid, uuid_str);
-+ return talloc_asprintf(mem_ctx,
-+ "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name);
-+}
-+
-+static bool sec_key_valid(const char *sec_key)
-+{
-+ if (sec_key == NULL) {
-+ return false;
-+ }
-+
-+ if (strlen(sec_key) < UUID_STR_SIZE + 1) {
-+ /* One char for separator (at UUID_STR_SIZE, because strlen doesn't
-+ * include the '\0', but UUID_STR_SIZE does) and at least one for
-+ * the name */
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
-+ return false;
-+ }
-+
-+ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
-+ return false;
-+ }
-+
-+ return true;
-+}
-+
-+errno_t sec_key_parse(TALLOC_CTX *mem_ctx,
-+ const char *sec_key,
-+ const char **_name,
-+ uuid_t uuid)
-+{
-+ char uuid_str[UUID_STR_SIZE];
-+
-+ if (!sec_key_valid(sec_key)) {
-+ return EINVAL;
-+ }
-+
-+ strncpy(uuid_str, sec_key, sizeof(uuid_str) - 1);
-+ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
-+ return EINVAL;
-+ }
-+ uuid_str[UUID_STR_SIZE - 1] = '\0';
-+
-+ *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE);
-+ if (*_name == NULL) {
-+ return ENOMEM;
-+ }
-+ uuid_parse(uuid_str, uuid);
-+
-+ return EOK;
-+}
-+
-+errno_t sec_key_get_uuid(const char *sec_key,
-+ uuid_t uuid)
-+{
-+ char uuid_str[UUID_STR_SIZE];
-+
-+ if (!sec_key_valid(sec_key)) {
-+ return EINVAL;
-+ }
-+
-+ strncpy(uuid_str, sec_key, UUID_STR_SIZE - 1);
-+ uuid_str[UUID_STR_SIZE - 1] = '\0';
-+ uuid_parse(uuid_str, uuid);
-+ return EOK;
-+}
-+
-+const char *sec_key_get_name(const char *sec_key)
-+{
-+ if (!sec_key_valid(sec_key)) {
-+ return NULL;
-+ }
-+
-+ return
sec_key + UUID_STR_SIZE;
-+}
-+
-+bool sec_key_match_name(const char *sec_key,
-+ const char *name)
-+{
-+ if (!sec_key_valid(sec_key) || name == NULL) {
-+ return false;
-+ }
-+
-+ return strcmp(sec_key + UUID_STR_SIZE, name) == 0;
-+}
-+
-+bool sec_key_match_uuid(const char *sec_key,
-+ uuid_t uuid)
-+{
-+ errno_t ret;
-+ uuid_t key_uuid;
-+
-+ /* Clear uuid value to avoid cppcheck warning. */
-+ uuid_clear(key_uuid);
-+
-+ ret = sec_key_get_uuid(sec_key, key_uuid);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n");
-+ return false;
-+ }
-+
-+ return uuid_compare(key_uuid, uuid) == 0;
-+}
-diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c
-index baa698054..0e3a7b239 100644
---- a/src/responder/kcm/kcmsrv_ccache_mem.c
-+++ b/src/responder/kcm/kcmsrv_ccache_mem.c
-@@ -49,24 +49,6 @@ struct ccdb_mem {
- unsigned int nextid;
- };
-
--/* In order to provide a consistent interface, we need to let the caller
-- * of getbyXXX own the ccache, therefore the memory back end returns a shallow
-- * copy of the ccache
-- */
--static struct kcm_ccache *kcm_ccache_dup(TALLOC_CTX *mem_ctx,
-- struct kcm_ccache *in)
--{
-- struct kcm_ccache *out;
--
-- out = talloc_zero(mem_ctx, struct kcm_ccache);
-- if (out == NULL) {
-- return NULL;
-- }
-- memcpy(out, in, sizeof(struct kcm_ccache));
--
-- return out;
--}
--
- static struct ccache_mem_wrap *memdb_get_by_uuid(struct ccdb_mem *memdb,
- struct cli_creds *client,
- uuid_t uuid)
-@@ -417,7 +399,11 @@ static struct tevent_req *ccdb_mem_getbyuuid_send(TALLOC_CTX *mem_ctx,
-
- ccwrap = memdb_get_by_uuid(memdb, client, uuid);
- if (ccwrap != NULL) {
-- state->cc = kcm_ccache_dup(state, ccwrap->cc);
-+ /* In order to provide a consistent interface, we need to let the caller
-+ * of getbyXXX own the ccache, therefore the memory back end returns a shallow
-+ * copy of the ccache
-+ */
-+ state->cc = kcm_cc_dup(state, ccwrap->cc);
- if (state->cc == NULL) {
- ret =
ENOMEM;
- goto immediate;
-@@ -470,7 +456,11 @@ static struct tevent_req *ccdb_mem_getbyname_send(TALLOC_CTX *mem_ctx,
-
- ccwrap = memdb_get_by_name(memdb, client, name);
- if (ccwrap != NULL) {
-- state->cc = kcm_ccache_dup(state, ccwrap->cc);
-+ /* In order to provide a consistent interface, we need to let the caller
-+ * of getbyXXX own the ccache, therefore the memory back end returns a shallow
-+ * copy of the ccache
-+ */
-+ state->cc = kcm_cc_dup(state, ccwrap->cc);
- if (state->cc == NULL) {
- ret = ENOMEM;
- goto immediate;
-diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
-index ed1c8247f..726711ac4 100644
---- a/src/responder/kcm/kcmsrv_ccache_secdb.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
-@@ -35,15 +35,16 @@
- #define KCM_SECDB_CCACHE_FMT KCM_SECDB_BASE_FMT"ccache/"
- #define KCM_SECDB_DFL_FMT KCM_SECDB_BASE_FMT"default"
-
--static errno_t sec_get_b64(TALLOC_CTX *mem_ctx,
-- struct sss_sec_req *req,
-- struct sss_iobuf **_buf)
-+static errno_t sec_get(TALLOC_CTX *mem_ctx,
-+ struct sss_sec_req *req,
-+ struct sss_iobuf **_buf,
-+ char **_datatype)
- {
- errno_t ret;
- TALLOC_CTX *tmp_ctx;
-- char *b64_sec;
-+ char *datatype;
- uint8_t *data;
-- size_t data_size;
-+ size_t len;
- struct sss_iobuf *buf;
-
- tmp_ctx = talloc_new(mem_ctx);
-@@ -51,101 +52,61 @@ static errno_t sec_get_b64(TALLOC_CTX *mem_ctx,
- return ENOMEM;
- }
-
-- ret = sss_sec_get(tmp_ctx, req, &b64_sec);
-+ ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-
-- data = sss_base64_decode(tmp_ctx, b64_sec, &data_size);
-- if (data == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
-- ret = EIO;
-- goto done;
-- }
--
-- buf = sss_iobuf_init_readonly(tmp_ctx, data, data_size);
-+ buf = sss_iobuf_init_steal(tmp_ctx, data, len);
- if (buf == NULL) {
-
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
- ret = EIO;
- goto done;
- }
-
-- ret = EOK;
- *_buf = talloc_steal(mem_ctx, buf);
-+ if (_datatype != NULL) {
-+ *_datatype = talloc_steal(mem_ctx, datatype);
-+ }
-+
-+ ret = EOK;
-+
- done:
- talloc_free(tmp_ctx);
- return ret;
- }
-
--static errno_t sec_put_b64(TALLOC_CTX *mem_ctx,
-- struct sss_sec_req *req,
-- struct sss_iobuf *buf)
-+static errno_t sec_put(TALLOC_CTX *mem_ctx,
-+ struct sss_sec_req *req,
-+ struct sss_iobuf *buf)
- {
- errno_t ret;
-- TALLOC_CTX *tmp_ctx;
-- char *secret;
-
-- tmp_ctx = talloc_new(mem_ctx);
-- if (tmp_ctx == NULL) {
-- return ENOMEM;
-- }
--
-- secret = sss_base64_encode(tmp_ctx,
-- sss_iobuf_get_data(buf),
-- sss_iobuf_get_size(buf));
-- if (secret == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n");
-- ret = EIO;
-- goto done;
-- }
--
-- ret = sss_sec_put(req, secret);
-+ ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf),
-+ SSS_SEC_PLAINTEXT, "binary");
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret));
-- goto done;
- }
-
-- ret = EOK;
--done:
-- talloc_free(tmp_ctx);
- return ret;
- }
-
--static errno_t sec_update_b64(TALLOC_CTX *mem_ctx,
-- struct sss_sec_req *req,
-- struct sss_iobuf *buf)
-+static errno_t sec_update(TALLOC_CTX *mem_ctx,
-+ struct sss_sec_req *req,
-+ struct sss_iobuf *buf)
- {
- errno_t ret;
-- TALLOC_CTX *tmp_ctx;
-- char *secret;
--
-- tmp_ctx = talloc_new(mem_ctx);
-- if (tmp_ctx == NULL) {
-- return ENOMEM;
-- }
--
-- secret = sss_base64_encode(tmp_ctx,
-- sss_iobuf_get_data(buf),
-- sss_iobuf_get_size(buf));
-- if (secret == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n");
-- ret = EIO;
-- goto done;
-- }
-
-- ret = sss_sec_update(req, secret);
-+ ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf),
-+ SSS_SEC_PLAINTEXT, "binary");
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
-
"Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret));
-- goto done;
- }
-
-- ret = EOK;
--done:
-- talloc_free(tmp_ctx);
- return ret;
- }
-
-@@ -206,7 +167,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload);
-+ ret = kcm_ccache_to_sec_input_binary(mem_ctx, cc, &payload);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret));
-@@ -480,6 +441,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx,
- struct kcm_ccache *cc = NULL;
- struct sss_sec_req *sreq = NULL;
- struct sss_iobuf *ccbuf;
-+ char *datatype;
-
- tmp_ctx = talloc_new(mem_ctx);
- if (tmp_ctx == NULL) {
-@@ -493,22 +455,23 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- ret = sec_get_b64(tmp_ctx, sreq, &ccbuf);
-+ ret = sec_get(tmp_ctx, sreq, &ccbuf, &datatype);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret));
- goto done;
- }
-
-- ret = sec_kv_to_ccache(tmp_ctx,
-- secdb_key,
-- (const char *) sss_iobuf_get_data(ccbuf),
-- client,
-- &cc);
-+ if (strcmp(datatype, "binary") == 0) {
-+ ret = sec_kv_to_ccache_binary(tmp_ctx, secdb_key, ccbuf, client, &cc);
-+ } else {
-+ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key,
-+ (const char *)sss_iobuf_get_data(ccbuf),
-+ client, &cc);
-+ }
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE,
-- "Cannot convert JSON keyval to ccache blob [%d]: %s\n",
-- ret, sss_strerror(ret));
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert %s data to ccache "
-+ "[%d]: %s\n", datatype, ret, sss_strerror(ret));
- goto done;
- }
-
-@@ -746,11 +709,11 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = sss_sec_get(state, sreq, &cur_default);
-+ ret = sss_sec_get(state, sreq, (uint8_t**)&cur_default, NULL, NULL);
- if (ret == ENOENT) {
-- ret = sec_put_b64(state, sreq, iobuf);
-+ ret = sec_put(state, sreq, iobuf);
- } else if (ret == EOK) {
-- ret = sec_update_b64(state, sreq, iobuf);
-+ ret = sec_update(state, sreq, iobuf);
- }
-
- if (ret != EOK) {
-@@ -804,7 +767,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = sec_get_b64(state, sreq, &dfl_iobuf);
-+ ret = sec_get(state, sreq, &dfl_iobuf, NULL);
- if (ret == ENOENT) {
- uuid_clear(state->uuid);
- ret = EOK;
-@@ -1230,9 +1193,8 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = sec_put_b64(state, ccache_req, ccache_payload);
-+ ret = sec_put(state, ccache_req, ccache_payload);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n");
- goto immediate;
- }
-
-@@ -1298,7 +1260,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = kcm_ccache_to_sec_input(state, cc, client, &payload);
-+ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload);
- if (ret != EOK) {
- goto immediate;
- }
-@@ -1308,7 +1270,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = sec_update_b64(state, sreq, payload);
-+ ret = sec_update(state, sreq, payload);
- if (ret != EOK) {
- goto immediate;
- }
-@@ -1374,7 +1336,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = kcm_ccache_to_sec_input(state, cc, client, &payload);
-+ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload);
- if (ret != EOK) {
- goto immediate;
- }
-@@ -1384,7 +1346,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx,
- goto immediate;
- }
-
-- ret = sec_update_b64(state, sreq, payload);
-+ ret = sec_update(state, sreq, payload);
- if (ret != EOK) {
- goto immediate;
- }
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 440ab3bb9..f3d69842c 100644
----
a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload);
-+ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, &payload);
- if (ret != EOK) {
- goto done;
- }
-@@ -489,11 +489,8 @@ static void sec_get_done(struct tevent_req *subreq)
- return;
- }
-
-- ret = sec_kv_to_ccache(state,
-- state->sec_key,
-- sec_value,
-- state->client,
-- &state->cc);
-+ ret = sec_kv_to_ccache_json(state, state->sec_key, sec_value, state->client,
-+ &state->cc);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot convert JSON keyval to ccache blob [%d]: %s\n",
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 421bf4bc5..a1aa9aa20 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -314,7 +314,7 @@ static void kcm_reply_error(struct cli_ctx *cctx,
- krb5_error_code kerr;
-
- DEBUG(SSSDBG_OP_FAILURE,
-- "KCM operation returs failure [%d]: %s\n",
-+ "KCM operation returns failure [%d]: %s\n",
- retcode, sss_strerror(retcode));
- kerr = sss2krb5_error(retcode);
-
-@@ -373,13 +373,16 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
- {
- struct tevent_req *req;
- struct cli_ctx *cctx;
-+ struct kcm_conn_data *conn_data;
-
- cctx = req_ctx->cctx;
-+ conn_data = talloc_get_type(cctx->state_ctx, struct kcm_conn_data);
-
- req = kcm_cmd_send(req_ctx,
- cctx->ev,
- kctx->qctx,
- req_ctx->kctx->kcm_data,
-+ conn_data,
- req_ctx->cctx->creds,
- &req_ctx->op_io.request,
- req_ctx->op_io.op);
-@@ -492,7 +495,7 @@ static void kcm_recv(struct cli_ctx *cctx)
- int ret;
-
- kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
-- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
-+ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx);
- if (req == NULL) {
- /* A new request comes in, setup data structures.
*/
- req = kcm_new_req(cctx, kctx);
-@@ -503,7 +506,17 @@ static void kcm_recv(struct cli_ctx *cctx)
- return;
- }
-
-- cctx->state_ctx = req;
-+ cctx->protocol_ctx = req;
-+ }
-+
-+ /* Shared data between requests that originates in the same connection. */
-+ if (cctx->state_ctx == NULL) {
-+ cctx->state_ctx = talloc_zero(cctx, struct kcm_conn_data);
-+ if (cctx->state_ctx == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up client state\n");
-+ talloc_free(cctx);
-+ return;
-+ }
- }
-
- ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf);
-@@ -558,7 +571,7 @@ static int kcm_send_data(struct cli_ctx *cctx)
- struct kcm_req_ctx *req;
- errno_t ret;
-
-- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
-+ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx);
-
- ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_len);
- if (ret != EOK) {
-@@ -604,7 +617,7 @@ static void kcm_send(struct cli_ctx *cctx)
- DEBUG(SSSDBG_TRACE_INTERNAL, "All data sent!\n");
- TEVENT_FD_NOT_WRITEABLE(cctx->cfde);
- TEVENT_FD_READABLE(cctx->cfde);
-- talloc_zfree(cctx->state_ctx);
-+ talloc_zfree(cctx->protocol_ctx);
- return;
- }
-
-diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
-index 6ac66c150..f458c724b 100644
---- a/src/responder/kcm/kcmsrv_ops.c
-+++ b/src/responder/kcm/kcmsrv_ops.c
-@@ -22,9 +22,11 @@
- #include "config.h"
-
- #include
-+#include
-
- #include "util/sss_iobuf.h"
- #include "util/sss_krb5.h"
-+#include "util/sss_ptr_hash.h"
- #include "util/util_creds.h"
- #include "responder/kcm/kcm.h"
- #include "responder/kcm/kcmsrv_pvt.h"
-@@ -38,6 +40,7 @@
-
- struct kcm_op_ctx {
- struct kcm_resp_ctx *kcm_data;
-+ struct kcm_conn_data *conn_data;
- struct cli_creds *client;
-
- struct sss_iobuf *input;
-@@ -86,6 +89,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct kcm_ops_queue_ctx *qctx,
- struct kcm_resp_ctx *kcm_data,
-+ struct kcm_conn_data *conn_data,
- struct cli_creds *client,
-
struct kcm_data *input,
- struct kcm_op *op)
-@@ -135,6 +139,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
- }
-
- state->op_ctx->kcm_data = kcm_data;
-+ state->op_ctx->conn_data = conn_data;
- state->op_ctx->client = client;
-
- state->op_ctx->input = sss_iobuf_init_readonly(state->op_ctx,
-@@ -1071,8 +1076,75 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq)
- tevent_req_done(req);
- }
-
-+static void
-+kcm_creds_table_delete_cb(hash_entry_t *item,
-+ hash_destroy_enum deltype,
-+ void *pvt)
-+{
-+ /* Delete the old credential if it is being overwritten. */
-+ talloc_free(item->value.ptr);
-+}
-+
-+/* Store credentials in a hash table.
-+ *
-+ * If the table already exist we add the new credentials to the table and
-+ * overwrite the ones that already exist. This allows us to correctly serve
-+ * also parallel GET_CRED_UUID_LIST requests from the same connection since
-+ * it will have its own uuid list and cursor on the client side and we make
-+ * all uuid (old, updated and newly added) available.
-+ */
-+static errno_t
-+kcm_creds_to_table(TALLOC_CTX *mem_ctx,
-+ struct kcm_cred *creds,
-+ hash_table_t **_table)
-+{
-+ char str[UUID_STR_SIZE];
-+ uuid_t uuid;
-+ errno_t ret;
-+
-+ if (*_table == NULL) {
-+ *_table = sss_ptr_hash_create(mem_ctx, kcm_creds_table_delete_cb, NULL);
-+ if (*_table == NULL) {
-+ return ENOMEM;
-+ }
-+ }
-+
-+ for (struct kcm_cred *crd = creds;
-+ crd != NULL;
-+ crd = kcm_cc_next_cred(crd)) {
-+ ret = kcm_cred_get_uuid(crd, uuid);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_MINOR_FAILURE, "Credential has no UUID, skipping\n");
-+ continue;
-+ }
-+ uuid_unparse(uuid, str);
-+
-+ ret = sss_ptr_hash_add_or_override(*_table, str, crd, struct kcm_cred);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ talloc_steal(*_table, crd);
-+ }
-+
-+ return EOK;
-+}
-+
-+static struct kcm_cred *
-+kcm_creds_lookup(hash_table_t *table, uuid_t uuid)
-+{
-+ char str[UUID_STR_SIZE];
-+
-+ if (uuid == NULL) {
-+ return NULL;
-+ }
-+
-+ uuid_unparse(uuid, str);
-+ return sss_ptr_hash_lookup(table, str, struct kcm_cred);
-+}
-+
- /* (name) -> (uuid, ...)
*/
--static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq);
-+static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq);
-
- static struct tevent_req *
- kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx,
-@@ -1106,7 +1178,7 @@ kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx,
- ret = ENOMEM;
- goto immediate;
- }
-- tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_getbyname_done, req);
-+ tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_list_getbyname_done, req);
- return req;
-
- immediate:
-@@ -1115,17 +1187,20 @@ immediate:
- return req;
- }
-
--static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
-+static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq)
- {
- errno_t ret;
- struct kcm_ccache *cc;
- struct kcm_cred *crd;
-+ struct kcm_conn_data *conn_data;
- uuid_t uuid;
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct kcm_op_common_state *state = tevent_req_data(req,
- struct kcm_op_common_state);
-
-+ conn_data = state->op_ctx->conn_data;
-+
- ret = kcm_ccdb_getbyname_recv(subreq, state, &cc);
- talloc_zfree(subreq);
- if (ret != EOK) {
-@@ -1137,12 +1212,20 @@ static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
- }
-
- if (cc == NULL) {
-- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n");
-+ DEBUG(SSSDBG_MINOR_FAILURE, "No ccache by that name\n");
- state->op_ret = ERR_NO_CREDS;
- tevent_req_done(req);
- return;
- }
-
-+ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table "
-+ "[%d]: %s\n", ret, sss_strerror(ret));
-+ tevent_req_error(req, ret);
-+ return;
-+ }
-+
- for (crd = kcm_cc_get_cred(cc);
- crd != NULL;
- crd = kcm_cc_next_cred(crd)) {
-@@ -1169,6 +1252,34 @@ static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
- tevent_req_done(req);
- }
-
-+static errno_t
-+kcm_op_get_cred_by_uuid_reply(struct kcm_cred *crd,
-+ struct sss_iobuf *reply)
-+{
-+ struct sss_iobuf *cred_blob;
-+ errno_t ret;
-+
-+ cred_blob = kcm_cred_get_creds(crd);
-+ if (cred_blob == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n");
-+ return ERR_NO_CREDS;
-+ }
-+
-+ ret = sss_iobuf_write_len(reply, sss_iobuf_get_data(cred_blob),
-+ sss_iobuf_get_size(cred_blob));
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot write ccache blob [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ }
-+
-+ return ret;
-+}
-+
-+struct kcm_op_get_cred_by_uuid_state {
-+ struct kcm_op_common_state common;
-+ uuid_t uuid;
-+};
-+
- /* (name, uuid) -> (cred) */
- static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq);
-
-@@ -1179,20 +1290,51 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx,
- {
- struct tevent_req *req = NULL;
- struct tevent_req *subreq = NULL;
-- struct kcm_op_common_state *state = NULL;
-+ struct kcm_op_get_cred_by_uuid_state *state;
-+ struct kcm_cred *crd;
- errno_t ret;
- const char *name;
-
-- req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state);
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct kcm_op_get_cred_by_uuid_state);
- if (req == NULL) {
- return NULL;
- }
-- state->op_ctx = op_ctx;
-+ state->common.op_ctx = op_ctx;
-
- ret = sss_iobuf_read_stringz(op_ctx->input, &name);
- if (ret != EOK) {
- goto immediate;
- }
-+
-+ ret = sss_iobuf_read_len(state->common.op_ctx->input, UUID_BYTES,
-+ state->uuid);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot read input UUID [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto immediate;
-+ }
-+
-+ if (op_ctx->conn_data->creds != NULL) {
-+ crd = kcm_creds_lookup(op_ctx->conn_data->creds, state->uuid);
-+ if (crd == NULL) {
-+ /* This should not happen, it can only happen if wrong UUID was
-+ * requested which suggests bug in the caller application.
*/
-+ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n");
-+ kcm_debug_uuid(state->uuid);
-+ state->common.op_ret = ERR_KCM_CC_END;
-+ ret = EOK;
-+ goto immediate;
-+ } else {
-+ ret = kcm_op_get_cred_by_uuid_reply(crd, op_ctx->reply);
-+ if (ret == ERR_NO_CREDS) {
-+ state->common.op_ret = ret;
-+ ret = EOK;
-+ }
-+ goto immediate;
-+ }
-+ }
-+
- DEBUG(SSSDBG_TRACE_LIBS, "Returning creds by UUID for %s\n", name);
-
- subreq = kcm_ccdb_getbyname_send(state, ev,
-@@ -1207,7 +1349,11 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx,
- return req;
-
- immediate:
-- tevent_req_error(req, ret);
-+ if (ret == EOK) {
-+ tevent_req_done(req);
-+ } else {
-+ tevent_req_error(req, ret);
-+ }
- tevent_req_post(req, ev);
- return req;
- }
-@@ -1216,14 +1362,14 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq)
- {
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
-- struct kcm_op_common_state *state = tevent_req_data(req,
-- struct kcm_op_common_state);
-+ struct kcm_op_get_cred_by_uuid_state *state = tevent_req_data(req,
-+ struct kcm_op_get_cred_by_uuid_state);
- errno_t ret;
- struct kcm_ccache *cc;
- struct kcm_cred *crd;
-- uuid_t uuid_in;
-- uuid_t uuid;
-- struct sss_iobuf *cred_blob;
-+ struct kcm_conn_data *conn_data;
-+
-+ conn_data = state->common.op_ctx->conn_data;
-
- ret = kcm_ccdb_getbyname_recv(subreq, state, &cc);
- talloc_zfree(subreq);
-@@ -1235,67 +1381,43 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq)
- return;
- }
-
-- if (cc == NULL) {
-- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n");
-- state->op_ret = ERR_NO_MATCHING_CREDS;
-- tevent_req_done(req);
-- return;
-- }
--
-- ret = sss_iobuf_read_len(state->op_ctx->input,
-- UUID_BYTES, uuid_in);
-+ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE,
-- "Cannot read input UUID [%d]: %s\n",
-- ret,
sss_strerror(ret));
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table "
-+ "[%d]: %s\n", ret, sss_strerror(ret));
- tevent_req_error(req, ret);
- return;
- }
-
-- for (crd = kcm_cc_get_cred(cc);
-- crd != NULL;
-- crd = kcm_cc_next_cred(crd)) {
-- ret = kcm_cred_get_uuid(crd, uuid);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_MINOR_FAILURE,
-- "Cannot get UUID from creds, skipping\n");
-- continue;
-+ if (conn_data->creds != NULL) {
-+ crd = kcm_creds_lookup(conn_data->creds, state->uuid);
-+ if (crd == NULL) {
-+ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n");
-+ kcm_debug_uuid(state->uuid);
-+ state->common.op_ret = ERR_KCM_CC_END;
-+ } else {
-+ ret = kcm_op_get_cred_by_uuid_reply(crd, state->common.op_ctx->reply);
-+ if (ret != EOK && ret != ERR_NO_CREDS) {
-+ tevent_req_error(req, ret);
-+ return;
-+ }
-+ state->common.op_ret = ret;
- }
--
-- if (uuid_compare(uuid, uuid_in) == 0) {
-- break;
-- }
-- kcm_debug_uuid(uuid);
- }
-
-- if (crd == NULL) {
-- state->op_ret = ERR_KCM_CC_END;
-- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n");
-- tevent_req_done(req);
-- return;
-- }
-+ tevent_req_done(req);
-+}
-
-- cred_blob = kcm_cred_get_creds(crd);
-- if (cred_blob == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n");
-- state->op_ret = ERR_NO_CREDS;
-- tevent_req_done(req);
-- return;
-- }
-+static errno_t kcm_op_get_cred_by_uuid_recv(struct tevent_req *req,
-+ uint32_t *_op_ret)
-+{
-+ struct kcm_op_get_cred_by_uuid_state *state;
-
-- ret = sss_iobuf_write_len(state->op_ctx->reply,
-- sss_iobuf_get_data(cred_blob),
-- sss_iobuf_get_size(cred_blob));
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE,
-- "Cannot write ccache blob [%d]: %s\n",
-- ret, sss_strerror(ret));
-- tevent_req_error(req, ret);
-- return;
-- }
-+ state = tevent_req_data(req, struct kcm_op_get_cred_by_uuid_state);
-
-- state->op_ret = EOK;
-- tevent_req_done(req);
-+ TEVENT_REQ_RETURN_ON_ERROR(req);
-+ *_op_ret =
state->common.op_ret; -+ return EOK; - } - - /* (name, flags, credtag) -> () */ -@@ -1468,7 +1590,7 @@ static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq) - talloc_zfree(subreq); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -- "Cannot get ccahe by UUID [%d]: %s\n", -+ "Cannot get ccache by UUID [%d]: %s\n", - ret, sss_strerror(ret)); - tevent_req_error(req, ret); - return; -@@ -2153,7 +2275,7 @@ static struct kcm_op kcm_optable[] = { - { "RETRIEVE", NULL, NULL }, - { "GET_PRINCIPAL", kcm_op_get_principal_send, NULL }, - { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list_send, NULL }, -- { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, NULL }, -+ { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, kcm_op_get_cred_by_uuid_recv }, - { "REMOVE_CRED", kcm_op_remove_cred_send, NULL }, - { "SET_FLAGS", NULL, NULL }, - { "CHOWN", NULL, NULL }, -diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h -index 67d9f8602..ab6c13791 100644 ---- a/src/responder/kcm/kcmsrv_ops.h -+++ b/src/responder/kcm/kcmsrv_ops.h -@@ -24,6 +24,7 @@ - - #include "config.h" - -+#include - #include - #include "util/sss_iobuf.h" - #include "responder/kcm/kcmsrv_pvt.h" -@@ -32,10 +33,17 @@ struct kcm_op; - struct kcm_op *kcm_get_opt(uint16_t opcode); - const char *kcm_opt_name(struct kcm_op *op); - -+struct kcm_conn_data { -+ /* Credentials obtained by GET_CRED_UUID_LIST. We use to improve performance -+ * by avoiding ccache lookups in GET_CRED_BY_UUID. 
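Review bot: In kcm_op_get_cred_by_uuid_getbyname_done the `cc == NULL` guard is dropped, so a lookup that succeeds but finds no ccache now reaches `kcm_cc_get_cred(cc)` with a NULL pointer, and the old `ERR_NO_MATCHING_CREDS` reply is never produced. Whether kcm_cc_get_cred() and kcm_creds_to_table() tolerate NULL is not visible in this hunk. If they do, `conn_data->creds` can stay NULL, and `state->common.op_ret` is then left at whatever value the state was initialised with when `tevent_req_done(req)` runs. I would keep the explicit guard ahead of the table build so the client always gets a definite status.

```c
ret = kcm_ccdb_getbyname_recv(subreq, state, &cc);
/* … unchanged: talloc_zfree(subreq) and the ret != EOK error return … */
if (cc == NULL) {
    DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n");
    state->common.op_ret = ERR_NO_MATCHING_CREDS;
    tevent_req_done(req);
    return;
}
/* … unchanged: kcm_creds_to_table() and the UUID lookup … */
```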
*/ -+ hash_table_t *creds; -+}; -+ - struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct kcm_ops_queue_ctx *qctx, - struct kcm_resp_ctx *kcm_data, -+ struct kcm_conn_data *conn_data, - struct cli_creds *client, - struct kcm_data *input, - struct kcm_op *op); -diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c -index eb37c08b7..252ef3a1d 100644 ---- a/src/responder/secrets/local.c -+++ b/src/responder/secrets/local.c -@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, - break; - } - -- ret = sss_sec_get(state, ssec_req, &secret); -+ ret = sss_sec_get(state, ssec_req, (uint8_t**)&secret, NULL, NULL); - if (ret) goto done; - - if (body_is_json) { -@@ -168,7 +168,8 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, - } - if (ret) goto done; - -- ret = sss_sec_put(ssec_req, secret); -+ ret = sss_sec_put(ssec_req, (uint8_t *)secret, strlen(secret) + 1, -+ SSS_SEC_MASTERKEY, "simple"); - if (ret) goto done; - break; - -diff --git a/src/shared/safealign.h b/src/shared/safealign.h -index b00c37f5b..35909faa2 100644 ---- a/src/shared/safealign.h -+++ b/src/shared/safealign.h -@@ -97,6 +97,10 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) - #define SAFEALIGN_SETMEM_UINT16(dest, value, pctr) \ - SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr) - -+/* SAFEALIGN_SETMEM_UINT8(void *dest, uint8_t value, size_t *pctr) */ -+#define SAFEALIGN_SETMEM_UINT8(dest, value, pctr) \ -+ SAFEALIGN_SETMEM_VALUE(dest, value, uint8_t, pctr) -+ - /* These macros are the same as their equivalents without _CHECK suffix, - * but additionally make the caller return EINVAL immediately if *pctr - * would exceed len. 
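Review bot: The comment on `creds` in struct kcm_conn_data does not say how long cached entries remain valid, which matters because GET_CRED_BY_UUID answers from this table instead of going back to the ccache. Nothing in this hunk shows the table being dropped when a credential is removed or the ccache changes during the same connection, so that should be confirmed and written down. Suggested wording: `/* Per-connection cache of credentials keyed by UUID, used by GET_CRED_BY_UUID to avoid a ccache lookup. Entries are a snapshot; state here when the table is rebuilt or freed. */`.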
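Review bot: The `sss_sec_get()` call in local_secret_req passes `NULL` for `_secret_len` and appears to keep treating `secret` as a C string, while this same patch removes the length and NUL-termination check that local_decrypt() used to apply to decrypted data. A stored value that is not NUL-terminated would then be read past its end by the string handling that follows. I would request the length and reject unterminated data, e.g. `ret = sss_sec_get(state, ssec_req, (uint8_t **)&secret, &secret_len, NULL);` followed by `if (ret == EOK && (secret_len == 0 || secret[secret_len - 1] != '\0')) ret = EIO;`. local_secret_req starts and ends outside the hunk, so the `secret_len` local would have to be declared there.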
*/ -diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c -similarity index 71% -rename from src/tests/cmocka/test_kcm_json_marshalling.c -rename to src/tests/cmocka/test_kcm_marshalling.c -index 48ee92bd6..cebebac80 100644 ---- a/src/tests/cmocka/test_kcm_json_marshalling.c -+++ b/src/tests/cmocka/test_kcm_marshalling.c -@@ -154,7 +154,7 @@ static void assert_cc_equal(struct kcm_ccache *cc1, - assert_cc_offset_equal(cc1, cc2); - } - --static void test_kcm_ccache_marshall_unmarshall(void **state) -+static void test_kcm_ccache_marshall_unmarshall_json(void **state) - { - struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, - struct kcm_marshalling_test_ctx); -@@ -182,10 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) - &cc); - assert_int_equal(ret, EOK); - -- ret = kcm_ccache_to_sec_input(test_ctx, -- cc, -- &owner, -- &payload); -+ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); - assert_int_equal(ret, EOK); - - data = sss_iobuf_get_data(payload); -@@ -196,25 +193,19 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) - key = sec_key_create(test_ctx, name, uuid); - assert_non_null(key); - -- ret = sec_kv_to_ccache(test_ctx, -- key, -- (const char *) data, -- &owner, -- &cc2); -+ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, -+ &cc2); - assert_int_equal(ret, EOK); - - assert_cc_equal(cc, cc2); - - /* This key is exactly one byte shorter than it should be */ -- ret = sec_kv_to_ccache(test_ctx, -- TEST_UUID_STR"-", -- (const char *) data, -- &owner, -- &cc2); -+ ret = sec_kv_to_ccache_json(test_ctx, TEST_UUID_STR "-", (const char *)data, -+ &owner, &cc2); - assert_int_equal(ret, EINVAL); - } - --static void test_kcm_ccache_no_princ(void **state) -+static void test_kcm_ccache_no_princ_json(void **state) - { - struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, - struct kcm_marshalling_test_ctx); -@@ -246,10 +237,7 @@ 
static void test_kcm_ccache_no_princ(void **state) - princ = kcm_cc_get_client_principal(cc); - assert_null(princ); - -- ret = kcm_ccache_to_sec_input(test_ctx, -- cc, -- &owner, -- &payload); -+ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); - assert_int_equal(ret, EOK); - - data = sss_iobuf_get_data(payload); -@@ -260,11 +248,110 @@ static void test_kcm_ccache_no_princ(void **state) - key = sec_key_create(test_ctx, name, uuid); - assert_non_null(key); - -- ret = sec_kv_to_ccache(test_ctx, -- key, -- (const char *) data, -- &owner, -- &cc2); -+ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, -+ &cc2); -+ assert_int_equal(ret, EOK); -+ -+ assert_cc_equal(cc, cc2); -+} -+ -+static void test_kcm_ccache_marshall_unmarshall_binary(void **state) -+{ -+ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, -+ struct kcm_marshalling_test_ctx); -+ errno_t ret; -+ struct cli_creds owner; -+ struct kcm_ccache *cc; -+ struct kcm_ccache *cc2; -+ struct sss_iobuf *payload; -+ const char *name; -+ const char *key; -+ uint8_t *data; -+ uuid_t uuid; -+ -+ owner.ucred.uid = getuid(); -+ owner.ucred.gid = getuid(); -+ -+ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); -+ assert_non_null(name); -+ -+ ret = kcm_cc_new(test_ctx, -+ test_ctx->kctx, -+ &owner, -+ name, -+ test_ctx->princ, -+ &cc); -+ assert_int_equal(ret, EOK); -+ -+ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); -+ assert_int_equal(ret, EOK); -+ -+ data = sss_iobuf_get_data(payload); -+ assert_non_null(data); -+ -+ ret = kcm_cc_get_uuid(cc, uuid); -+ assert_int_equal(ret, EOK); -+ key = sec_key_create(test_ctx, name, uuid); -+ assert_non_null(key); -+ -+ sss_iobuf_cursor_reset(payload); -+ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); -+ assert_int_equal(ret, EOK); -+ -+ assert_cc_equal(cc, cc2); -+ -+ /* This key is exactly one byte shorter than it should be */ -+ sss_iobuf_cursor_reset(payload); -+ ret = 
sec_kv_to_ccache_binary(test_ctx, TEST_UUID_STR "-", payload, &owner, -+ &cc2); -+ assert_int_equal(ret, EINVAL); -+} -+ -+static void test_kcm_ccache_no_princ_binary(void **state) -+{ -+ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, -+ struct kcm_marshalling_test_ctx); -+ errno_t ret; -+ struct cli_creds owner; -+ const char *name; -+ struct kcm_ccache *cc; -+ krb5_principal princ; -+ struct kcm_ccache *cc2; -+ struct sss_iobuf *payload; -+ const char *key; -+ uint8_t *data; -+ uuid_t uuid; -+ -+ owner.ucred.uid = getuid(); -+ owner.ucred.gid = getuid(); -+ -+ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); -+ assert_non_null(name); -+ -+ ret = kcm_cc_new(test_ctx, -+ test_ctx->kctx, -+ &owner, -+ name, -+ NULL, -+ &cc); -+ assert_int_equal(ret, EOK); -+ -+ princ = kcm_cc_get_client_principal(cc); -+ assert_null(princ); -+ -+ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); -+ assert_int_equal(ret, EOK); -+ -+ data = sss_iobuf_get_data(payload); -+ assert_non_null(data); -+ -+ ret = kcm_cc_get_uuid(cc, uuid); -+ assert_int_equal(ret, EOK); -+ key = sec_key_create(test_ctx, name, uuid); -+ assert_non_null(key); -+ -+ sss_iobuf_cursor_reset(payload); -+ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); - assert_int_equal(ret, EOK); - - assert_cc_equal(cc, cc2); -@@ -340,10 +427,16 @@ int main(int argc, const char *argv[]) - }; - - const struct CMUnitTest tests[] = { -- cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall, -+ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_binary, -+ setup_kcm_marshalling, -+ teardown_kcm_marshalling), -+ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_binary, -+ setup_kcm_marshalling, -+ teardown_kcm_marshalling), -+ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, - setup_kcm_marshalling, - teardown_kcm_marshalling), -- cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ, -+ 
cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_json, - setup_kcm_marshalling, - teardown_kcm_marshalling), - cmocka_unit_test(test_sec_key_get_uuid), -diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c -index 1458238f5..31cf8b705 100644 ---- a/src/tests/cmocka/test_sss_ptr_hash.c -+++ b/src/tests/cmocka/test_sss_ptr_hash.c -@@ -91,6 +91,45 @@ void test_sss_ptr_hash_with_free_cb(void **state) - assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2); - } - -+void test_sss_ptr_hash_overwrite_with_free_cb(void **state) -+{ -+ hash_table_t *table; -+ int free_counter = 0; -+ unsigned long count; -+ char *payload; -+ char *value; -+ errno_t ret; -+ -+ table = sss_ptr_hash_create(global_talloc_context, -+ free_payload_cb, -+ &free_counter); -+ assert_non_null(table); -+ -+ payload = talloc_strdup(table, "test_value1"); -+ assert_non_null(payload); -+ talloc_set_name_const(payload, "char"); -+ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); -+ assert_int_equal(ret, 0); -+ count = hash_count(table); -+ assert_int_equal(count, 1); -+ value = sss_ptr_hash_lookup(table, "test", char); -+ assert_ptr_equal(value, payload); -+ -+ -+ payload = talloc_strdup(table, "test_value2"); -+ assert_non_null(payload); -+ talloc_set_name_const(payload, "char"); -+ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); -+ assert_int_equal(ret, 0); -+ count = hash_count(table); -+ assert_int_equal(count, 1); -+ value = sss_ptr_hash_lookup(table, "test", char); -+ assert_ptr_equal(value, payload); -+ -+ talloc_free(table); -+ assert_int_equal(free_counter, 2); -+} -+ - struct table_wrapper - { - hash_table_t **table; -diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c -index d77a972c1..d258622fb 100644 ---- a/src/tests/cmocka/test_utils.c -+++ b/src/tests/cmocka/test_utils.c -@@ -2144,6 +2144,9 @@ int main(int argc, const char *argv[]) - 
cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb, - setup_leak_tests, - teardown_leak_tests), -+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_overwrite_with_free_cb, -+ setup_leak_tests, -+ teardown_leak_tests), - cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb, - setup_leak_tests, - teardown_leak_tests), -diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h -index 44b9479f9..458bcb750 100644 ---- a/src/tests/cmocka/test_utils.h -+++ b/src/tests/cmocka/test_utils.h -@@ -35,6 +35,7 @@ void test_concatenate_string_array(void **state); - - /* from src/tests/cmocka/test_sss_ptr_hash.c */ - void test_sss_ptr_hash_with_free_cb(void **state); -+void test_sss_ptr_hash_overwrite_with_free_cb(void **state); - void test_sss_ptr_hash_with_lookup_cb(void **state); - void test_sss_ptr_hash_without_cb(void **state); - -diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py -index 00933fb34..18d722c13 100644 ---- a/src/tests/intg/test_secrets.py -+++ b/src/tests/intg/test_secrets.py -@@ -438,7 +438,8 @@ def run_quota_test(cli, max_secrets, max_payload_size): - KILOBYTE = 1024 - kb_payload_size = max_payload_size * KILOBYTE - -- sec_value = "x" * kb_payload_size -+ # Adjust payload size to hold terminal zero byte. 
-+ sec_value = "x" * (kb_payload_size - 1) - - cli.set_secret("foo", sec_value) - -diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py -index e5d315827..6f65431f8 100644 ---- a/src/tests/multihost/basic/test_kcm.py -+++ b/src/tests/multihost/basic/test_kcm.py -@@ -310,6 +310,12 @@ class TestSanityKCM(object): - set_param(multihost, 'kcm', 'max_ccache_size', '1') - self._restart_kcm(multihost) - -- with pytest.raises(paramiko.ssh_exception.AuthenticationException): -- ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, -- username='foo3', password='Secret123') -+ # We use kinit to exceed the maximum ccache size as it creates payload -+ # of 1280 bytes by acquiring tgt and also some control credentials. -+ # SSH authentication is not sufficient as it stores only tgt. -+ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, -+ username='foo3', password='Secret123') -+ (_, _, exit_status) = ssh_foo3.execute_cmd( -+ 'kinit foo3@EXAMPLE.TEST', 'Secret123' -+ ) -+ assert exit_status != 0 -diff --git a/src/util/secrets/sec_pvt.h b/src/util/secrets/sec_pvt.h -index 92e2b8b25..0e77a660e 100644 ---- a/src/util/secrets/sec_pvt.h -+++ b/src/util/secrets/sec_pvt.h -@@ -33,7 +33,7 @@ - #define SSS_SEC_KCM_BASEPATH "/kcm/" - - struct sss_sec_data { -- char *data; -+ uint8_t *data; - size_t length; - }; - -diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c -index d701face0..c6310b585 100644 ---- a/src/util/secrets/secrets.c -+++ b/src/util/secrets/secrets.c -@@ -36,9 +36,14 @@ - #define SECRETS_BASEDN "cn=secrets" - #define KCM_BASEDN "cn=kcm" - --#define LOCAL_SIMPLE_FILTER "(type=simple)" -+#define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" - #define LOCAL_CONTAINER_FILTER "(type=container)" - -+#define SEC_ATTR_SECRET "secret" -+#define SEC_ATTR_ENCTYPE "enctype" -+#define SEC_ATTR_TYPE "type" -+#define SEC_ATTR_CTIME "creationTime" -+ - typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, - const char *url, - 
uid_t client, -@@ -63,90 +68,136 @@ static struct sss_sec_quota default_kcm_quota = { - .containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, - }; - --static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, -- const char *secret, const char *enctype, -- char **plain_secret) -+static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) - { -- char *output; -+ switch (enctype) { -+ case SSS_SEC_PLAINTEXT: -+ return "plaintext"; -+ case SSS_SEC_MASTERKEY: -+ return "masterkey"; -+ default: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", -+ enctype); -+ return "unknown"; -+ } -+} - -- if (enctype && strcmp(enctype, "masterkey") == 0) { -- DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); -+static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) -+{ -+ if (strcmp("plaintext", str) == 0) { -+ return SSS_SEC_PLAINTEXT; -+ } - -- struct sss_sec_data _secret; -- size_t outlen; -- int ret; -+ if (strcmp("masterkey", str) == 0) { -+ return SSS_SEC_MASTERKEY; -+ } -+ -+ return SSS_SEC_ENCTYPE_SENTINEL; -+} - -- _secret.data = (char *)sss_base64_decode(mem_ctx, secret, -- &_secret.length); -+static int local_decrypt(struct sss_sec_ctx *sctx, -+ TALLOC_CTX *mem_ctx, -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ uint8_t **_output, -+ size_t *_output_len) -+{ -+ struct sss_sec_data _secret; -+ uint8_t *output; -+ size_t output_len; -+ int ret; -+ -+ switch (enctype) { -+ case SSS_SEC_PLAINTEXT: -+ output = talloc_memdup(mem_ctx, secret, secret_len); -+ output_len = secret_len; -+ break; -+ case SSS_SEC_MASTERKEY: -+ _secret.data = (uint8_t *)sss_base64_decode(mem_ctx, -+ (const char *)secret, -+ &_secret.length); - if (!_secret.data) { - DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n"); - return EINVAL; - } - -+ DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); - ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, -- (uint8_t *)sctx->master_key.data, -+ 
sctx->master_key.data, - sctx->master_key.length, -- (uint8_t *)_secret.data, _secret.length, -- (uint8_t **)&output, &outlen); -+ _secret.data, _secret.length, -+ &output, &output_len); - talloc_free(_secret.data); - if (ret) { - DEBUG(SSSDBG_OP_FAILURE, - "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret)); - return ret; - } -+ break; -+ default: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); -+ return EINVAL; -+ } - -- if (((strnlen(output, outlen) + 1) != outlen) || -- output[outlen - 1] != '\0') { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Output length mismatch or output not NULL-terminated\n"); -- talloc_free(output); -- return EIO; -- } -- } else { -- DEBUG(SSSDBG_TRACE_INTERNAL, "Unexpected enctype (not 'masterkey')\n"); -- output = talloc_strdup(mem_ctx, secret); -- if (!output) return ENOMEM; -+ if (output == NULL) { -+ return ENOMEM; - } - -- *plain_secret = output; -+ *_output = output; -+ *_output_len = output_len; -+ - return EOK; - } - --static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, -- const char *secret, const char *enctype, -- char **ciphertext) -+static int local_encrypt(struct sss_sec_ctx *sec_ctx, -+ TALLOC_CTX *mem_ctx, -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ uint8_t **_output, -+ size_t *_output_len) - { - struct sss_sec_data _secret; -- char *output; -+ uint8_t *output; -+ size_t output_len; -+ char *b64; - int ret; - -- if (enctype == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); -- return EINVAL; -- } -+ switch (enctype) { -+ case SSS_SEC_PLAINTEXT: -+ output = talloc_memdup(mem_ctx, secret, secret_len); -+ output_len = secret_len; -+ break; -+ case SSS_SEC_MASTERKEY: -+ ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, -+ sec_ctx->master_key.data, -+ sec_ctx->master_key.length, -+ secret, secret_len, -+ &_secret.data, &_secret.length); -+ if (ret) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sss_encrypt failed [%d]: %s\n", ret, 
sss_strerror(ret)); -+ return ret; -+ } - -- if (strcmp(enctype, "masterkey") != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype); -+ b64 = sss_base64_encode(mem_ctx, _secret.data, _secret.length); -+ output = (uint8_t*)b64; -+ output_len = strlen(b64) + 1; -+ talloc_free(_secret.data); -+ break; -+ default: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); - return EINVAL; - } - -- ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, -- (uint8_t *)sec_ctx->master_key.data, -- sec_ctx->master_key.length, -- (const uint8_t *)secret, strlen(secret) + 1, -- (uint8_t **)&_secret.data, &_secret.length); -- if (ret) { -- DEBUG(SSSDBG_OP_FAILURE, -- "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); -- return ret; -+ if (output == NULL) { -+ return ENOMEM; - } - -- output = sss_base64_encode(mem_ctx, -- (uint8_t *)_secret.data, _secret.length); -- talloc_free(_secret.data); -- if (!output) return ENOMEM; -+ *_output = output; -+ *_output_len = output_len; - -- *ciphertext = output; - return EOK; - } - -@@ -338,14 +389,14 @@ static int local_check_max_payload_size(struct sss_sec_req *req, - return EOK; - } - -- max_payload_size = req->quota->max_payload_size * 1024; /* kb */ -+ max_payload_size = req->quota->max_payload_size * 1024; /* KiB */ - if (payload_size > max_payload_size) { - DEBUG(SSSDBG_OP_FAILURE, -- "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " -- "payload size [%d kb (%d)]\n", -- payload_size * 1024, /* kb */ -+ "Secrets' payload size [%d KiB (%d B)] exceeds the maximum " -+ "allowed payload size [%d KiB (%d B)]\n", -+ payload_size / 1024, /* KiB */ - payload_size, -- req->quota->max_payload_size, /* kb */ -+ req->quota->max_payload_size, /* KiB */ - max_payload_size); - - return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; -@@ -404,7 +455,7 @@ static int local_db_create(struct sss_sec_req *req) - ret = local_db_check_containers_nest_level(req, msg->dn); - if (ret != EOK) goto done; - -- ret = 
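Review bot: In the SSS_SEC_MASTERKEY branch of local_encrypt(), `strlen(b64)` runs before anything checks the result of `sss_base64_encode()`, so an allocation failure there dereferences NULL instead of reaching the `output == NULL` test below the switch. The code being replaced returned ENOMEM directly after the encode call. Free the ciphertext first and test the pointer before measuring it: `talloc_free(_secret.data);` then `if (b64 == NULL) { return ENOMEM; }`, both ahead of `output_len = strlen(b64) + 1;`.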
ldb_msg_add_string(msg, "type", "container"); -+ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, "container"); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ldb_msg_add_string failed adding type:container [%d]: %s\n", -@@ -412,7 +463,7 @@ static int local_db_create(struct sss_sec_req *req) - goto done; - } - -- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); -+ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ldb_msg_add_string failed adding creationTime [%d]: %s\n", -@@ -892,7 +943,7 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, - size_t *_num_keys) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = { "secret", NULL }; -+ static const char *attrs[] = { SEC_ATTR_SECRET, NULL }; - struct ldb_result *res; - char **keys; - int ret; -@@ -951,13 +1002,21 @@ done: - - errno_t sss_sec_get(TALLOC_CTX *mem_ctx, - struct sss_sec_req *req, -- char **_secret) -+ uint8_t **_secret, -+ size_t *_secret_len, -+ char **_datatype) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = { "secret", "enctype", NULL }; -+ static const char *attrs[] = { SEC_ATTR_SECRET, SEC_ATTR_ENCTYPE, -+ SEC_ATTR_TYPE, NULL }; - struct ldb_result *res; -- const char *attr_secret; -+ const struct ldb_val *attr_secret; - const char *attr_enctype; -+ const char *attr_datatype; -+ enum sss_sec_enctype enctype; -+ char *datatype; -+ uint8_t *secret; -+ size_t secret_len; - int ret; - - if (req == NULL || _secret == NULL) { -@@ -996,21 +1055,38 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, - goto done; - } - -- attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL); -+ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], SEC_ATTR_SECRET); - if (!attr_secret) { - DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); - ret = ENOENT; - goto done; - } - -- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); -+ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], 
SEC_ATTR_ENCTYPE, -+ "plaintext"); -+ enctype = sss_sec_str_to_enctype(attr_enctype); -+ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, -+ attr_secret->length, enctype, &secret, &secret_len); -+ if (ret) goto done; - -- if (attr_enctype) { -- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, attr_enctype, _secret); -- if (ret) goto done; -- } else { -- *_secret = talloc_strdup(mem_ctx, attr_secret); -+ if (_datatype != NULL) { -+ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_TYPE, -+ "simple"); -+ datatype = talloc_strdup(tmp_ctx, attr_datatype); -+ if (datatype == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ *_datatype = talloc_steal(mem_ctx, datatype); - } -+ -+ *_secret = talloc_steal(mem_ctx, secret); -+ -+ if (_secret_len) { -+ *_secret_len = secret_len; -+ } -+ - ret = EOK; - - done: -@@ -1019,11 +1095,13 @@ done: - } - - errno_t sss_sec_put(struct sss_sec_req *req, -- const char *secret) -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ const char *datatype) - { - struct ldb_message *msg; -- const char *enctype = "masterkey"; -- char *enc_secret; -+ struct ldb_val enc_secret; - int ret; - - if (req == NULL || secret == NULL) { -@@ -1064,7 +1142,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- ret = local_check_max_payload_size(req, strlen(secret)); -+ ret = local_check_max_payload_size(req, secret_len); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "local_check_max_payload_size failed [%d]: %s\n", -@@ -1072,22 +1150,24 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); -+ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, -+ &enc_secret.data, &enc_secret.length); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); - goto done; - } - -- ret = ldb_msg_add_string(msg, "type", "simple"); -+ ret = 
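Review bot: sss_sec_put() gains a `datatype` argument, but the entry guard still tests only `req == NULL || secret == NULL`, and a later hunk passes `datatype` straight to `ldb_msg_add_string()` and to a `%s` in DEBUG. The same applies to sss_sec_update() in its signature hunk. Extending the guard to `if (req == NULL || secret == NULL || datatype == NULL) {` keeps a NULL from a caller out of the ldb call. Since `enctype` is now caller-supplied as well, a one-line comment on the prototype stating that SSS_SEC_PLAINTEXT stores the value unencrypted would help whoever reviews new call sites.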
ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -- "ldb_msg_add_string failed adding type:simple [%d]: %s\n", -- ret, sss_strerror(ret)); -+ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", -+ datatype, ret, sss_strerror(ret)); - goto done; - } - -- ret = ldb_msg_add_string(msg, "enctype", enctype); -+ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, -+ sss_sec_enctype_to_str(enctype)); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ldb_msg_add_string failed adding enctype [%d]: %s\n", -@@ -1095,7 +1175,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- ret = ldb_msg_add_string(msg, "secret", enc_secret); -+ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ldb_msg_add_string failed adding secret [%d]: %s\n", -@@ -1103,7 +1183,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); -+ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ldb_msg_add_string failed adding creationTime [%d]: %s\n", -@@ -1132,11 +1212,13 @@ done: - } - - errno_t sss_sec_update(struct sss_sec_req *req, -- const char *secret) -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ const char *datatype) - { - struct ldb_message *msg; -- const char *enctype = "masterkey"; -- char *enc_secret; -+ struct ldb_val enc_secret; - int ret; - - if (req == NULL || secret == NULL) { -@@ -1177,7 +1259,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -- ret = local_check_max_payload_size(req, strlen(secret)); -+ ret = local_check_max_payload_size(req, secret_len); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "local_check_max_payload_size failed [%d]: %s\n", -@@ -1185,15 +1267,49 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -- ret = 
local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); -+ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, -+ &enc_secret.data, &enc_secret.length); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); - goto done; - } - -+ ret = ldb_msg_add_empty(msg, SEC_ATTR_ENCTYPE, LDB_FLAG_MOD_REPLACE, NULL); -+ if (ret != LDB_SUCCESS) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); -+ ret = EIO; -+ goto done; -+ } -+ -+ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, -+ sss_sec_enctype_to_str(enctype)); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "ldb_msg_add_string failed adding enctype [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ ret = ldb_msg_add_empty(msg, SEC_ATTR_TYPE, LDB_FLAG_MOD_REPLACE, NULL); -+ if (ret != LDB_SUCCESS) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); -+ ret = EIO; -+ goto done; -+ } -+ -+ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", -+ datatype, ret, sss_strerror(ret)); -+ goto done; -+ } -+ - /* FIXME - should we have a lastUpdate timestamp? 
*/ -- ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); -+ ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, - "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); -@@ -1201,7 +1317,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -- ret = ldb_msg_add_string(msg, "secret", enc_secret); -+ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, - "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); -diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h -index 9cf397516..f79bfaa4b 100644 ---- a/src/util/secrets/secrets.h -+++ b/src/util/secrets/secrets.h -@@ -43,6 +43,12 @@ - #define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64 - #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536 - -+enum sss_sec_enctype { -+ SSS_SEC_PLAINTEXT, -+ SSS_SEC_MASTERKEY, -+ SSS_SEC_ENCTYPE_SENTINEL -+}; -+ - struct sss_sec_ctx; - - struct sss_sec_req; -@@ -88,13 +94,21 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, - - errno_t sss_sec_get(TALLOC_CTX *mem_ctx, - struct sss_sec_req *req, -- char **_secret); -+ uint8_t **_secret, -+ size_t *_secret_len, -+ char **_datatype); - - errno_t sss_sec_put(struct sss_sec_req *req, -- const char *secret); -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ const char *datatype); - - errno_t sss_sec_update(struct sss_sec_req *req, -- const char *secret); -+ uint8_t *secret, -+ size_t secret_len, -+ enum sss_sec_enctype enctype, -+ const char *datatype); - - errno_t sss_sec_create_container(struct sss_sec_req *req); - -diff --git a/src/util/sss_iobuf.c b/src/util/sss_iobuf.c -index 518713e4c..3056a7b0d 100644 ---- a/src/util/sss_iobuf.c -+++ b/src/util/sss_iobuf.c -@@ -66,6 +66,30 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, - return iobuf; - } - -+struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, -+ 
uint8_t *data, -+ size_t size) -+{ -+ struct sss_iobuf *iobuf; -+ -+ iobuf = talloc_zero(mem_ctx, struct sss_iobuf); -+ if (iobuf == NULL) { -+ return NULL; -+ } -+ -+ iobuf->data = talloc_steal(iobuf, data); -+ iobuf->size = size; -+ iobuf->capacity = size; -+ iobuf->dp = 0; -+ -+ return iobuf; -+} -+ -+void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf) -+{ -+ iobuf->dp = 0; -+} -+ - size_t sss_iobuf_get_len(struct sss_iobuf *iobuf) - { - if (iobuf == NULL) { -@@ -223,6 +247,109 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, - return EOK; - } - -+errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, -+ struct sss_iobuf *iobuf, -+ uint8_t **_out, -+ size_t *_len) -+{ -+ uint8_t *out; -+ uint32_t len; -+ size_t slen; -+ errno_t ret; -+ -+ if (iobuf == NULL || _out == NULL || _len == NULL) { -+ return EINVAL; -+ } -+ -+ ret = sss_iobuf_read_uint32(iobuf, &len); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ if (len == 0) { -+ *_out = NULL; -+ *_len = 0; -+ return EOK; -+ } -+ -+ out = talloc_array(mem_ctx, uint8_t, len); -+ if (out == NULL) { -+ return ENOMEM; -+ } -+ -+ slen = len; -+ ret = sss_iobuf_read_len(iobuf, slen, out); -+ if (ret != EOK) { -+ talloc_free(out); -+ return ret; -+ } -+ -+ *_out = out; -+ *_len = slen; -+ -+ return EOK; -+} -+ -+errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, -+ uint8_t *data, -+ size_t len) -+{ -+ errno_t ret; -+ -+ if (iobuf == NULL || (data == NULL && len != 0)) { -+ return EINVAL; -+ } -+ -+ ret = sss_iobuf_write_uint32(iobuf, len); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ if (len == 0) { -+ return EOK; -+ } -+ -+ return sss_iobuf_write_len(iobuf, data, len); -+} -+ -+errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, -+ struct sss_iobuf *iobuf, -+ struct sss_iobuf **_out) -+{ -+ struct sss_iobuf *out; -+ uint8_t *data; -+ size_t len; -+ errno_t ret; -+ -+ ret = sss_iobuf_read_varlen(NULL, iobuf, &data, &len); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ out = sss_iobuf_init_steal(mem_ctx, data, len); 
-+ if (out == NULL) { -+ return ENOMEM; -+ } -+ -+ *_out = out; -+ -+ return EOK; -+} -+ -+errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, -+ struct sss_iobuf *data) -+{ -+ return sss_iobuf_write_varlen(iobuf, data->data, data->size); -+} -+ -+errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, -+ uint8_t *_val) -+{ -+ SAFEALIGN_COPY_UINT8_CHECK(_val, iobuf_ptr(iobuf), -+ iobuf->capacity, &iobuf->dp); -+ return EOK; -+} -+ - errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, - uint32_t *_val) - { -@@ -239,6 +366,20 @@ errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf, - return EOK; - } - -+errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, -+ uint8_t val) -+{ -+ errno_t ret; -+ -+ ret = ensure_bytes(iobuf, sizeof(uint8_t)); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ SAFEALIGN_SETMEM_UINT8(iobuf_ptr(iobuf), val, &iobuf->dp); -+ return EOK; -+} -+ - errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf, - uint32_t val) - { -diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h -index cc3dfd1e9..159fbc0b9 100644 ---- a/src/util/sss_iobuf.h -+++ b/src/util/sss_iobuf.h -@@ -50,6 +50,29 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, - const uint8_t *data, - size_t size); - -+/* -+ * @brief Allocate an IO buffer with a fixed size, stealing input data. -+ * -+ * This function is useful for parsing an input buffer from an existing -+ * buffer pointed to by data. -+ * -+ * The iobuf assumes ownership of the data buffer. -+ * -+ * @param[in] mem_ctx The talloc context that owns the iobuf -+ * @param[in] data The data to initialize the IO buffer with. -+ * @param[in] size The size of the data buffer -+ * -+ * @return The newly created buffer on success or NULL on an error. 
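Review bot: sss_iobuf_read_varlen() allocates `len` bytes, a value read from the buffer itself, before checking that this many bytes remain, so a corrupted length prefix can trigger an allocation of up to 4 GiB that is only released once sss_iobuf_read_len() fails. A bound in the style sss_iobuf_read_uint8() already uses would reject it earlier, for example `if (len > iobuf->capacity - iobuf->dp) { return EINVAL; }` before `talloc_array()`, assuming `dp` never exceeds `capacity`. Separately, sss_iobuf_read_iobuf() reads `data` on the NULL talloc context and leaks it when sss_iobuf_init_steal() fails; add `talloc_free(data);` before `return ENOMEM;`.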
-+ */
-+struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx,
-+ uint8_t *data,
-+ size_t size);
-+
-+/*
-+ * @brief Reset internal cursor of the IO buffer (seek to the start)
-+ */
-+void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf);
-+
- /*
- * @brief Returns the number of bytes currently stored in the iobuf
- *
-@@ -131,6 +154,28 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf,
- uint8_t *buf,
- size_t len);
-
-+errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx,
-+ struct sss_iobuf *iobuf,
-+ uint8_t **_out,
-+ size_t *_len);
-+
-+errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf,
-+ uint8_t *data,
-+ size_t len);
-+
-+errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx,
-+ struct sss_iobuf *iobuf,
-+ struct sss_iobuf **_out);
-+
-+errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf,
-+ struct sss_iobuf *data);
-+
-+errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf,
-+ uint8_t *_val);
-+
-+errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf,
-+ uint8_t val);
-+
- errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf,
- uint32_t *_val);
-
-@@ -148,4 +193,5 @@ errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf,
-
- errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf,
- const char *str);
-+
- #endif /* __SSS_IOBUF_H_ */
-diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
-index 6409236c7..e3805dac4 100644
---- a/src/util/sss_ptr_hash.c
-+++ b/src/util/sss_ptr_hash.c
-@@ -54,6 +54,7 @@ struct sss_ptr_hash_value {
- hash_table_t *table;
- const char *key;
- void *payload;
-+ bool delete_in_progress;
- };
-
- static int
-@@ -61,12 +62,22 @@ sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value)
- {
- hash_key_t table_key;
-
-+ /* Do not call hash_delete() if we got here from hash delete callback when
-+ * the callback calls talloc_free(payload) which frees the value. This
-+ * should not happen since talloc will avoid circular free but let's be
-+ * over protective here.
*/
-+ if (value->delete_in_progress) {
-+ return 0;
-+ }
-+
-+ value->delete_in_progress = true;
- if (value->table && value->key) {
- table_key.type = HASH_KEY_STRING;
- table_key.str = discard_const_p(char, value->key);
- if (hash_delete(value->table, &table_key) != HASH_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "failed to delete entry with key '%s'\n", value->key);
-+ value->delete_in_progress = false;
- }
- }
-
-@@ -127,6 +138,15 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
- callback_entry.key = item->key;
- callback_entry.value.type = HASH_VALUE_PTR;
- callback_entry.value.ptr = value->payload;
-+
-+ /* Delete the value in case this callback has been called directly
-+ * from dhash (overwriting existing entry) instead of hash_delete()
-+ * in value's destructor. */
-+ if (!value->delete_in_progress) {
-+ talloc_set_destructor(value, NULL);
-+ talloc_free(value);
-+ }
-+
- /* Even if execution is already in the context of
- * talloc_free(payload) -> talloc_free(value) -> ...
- * there still might be legitimate reasons to execute callback.
---
-2.21.3
-
diff --git a/SOURCES/0002-po-update-translations.patch b/SOURCES/0002-po-update-translations.patch
new file mode 100644
index 0000000..90f5c86
--- /dev/null
+++ b/SOURCES/0002-po-update-translations.patch
@@ -0,0 +1,10871 @@ +From 861e226b5f8588d491a20b14aa9536f63746a723 Mon Sep 17 00:00:00 2001 +From: Weblate +Date: Tue, 20 Jul 2021 09:04:36 +0200 +Subject: [PATCH] po: update translations + +(Russian) currently translated at 47.2% (1333 of 2821 strings) +Translation: SSSD/sssd-manpage +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/ + +po: update translations + +(Japanese) currently translated at 36.5% (1030 of 2821 strings) +Translation: SSSD/sssd-manpage +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ja/ + +po: update translations + +(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (730 of 730 strings) +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ + +po: update translations + +(French) currently translated at 100.0% (730 of 730 strings) +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ + +po: update translations + +(Japanese) currently translated at 100.0% (730 of 730 strings) +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ + +po: update translations + +(Japanese) currently translated at 100.0% (730 of 730 strings) +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ + +po: update translations + +(Korean) currently translated at 3.5% (26 of 730 strings) +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ + +po: update translations + +(Ukrainian) currently translated at 100.0% (2821 of 2821 strings) +Translation: SSSD/sssd-manpage +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ + +po: update translations + +(Russian) currently translated at 41.1% (1160 of 2821 strings) +Translation: SSSD/sssd-manpage +Translate-URL: 
https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/ + +Added translation using Weblate (Korean) + +po: update translations + +(Ukrainian) currently translated at 99.8% (2816 of 2821 strings) +Translation: SSSD/sssd-manpage +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ +--- + po/LINGUAS | 1 + + po/fr.po | 64 +- + po/ja.po | 55 +- + po/ko.po | 3230 ++++++++++++++++++++++++++++++++++++++++++++++ + po/zh_CN.po | 75 +- + src/man/po/ja.po | 35 +- + src/man/po/ru.po | 1922 +++++++++++++++++++++------ + src/man/po/uk.po | 69 +- + 8 files changed, 4888 insertions(+), 563 deletions(-) + create mode 100644 po/ko.po + +diff --git a/po/LINGUAS b/po/LINGUAS +index 6b7728d4c..3defbc44a 100644 +--- a/po/LINGUAS ++++ b/po/LINGUAS +@@ -23,3 +23,4 @@ uk + zh_CN + zh_TW + ++ko +diff --git a/po/fr.po b/po/fr.po +index dfe73dbd4..b8a821f14 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -17,7 +17,7 @@ msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" + "POT-Creation-Date: 2021-07-12 20:53+0200\n" +-"PO-Revision-Date: 2021-03-18 10:39+0000\n" ++"PO-Revision-Date: 2021-07-20 07:04+0000\n" + "Last-Translator: Sundeep Anand \n" + "Language-Team: French \n" +@@ -26,7 +26,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=2; plural=n > 1;\n" +-"X-Generator: Weblate 4.5.1\n" ++"X-Generator: Weblate 4.7.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -44,7 +44,7 @@ msgstr "" + + #: src/config/SSSDConfig/sssdoptions.py:24 + msgid "Enable/disable debug backtrace" +-msgstr "" ++msgstr "Activer/Désactiver Backtrace débogage" + + #: src/config/SSSDConfig/sssdoptions.py:25 + msgid "Watchdog timeout before restarting service" +@@ -353,15 +353,15 @@ msgstr "Liste des uid ou noms d'utilisateurs dignes de confiance" + msgid "List of domains accessible even 
for untrusted users." + msgstr "" + "Liste des domaines accessibles y compris par les utilisateurs non dignes de " +-"confiance" ++"confiance." + + #: src/config/SSSDConfig/sssdoptions.py:97 + msgid "Message printed when user account is expired." +-msgstr "Message affiché lorsque le compte a expiré" ++msgstr "Message affiché lorsque le compte a expiré." + + #: src/config/SSSDConfig/sssdoptions.py:98 + msgid "Message printed when user account is locked." +-msgstr "Message affiché lorsque le compte a expiré" ++msgstr "Message affiché lorsque le compte a expiré." + + #: src/config/SSSDConfig/sssdoptions.py:99 + msgid "Allow certificate based/Smartcard authentication." +@@ -373,9 +373,8 @@ msgstr "" + "Chemin d'accès à la base de données des certificats des modules PKCS#11." + + #: src/config/SSSDConfig/sssdoptions.py:101 +-#, fuzzy + msgid "Tune certificate verification for PAM authentication." +-msgstr "Régler la vérification du certificat" ++msgstr "Régler la vérification du certificat d’authentification PAM." + + #: src/config/SSSDConfig/sssdoptions.py:102 + msgid "How many seconds will pam_sss wait for p11_child to finish" +@@ -420,6 +419,8 @@ msgid "" + "List of pairs : that must be enforced " + "for PAM access with GSSAPI authentication" + msgstr "" ++"Liste des paires : qui doivent être " ++"appliquées pour l'accès PAM avec authentification GSSAPI" + + #: src/config/SSSDConfig/sssdoptions.py:114 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -689,7 +690,7 @@ msgstr "Afficher les utilisateurs/groupes dans un format complétement qualifié + + #: src/config/SSSDConfig/sssdoptions.py:194 + msgid "Don't include group members in group lookups" +-msgstr "Ne pas inclure les membres des groupes dans les recherches de groupes." 
++msgstr "Ne pas inclure les membres des groupes dans les recherches de groupes" + + #: src/config/SSSDConfig/sssdoptions.py:195 + #: src/config/SSSDConfig/sssdoptions.py:205 +@@ -935,7 +936,7 @@ msgstr "Classe d'objet surchargeant les objets" + + #: src/config/SSSDConfig/sssdoptions.py:259 + msgid "Attribute with the reference to the original object" +-msgstr "Attribut faisant référence à l'objet originel " ++msgstr "Attribut faisant référence à l'objet originel" + + #: src/config/SSSDConfig/sssdoptions.py:260 + msgid "Objectclass for user override objects" +@@ -1481,7 +1482,7 @@ msgstr "Désactiver le contrôle des pages LDAP" + + #: src/config/SSSDConfig/sssdoptions.py:405 + msgid "Disable Active Directory range retrieval" +-msgstr "Désactiver la récupération de plage Active Directory." ++msgstr "Désactiver la récupération de plage Active Directory" + + #: src/config/SSSDConfig/sssdoptions.py:408 + msgid "Length of time to wait for a search request" +@@ -1511,7 +1512,7 @@ msgstr "" + + #: src/config/SSSDConfig/sssdoptions.py:414 + msgid "Base DN for user lookups" +-msgstr "Base DN pour les recherches d'utilisateurs" ++msgstr "Base DN pour les recherches d'utilisateurs" + + #: src/config/SSSDConfig/sssdoptions.py:415 + msgid "Scope of user lookups" +@@ -1877,7 +1878,7 @@ msgstr "Périodicité de rafraichissement intelligent" + + #: src/config/SSSDConfig/sssdoptions.py:518 + msgid "Smart and full refresh random offset" +-msgstr "" ++msgstr "Décalage aléatoire Smart ou de Rafraîchissement total" + + #: src/config/SSSDConfig/sssdoptions.py:519 + msgid "Whether to filter rules by hostname, IP addresses and network" +@@ -2152,15 +2153,15 @@ msgstr "Afficher le numéro de version et quitte" + + #: src/monitor/monitor.c:2461 + msgid "Option -i|--interactive is not allowed together with -D|--daemon\n" +-msgstr "" ++msgstr "Option -i|--interactive non authorisée avec -D|--daemon\n" + + #: src/monitor/monitor.c:2467 + msgid "Option -g is incompatible with -D or -i\n" +-msgstr 
"" ++msgstr "Option -g incompatible avec -D ou -i\n" + + #: src/monitor/monitor.c:2480 + msgid "Running under %" +-msgstr "" ++msgstr "En cours d’exécution sous %" + + #: src/monitor/monitor.c:2562 + msgid "SSSD is already running\n" +@@ -2196,7 +2197,7 @@ msgstr "Options FAST ('never', 'try', 'demand')" + + #: src/providers/krb5/krb5_child.c:3343 + msgid "Specifies the server principal to use for FAST" +-msgstr "Spécifie le principal de serveur afin d'utiliser FAST." ++msgstr "Spécifie le principal de serveur afin d'utiliser FAST" + + #: src/providers/krb5/krb5_child.c:3345 + msgid "Requests canonicalization of the principal name" +@@ -2207,13 +2208,12 @@ msgid "Use custom version of krb5_get_init_creds_password" + msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password" + + #: src/providers/krb5/krb5_child.c:3375 src/providers/ldap/ldap_child.c:663 +-#, fuzzy + msgid "talloc_asprintf failed.\n" +-msgstr "malloc a échoué.\n" ++msgstr "Échec de talloc_asprintf.\n" + + #: src/providers/krb5/krb5_child.c:3385 src/providers/ldap/ldap_child.c:672 + msgid "set_debug_file_from_fd failed.\n" +-msgstr "" ++msgstr "Échec de set_debug_file_from_fd.\n" + + #: src/providers/data_provider_be.c:733 + msgid "Domain of the information provider (mandatory)" +@@ -2255,7 +2255,7 @@ msgstr "Erreur inattendue lors de la recherche de la description de l'erreur" + + #: src/sss_client/pam_sss.c:68 + msgid "Permission denied. " +-msgstr "Accès refusé." ++msgstr "Accès refusé. " + + #: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 + #: src/sss_client/pam_sss.c:796 +@@ -2277,7 +2277,7 @@ msgstr "Authentifié avec les crédits mis en cache" + + #: src/sss_client/pam_sss.c:533 + msgid ", your cached password will expire at: " +-msgstr ", votre mot de passe en cache expirera à :" ++msgstr ", votre mot de passe en cache expirera à : " + + #: src/sss_client/pam_sss.c:563 + #, c-format +@@ -2292,7 +2292,7 @@ msgstr "Votre mot de passe expirera dans %1$d %2$s." 
+ + #: src/sss_client/pam_sss.c:658 + msgid "Authentication is denied until: " +-msgstr "L'authentification est refusée jusque :" ++msgstr "L'authentification est refusée jusque : " + + #: src/sss_client/pam_sss.c:679 + msgid "System is offline, password change not possible" +@@ -2309,7 +2309,7 @@ msgstr "" + + #: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 + msgid "Password change failed. " +-msgstr "Échec du changement de mot de passe." ++msgstr "Échec du changement de mot de passe. " + + #: src/sss_client/pam_sss.c:2045 + msgid "New Password: " +@@ -2321,7 +2321,7 @@ msgstr "Retaper le nouveau mot de passe : " + + #: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2211 + msgid "First Factor: " +-msgstr "Premier facteur :" ++msgstr "Premier facteur : " + + #: src/sss_client/pam_sss.c:2209 src/sss_client/pam_sss.c:2383 + msgid "Second Factor (optional): " +@@ -2329,7 +2329,7 @@ msgstr "Deuxième facteur (facultatif) : " + + #: src/sss_client/pam_sss.c:2212 src/sss_client/pam_sss.c:2386 + msgid "Second Factor: " +-msgstr "Second facteur :" ++msgstr "Second facteur : " + + #: src/sss_client/pam_sss.c:2230 + msgid "Password: " +@@ -2662,7 +2662,7 @@ msgstr "Erreur de transaction. Impossible de modifier le groupe.\n" + + #: src/tools/sss_groupshow.c:616 + msgid "Magic Private " +-msgstr "Magie privée" ++msgstr "Magie privée " + + #: src/tools/sss_groupshow.c:615 + #, c-format +@@ -2677,7 +2677,7 @@ msgstr "%1$s GID numéro : %2$d\n" + #: src/tools/sss_groupshow.c:620 + #, c-format + msgid "%1$sMember users: " +-msgstr "Utilisateurs membres de %1$s :" ++msgstr "Utilisateurs membres de %1$s : " + + #: src/tools/sss_groupshow.c:627 + #, c-format +@@ -2826,12 +2826,12 @@ msgid "" + "multi-valued attributes, the command replaces the values already present" + msgstr "" + "Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour " +-"les attributs multi-valués, la commande remplace les valeurs déjà présentes." 
++"les attributs multi-valués, la commande remplace les valeurs déjà présentes" + + #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 + #: src/tools/sss_usermod.c:135 + msgid "Specify the attribute name/value pair(s)\n" +-msgstr "Indiquer les paires nom d'attributs et valeurs.\n" ++msgstr "Indiquer les paires nom d'attributs et valeurs\n" + + #: src/tools/sss_usermod.c:152 + msgid "Specify user to modify\n" +@@ -3003,7 +3003,7 @@ msgstr "Impossible de lire l'entrée de l'utilisateur\n" + #: src/tools/sssctl/sssctl.c:91 + #, c-format + msgid "Invalid input, please provide either '%s' or '%s'.\n" +-msgstr "Entrée non valable, veuillez fournir %s ou %s\n" ++msgstr "Entrée non valable, veuillez fournir %s ou %s.\n" + + #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 + msgid "Error while executing external command\n" +@@ -3149,7 +3149,7 @@ msgstr "Fichiers de configuration utilisés : %zu\n" + #: src/tools/sssctl/sssctl_data.c:89 + #, c-format + msgid "Unable to create backup directory [%d]: %s" +-msgstr "Impossible de créer le répertoire de sauvegarde [%d]: %s" ++msgstr "Impossible de créer le répertoire de sauvegarde [%d]: %s" + + #: src/tools/sssctl/sssctl_data.c:95 + msgid "SSSD backup of local data already exists, override?" +diff --git a/po/ja.po b/po/ja.po +index 598c3f915..27f88fe52 100644 +--- a/po/ja.po ++++ b/po/ja.po +@@ -6,7 +6,7 @@ + # Tomoyuki KATO , 2012-2013 + # Noriko Mizumoto , 2016. #zanata + # Keiko Moriguchi , 2019. #zanata +-# Ludek Janda , 2020. #zanata ++# Ludek Janda , 2020. #zanata, 2021. + # Pavel Brezina , 2020. #zanata + # Sundeep Anand , 2021. 
+ msgid "" +@@ -14,7 +14,7 @@ msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" + "POT-Creation-Date: 2021-07-12 20:53+0200\n" +-"PO-Revision-Date: 2021-03-18 10:39+0000\n" ++"PO-Revision-Date: 2021-07-19 07:07+0000\n" + "Last-Translator: Sundeep Anand \n" + "Language-Team: Japanese \n" +@@ -23,7 +23,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Weblate 4.5.1\n" ++"X-Generator: Weblate 4.7.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -40,7 +40,7 @@ msgstr "デバッグログにミリ秒単位のタイムスタンプを含める + + #: src/config/SSSDConfig/sssdoptions.py:24 + msgid "Enable/disable debug backtrace" +-msgstr "" ++msgstr "デバッグバックトレースの有効化/無効化" + + #: src/config/SSSDConfig/sssdoptions.py:25 + msgid "Watchdog timeout before restarting service" +@@ -150,9 +150,7 @@ msgstr "検索するドメインの特定の順番" + msgid "" + "Controls if SSSD should monitor the state of resolv.conf to identify when it " + "needs to update its internal DNS resolver." +-msgstr "" +-"内部 DNS リゾルバーを更新する必要があるときを判断するために SSSD が resolv." +-"conf の状態を監視するかどうかを制御します。" ++msgstr "内部 DNS リゾルバーを更新する必要があるときを判断するために SSSD が resolv.conf の状態を監視するかどうかを制御します。" + + #: src/config/SSSDConfig/sssdoptions.py:54 + msgid "" +@@ -342,9 +340,8 @@ msgid "Path to certificate database with PKCS#11 modules." + msgstr "PKCS#11 モジュールでの証明書データベースへのパス。" + + #: src/config/SSSDConfig/sssdoptions.py:101 +-#, fuzzy + msgid "Tune certificate verification for PAM authentication." 
+-msgstr "証明書検証の調整" ++msgstr "PAM 認証の証明書検証の調整。" + + #: src/config/SSSDConfig/sssdoptions.py:102 + msgid "How many seconds will pam_sss wait for p11_child to finish" +@@ -384,6 +381,7 @@ msgid "" + "List of pairs : that must be enforced " + "for PAM access with GSSAPI authentication" + msgstr "" ++"GSSAPI 認証で PAM アクセスを強制する必要があるペア : のリスト" + + #: src/config/SSSDConfig/sssdoptions.py:114 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -539,9 +537,8 @@ msgid "" + "Matches user names as returned by NSS. I.e. after the possible space " + "replacement, case changes, etc." + msgstr "" +-"セッション記録を有効にしておくべきユーザーのカンマ区切りのリストです。NSS が" +-"返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更など" +-"の可能性がある場合には、その後になります。" ++"セッション記録を有効にしておくべきユーザーのカンマ区切りのリストです。NSS " ++"が返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" + + #: src/config/SSSDConfig/sssdoptions.py:167 + msgid "" +@@ -549,9 +546,8 @@ msgid "" + "recording enabled. Matches group names as returned by NSS. I.e. after the " + "possible space replacement, case changes, etc." + msgstr "" +-"セッション記録を有効にしておくべきユーザーのグループごとのカンマ区切りのリス" +-"トです。NSS が返すグループ名にマッチします。つまり、スペースの置換、大文字小" +-"文字の変更などの可能性がある場合には、その後になります。" ++"セッション記録を有効にしておくべきユーザーのグループごとのカンマ区切りのリストです。NSS " ++"が返すグループ名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" + + #: src/config/SSSDConfig/sssdoptions.py:170 + msgid "" +@@ -771,9 +767,7 @@ msgstr "" + msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." +-msgstr "" +-"リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何" +-"秒キャッシュするか。" ++msgstr "リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何秒キャッシュするか。" + + #: src/config/SSSDConfig/sssdoptions.py:233 + msgid "" +@@ -781,9 +775,8 @@ msgid "" + "this value determines the minimal length the first authentication factor " + "(long term password) must have to be saved as SHA512 hash into the cache." 
+ msgstr "" +-"2-Factor-Authentication (2FA) が使用され、認証情報を保存する必要がある場合、" +-"この値は、最初の認証要素 (長期パスワード) を SHA512 ハッシュとしてキャッシュ" +-"に保存する必要がある最小の長さを決定します。" ++"2-Factor-Authentication (2FA) が使用され、認証情報を保存する必要がある場合、この値は、最初の認証要素 (長期パスワード) " ++"を SHA512 ハッシュとしてキャッシュに保存する必要がある最小の長さを決定します。" + + #: src/config/SSSDConfig/sssdoptions.py:239 + msgid "IPA domain" +@@ -1347,9 +1340,7 @@ msgstr "" + msgid "" + "Allows to retain local users as members of an LDAP group for servers that " + "use the RFC2307 schema." +-msgstr "" +-"RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカル" +-"ユーザーを保持することができます。" ++msgstr "RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカルユーザーを保持することができます。" + + #: src/config/SSSDConfig/sssdoptions.py:398 + msgid "entryUSN attribute" +@@ -1752,7 +1743,7 @@ msgstr "自動的なスマート更新間隔" + + #: src/config/SSSDConfig/sssdoptions.py:518 + msgid "Smart and full refresh random offset" +-msgstr "" ++msgstr "スマートおよびフル更新ランダムオフセット" + + #: src/config/SSSDConfig/sssdoptions.py:519 + msgid "Whether to filter rules by hostname, IP addresses and network" +@@ -2017,15 +2008,15 @@ msgstr "バージョン番号を表示して終了する" + + #: src/monitor/monitor.c:2461 + msgid "Option -i|--interactive is not allowed together with -D|--daemon\n" +-msgstr "" ++msgstr "Option -i|--interactive iは、 -D|--daemon とは使用できません\n" + + #: src/monitor/monitor.c:2467 + msgid "Option -g is incompatible with -D or -i\n" +-msgstr "" ++msgstr "Option -g は -D または -i と互換性がありません\n" + + #: src/monitor/monitor.c:2480 + msgid "Running under %" +-msgstr "" ++msgstr "% 化で実行" + + #: src/monitor/monitor.c:2562 + msgid "SSSD is already running\n" +@@ -2072,13 +2063,12 @@ msgid "Use custom version of krb5_get_init_creds_password" + msgstr "krb5_get_init_creds_password のカスタムバージョンを使用します" + + #: src/providers/krb5/krb5_child.c:3375 src/providers/ldap/ldap_child.c:663 +-#, fuzzy + msgid "talloc_asprintf failed.\n" +-msgstr "malloc は失敗しました。\n" ++msgstr "talloc_asprintf failed.\n" + + #: src/providers/krb5/krb5_child.c:3385 src/providers/ldap/ldap_child.c:672 + msgid 
"set_debug_file_from_fd failed.\n" +-msgstr "" ++msgstr "set_debug_file_from_fd failed.\n" + + #: src/providers/data_provider_be.c:733 + msgid "Domain of the information provider (mandatory)" +@@ -2670,8 +2660,7 @@ msgid "" + "Set an attribute to a name/value pair. The format is attrname=value. For " + "multi-valued attributes, the command replaces the values already present" + msgstr "" +-"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属" +-"性の場合、コマンドがすでに存在する値に置き換えられます" ++"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます" + + #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 + #: src/tools/sss_usermod.c:135 +diff --git a/po/ko.po b/po/ko.po +new file mode 100644 +index 000000000..19ba2c466 +--- /dev/null ++++ b/po/ko.po +@@ -0,0 +1,3230 @@ ++# SOME DESCRIPTIVE TITLE. ++# Copyright (C) YEAR Red Hat, Inc. ++# This file is distributed under the same license as the PACKAGE package. ++# Ludek Janda , 2021. ++# simmon , 2021. ++msgid "" ++msgstr "" ++"Project-Id-Version: PACKAGE VERSION\n" ++"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" ++"POT-Creation-Date: 2021-07-12 20:53+0200\n" ++"PO-Revision-Date: 2021-07-17 04:04+0000\n" ++"Last-Translator: simmon \n" ++"Language-Team: Korean \n" ++"Language: ko\n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=UTF-8\n" ++"Content-Transfer-Encoding: 8bit\n" ++"Plural-Forms: nplurals=1; plural=0;\n" ++"X-Generator: Weblate 4.7.1\n" ++ ++#: src/config/SSSDConfig/sssdoptions.py:20 ++#: src/config/SSSDConfig/sssdoptions.py:21 ++msgid "Set the verbosity of the debug logging" ++msgstr "디버그 로깅의 자세한 정보 설정" ++ ++#: src/config/SSSDConfig/sssdoptions.py:22 ++msgid "Include timestamps in debug logs" ++msgstr "디버그 기록에 시간표시 포함" ++ ++#: src/config/SSSDConfig/sssdoptions.py:23 ++msgid "Include microseconds in timestamps in debug logs" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:24 ++msgid "Enable/disable debug backtrace" ++msgstr "" ++ ++#: 
src/config/SSSDConfig/sssdoptions.py:25 ++msgid "Watchdog timeout before restarting service" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:26 ++msgid "Command to start service" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:27 ++msgid "Number of times to attempt connection to Data Providers" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:28 ++msgid "The number of file descriptors that may be opened by this responder" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:29 ++msgid "Idle time before automatic disconnection of a client" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:30 ++msgid "Idle time before automatic shutdown of the responder" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:31 ++msgid "Always query all the caches before querying the Data Providers" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:32 ++msgid "" ++"When SSSD switches to offline mode the amount of time before it tries to go " ++"back online will increase based upon the time spent disconnected. This value " ++"is in seconds and calculated by the following: offline_timeout + " ++"random_offset." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:38 ++msgid "" ++"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " ++"version 2." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:39 ++msgid "SSSD Services to start" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:40 ++msgid "SSSD Domains to start" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:41 ++msgid "Timeout for messages sent over the SBUS" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:42 ++msgid "Regex to parse username and domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:43 ++msgid "Printf-compatible format for displaying fully-qualified names" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:44 ++msgid "" ++"Directory on the filesystem where SSSD should store Kerberos replay cache " ++"files." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:45 ++msgid "Domain to add to names without a domain component." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:46 ++msgid "The user to drop privileges to" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:47 ++msgid "Tune certificate verification" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:48 ++msgid "All spaces in group or user names will be replaced with this character" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:49 ++msgid "Tune sssd to honor or ignore netlink state changes" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:50 ++msgid "Enable or disable the implicit files domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:51 ++msgid "A specific order of the domains to be looked up" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:52 ++msgid "" ++"Controls if SSSD should monitor the state of resolv.conf to identify when it " ++"needs to update its internal DNS resolver." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:54 ++msgid "" ++"SSSD monitors the state of resolv.conf to identify when it needs to update " ++"its internal DNS resolver. 
By default, we will attempt to use inotify for " ++"this, and will fall back to polling resolv.conf every five seconds if " ++"inotify cannot be used." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:59 ++msgid "Enumeration cache timeout length (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:60 ++msgid "Entry cache background update timeout length (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:61 ++#: src/config/SSSDConfig/sssdoptions.py:120 ++msgid "Negative cache timeout length (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:62 ++msgid "Files negative cache timeout length (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:63 ++msgid "Users that SSSD should explicitly ignore" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:64 ++msgid "Groups that SSSD should explicitly ignore" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:65 ++msgid "Should filtered users appear in groups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:66 ++msgid "The value of the password field the NSS provider should return" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:67 ++msgid "Override homedir value from the identity provider with this value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:68 ++msgid "" ++"Substitute empty homedir value from the identity provider with this value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:69 ++msgid "Override shell value from the identity provider with this value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:70 ++msgid "The list of shells users are allowed to log in with" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:71 ++msgid "" ++"The list of shells that will be vetoed, and replaced with the fallback shell" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:72 ++msgid "" ++"If a shell stored in central directory is allowed but not available, use " ++"this fallback" ++msgstr "" 
++ ++#: src/config/SSSDConfig/sssdoptions.py:73 ++msgid "Shell to use if the provider does not list one" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:74 ++msgid "How long will be in-memory cache records valid" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:75 ++msgid "" ++"Size (in megabytes) of the data table allocated inside fast in-memory cache " ++"for passwd requests" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:76 ++msgid "" ++"Size (in megabytes) of the data table allocated inside fast in-memory cache " ++"for group requests" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:77 ++msgid "" ++"Size (in megabytes) of the data table allocated inside fast in-memory cache " ++"for initgroups requests" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:78 ++msgid "" ++"The value of this option will be used in the expansion of the " ++"override_homedir option if the template contains the format string %H." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:80 ++msgid "" ++"Specifies time in seconds for which the list of subdomains will be " ++"considered valid." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:82 ++msgid "" ++"The entry cache can be set to automatically update entries in the background " ++"if they are requested beyond a percentage of the entry_cache_timeout value " ++"for the domain." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:87 ++msgid "How long to allow cached logins between online logins (days)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:88 ++msgid "How many failed logins attempts are allowed when offline" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:90 ++msgid "" ++"How long (minutes) to deny login after offline_failed_login_attempts has " ++"been reached" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:91 ++msgid "What kind of messages are displayed to the user during authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:92 ++msgid "Filter PAM responses sent to the pam_sss" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:93 ++msgid "How many seconds to keep identity information cached for PAM requests" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:94 ++msgid "How many days before password expiration a warning should be displayed" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:95 ++msgid "List of trusted uids or user's name" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:96 ++msgid "List of domains accessible even for untrusted users." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:97 ++msgid "Message printed when user account is expired." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:98 ++msgid "Message printed when user account is locked." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:99 ++msgid "Allow certificate based/Smartcard authentication." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:100 ++msgid "Path to certificate database with PKCS#11 modules." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:101 ++msgid "Tune certificate verification for PAM authentication." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:102 ++msgid "How many seconds will pam_sss wait for p11_child to finish" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:103 ++msgid "Which PAM services are permitted to contact application domains" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:104 ++msgid "Allowed services for using smartcards" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:105 ++msgid "Additional timeout to wait for a card if requested" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:106 ++msgid "" ++"PKCS#11 URI to restrict the selection of devices for Smartcard authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:107 ++msgid "When shall the PAM responder force an initgroups request" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:108 ++msgid "List of PAM services that are allowed to authenticate with GSSAPI." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:109 ++msgid "Whether to match authenticated UPN with target user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:110 ++msgid "" ++"List of pairs : that must be enforced " ++"for PAM access with GSSAPI authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:114 ++msgid "Whether to evaluate the time-based attributes in sudo rules" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:115 ++msgid "If true, SSSD will switch back to lower-wins ordering logic" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:116 ++msgid "" ++"Maximum number of rules that can be refreshed at once. If this is exceeded, " ++"full refresh is performed." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:123 ++msgid "Whether to hash host names and addresses in the known_hosts file" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:124 ++msgid "" ++"How many seconds to keep a host in the known_hosts file after its host keys " ++"were requested" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:126 ++msgid "Path to storage of trusted CA certificates" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:127 ++msgid "Allow to generate ssh-keys from certificates" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:128 ++msgid "" ++"Use the following matching rules to filter the certificates for ssh-key " ++"generation" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:132 ++msgid "List of UIDs or user names allowed to access the PAC responder" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:133 ++msgid "How long the PAC data is considered valid" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:136 ++msgid "List of user attributes the InfoPipe is allowed to publish" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:139 ++msgid "The provider where the secrets will be stored in" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:140 ++msgid "The maximum allowed number of nested containers" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:141 ++msgid "The maximum number of secrets that can be stored" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:142 ++msgid "The maximum number of secrets that can be stored per UID" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:143 ++msgid "The maximum payload size of a secret in kilobytes" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:145 ++msgid "The URL Custodia server is listening on" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:146 ++msgid "The method to use when authenticating to a Custodia server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:147 ++msgid "" 
++"The name of the headers that will be added into a HTTP request with the " ++"value defined in auth_header_value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:149 ++msgid "The value sssd-secrets would use for auth_header_name" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:150 ++msgid "" ++"The list of the headers to forward to the Custodia server together with the " ++"request" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:151 ++msgid "" ++"The username to use when authenticating to a Custodia server using basic_auth" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:152 ++msgid "" ++"The password to use when authenticating to a Custodia server using basic_auth" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:153 ++msgid "If true peer's certificate is verified if proxy_url uses https protocol" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:154 ++msgid "" ++"If false peer's certificate may contain different hostname than proxy_url " ++"when https protocol is used" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:156 ++msgid "Path to directory where certificate authority certificates are stored" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:157 ++msgid "Path to file containing server's CA certificate" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:158 ++msgid "Path to file containing client's certificate" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:159 ++msgid "Path to file containing client's private key" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:162 ++msgid "" ++"One of the following strings specifying the scope of session recording: none " ++"- No users are recorded. some - Users/groups specified by users and groups " ++"options are recorded. all - All users are recorded." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:165 ++msgid "" ++"A comma-separated list of users which should have session recording enabled. 
" ++"Matches user names as returned by NSS. I.e. after the possible space " ++"replacement, case changes, etc." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:167 ++msgid "" ++"A comma-separated list of groups, members of which should have session " ++"recording enabled. Matches group names as returned by NSS. I.e. after the " ++"possible space replacement, case changes, etc." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:170 ++msgid "" ++"A comma-separated list of users to be excluded from recording, only when " ++"scope=all" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:171 ++msgid "" ++"A comma-separated list of groups, members of which should be excluded from " ++"recording, only when scope=all. " ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:175 ++msgid "Identity provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:176 ++msgid "Authentication provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:177 ++msgid "Access control provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:178 ++msgid "Password change provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:179 ++msgid "SUDO provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:180 ++msgid "Autofs provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:181 ++msgid "Host identity provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:182 ++msgid "SELinux provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:183 ++msgid "Session management provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:184 ++msgid "Resolver provider" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:187 ++msgid "Whether the domain is usable by the OS or by applications" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:188 ++msgid "Enable or disable the domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:189 ++msgid "Minimum user ID" ++msgstr "" ++ ++#: 
src/config/SSSDConfig/sssdoptions.py:190 ++msgid "Maximum user ID" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:191 ++msgid "Enable enumerating all users/groups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:192 ++msgid "Cache credentials for offline login" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:193 ++msgid "Display users/groups in fully-qualified form" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:194 ++msgid "Don't include group members in group lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:195 ++#: src/config/SSSDConfig/sssdoptions.py:205 ++#: src/config/SSSDConfig/sssdoptions.py:206 ++#: src/config/SSSDConfig/sssdoptions.py:207 ++#: src/config/SSSDConfig/sssdoptions.py:208 ++#: src/config/SSSDConfig/sssdoptions.py:209 ++#: src/config/SSSDConfig/sssdoptions.py:210 ++#: src/config/SSSDConfig/sssdoptions.py:211 ++msgid "Entry cache timeout length (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:196 ++msgid "" ++"Restrict or prefer a specific address family when performing DNS lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:197 ++msgid "How long to keep cached entries after last successful login (days)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:198 ++msgid "" ++"How long should SSSD talk to single DNS server before trying next server " ++"(miliseconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:200 ++msgid "How long should keep trying to resolve single DNS query (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:201 ++msgid "How long to wait for replies from DNS when resolving servers (seconds)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:202 ++msgid "The domain part of service discovery DNS query" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:203 ++msgid "Override GID value from the identity provider with this value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:204 ++msgid 
"Treat usernames as case sensitive" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:212 ++msgid "How often should expired entries be refreshed in background" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:213 ++msgid "Whether to automatically update the client's DNS entry" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:214 ++#: src/config/SSSDConfig/sssdoptions.py:244 ++msgid "The TTL to apply to the client's DNS entry after updating it" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:215 ++#: src/config/SSSDConfig/sssdoptions.py:245 ++msgid "The interface whose IP should be used for dynamic DNS updates" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:216 ++msgid "How often to periodically update the client's DNS entry" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:217 ++msgid "Whether the provider should explicitly update the PTR record as well" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:218 ++msgid "Whether the nsupdate utility should default to using TCP" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:219 ++msgid "What kind of authentication should be used to perform the DNS update" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:220 ++msgid "Override the DNS server used to perform the DNS update" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:221 ++msgid "Control enumeration of trusted domains" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:222 ++msgid "How often should subdomains list be refreshed" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:223 ++msgid "List of options that should be inherited into a subdomain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:224 ++msgid "Default subdomain homedir value" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:225 ++msgid "How long can cached credentials be used for cached authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:226 ++msgid "Whether to 
automatically create private groups for users" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:227 ++msgid "Display a warning N days before the password expires." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:228 ++msgid "" ++"Various tags stored by the realmd configuration service for this domain." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:229 ++msgid "" ++"The provider which should handle fetching of subdomains. This value should " ++"be always the same as id_provider." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:231 ++msgid "" ++"How many seconds to keep a host ssh key after refresh. IE how long to cache " ++"the host key for." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:233 ++msgid "" ++"If 2-Factor-Authentication (2FA) is used and credentials should be saved " ++"this value determines the minimal length the first authentication factor " ++"(long term password) must have to be saved as SHA512 hash into the cache." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:239 ++msgid "IPA domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:240 ++msgid "IPA server address" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:241 ++msgid "Address of backup IPA server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:242 ++msgid "IPA client hostname" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:243 ++msgid "Whether to automatically update the client's DNS entry in FreeIPA" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:246 ++msgid "Search base for HBAC related objects" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:247 ++msgid "" ++"The amount of time between lookups of the HBAC rules against the IPA server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:248 ++msgid "" ++"The amount of time in seconds between lookups of the SELinux maps against " ++"the IPA server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:250 ++msgid "If set 
to false, host argument given by PAM will be ignored" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:251 ++msgid "The automounter location this IPA client is using" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:252 ++msgid "Search base for object containing info about IPA domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:253 ++msgid "Search base for objects containing info about ID ranges" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:254 ++#: src/config/SSSDConfig/sssdoptions.py:308 ++msgid "Enable DNS sites - location based service discovery" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:255 ++msgid "Search base for view containers" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:256 ++msgid "Objectclass for view containers" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:257 ++msgid "Attribute with the name of the view" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:258 ++msgid "Objectclass for override objects" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:259 ++msgid "Attribute with the reference to the original object" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:260 ++msgid "Objectclass for user override objects" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:261 ++msgid "Objectclass for group override objects" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:262 ++msgid "Search base for Desktop Profile related objects" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:263 ++msgid "" ++"The amount of time in seconds between lookups of the Desktop Profile rules " ++"against the IPA server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:265 ++msgid "" ++"The amount of time in minutes between lookups of Desktop Profiles rules " ++"against the IPA server when the last request did not find any rule" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:268 ++msgid "The LDAP attribute that contains FQDN of the host." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:269 ++#: src/config/SSSDConfig/sssdoptions.py:292 ++msgid "The object class of a host entry in LDAP." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:270 ++msgid "Use the given string as search base for host objects." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:271 ++msgid "The LDAP attribute that contains the host's SSH public keys." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:272 ++msgid "The LDAP attribute that contains NIS domain name of the netgroup." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:273 ++msgid "The LDAP attribute that contains the names of the netgroup's members." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:274 ++msgid "" ++"The LDAP attribute that lists FQDNs of hosts and host groups that are " ++"members of the netgroup." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:276 ++msgid "" ++"The LDAP attribute that lists hosts and host groups that are direct members " ++"of the netgroup." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:278 ++msgid "The LDAP attribute that lists netgroup's memberships." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:279 ++msgid "" ++"The LDAP attribute that lists system users and groups that are direct " ++"members of the netgroup." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:281 ++msgid "The LDAP attribute that corresponds to the netgroup name." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:282 ++msgid "The object class of a netgroup entry in LDAP." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:283 ++msgid "" ++"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:284 ++msgid "" ++"The LDAP attribute that contains whether or not is user map enabled for " ++"usage." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:286 ++msgid "The LDAP attribute that contains host category such as 'all'." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:287 ++msgid "" ++"The LDAP attribute that contains all hosts / hostgroups this rule match " ++"against." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:289 ++msgid "" ++"The LDAP attribute that contains all users / groups this rule match against." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:291 ++msgid "The LDAP attribute that contains the name of SELinux usermap." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:293 ++msgid "" ++"The LDAP attribute that contains DN of HBAC rule which can be used for " ++"matching instead of memberUser and memberHost." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:295 ++msgid "The LDAP attribute that contains SELinux user string itself." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:296 ++msgid "The LDAP attribute that contains user category such as 'all'." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:297 ++msgid "The LDAP attribute that contains unique ID of the user map." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:298 ++msgid "" ++"The option denotes that the SSSD is running on IPA server and should perform " ++"lookups of users and groups from trusted domains differently." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:300 ++msgid "Use the given string as search base for trusted domains." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:303 ++msgid "Active Directory domain" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:304 ++msgid "Enabled Active Directory domains" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:305 ++msgid "Active Directory server address" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:306 ++msgid "Active Directory backup server address" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:307 ++msgid "Active Directory client hostname" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:309 ++#: src/config/SSSDConfig/sssdoptions.py:503 ++msgid "LDAP filter to determine access privileges" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:310 ++msgid "Whether to use the Global Catalog for lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:311 ++msgid "Operation mode for GPO-based access control" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:312 ++msgid "" ++"The amount of time between lookups of the GPO policy files against the AD " ++"server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:313 ++msgid "" ++"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " ++"settings" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:315 ++msgid "" ++"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " ++"policy settings" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:317 ++msgid "" ++"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:318 ++msgid "" ++"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:319 ++msgid "" ++"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:320 ++msgid "PAM service names for which GPO-based access is always granted" 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:321 ++msgid "PAM service names for which GPO-based access is always denied" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:322 ++msgid "" ++"Default logon right (or permit/deny) to use for unmapped PAM service names" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:323 ++msgid "a particular site to be used by the client" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:324 ++msgid "" ++"Maximum age in days before the machine account password should be renewed" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:326 ++msgid "Option for tuning the machine account renewal task" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:327 ++msgid "Whether to update the machine account password in the Samba database" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:329 ++msgid "Use LDAPS port for LDAP and Global Catalog requests" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:330 ++msgid "Do not filter domain local groups from other domains" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:333 ++#: src/config/SSSDConfig/sssdoptions.py:334 ++msgid "Kerberos server address" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:335 ++msgid "Kerberos backup server address" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:336 ++msgid "Kerberos realm" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:337 ++msgid "Authentication timeout" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:338 ++msgid "Whether to create kdcinfo files" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:339 ++msgid "Where to drop krb5 config snippets" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:342 ++msgid "Directory to store credential caches" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:343 ++msgid "Location of the user's credential cache" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:344 ++msgid "Location of the 
keytab to validate credentials" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:345 ++msgid "Enable credential validation" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:346 ++msgid "Store password if offline for later online authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:347 ++msgid "Renewable lifetime of the TGT" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:348 ++msgid "Lifetime of the TGT" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:349 ++msgid "Time between two checks for renewal" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:350 ++msgid "Enables FAST" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:351 ++msgid "Selects the principal to use for FAST" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:352 ++msgid "Enables principal canonicalization" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:353 ++msgid "Enables enterprise principals" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:354 ++msgid "Enables using of subdomains realms for authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:355 ++msgid "A mapping from user names to Kerberos principal names" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:358 ++#: src/config/SSSDConfig/sssdoptions.py:359 ++msgid "Server where the change password service is running if not on the KDC" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:362 ++msgid "ldap_uri, The URI of the LDAP server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:363 ++msgid "ldap_backup_uri, The URI of the LDAP server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:364 ++msgid "The default base DN" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:365 ++msgid "The Schema Type in use on the LDAP server, rfc2307" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:366 ++msgid "Mode used to change user password" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:367 
++msgid "The default bind DN" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:368 ++msgid "The type of the authentication token of the default bind DN" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:369 ++msgid "The authentication token of the default bind DN" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:370 ++msgid "Length of time to attempt connection" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:371 ++msgid "Length of time to attempt synchronous LDAP operations" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:372 ++msgid "Length of time between attempts to reconnect while offline" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:373 ++msgid "Use only the upper case for realm names" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:374 ++msgid "File that contains CA certificates" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:375 ++msgid "Path to CA certificate directory" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:376 ++msgid "File that contains the client certificate" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:377 ++msgid "File that contains the client key" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:378 ++msgid "List of possible ciphers suites" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:379 ++msgid "Require TLS certificate verification" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:380 ++msgid "Specify the sasl mechanism to use" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:381 ++msgid "Specify the sasl authorization id to use" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:382 ++msgid "Specify the sasl authorization realm to use" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:383 ++msgid "Specify the minimal SSF for LDAP sasl authorization" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:384 ++msgid "Specify the maximal SSF for LDAP sasl authorization" ++msgstr "" ++ ++#: 
src/config/SSSDConfig/sssdoptions.py:385 ++msgid "Kerberos service keytab" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:386 ++msgid "Use Kerberos auth for LDAP connection" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:387 ++msgid "Follow LDAP referrals" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:388 ++msgid "Lifetime of TGT for LDAP connection" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:389 ++msgid "How to dereference aliases" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:390 ++msgid "Service name for DNS service lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:391 ++msgid "The number of records to retrieve in a single LDAP query" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:392 ++msgid "The number of members that must be missing to trigger a full deref" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:393 ++msgid "" ++"Whether the LDAP library should perform a reverse lookup to canonicalize the " ++"host name during a SASL bind" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:395 ++msgid "" ++"Allows to retain local users as members of an LDAP group for servers that " ++"use the RFC2307 schema." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:398 ++msgid "entryUSN attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:399 ++msgid "lastUSN attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:401 ++msgid "How long to retain a connection to the LDAP server before disconnecting" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:404 ++msgid "Disable the LDAP paging control" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:405 ++msgid "Disable Active Directory range retrieval" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:408 ++msgid "Length of time to wait for a search request" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:409 ++msgid "Length of time to wait for a enumeration request" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:410 ++msgid "Length of time between enumeration updates" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:411 ++msgid "Length of time between cache cleanups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:412 ++msgid "Require TLS for ID lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:413 ++msgid "Use ID-mapping of objectSID instead of pre-set IDs" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:414 ++msgid "Base DN for user lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:415 ++msgid "Scope of user lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:416 ++msgid "Filter for user lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:417 ++msgid "Objectclass for users" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:418 ++msgid "Username attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:419 ++msgid "UID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:420 ++msgid "Primary GID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:421 ++msgid "GECOS attribute" ++msgstr "" ++ ++#: 
src/config/SSSDConfig/sssdoptions.py:422 ++msgid "Home directory attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:423 ++msgid "Shell attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:424 ++msgid "UUID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:425 ++#: src/config/SSSDConfig/sssdoptions.py:463 ++msgid "objectSID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:426 ++msgid "Active Directory primary group attribute for ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:427 ++msgid "User principal attribute (for Kerberos)" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:428 ++msgid "Full Name" ++msgstr "성명" ++ ++#: src/config/SSSDConfig/sssdoptions.py:429 ++msgid "memberOf attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:430 ++msgid "Modification time attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:431 ++msgid "shadowLastChange attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:432 ++msgid "shadowMin attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:433 ++msgid "shadowMax attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:434 ++msgid "shadowWarning attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:435 ++msgid "shadowInactive attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:436 ++msgid "shadowExpire attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:437 ++msgid "shadowFlag attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:438 ++msgid "Attribute listing authorized PAM services" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:439 ++msgid "Attribute listing authorized server hosts" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:440 ++msgid "Attribute listing authorized server rhosts" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:441 ++msgid "krbLastPwdChange attribute" ++msgstr 
"" ++ ++#: src/config/SSSDConfig/sssdoptions.py:442 ++msgid "krbPasswordExpiration attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:443 ++msgid "Attribute indicating that server side password policies are active" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:444 ++msgid "accountExpires attribute of AD" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:445 ++msgid "userAccountControl attribute of AD" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:446 ++msgid "nsAccountLock attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:447 ++msgid "loginDisabled attribute of NDS" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:448 ++msgid "loginExpirationTime attribute of NDS" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:449 ++msgid "loginAllowedTimeMap attribute of NDS" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:450 ++msgid "SSH public key attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:451 ++msgid "attribute listing allowed authentication types for a user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:452 ++msgid "attribute containing the X509 certificate of the user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:453 ++msgid "attribute containing the email address of the user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:454 ++msgid "A list of extra attributes to download along with the user entry" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:456 ++msgid "Base DN for group lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:457 ++msgid "Objectclass for groups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:458 ++msgid "Group name" ++msgstr "그룹 이름" ++ ++#: src/config/SSSDConfig/sssdoptions.py:459 ++msgid "Group password" ++msgstr "그룹 비밀번호" ++ ++#: src/config/SSSDConfig/sssdoptions.py:460 ++msgid "GID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:461 ++msgid "Group member 
attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:462 ++msgid "Group UUID attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:464 ++msgid "Modification time attribute for groups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:465 ++msgid "Type of the group and other flags" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:466 ++msgid "The LDAP group external member attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:467 ++msgid "Maximum nesting level SSSD will follow" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:468 ++msgid "Filter for group lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:469 ++msgid "Scope of group lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:471 ++msgid "Base DN for netgroup lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:472 ++msgid "Objectclass for netgroups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:473 ++msgid "Netgroup name" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:474 ++msgid "Netgroups members attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:475 ++msgid "Netgroup triple attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:476 ++msgid "Modification time attribute for netgroups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:478 ++msgid "Base DN for service lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:479 ++msgid "Objectclass for services" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:480 ++msgid "Service name attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:481 ++msgid "Service port attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:482 ++msgid "Service protocol attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:484 ++msgid "Lower bound for ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:485 ++msgid "Upper bound for ID-mapping" 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:486 ++msgid "Number of IDs for each slice when ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:487 ++msgid "Use autorid-compatible algorithm for ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:488 ++msgid "Name of the default domain for ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:489 ++msgid "SID of the default domain for ID-mapping" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:490 ++msgid "Number of secondary slices" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:492 ++msgid "Whether to use Token-Groups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:493 ++msgid "Set lower boundary for allowed IDs from the LDAP server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:494 ++msgid "Set upper boundary for allowed IDs from the LDAP server" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:495 ++msgid "DN for ppolicy queries" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:496 ++msgid "How many maximum entries to fetch during a wildcard request" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:497 ++msgid "Set libldap debug level" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:500 ++msgid "Policy to evaluate the password expiration" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:504 ++msgid "Which attributes shall be used to evaluate if an account is expired" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:505 ++msgid "Which rules should be used to evaluate access control" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:508 ++msgid "URI of an LDAP server where password changes are allowed" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:509 ++msgid "URI of a backup LDAP server where password changes are allowed" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:510 ++msgid "DNS service name for LDAP password change server" ++msgstr 
"" ++ ++#: src/config/SSSDConfig/sssdoptions.py:511 ++msgid "" ++"Whether to update the ldap_user_shadow_last_change attribute after a " ++"password change" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:515 ++msgid "Base DN for sudo rules lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:516 ++msgid "Automatic full refresh period" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:517 ++msgid "Automatic smart refresh period" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:518 ++msgid "Smart and full refresh random offset" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:519 ++msgid "Whether to filter rules by hostname, IP addresses and network" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:520 ++msgid "" ++"Hostnames and/or fully qualified domain names of this machine to filter sudo " ++"rules" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:521 ++msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:522 ++msgid "Whether to include rules that contains netgroup in host attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:523 ++msgid "" ++"Whether to include rules that contains regular expression in host attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:524 ++msgid "Object class for sudo rules" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:525 ++msgid "Name of attribute that is used as object class for sudo rules" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:526 ++msgid "Sudo rule name" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:527 ++msgid "Sudo rule command attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:528 ++msgid "Sudo rule host attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:529 ++msgid "Sudo rule user attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:530 ++msgid "Sudo rule option 
attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:531 ++msgid "Sudo rule runas attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:532 ++msgid "Sudo rule runasuser attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:533 ++msgid "Sudo rule runasgroup attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:534 ++msgid "Sudo rule notbefore attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:535 ++msgid "Sudo rule notafter attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:536 ++msgid "Sudo rule order attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:539 ++msgid "Object class for automounter maps" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:540 ++msgid "Automounter map name attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:541 ++msgid "Object class for automounter map entries" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:542 ++msgid "Automounter map entry key attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:543 ++msgid "Automounter map entry value attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:544 ++msgid "Base DN for automounter map lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:545 ++msgid "The name of the automount master map in LDAP." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:548 ++msgid "Base DN for IP hosts lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:549 ++msgid "Object class for IP hosts" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:550 ++msgid "IP host name attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:551 ++msgid "IP host number (address) attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:552 ++msgid "IP host entryUSN attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:553 ++msgid "Base DN for IP networks lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:554 ++msgid "Object class for IP networks" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:555 ++msgid "IP network name attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:556 ++msgid "IP network number (address) attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:557 ++msgid "IP network entryUSN attribute" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:560 ++msgid "Comma separated list of allowed users" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:561 ++msgid "Comma separated list of prohibited users" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:562 ++msgid "" ++"Comma separated list of groups that are allowed to log in. This applies only " ++"to groups within this SSSD domain. Local groups are not evaluated." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:564 ++msgid "" ++"Comma separated list of groups that are explicitly denied access. This " ++"applies only to groups within this SSSD domain. Local groups are not " ++"evaluated." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:568 ++msgid "Base for home directories" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:569 ++msgid "Indicate if a home directory should be created for new users." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:570 ++msgid "Indicate if a home directory should be removed for deleted users." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:571 ++msgid "Specify the default permissions on a newly created home directory." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:572 ++msgid "The skeleton directory." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:573 ++msgid "The mail spool directory." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:574 ++msgid "The command that is run after a user is removed." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:577 ++msgid "The number of preforked proxy children." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:580 ++msgid "The name of the NSS library to use" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:581 ++msgid "The name of the NSS library to use for hosts and networks lookups" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:582 ++msgid "Whether to look up canonical group name from cache if possible" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:585 ++msgid "PAM stack to use" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:588 ++msgid "Path of passwd file sources." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:589 ++msgid "Path of group file sources." 
++msgstr "" ++ ++#: src/monitor/monitor.c:2408 ++msgid "Become a daemon (default)" ++msgstr "" ++ ++#: src/monitor/monitor.c:2410 ++msgid "Run interactive (not a daemon)" ++msgstr "" ++ ++#: src/monitor/monitor.c:2413 ++msgid "Disable netlink interface" ++msgstr "" ++ ++#: src/monitor/monitor.c:2415 src/tools/sssctl/sssctl_config.c:77 ++#: src/tools/sssctl/sssctl_logs.c:310 ++msgid "Specify a non-default config file" ++msgstr "" ++ ++#: src/monitor/monitor.c:2417 ++msgid "Refresh the configuration database, then exit" ++msgstr "" ++ ++#: src/monitor/monitor.c:2420 ++msgid "Similar to --genconf, but only refreshes the given section" ++msgstr "" ++ ++#: src/monitor/monitor.c:2423 ++msgid "Print version number and exit" ++msgstr "" ++ ++#: src/monitor/monitor.c:2461 ++msgid "Option -i|--interactive is not allowed together with -D|--daemon\n" ++msgstr "" ++ ++#: src/monitor/monitor.c:2467 ++msgid "Option -g is incompatible with -D or -i\n" ++msgstr "" ++ ++#: src/monitor/monitor.c:2480 ++msgid "Running under %" ++msgstr "" ++ ++#: src/monitor/monitor.c:2562 ++msgid "SSSD is already running\n" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3327 src/providers/ldap/ldap_child.c:639 ++msgid "An open file descriptor for the debug logs" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3330 ++msgid "The user to create FAST ccache as" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3332 ++msgid "The group to create FAST ccache as" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3334 ++msgid "Kerberos realm to use" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3336 ++msgid "Requested lifetime of the ticket" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3338 ++msgid "Requested renewable lifetime of the ticket" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3340 ++msgid "FAST options ('never', 'try', 'demand')" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3343 ++msgid "Specifies the server principal to use for FAST" ++msgstr "" ++ ++#: 
src/providers/krb5/krb5_child.c:3345 ++msgid "Requests canonicalization of the principal name" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3347 ++msgid "Use custom version of krb5_get_init_creds_password" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3375 src/providers/ldap/ldap_child.c:663 ++msgid "talloc_asprintf failed.\n" ++msgstr "" ++ ++#: src/providers/krb5/krb5_child.c:3385 src/providers/ldap/ldap_child.c:672 ++msgid "set_debug_file_from_fd failed.\n" ++msgstr "" ++ ++#: src/providers/data_provider_be.c:733 ++msgid "Domain of the information provider (mandatory)" ++msgstr "" ++ ++#: src/sss_client/common.c:1088 ++msgid "Privileged socket has wrong ownership or permissions." ++msgstr "" ++ ++#: src/sss_client/common.c:1091 ++msgid "Public socket has wrong ownership or permissions." ++msgstr "" ++ ++#: src/sss_client/common.c:1094 ++msgid "Unexpected format of the server credential message." ++msgstr "" ++ ++#: src/sss_client/common.c:1097 ++msgid "SSSD is not run by root." ++msgstr "" ++ ++#: src/sss_client/common.c:1100 ++msgid "SSSD socket does not exist." ++msgstr "" ++ ++#: src/sss_client/common.c:1103 ++msgid "Cannot get stat of SSSD socket." ++msgstr "" ++ ++#: src/sss_client/common.c:1108 ++msgid "An error occurred, but no description can be found." ++msgstr "" ++ ++#: src/sss_client/common.c:1114 ++msgid "Unexpected error while looking for an error description" ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:68 ++msgid "Permission denied. " ++msgstr "권한이 거부되었습니다. " ++ ++#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 ++#: src/sss_client/pam_sss.c:796 ++msgid "Server message: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:303 ++msgid "Passwords do not match" ++msgstr "비밀번호가 일치하지 않습니다" ++ ++#: src/sss_client/pam_sss.c:491 ++msgid "Password reset by root is not supported." 
++msgstr "" ++ ++#: src/sss_client/pam_sss.c:532 ++msgid "Authenticated with cached credentials" ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:533 ++msgid ", your cached password will expire at: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:563 ++#, c-format ++msgid "Your password has expired. You have %1$d grace login(s) remaining." ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:609 ++#, c-format ++msgid "Your password will expire in %1$d %2$s." ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:658 ++msgid "Authentication is denied until: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:679 ++msgid "System is offline, password change not possible" ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:694 ++msgid "" ++"After changing the OTP password, you need to log out and back in order to " ++"acquire a ticket" ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 ++msgid "Password change failed. " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2045 ++msgid "New Password: " ++msgstr "신규 비밀번호: " ++ ++#: src/sss_client/pam_sss.c:2046 ++msgid "Reenter new Password: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2211 ++msgid "First Factor: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2209 src/sss_client/pam_sss.c:2383 ++msgid "Second Factor (optional): " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2212 src/sss_client/pam_sss.c:2386 ++msgid "Second Factor: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2230 ++msgid "Password: " ++msgstr "비밀번호: " ++ ++#: src/sss_client/pam_sss.c:2382 src/sss_client/pam_sss.c:2385 ++msgid "First Factor (Current Password): " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2389 ++msgid "Current Password: " ++msgstr "" ++ ++#: src/sss_client/pam_sss.c:2746 ++msgid "Password expired. Change your password now." 
++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 ++#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 ++#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 ++#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 ++#: src/tools/sss_cache.c:732 ++msgid "The debug level to run with" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 ++msgid "The SSSD domain to use" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 ++#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 ++#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 ++#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 ++#: src/tools/sss_cache.c:778 ++msgid "Error setting the locale\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 ++msgid "Not enough memory\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 ++msgid "User not specified\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 ++msgid "Error looking up public keys\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 ++msgid "The port to use to connect to the host" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 ++msgid "Print the host ssh public keys" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 ++msgid "Invalid port\n" ++msgstr "잘못된 포트\n" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 ++msgid "Host not specified\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 ++msgid "The path to the proxy command must be absolute\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 ++#, c-format ++msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 ++#, c-format ++msgid 
"sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n" ++msgstr "" ++ ++#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334 ++#, c-format ++msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 ++msgid "The UID of the user" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 ++msgid "The comment string" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 ++msgid "Home directory" ++msgstr "홈 디렉토리" ++ ++#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 ++msgid "Login shell" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:53 ++msgid "Groups" ++msgstr "그룹" ++ ++#: src/tools/sss_useradd.c:54 ++msgid "Create user's directory if it does not exist" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:55 ++msgid "Never create user's directory, overrides config" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:56 ++msgid "Specify an alternative skeleton directory" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 ++msgid "The SELinux user for user's login" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 ++#: src/tools/sss_usermod.c:92 ++msgid "Specify group to add to\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:111 ++msgid "Specify user to add\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 ++#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 ++#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 ++#: src/tools/sss_usermod.c:162 ++msgid "Error initializing the tools - no local domain\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 ++#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 ++#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 ++#: src/tools/sss_usermod.c:164 ++msgid "Error initializing the tools\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 ++#: 
src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 ++#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 ++#: src/tools/sss_usermod.c:173 ++msgid "Invalid domain specified in FQDN\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 ++#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 ++#: src/tools/sss_usermod.c:226 ++msgid "Internal error while parsing parameters\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 ++#: src/tools/sss_usermod.c:235 ++msgid "Groups must be in the same domain as user\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:159 ++#, c-format ++msgid "Cannot find group %1$s in local domain\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 ++msgid "Cannot set default values\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 ++msgid "The selected UID is outside the allowed range\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 ++msgid "Cannot set SELinux login context\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:224 ++msgid "Cannot get info about the user\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:236 ++msgid "User's home directory already exists, not copying data from skeldir\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:239 ++#, c-format ++msgid "Cannot create user's home directory: %1$s\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:250 ++#, c-format ++msgid "Cannot create user's mail spool: %1$s\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:270 ++msgid "Could not allocate ID for the user - domain full?\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:274 ++msgid "A user or group with the same name or ID already exists\n" ++msgstr "" ++ ++#: src/tools/sss_useradd.c:280 ++msgid "Transaction error. 
Could not add user.\n" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 ++msgid "The GID of the group" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:76 ++msgid "Specify group to add\n" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 ++msgid "The selected GID is outside the allowed range\n" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:143 ++msgid "Could not allocate ID for the group - domain full?\n" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:147 ++msgid "A group with the same name or GID already exists\n" ++msgstr "" ++ ++#: src/tools/sss_groupadd.c:153 ++msgid "Transaction error. Could not add group.\n" ++msgstr "" ++ ++#: src/tools/sss_groupdel.c:70 ++msgid "Specify group to delete\n" ++msgstr "" ++ ++#: src/tools/sss_groupdel.c:104 ++#, c-format ++msgid "Group %1$s is outside the defined ID range for domain\n" ++msgstr "" ++ ++#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 ++#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 ++#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 ++#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 ++#, c-format ++msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" ++msgstr "" ++ ++#: src/tools/sss_groupdel.c:132 ++msgid "" ++"No such group in local domain. Removing groups only allowed in local " ++"domain.\n" ++msgstr "" ++ ++#: src/tools/sss_groupdel.c:137 ++msgid "Internal error. 
Could not remove group.\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:44 ++msgid "Groups to add this group to" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:46 ++msgid "Groups to remove this group from" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 ++msgid "Specify group to remove from\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:101 ++msgid "Specify group to modify\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:130 ++msgid "" ++"Cannot find group in local domain, modifying groups is allowed only in local " ++"domain\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 ++msgid "Member groups must be in the same domain as parent group\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 ++#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 ++#, c-format ++msgid "" ++"Cannot find group %1$s in local domain, only groups in local domain are " ++"allowed\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:257 ++msgid "Could not modify group - check if member group names are correct\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:261 ++msgid "Could not modify group - check if groupname is correct\n" ++msgstr "" ++ ++#: src/tools/sss_groupmod.c:265 ++msgid "Transaction error. 
Could not modify group.\n" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:616 ++msgid "Magic Private " ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:615 ++#, c-format ++msgid "%1$s%2$sGroup: %3$s\n" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:618 ++#, c-format ++msgid "%1$sGID number: %2$d\n" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:620 ++#, c-format ++msgid "%1$sMember users: " ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:627 ++#, c-format ++msgid "" ++"\n" ++"%1$sIs a member of: " ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:634 ++#, c-format ++msgid "" ++"\n" ++"%1$sMember groups: " ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:670 ++msgid "Print indirect group members recursively" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:704 ++msgid "Specify group to show\n" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:744 ++msgid "" ++"No such group in local domain. Printing groups only allowed in local " ++"domain.\n" ++msgstr "" ++ ++#: src/tools/sss_groupshow.c:749 ++msgid "Internal error. 
Could not print group.\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:138 ++msgid "Remove home directory and mail spool" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:140 ++msgid "Do not remove home directory and mail spool" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:142 ++msgid "Force removal of files not owned by the user" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:144 ++msgid "Kill users' processes before removing him" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:190 ++msgid "Specify user to delete\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:236 ++#, c-format ++msgid "User %1$s is outside the defined ID range for domain\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:261 ++msgid "Cannot reset SELinux login context\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:273 ++#, c-format ++msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:278 ++msgid "Cannot determine if the user was logged in on this platform" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:283 ++msgid "Error while checking if the user was logged in\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:290 ++#, c-format ++msgid "The post-delete command failed: %1$s\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:310 ++msgid "Not removing home dir - not owned by user\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:312 ++#, c-format ++msgid "Cannot remove homedir: %1$s\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:326 ++msgid "" ++"No such user in local domain. Removing users only allowed in local domain.\n" ++msgstr "" ++ ++#: src/tools/sss_userdel.c:331 ++msgid "Internal error. 
Could not remove user.\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:49 ++msgid "The GID of the user" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:53 ++msgid "Groups to add this user to" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:54 ++msgid "Groups to remove this user from" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:55 ++msgid "Lock the account" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:56 ++msgid "Unlock the account" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:57 ++msgid "Add an attribute/value pair. The format is attrname=value." ++msgstr "" ++ ++#: src/tools/sss_usermod.c:58 ++msgid "Delete an attribute/value pair. The format is attrname=value." ++msgstr "" ++ ++#: src/tools/sss_usermod.c:59 ++msgid "" ++"Set an attribute to a name/value pair. The format is attrname=value. For " ++"multi-valued attributes, the command replaces the values already present" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 ++#: src/tools/sss_usermod.c:135 ++msgid "Specify the attribute name/value pair(s)\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:152 ++msgid "Specify user to modify\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:180 ++msgid "" ++"Cannot find user in local domain, modifying users is allowed only in local " ++"domain\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:322 ++msgid "Could not modify user - check if group names are correct\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:326 ++msgid "Could not modify user - user already member of groups?\n" ++msgstr "" ++ ++#: src/tools/sss_usermod.c:330 ++msgid "Transaction error. 
Could not modify user.\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:245
++msgid "No cache object matched the specified search\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:536
++#, c-format
++msgid "Couldn't invalidate %1$s\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:543
++#, c-format
++msgid "Couldn't invalidate %1$s %2$s\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:734
++msgid "Invalidate all cached entries"
++msgstr ""
++
++#: src/tools/sss_cache.c:736
++msgid "Invalidate particular user"
++msgstr ""
++
++#: src/tools/sss_cache.c:738
++msgid "Invalidate all users"
++msgstr ""
++
++#: src/tools/sss_cache.c:740
++msgid "Invalidate particular group"
++msgstr ""
++
++#: src/tools/sss_cache.c:742
++msgid "Invalidate all groups"
++msgstr ""
++
++#: src/tools/sss_cache.c:744
++msgid "Invalidate particular netgroup"
++msgstr ""
++
++#: src/tools/sss_cache.c:746
++msgid "Invalidate all netgroups"
++msgstr ""
++
++#: src/tools/sss_cache.c:748
++msgid "Invalidate particular service"
++msgstr ""
++
++#: src/tools/sss_cache.c:750
++msgid "Invalidate all services"
++msgstr ""
++
++#: src/tools/sss_cache.c:753
++msgid "Invalidate particular autofs map"
++msgstr ""
++
++#: src/tools/sss_cache.c:755
++msgid "Invalidate all autofs maps"
++msgstr ""
++
++#: src/tools/sss_cache.c:759
++msgid "Invalidate particular SSH host"
++msgstr ""
++
++#: src/tools/sss_cache.c:761
++msgid "Invalidate all SSH hosts"
++msgstr ""
++
++#: src/tools/sss_cache.c:765
++msgid "Invalidate particular sudo rule"
++msgstr ""
++
++#: src/tools/sss_cache.c:767
++msgid "Invalidate all cached sudo rules"
++msgstr ""
++
++#: src/tools/sss_cache.c:770
++msgid "Only invalidate entries from a particular domain"
++msgstr ""
++
++#: src/tools/sss_cache.c:824
++msgid ""
++"Unexpected argument(s) provided, options that invalidate a single object "
++"only accept a single provided argument.\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:834
++msgid "Please select at least one object to invalidate\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:917
++#, c-format
++msgid ""
++"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
++"use fully qualified name instead of --domain/-d parameter.\n"
++msgstr ""
++
++#: src/tools/sss_cache.c:922
++msgid "Could not open available domains\n"
++msgstr ""
++
++#: src/tools/tools_util.c:202
++#, c-format
++msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
++msgstr ""
++
++#: src/tools/tools_util.c:309
++msgid "Out of memory\n"
++msgstr "메모리 부족\n"
++
++#: src/tools/tools_util.h:40
++#, c-format
++msgid "%1$s must be run as root\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:35
++msgid "yes"
++msgstr "예"
++
++#: src/tools/sssctl/sssctl.c:37
++msgid "no"
++msgstr "아니요"
++
++#: src/tools/sssctl/sssctl.c:39
++msgid "error"
++msgstr "오류"
++
++#: src/tools/sssctl/sssctl.c:42
++msgid "Invalid result."
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:78
++msgid "Unable to read user input\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:91
++#, c-format
++msgid "Invalid input, please provide either '%s' or '%s'.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
++msgid "Error while executing external command\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:156
++msgid "SSSD needs to be running. Start SSSD now?"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:195
++msgid "SSSD must not be running. Stop SSSD now?"
++msgstr ""
++
++#: src/tools/sssctl/sssctl.c:231
++msgid "SSSD needs to be restarted. Restart SSSD now?"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:31
++#, c-format
++msgid " %s is not present in cache.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:33
++msgid "Name"
++msgstr "이름"
++
++#: src/tools/sssctl/sssctl_cache.c:34
++msgid "Cache entry creation date"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:35
++msgid "Cache entry last update time"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:36
++msgid "Cache entry expiration time"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:37
++msgid "Cached in InfoPipe"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:522
++#, c-format
++msgid "Error: Unable to get object [%d]: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:538
++#, c-format
++msgid "%s: Unable to read value [%d]: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:566
++msgid "Specify name."
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:576
++#, c-format
++msgid "Unable to parse name %s.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
++msgid "Search by SID"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:603
++msgid "Search by user ID"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:612
++msgid "Initgroups expiration time"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_cache.c:650
++msgid "Search by group ID"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:79
++msgid ""
++"Specify a non-default snippet dir (The default is to look in the same place "
++"where the main config file is located. For example if the config is set to "
++"\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:118
++#, c-format
++msgid "Failed to open %s\n"
++msgstr "%s 열기 실패\n"
++
++#: src/tools/sssctl/sssctl_config.c:123
++#, c-format
++msgid "File %1$s does not exist.\n"
++msgstr "파일 %1$s이 존재하지 않음.\n"
++
++#: src/tools/sssctl/sssctl_config.c:127
++msgid ""
++"File ownership and permissions check failed. Expected root:root and 0600.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:133
++#, c-format
++msgid "Failed to load configuration from %s.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:139
++msgid "Error while reading configuration directory.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:147
++msgid ""
++"There is no configuration. SSSD will use default configuration with files "
++"provider.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:159
++msgid "Failed to run validators"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:163
++#, c-format
++msgid "Issues identified by validators: %zu\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:174
++#, c-format
++msgid "Messages generated during configuration merging: %zu\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_config.c:185
++#, c-format
++msgid "Used configuration snippet files: %zu\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:89
++#, c-format
++msgid "Unable to create backup directory [%d]: %s"
++msgstr "백업 디렉토리를 만들 수 없습니다 [%d]: %s"
++
++#: src/tools/sssctl/sssctl_data.c:95
++msgid "SSSD backup of local data already exists, override?"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:111
++msgid "Unable to export user overrides\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:118
++msgid "Unable to export group overrides\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
++msgid "Override existing backup"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:164
++msgid "Unable to import user overrides\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:173
++msgid "Unable to import group overrides\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
++#: src/tools/sssctl/sssctl_domains.c:328
++msgid "Start SSSD if it is not running"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:195
++msgid "Restart SSSD after data import"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:218
++msgid "Create clean cache files and import local data"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:219
++msgid "Stop SSSD before removing the cache"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:220
++msgid "Start SSSD when the cache is removed"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:235
++msgid "Creating backup of local data...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:238
++msgid "Unable to create backup of local data, can not remove the cache.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:243
++msgid "Removing cache files...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:246
++msgid "Unable to remove cache files\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_data.c:251
++msgid "Restoring local data...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:83
++msgid "Show domain list including primary or trusted domain type"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
++#: src/tools/sssctl/sssctl_user_checks.c:95
++msgid "Unable to connect to system bus!\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:167
++msgid "Online"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:167
++msgid "Offline"
++msgstr "오프라인"
++
++#: src/tools/sssctl/sssctl_domains.c:167
++#, c-format
++msgid "Online status: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:213
++msgid "This domain has no active servers.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:218
++msgid "Active servers:\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:230
++msgid "not connected"
++msgstr "연결되지 않음"
++
++#: src/tools/sssctl/sssctl_domains.c:267
++msgid "No servers discovered.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:273
++#, c-format
++msgid "Discovered %s servers:\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:285
++msgid "None so far.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:325
++msgid "Show online status"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:326
++msgid "Show information about active server"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:327
++msgid "Show list of discovered servers"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:333
++msgid "Specify domain name."
++msgstr ""
++
++#: src/tools/sssctl/sssctl_domains.c:355
++msgid "Out of memory!\n"
++msgstr "메모리가 다 찼습니다!\n"
++
++#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
++msgid "Unable to get online status\n"
++msgstr "온라인 상태를 얻는 데 실패\n"
++
++#: src/tools/sssctl/sssctl_domains.c:395
++msgid "Unable to get server list\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:46
++msgid "\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:236
++msgid "Delete log files instead of truncating"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:247
++msgid "Deleting log files...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:250
++msgid "Unable to remove log files\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:256
++msgid "Truncating log files...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:259
++msgid "Unable to truncate log files\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:285
++msgid "Out of memory!"
++msgstr "메모리가 다 찼습니다!"
++
++#: src/tools/sssctl/sssctl_logs.c:288
++#, c-format
++msgid "Archiving log files into %s...\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:291
++msgid "Unable to archive log files\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_logs.c:316
++msgid "Specify debug level you want to set"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:117
++msgid "SSSD InfoPipe user lookup result:\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:167
++#, c-format
++msgid "dlopen failed with [%s].\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:174
++#, c-format
++msgid "dlsym failed with [%s].\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:182
++msgid "malloc failed.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:189
++#, c-format
++msgid "sss_getpwnam_r failed with [%d].\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:194
++msgid "SSSD nss user lookup result:\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:195
++#, c-format
++msgid " - user name: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:196
++#, c-format
++msgid " - user id: %d\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:197
++#, c-format
++msgid " - group id: %d\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:198
++#, c-format
++msgid " - gecos: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:199
++#, c-format
++msgid " - home directory: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:200
++#, c-format
++msgid ""
++" - shell: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:232
++msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:235
++msgid "PAM service, default: "
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:240
++msgid "Specify user name."
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:247
++#, c-format
++msgid ""
++"user: %s\n"
++"action: %s\n"
++"service: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:252
++#, c-format
++msgid "User name lookup with [%s] failed.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:257
++#, c-format
++msgid "InfoPipe User lookup with [%s] failed.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:263
++#, c-format
++msgid "pam_start failed: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:268
++msgid ""
++"testing pam_authenticate\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:272
++#, c-format
++msgid "pam_get_item failed: %s\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:275
++#, c-format
++msgid ""
++"pam_authenticate for user [%s]: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:278
++msgid ""
++"testing pam_chauthtok\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:280
++#, c-format
++msgid ""
++"pam_chauthtok: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:282
++msgid ""
++"testing pam_acct_mgmt\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:284
++#, c-format
++msgid ""
++"pam_acct_mgmt: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:286
++msgid ""
++"testing pam_setcred\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:288
++#, c-format
++msgid ""
++"pam_setcred: [%s]\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:290
++msgid ""
++"testing pam_open_session\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:292
++#, c-format
++msgid ""
++"pam_open_session: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:294
++msgid ""
++"testing pam_close_session\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:296
++#, c-format
++msgid ""
++"pam_close_session: %s\n"
++"\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:298
++msgid "unknown action\n"
++msgstr "알 수 없는 동작\n"
++
++#: src/tools/sssctl/sssctl_user_checks.c:301
++msgid "PAM Environment:\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:309
++msgid " - no env -\n"
++msgstr ""
++
++#: src/util/util.h:93
++msgid "The user ID to run the server as"
++msgstr ""
++
++#: src/util/util.h:95
++msgid "The group ID to run the server as"
++msgstr ""
++
++#: src/util/util.h:103
++msgid "Informs that the responder has been socket-activated"
++msgstr ""
++
++#: src/util/util.h:105
++msgid "Informs that the responder has been dbus-activated"
++msgstr ""
+diff --git a/po/zh_CN.po b/po/zh_CN.po
+index 31542dd52..c10779e8c 100644
+--- a/po/zh_CN.po
++++ b/po/zh_CN.po
+@@ -13,7 +13,7 @@ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2021-07-12 20:53+0200\n"
+-"PO-Revision-Date: 2021-03-18 10:39+0000\n"
++"PO-Revision-Date: 2021-07-20 07:04+0000\n"
+ "Last-Translator: Sundeep Anand \n"
+ "Language-Team: 
Chinese (Simplified) \n" +@@ -22,7 +22,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Weblate 4.5.1\n" ++"X-Generator: Weblate 4.7.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -39,7 +39,7 @@ msgstr "在调试日志中的时间戳中包含微秒" + + #: src/config/SSSDConfig/sssdoptions.py:24 + msgid "Enable/disable debug backtrace" +-msgstr "" ++msgstr "启用/禁用 debug backtrace" + + #: src/config/SSSDConfig/sssdoptions.py:25 + msgid "Watchdog timeout before restarting service" +@@ -329,9 +329,8 @@ msgid "Path to certificate database with PKCS#11 modules." + msgstr "带有 PKCS#11 模块的证书数据库的路径。" + + #: src/config/SSSDConfig/sssdoptions.py:101 +-#, fuzzy + msgid "Tune certificate verification for PAM authentication." +-msgstr "调整证书验证" ++msgstr "对 PAM 验证调整证书验证。" + + #: src/config/SSSDConfig/sssdoptions.py:102 + msgid "How many seconds will pam_sss wait for p11_child to finish" +@@ -347,12 +346,12 @@ msgstr "允许服务使用智能卡" + + #: src/config/SSSDConfig/sssdoptions.py:105 + msgid "Additional timeout to wait for a card if requested" +-msgstr "等待卡的额外超时,如果请求。" ++msgstr "等待卡的额外超时,如果请求" + + #: src/config/SSSDConfig/sssdoptions.py:106 + msgid "" + "PKCS#11 URI to restrict the selection of devices for Smartcard authentication" +-msgstr "PKCS#11 URI,用于限制智能卡认证设备的选择。" ++msgstr "PKCS#11 URI,用于限制智能卡认证设备的选择" + + #: src/config/SSSDConfig/sssdoptions.py:107 + msgid "When shall the PAM responder force an initgroups request" +@@ -371,6 +370,7 @@ msgid "" + "List of pairs : that must be enforced " + "for PAM access with GSSAPI authentication" + msgstr "" ++": 对列表,它们必须强制使用 GSSAPI 身份验证进行 PAM 访问" + + #: src/config/SSSDConfig/sssdoptions.py:114 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -403,13 +403,13 @@ msgstr "到可信 CA 证书存储的路径" + + #: src/config/SSSDConfig/sssdoptions.py:127 + msgid "Allow to generate ssh-keys from certificates" +-msgstr 
"允许从证书中生成 ssh-keys。" ++msgstr "允许从证书中生成 ssh-keys" + + #: src/config/SSSDConfig/sssdoptions.py:128 + msgid "" + "Use the following matching rules to filter the certificates for ssh-key " + "generation" +-msgstr "使用以下匹配规则来过滤生成 ssh-key 的证书。" ++msgstr "使用以下匹配规则来过滤生成 ssh-key 的证书" + + #: src/config/SSSDConfig/sssdoptions.py:132 + msgid "List of UIDs or user names allowed to access the PAC responder" +@@ -1698,7 +1698,7 @@ msgstr "自动智能刷新周期" + + #: src/config/SSSDConfig/sssdoptions.py:518 + msgid "Smart and full refresh random offset" +-msgstr "" ++msgstr "智能和完整刷新随机偏移" + + #: src/config/SSSDConfig/sssdoptions.py:519 + msgid "Whether to filter rules by hostname, IP addresses and network" +@@ -1905,7 +1905,7 @@ msgstr "使用的 NSS 库的名称" + + #: src/config/SSSDConfig/sssdoptions.py:581 + msgid "The name of the NSS library to use for hosts and networks lookups" +-msgstr "用于查询主机和网络的 NSS 库名称。" ++msgstr "用于查询主机和网络的 NSS 库名称" + + #: src/config/SSSDConfig/sssdoptions.py:582 + msgid "Whether to look up canonical group name from cache if possible" +@@ -1946,7 +1946,7 @@ msgstr "刷新配置数据库,然后退出" + + #: src/monitor/monitor.c:2420 + msgid "Similar to --genconf, but only refreshes the given section" +-msgstr "类似于 --genconf,但只刷新指定的部分。" ++msgstr "类似于 --genconf,但只刷新指定的部分" + + #: src/monitor/monitor.c:2423 + msgid "Print version number and exit" +@@ -1954,15 +1954,15 @@ msgstr "显示版本号并退出" + + #: src/monitor/monitor.c:2461 + msgid "Option -i|--interactive is not allowed together with -D|--daemon\n" +-msgstr "" ++msgstr "选项 -i|--interactive 不能和 -D|--daemon 一起使用\n" + + #: src/monitor/monitor.c:2467 + msgid "Option -g is incompatible with -D or -i\n" +-msgstr "" ++msgstr "选项 -g 与 -D 或 -i 不兼容\n" + + #: src/monitor/monitor.c:2480 + msgid "Running under %" +-msgstr "" ++msgstr "运行于 % 下" + + #: src/monitor/monitor.c:2562 + msgid "SSSD is already running\n" +@@ -2009,13 +2009,12 @@ msgid "Use custom version of krb5_get_init_creds_password" + msgstr "使用自定义版本的 krb5_get_init_creds_password" + + #: 
src/providers/krb5/krb5_child.c:3375 src/providers/ldap/ldap_child.c:663 +-#, fuzzy + msgid "talloc_asprintf failed.\n" +-msgstr "malloc 失败。\n" ++msgstr "talloc_asprintf 失败。\n" + + #: src/providers/krb5/krb5_child.c:3385 src/providers/ldap/ldap_child.c:672 + msgid "set_debug_file_from_fd failed.\n" +-msgstr "" ++msgstr "set_debug_file_from_fd 失败。\n" + + #: src/providers/data_provider_be.c:733 + msgid "Domain of the information provider (mandatory)" +@@ -2055,7 +2054,7 @@ msgstr "查找错误说明时出现意外错误" + + #: src/sss_client/pam_sss.c:68 + msgid "Permission denied. " +-msgstr "权限被拒绝。" ++msgstr "权限被拒绝。 " + + #: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 + #: src/sss_client/pam_sss.c:796 +@@ -2104,15 +2103,15 @@ msgstr "更改 OTP 密码后,您需要注销并重新登录以获得票证" + + #: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 + msgid "Password change failed. " +-msgstr "更改密码失败。" ++msgstr "更改密码失败。 " + + #: src/sss_client/pam_sss.c:2045 + msgid "New Password: " +-msgstr "新密码:" ++msgstr "新密码: " + + #: src/sss_client/pam_sss.c:2046 + msgid "Reenter new Password: " +-msgstr "重新输入新密码:" ++msgstr "重新输入新密码: " + + #: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2211 + msgid "First Factor: " +@@ -2128,7 +2127,7 @@ msgstr "第二因素: " + + #: src/sss_client/pam_sss.c:2230 + msgid "Password: " +-msgstr "密码:" ++msgstr "密码: " + + #: src/sss_client/pam_sss.c:2382 src/sss_client/pam_sss.c:2385 + msgid "First Factor (Current Password): " +@@ -2136,7 +2135,7 @@ msgstr "第一因素(当前密码): " + + #: src/sss_client/pam_sss.c:2389 + msgid "Current Password: " +-msgstr "当前密码:" ++msgstr "当前密码: " + + #: src/sss_client/pam_sss.c:2746 + msgid "Password expired. Change your password now." 
+@@ -2268,7 +2267,7 @@ msgstr "初始化工具时出错 - 没有本地域\n" + #: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 + #: src/tools/sss_usermod.c:164 + msgid "Error initializing the tools\n" +-msgstr "初始化工具出错。\n" ++msgstr "初始化工具出错\n" + + #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 + #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +@@ -2426,7 +2425,7 @@ msgstr "无法修改组 - 检查成员组名称是否正确\n" + + #: src/tools/sss_groupmod.c:261 + msgid "Could not modify group - check if groupname is correct\n" +-msgstr " 无法修改组 - 检查组名是否正确\n" ++msgstr "无法修改组 - 检查组名是否正确\n" + + #: src/tools/sss_groupmod.c:265 + msgid "Transaction error. Could not modify group.\n" +@@ -2449,7 +2448,7 @@ msgstr "%1$sGID 号:%2$d\n" + #: src/tools/sss_groupshow.c:620 + #, c-format + msgid "%1$sMember users: " +-msgstr "%1$sMember 用户:" ++msgstr "%1$sMember 用户: " + + #: src/tools/sss_groupshow.c:627 + #, c-format +@@ -2458,7 +2457,7 @@ msgid "" + "%1$sIs a member of: " + msgstr "" + "\n" +-"%1$sIs 一个成员:" ++"%1$sIs 一个成员: " + + #: src/tools/sss_groupshow.c:634 + #, c-format +@@ -2467,7 +2466,7 @@ msgid "" + "%1$sMember groups: " + msgstr "" + "\n" +-"%1$sMember 组:" ++"%1$sMember 组: " + + #: src/tools/sss_groupshow.c:670 + msgid "Print indirect group members recursively" +@@ -2541,7 +2540,7 @@ msgstr "没有删除主目录 - 不归用户所有\n" + #: src/tools/sss_userdel.c:312 + #, c-format + msgid "Cannot remove homedir: %1$s\n" +-msgstr "无法删除主目录:%1$s\n" ++msgstr "无法删除主目录: %1$s\n" + + #: src/tools/sss_userdel.c:326 + msgid "" +@@ -2584,9 +2583,7 @@ msgstr "删除一个属性/值对。格式为 attrname=value。" + msgid "" + "Set an attribute to a name/value pair. The format is attrname=value. 
For " + "multi-valued attributes, the command replaces the values already present" +-msgstr "" +-"将属性设置为名称/值对。格式为 attrname=value。对于多值属性,替换值的命令已存" +-"在。" ++msgstr "将属性设置为名称/值对。格式为 attrname=value。对于多值属性,替换值的命令已存在" + + #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 + #: src/tools/sss_usermod.c:135 +@@ -2843,12 +2840,12 @@ msgstr "" + #: src/tools/sssctl/sssctl_config.c:118 + #, c-format + msgid "Failed to open %s\n" +-msgstr "打开失败:%s\n" ++msgstr "打开失败: %s\n" + + #: src/tools/sssctl/sssctl_config.c:123 + #, c-format + msgid "File %1$s does not exist.\n" +-msgstr "文件 %1$s 不存在\n" ++msgstr "文件 %1$s 不存在。\n" + + #: src/tools/sssctl/sssctl_config.c:127 + msgid "" +@@ -3138,11 +3135,11 @@ msgstr "" + + #: src/tools/sssctl/sssctl_user_checks.c:232 + msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +-msgstr "PAM 操作 [auth|acct|setc|chau|open|clos],默认:" ++msgstr "PAM 操作 [auth|acct|setc|chau|open|clos],默认: " + + #: src/tools/sssctl/sssctl_user_checks.c:235 + msgid "PAM service, default: " +-msgstr "PAM 服务,默认:" ++msgstr "PAM 服务,默认: " + + #: src/tools/sssctl/sssctl_user_checks.c:240 + msgid "Specify user name." 
+@@ -3174,7 +3171,7 @@ msgstr "使用 [%s] 进行 InfoPipe 用户查找失败。\n" + #: src/tools/sssctl/sssctl_user_checks.c:263 + #, c-format + msgid "pam_start failed: %s\n" +-msgstr "pam_start 失败:%s\n" ++msgstr "pam_start 失败: %s\n" + + #: src/tools/sssctl/sssctl_user_checks.c:268 + msgid "" +@@ -3187,7 +3184,7 @@ msgstr "" + #: src/tools/sssctl/sssctl_user_checks.c:272 + #, c-format + msgid "pam_get_item failed: %s\n" +-msgstr "pam_get_item 失败:%s\n" ++msgstr "pam_get_item 失败: %s\n" + + #: src/tools/sssctl/sssctl_user_checks.c:275 + #, c-format +diff --git a/src/man/po/ja.po b/src/man/po/ja.po +index fc098a03a..3c3bd956d 100644 +--- a/src/man/po/ja.po ++++ b/src/man/po/ja.po +@@ -13,16 +13,16 @@ msgstr "" + "Project-Id-Version: sssd-docs 2.3.0\n" + "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" + "POT-Creation-Date: 2021-07-12 20:51+0200\n" +-"PO-Revision-Date: 2020-07-22 07:48-0400\n" +-"Last-Translator: Copied by Zanata \n" +-"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" +-"ja/)\n" ++"PO-Revision-Date: 2021-07-20 07:04+0000\n" ++"Last-Translator: Ludek Janda \n" ++"Language-Team: Japanese \n" + "Language: ja\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Zanata 4.6.2\n" ++"X-Generator: Weblate 4.7.1\n" + + #. type: Content of: + #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +@@ -608,7 +608,7 @@ msgstr "" + msgid "" + "Controls if SSSD should monitor the state of resolv.conf to identify when it " + "needs to update its internal DNS resolver." +-msgstr "" ++msgstr "内部 DNS リゾルバーを更新する必要があるときを判断するために SSSD が resolv.conf の状態を監視するかどうかを制御します。" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:360 +@@ -1620,7 +1620,7 @@ msgstr "get_domains_timeout (整数)" + msgid "" + "Specifies time in seconds for which the list of subdomains will be " + "considered valid." +-msgstr "" ++msgstr "サブドメインのリストが有効とみなされる時間を秒単位で指定します。" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1137 +@@ -2960,6 +2960,8 @@ msgid "" + "Matches user names as returned by NSS. I.e. after the possible space " + "replacement, case changes, etc." + msgstr "" ++"セッション記録を有効にしておくべきユーザーのカンマ区切りのリストです。NSS " ++"が返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2265 sssd-session-recording.5.xml:115 +@@ -2978,6 +2980,8 @@ msgid "" + "recording enabled. Matches group names as returned by NSS. I.e. after the " + "possible space replacement, case changes, etc." + msgstr "" ++"セッション記録を有効にしておくべきユーザーのグループごとのカンマ区切りのリストです。NSS " ++"が返すグループ名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2279 sssd.conf.5.xml:2311 sssd-session-recording.5.xml:129 +@@ -3394,7 +3398,7 @@ msgstr "" + msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." +-msgstr "" ++msgstr "リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何秒キャッシュするか。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2632 +@@ -3487,6 +3491,8 @@ msgid "" + "this value determines the minimal length the first authentication factor " + "(long term password) must have to be saved as SHA512 hash into the cache." 
+ msgstr "" ++"2-Factor-Authentication (2FA) が使用され、認証情報を保存する必要がある場合、この値は、最初の認証要素 (長期パスワード) " ++"を SHA512 ハッシュとしてキャッシュに保存する必要がある最小の長さを決定します。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2715 +@@ -4524,7 +4530,7 @@ msgstr "realmd_tags (文字列)" + #: sssd.conf.5.xml:3677 + msgid "" + "Various tags stored by the realmd configuration service for this domain." +-msgstr "" ++msgstr "このドメインのための realmd 設定サービスによって格納された様々なタグ。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3683 +@@ -7113,7 +7119,7 @@ msgstr "ldap_rfc2307_fallback_to_local_users (論理値)" + msgid "" + "Allows to retain local users as members of an LDAP group for servers that " + "use the RFC2307 schema." +-msgstr "" ++msgstr "RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカルユーザーを保持することができます。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1446 +@@ -7440,7 +7446,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1731 + msgid "The name of the automount master map in LDAP." +-msgstr "" ++msgstr "LDAP のオートマウントマスターマップの名前。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1734 +@@ -13765,8 +13771,7 @@ msgid "" + "Set an attribute to a name/value pair. The format is attrname=value. For " + "multi-valued attributes, the command replaces the values already present" + msgstr "" +-"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属" +-"性の場合、コマンドがすでに存在する値に置き換えられます。" ++"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sss_usermod.8.xml:160 +@@ -17766,7 +17771,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:878 + msgid "The object class of a host entry in LDAP." +-msgstr "" ++msgstr "LDAP にあるホストエントリーのオブジェクトクラスです。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +@@ -17828,7 +17833,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:942 + msgid "The LDAP attribute that contains the host's SSH public keys." +-msgstr "" ++msgstr "ホストの SSH 公開鍵を含む LDAP 属性です。" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:952 +diff --git a/src/man/po/ru.po b/src/man/po/ru.po +index b56765f17..931165a06 100644 +--- a/src/man/po/ru.po ++++ b/src/man/po/ru.po +@@ -9,7 +9,7 @@ msgstr "" + "Project-Id-Version: sssd-docs 2.3.0\n" + "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" + "POT-Creation-Date: 2021-07-12 20:51+0200\n" +-"PO-Revision-Date: 2021-07-10 16:04+0000\n" ++"PO-Revision-Date: 2021-07-20 07:04+0000\n" + "Last-Translator: Olesya Gerasimenko <gammaray@basealt.ru>\n" + "Language-Team: Russian <https://translate.fedoraproject.org/projects/sssd/" + "sssd-manpage-master/ru/>\n" +@@ -1107,6 +1107,9 @@ msgid "" + "The SSSD state changes caused by netlink events may be undesirable and can " + "be disabled by setting this option to 'true'" + msgstr "" ++"Изменения состояния SSSD, вызванные событиями netlink, могут быть " ++"нежелательными. Чтобы их отключить, установите этот параметр в значение " ++"«true»." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:630 +@@ -1124,11 +1127,13 @@ msgid "" + "When this option is enabled, SSSD prepends an implicit domain with " + "<quote>id_provider=files</quote> before any explicitly configured domains." + msgstr "" ++"Когда этот параметр включён, SSSD добавляет перед всеми явно настроенными " ++"доменами неявный домен с<quote>id_provider=files</quote>." + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:652 + msgid "domain_resolution_order" +-msgstr "" ++msgstr "domain_resolution_order" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:655 +@@ -1140,6 +1145,12 @@ msgid "" + "subdomains which are not listed as part of <quote>lookup_order</quote> will " + "be looked up in a random order for each parent domain." + msgstr "" ++"Разделённый запятыми список доменов и поддоменов, который указывает порядок " ++"поиска. В список не требуется включать все возможные домены, так как поиск " ++"отсутствующих доменов будет выполняться на основе порядка, в котором они " ++"представлены в параметре конфигурации <quote>domains</quote>. Поиск " ++"поддоменов, которые не указаны в параметре <quote>lookup_order</quote>, " ++"будет выполняться в случайном порядке для каждого родительского домена." + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:667 +@@ -1157,12 +1168,26 @@ msgid "" + "shortnames, making this workaround totally not recommended in cases where " + "usernames may overlap between domains." 
+ msgstr "" ++"Обратите внимание: когда этот параметр задан, для вывода всех команд будет " ++"использоваться полный формат, даже если во входных данных использовались " ++"краткие имена (для всех пользователей, кроме находящихся под управлением " ++"поставщика файлов). Если администратору не требуется полный формат, " ++"параметр full_name_format можно использовать следующим образом: " ++"<quote>full_name_format=%1$s</quote>. Но следует учитывать, что при входе " ++"приложения часто преобразуют имя пользователя в каноническую форму, вызывая " ++"программу <citerefentry> <refentrytitle>getpwnam</refentrytitle> " ++"<manvolnum>3</manvolnum> </citerefentry>, которая, если для входных данных в " ++"полной форме возвращается краткое имя (при попытке обработки данных " ++"пользователя, существующего в нескольких доменах), может перенаправить " ++"попытку входа в домен, который использует краткие имена; следовательно, " ++"такое использование параметра категорически не рекомендуется, когда имена " ++"пользователей в разных доменах могут быть одинаковыми." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:692 sssd.conf.5.xml:1659 sssd.conf.5.xml:3927 + #: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318 + msgid "Default: Not set" +-msgstr "" ++msgstr "По умолчанию: не задано" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd.conf.5.xml:208 +@@ -1174,11 +1199,17 @@ msgid "" + "some other important options like the identity domains. <placeholder type=" + "\"variablelist\" id=\"0\"/>" + msgstr "" ++"Отдельные функциональные возможности SSSD обеспечиваются специальными " ++"службами SSSD, которые запускаются и останавливаются вместе с SSSD. Эти " ++"службы находятся под управлением специальной службы, которую часто называют " ++"<quote>монитором</quote>. 
Настройка монитора и некоторых других важных "
++"параметров (например, доменов профилей) выполняется в разделе <quote>[sssd]</"
++"quote>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:703
+ msgid "SERVICES SECTIONS"
+-msgstr ""
++msgstr "РАЗДЕЛЫ СЛУЖБ"
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:705
+@@ -1188,21 +1219,25 @@ msgid ""
+ "section, for example, for NSS service, the section would be <quote>[nss]</"
+ "quote>"
+ msgstr ""
++"В этом разделе приводится описание параметров, которые можно использовать "
++"для настройки различных служб. Они должны находится в разделах с именами "
++"[<replaceable>$NAME</replaceable>]. Например, для службы NSS это будет "
++"раздел <quote>[nss]</quote>."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:712
+ msgid "General service configuration options"
+-msgstr ""
++msgstr "Общие параметры настройки служб"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:714
+ msgid "These options can be used to configure any service."
+-msgstr ""
++msgstr "Эти параметры можно использовать для настройки любых служб."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:731
+ msgid "fd_limit"
+-msgstr ""
++msgstr "fd_limit"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:734
+@@ -1213,16 +1248,22 @@ msgid ""
+ "systems without this capability, the resulting value will be the lower value "
+ "of this or the limits.conf \"hard\" limit."
+ msgstr ""
++"Этот параметр задаёт максимальное количество файловых дескрипторов, которые "
++"может одновременно открыть этот процесс SSSD.
В системах, где у SSSD имеется "
++"возможность CAP_SYS_RESOURCE, этот параметр будет использоваться независимо "
++"от других параметров системы. В системах без такой возможности количество "
++"дескрипторов будет определяться наименьшим значением этого параметра или "
++"ограничением «hard» в limits.conf."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:743
+ msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+-msgstr ""
++msgstr "По умолчанию: 8192 (или ограничение «hard» в limits.conf)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:748
+ msgid "client_idle_timeout"
+-msgstr ""
++msgstr "client_idle_timeout"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:751
+@@ -1233,6 +1274,11 @@ msgid ""
+ "can't be shorter than 10 seconds. If a lower value is configured, it will be "
+ "adjusted to 10 seconds."
+ msgstr ""
++"Этот параметр задаёт количество секунд, в течение которого клиент процесса "
++"SSSD может удерживать файловый дескриптор без передачи данных. Это значение "
++"ограничено в целях предотвращения исчерпания ресурсов системы. Оно не может "
++"быть меньше 10 секунд. Если указано меньшее значение, оно будет исправлено "
++"на 10 секунд."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:760
+@@ -1254,6 +1300,13 @@ msgid ""
+ "time for the previous ones. After each unsuccessful attempt to go online, "
+ "the new interval is recalculated by the following:"
+ msgstr ""
++"Когда SSSD переключается в автономный режим, количество времени до "
++"выполнения попытки вернуться в сеть будет увеличиваться в соответствии со "
++"временем, проведённым без подключения.
По умолчанию SSSD использует "
++"приращение для расчёта задержки между повторными попытками. Поэтому время "
++"ожидания для конкретной попытки будет больше, чем для предыдущих. После "
++"каждой неудачной попытки вернуться в сеть интервал будет пересчитываться по "
++"следующей формуле:"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:779 sssd.conf.5.xml:835
+@@ -1261,6 +1314,8 @@ msgid ""
+ "new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0..."
+ "offline_timeout_random_offset]"
+ msgstr ""
++"new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0..."
++"offline_timeout_random_offset]"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:782
+@@ -1269,6 +1324,10 @@ msgid ""
+ "value is 3600. The offline_timeout_random_offset default value is 30. The "
+ "end result is amount of seconds before next retry."
+ msgstr ""
++"Стандартное значение offline_timeout составляет 60. Стандартное значение "
++"offline_timeout_max — 3600. Стандартное значение "
++"offline_timeout_random_offset — 30. Конечный результат представляет собой "
++"количество секунд до следующей попытки."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:788
+@@ -1276,12 +1335,14 @@ msgid ""
+ "Note that the maximum length of each interval is defined by "
+ "offline_timeout_max (apart of random part)."
+ msgstr ""
++"Обратите внимание, что максимальная длительность каждого интервала задана "
++"параметром offline_timeout_max (кроме случайной части)."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:792 sssd.conf.5.xml:1132 sssd.conf.5.xml:1486
+ #: sssd.conf.5.xml:1748 sssd-ldap.5.xml:469
+ msgid "Default: 60"
+-msgstr ""
++msgstr "По умолчанию: 60"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:797
+@@ -1294,11 +1355,13 @@ msgid ""
+ "Controls by how much the time between attempts to go online can be "
+ "incremented following unsuccessful attempts to go online."
+ msgstr ""
++"Управляет тем, насколько можно увеличить время между попытками вернуться в "
++"сеть после неудачных попыток восстановления подключения."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:805
+ msgid "A value of 0 disables the incrementing behaviour."
+-msgstr ""
++msgstr "Значение «0» отключает использование приращения."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:808
+@@ -1306,6 +1369,8 @@ msgid ""
+ "The value of this parameter should be set in correlation to offline_timeout "
+ "parameter value."
+ msgstr ""
++"Значение этого параметра следует устанавливать с учётом значения параметра "
++"offline_timeout."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:812
+@@ -1315,6 +1380,11 @@ msgid ""
+ "rule here should be to set offline_timeout_max to at least 4 times "
+ "offline_timeout."
+ msgstr ""
++"Если параметр offline_timeout установлен в значение «60» (значение по "
++"умолчанию), нет смысла указывать для параметра offlinet_timeout_max значение "
++"меньше 120, поскольку первый же шаг увеличения приведёт к его превышению.
"
++"Общее правило таково: значение offline_timeout_max должно по крайней мере в "
++"4 раза превышать значение offline_timeout."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:818
+@@ -1322,6 +1392,9 @@ msgid ""
+ "Although a value between 0 and offline_timeout may be specified, it has the "
+ "effect of overriding the offline_timeout value so is of little use."
+ msgstr ""
++"Несмотря на то, что возможно указать значение от 0 до offline_timeout, "
++"результатом этого станет переопределение значения offline_timeout, что не "
++"имеет практического смысла."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:823
+@@ -1339,6 +1412,8 @@ msgid ""
+ "When SSSD is in offline mode it keeps probing backend servers in specified "
+ "time intervals:"
+ msgstr ""
++"Когда сервис SSSD находится в автономном режиме, он продолжает обращаться к "
++"внутренним серверам через заданные промежутки времени:"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:838
+@@ -1346,16 +1421,19 @@ msgid ""
+ "This parameter controls the value of the random offset used for the above "
+ "equation. Final random_offset value will be random number in range:"
+ msgstr ""
++"Этот параметр управляет значением случайной задержки, которое используется "
++"для приведённого выше уравнения. Итоговым значением random_offset будет "
++"случайное число, принадлежащее диапазону:"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:843
+ msgid "[0 - offline_timeout_random_offset]"
+-msgstr ""
++msgstr "[0 - offline_timeout_random_offset]"
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:846
+ msgid "A value of 0 disables the random offset addition."
+-msgstr ""
++msgstr "Значение «0» отключает добавление случайной задержки."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:849
+@@ -1365,7 +1443,7 @@ msgstr "По умолчанию: 30"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:854
+ msgid "responder_idle_timeout"
+-msgstr ""
++msgstr "responder_idle_timeout"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:857
+@@ -1378,17 +1456,24 @@ msgid ""
+ "built with systemd support and when services are either socket or D-Bus "
+ "activated."
+ msgstr ""
++"Этот параметр задаёт количество секунд, в течение которого процесс ответчика "
++"SSSD может работать без использования. Это значение ограничено в целях "
++"предотвращения исчерпания ресурсов системы. Минимально допустимое значение: "
++"60 секунд. Установка этого параметра в значение «0» (ноль) означает, что для "
++"ответчика не устанавливается тайм-аут. Этот параметр используется только в "
++"том случае, если сервис SSSD собран с поддержкой systemd и если службы "
++"активируются с помощью сокетов или D-Bus."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:871 sssd.conf.5.xml:1145 sssd.conf.5.xml:2187
+ #: sssd-ldap.5.xml:326
+ msgid "Default: 300"
+-msgstr ""
++msgstr "По умолчанию: 300"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:876
+ msgid "cache_first"
+-msgstr ""
++msgstr "cache_first"
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:879
+@@ -1396,17 +1481,21 @@ msgid ""
+ "This option specifies whether the responder should query all caches before "
+ "querying the Data Providers."
+ msgstr ""
++"Этот параметр определяет, следует ли ответчику опрашивать все кэши перед "
++"опросом поставщиков данных."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:891
+ msgid "NSS configuration options"
+-msgstr ""
++msgstr "Параметры настройки NSS"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:893
+ msgid ""
+ "These options can be used to configure the Name Service Switch (NSS) service."
+ msgstr ""
++"Эти параметры можно использовать для настройки службы диспетчера службы имён "
++"(NSS)."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:898
+@@ -1419,6 +1508,8 @@ msgid ""
+ "How many seconds should nss_sss cache enumerations (requests for info about "
+ "all users)"
+ msgstr ""
++"Длительность хранения перечислений (запросов информации обо всех "
++"пользователях) в кэше nss_sss в секундах"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:905
+@@ -1437,6 +1528,9 @@ msgid ""
+ "if they are requested beyond a percentage of the entry_cache_timeout value "
+ "for the domain."
+ msgstr ""
++"Можно настроить кэш записей на автоматическое обновление записей в "
++"фоновомрежиме, если запрос о них поступает в срок, определённый в процентах "
++"от значенияentry_cache_timeout для домена."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:919
+@@ -1447,6 +1541,12 @@ msgid ""
+ "but the SSSD will go and update the cache on its own, so that future "
+ "requests will not need to block waiting for a cache update."
+ msgstr ""
++"Например, если параметр entry_cache_timeout домена установлен в значение "
++"«30s» (секунд), а параметр entry_cache_nowait_percentage установлен в "
++"значение «50» (процентов), записи, которые поступят через 15 секунд после "
++"последнего обновления кэша, будут возвращены сразу, но SSSD выполнит "
++"обновление кэша, поэтому будущим запросам не потребуется блокировка в "
++"ожидании обновления кэша."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:929
+@@ -1456,11 +1556,16 @@ msgid ""
+ "percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+ "disables this feature)"
+ msgstr ""
++"Корректные значения этого параметра находятся в диапазоне 0-99 и "
++"представляют собой значение в процентах от entry_cache_timeout для каждого "
++"домена. Чтобы сохранить производительность, это значение никогда не "
++"уменьшает тайм-аут nowait так, что он становится меньше 10 секунд. Установка "
++"значения «0» отключает эту возможность."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:937 sssd.conf.5.xml:1987
+ msgid "Default: 50"
+-msgstr ""
++msgstr "По умолчанию: 50"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:942
+@@ -1474,6 +1579,10 @@ msgid ""
+ "(that is, queries for invalid database entries, like nonexistent ones) "
+ "before asking the back end again."
+ msgstr ""
++"Означает количество секунд, в течение которого в кэше nss_sss будут "
++"храниться неудачные обращения к кэшу (запросы некорректных записей базы "
++"данных, например, несуществующих) перед повторным запросом к внутреннему "
++"серверу."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:951 sssd.conf.5.xml:2011
+@@ -1492,11 +1601,15 @@ msgid ""
+ "negative cache before trying to look it up in the back end again. Setting "
+ "the option to 0 disables this feature."
+ msgstr ""
++"Означает количество секунд, в течение которого в негативном кэше nss_sss "
++"будут храниться локальные пользователи и группы перед попыткой повторного "
++"поиска на внутреннем сервере. Установка значения «0» отключает эту "
++"возможность."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:965
+ msgid "Default: 14400 (4 hours)"
+-msgstr ""
++msgstr "По умолчанию: 14400 (4 часа)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:970
+@@ -1511,6 +1624,12 @@ msgid ""
+ "also be set per-domain or include fully-qualified names to filter only users "
+ "from the particular domain or by a user principal name (UPN)."
+ msgstr ""
++"Исключить определённых пользователей или группы из списка получения данных "
++"из базы данных NSS sss. Эта возможность особенно полезна для системных "
++"учётных записей. Этот параметр также возможно установить для каждого домена "
++"отдельно или включить в него полные имена, чтобы выполнить фильтрацию только "
++"пользователей из конкретного домена или по именам участников-пользователей "
++"(UPN)."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:981
+@@ -1520,6 +1639,11 @@ msgid ""
+ "NSS. E.g.
a group having a member group filtered out will still have the "
+ "member users of the latter listed."
+ msgstr ""
++"ПРИМЕЧАНИЕ: параметр filter_groups не влияет на наследование участников "
++"вложенных групп, так как фильтрация выполняется после их распространения для "
++"возврата с помощью NSS. Например, в списке участников группы, вложенная "
++"группа которой была отфильтрована, останутся пользователи из этой "
++"отфильтрованной вложенной группы."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:989
+@@ -1536,6 +1660,8 @@ msgstr "filter_users_in_groups (логическое значение)"
+ msgid ""
+ "If you want filtered user still be group members set this option to false."
+ msgstr ""
++"Если отфильтрованные пользователи должны оставаться участниками групп, "
++"установите этот параметр в значение «false»."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1008
+@@ -1548,12 +1674,16 @@ msgid ""
+ "Set a default template for a user's home directory if one is not specified "
+ "explicitly by the domain's data provider."
+ msgstr ""
++"Установить стандартный шаблон для домашнего каталога пользователя, если он "
++"явно не указан поставщиком данных домена."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1016
+ msgid ""
+ "The available values for this option are the same as for override_homedir."
+ msgstr ""
++"Допустимые значения этого параметра совпадают с допустимыми значениями "
++"параметра override_homedir."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1022
+@@ -1562,17 +1692,19 @@ msgid ""
+ "fallback_homedir = /home/%u\n"
+ " "
+ msgstr ""
++"fallback_homedir = /home/%u\n"
++" "
+
+ #.
type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1020 sssd.conf.5.xml:1553 sssd.conf.5.xml:1572
+ #: sssd.conf.5.xml:1627 sssd-krb5.5.xml:435 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+-msgstr ""
++msgstr "пример: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1026
+ msgid "Default: not set (no substitution for unset home directories)"
+-msgstr ""
++msgstr "По умолчанию: не задано (без замен для незаданных домашних каталогов)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1032
+@@ -1586,11 +1718,16 @@ msgid ""
+ "shell options if it takes effect and can be set either in the [nss] section "
+ "or per-domain."
+ msgstr ""
++"Переопределить исходную оболочку для всех пользователей. Этот параметр имеет "
++"приоритет над любыми другими параметрами оболочки, когда действует. Его "
++"возможно установить либо в разделе [nss], либо для каждого домена отдельно."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1041
+ msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+ msgstr ""
++"По умолчанию: не задано (SSSD будет использовать значение, полученное от "
++"LDAP)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1047
+@@ -1602,11 +1739,15 @@ msgstr "allowed_shells (строка)"
+ msgid ""
+ "Restrict user shell to one of the listed values. The order of evaluation is:"
+ msgstr ""
++"Ограничить оболочку пользователя одним из указанных в списке значений. "
++"Порядок вычисления:"
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1053
+ msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+ msgstr ""
++"1. Если оболочка присутствует в файле <quote>/etc/shells</quote>, будет "
++"использована она."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1057
+@@ -1614,6 +1755,8 @@ msgid ""
+ "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+ "quote>, use the value of the shell_fallback parameter."
+ msgstr ""
++"2. Если оболочка присутствует в списке allowed_shells, но не в файле <quote>/"
++"etc/shells</quote>, использовать значение параметра shell_fallback."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1062
+@@ -1621,11 +1764,15 @@ msgid ""
+ "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+ "shells</quote>, a nologin shell is used."
+ msgstr ""
++"3. Если оболочка отсутствует в списке allowed_shells и файле <quote>/etc/"
++"shells</quote>, будет использована оболочка, которая не требует входа."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1067
+ msgid "The wildcard (*) can be used to allow any shell."
+ msgstr ""
++"Чтобы разрешить использование любой оболочки, можно использовать "
++"подстановочный знак (*)."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1070
+@@ -1634,6 +1781,9 @@ msgid ""
+ "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+ "allowed shells in allowed_shells would be to much overhead."
+ msgstr ""
++"Знаком (*) можно воспользоваться, чтобы использовать shell_fallback, когда "
++"оболочка пользователя отсутствует в файле <quote>/etc/shells</quote>, а "
++"ведение списка всех разрешённых оболочек в allowed_shells было бы излишним."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1077
+@@ -1646,11 +1796,14 @@ msgid ""
+ "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+ "that a restart of the SSSD is required in case a new shell is installed."
+ msgstr ""
++"Чтение файла <quote>/etc/shells</quote> выполняется только при запуске SSSD. "
++"Следовательно, в случае установки новой оболочки потребуется перезапуск SSSD."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1084
+ msgid "Default: Not set. The user shell is automatically used."
+ msgstr ""
++"По умолчанию: не задано. Автоматически используется оболочка пользователя."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1089
+@@ -1660,7 +1813,7 @@ msgstr "vetoed_shells (строка)"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1092
+ msgid "Replace any instance of these shells with the shell_fallback"
+-msgstr ""
++msgstr "Заменять все экземпляры этих оболочек на shell_fallback"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1097
+@@ -1672,16 +1825,18 @@ msgstr "shell_fallback (строка)"
+ msgid ""
+ "The default shell to use if an allowed shell is not installed on the machine."
+ msgstr ""
++"Оболочка по умолчанию, которую следует использовать, если разрешённая "
++"оболочка не установлена на компьютере."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1104
+ msgid "Default: /bin/sh"
+-msgstr ""
++msgstr "По умолчанию: /bin/sh"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1109
+ msgid "default_shell"
+-msgstr ""
++msgstr "default_shell"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1112
+@@ -1689,6 +1844,9 @@ msgid ""
+ "The default shell to use if the provider does not return one during lookup. "
+ "This option can be specified globally in the [nss] section or per-domain."
+ msgstr ""
++"Оболочка по умолчанию, которую следует использовать, если поставщик не "
++"вернул оболочку при поиске. Этот параметр можно указать как глобальный в "
++"разделе [nss] или для каждого домена отдельно."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1118
+@@ -1696,11 +1854,13 @@ msgid ""
+ "Default: not set (Return NULL if no shell is specified and rely on libc to "
+ "substitute something sensible when necessary, usually /bin/sh)"
+ msgstr ""
++"По умолчанию: не задано (вернуть NULL, если оболочка не указана, и "
++"положиться на libc в плане подстановки подходящего варианта, обычно /bin/sh)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1125 sssd.conf.5.xml:1479
+ msgid "get_domains_timeout (int)"
+-msgstr ""
++msgstr "get_domains_timeout (целое число)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1128 sssd.conf.5.xml:1482
+@@ -1708,6 +1868,8 @@ msgid ""
+ "Specifies time in seconds for which the list of subdomains will be "
+ "considered valid."
+ msgstr ""
++"Указывает время в секундах, в течение которого список поддоменов считается "
++"действительным."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1137
+@@ -1720,6 +1882,9 @@ msgid ""
+ "Specifies time in seconds for which records in the in-memory cache will be "
+ "valid. Setting this option to zero will disable the in-memory cache."
+ msgstr ""
++"Указывает время в секундах, в течение которого записи кэша в памяти будут "
++"оставаться действительными. Установка этого параметра в значение «0» "
++"отключит кэш в памяти."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1148
+@@ -1727,6 +1892,9 @@ msgid ""
+ "WARNING: Disabling the in-memory cache will have significant negative impact "
+ "on SSSD's performance and should only be used for testing."
+ msgstr ""
++"ПРЕДУПРЕЖДЕНИЕ: отключение кэша в памяти окажет значительное негативное "
++"воздействие на производительность SSSD. Этот параметр следует использовать "
++"только для тестирования."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1154 sssd.conf.5.xml:1179 sssd.conf.5.xml:1204
+@@ -1735,6 +1903,9 @@ msgid ""
+ "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+ "client applications will not use the fast in-memory cache."
+ msgstr ""
++"ПРИМЕЧАНИЕ: если переменная среды SSS_NSS_USE_MEMCACHE установлена в "
++"значение «NO», клиентские приложения не будут использовать быстрый кэш в "
++"памяти."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1162
+@@ -1748,11 +1919,14 @@ msgid ""
+ "for passwd requests. Setting the size to 0 will disable the passwd in-"
+ "memory cache."
+ msgstr ""
++"Размер (в мегабайтах) таблицы данных, которая размещена в быстром кэше в "
++"памяти для запросов passwd. Установка размера в значение «0» отключит кэш в "
++"памяти для запросов passwd."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1171 sssd.conf.5.xml:2720 sssd-ldap.5.xml:513
+ msgid "Default: 8"
+-msgstr ""
++msgstr "По умолчанию: 8"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1174 sssd.conf.5.xml:1199 sssd.conf.5.xml:1224
+@@ -1760,6 +1934,8 @@ msgid ""
+ "WARNING: Disabled or too small in-memory cache can have significant negative "
+ "impact on SSSD's performance."
+ msgstr ""
++"ПРЕДУПРЕЖДЕНИЕ: отключение кэша в памяти или его слишком малый размер окажет "
++"значительное негативное воздействие на производительность SSSD."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1187
+@@ -1773,12 +1949,15 @@ msgid ""
+ "for group requests. Setting the size to 0 will disable the group in-memory "
+ "cache."
+ msgstr ""
++"Размер (в мегабайтах) таблицы данных, которая размещена в быстром кэше в "
++"памяти для запросов group. Установка размера в значение «0» отключит кэш в "
++"памяти для запросов group."
+
+ #. type: Content of: <variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1196 sssd.conf.5.xml:3515 sssd-ldap.5.xml:453
+ #: sssd-ldap.5.xml:495 include/failover.xml:116 include/krb5_options.xml:11
+ msgid "Default: 6"
+-msgstr ""
++msgstr "По умолчанию: 6"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1212
+@@ -1792,6 +1971,9 @@ msgid ""
+ "for initgroups requests. Setting the size to 0 will disable the initgroups "
+ "in-memory cache."
+ msgstr ""
++"Размер (в мегабайтах) таблицы данных, которая размещена в быстром кэше в "
++"памяти для запросов групп инициализации. Установка размера в значение «0» "
++"отключит кэш в памяти для запросов групп инициализации."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1237 sssd-ifp.5.xml:74
+@@ -1808,6 +1990,12 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for details) but with no default values."
+ msgstr ""
++"Некоторые из дополнительных запросов ответчика NSS могут возвращать больше "
++"атрибутов, чем просто атрибуты POSIX, определённые интерфейсом NSS. Этот "
++"параметр управляет списком атрибутов. Обработка выполняется тем же способом, "
++"что и для параметра <quote>user_attributes</quote> ответчика InfoPipe (см. "
++"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>), но без стандартных значений."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1253
+@@ -1815,11 +2003,13 @@ msgid ""
+ "To make configuration more easy the NSS responder will check the InfoPipe "
+ "option if it is not set for the NSS responder."
+ msgstr ""
++"Для упрощения настройки ответчик NSS проверит параметр InfoPipe на то, задан "
++"ли он для ответчика NSS."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1258
+ msgid "Default: not set, fallback to InfoPipe option"
+-msgstr "По умолчанию: не задано, вернуться к параметру InfoPipe"
++msgstr "По умолчанию: не задано, использовать параметр InfoPipe"
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1263
+@@ -1832,6 +2022,8 @@ msgid ""
+ "The value that NSS operations that return users or groups will return for "
+ "the <quote>password</quote> field."
+ msgstr ""
++"Значение, которое операции NSS, возвращающие пользователей или группы, "
++"вернут для поля <quote>password</quote>."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1271
+@@ -1844,6 +2036,8 @@ msgid ""
+ "Note: This option can also be set per-domain which overwrites the value in "
+ "[nss] section."
+ msgstr ""
++"Примечание: этот параметр также возможно задать для каждого домена отдельно, "
++"что будет иметь приоритет над значением в разделе [nss]."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1278
+@@ -1852,11 +2046,14 @@ msgid ""
+ "files domain), <quote>x</quote> (proxy domain with nss_files and sssd-"
+ "shadowutils target)"
+ msgstr ""
++"По умолчанию: <quote>не задано</quote> (удалённые домены), <quote>x</quote> ("
++"домен файлов), <quote>x</quote> (домен прокси с nss_files и целью sssd-"
++"shadowutils)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1288
+ msgid "PAM configuration options"
+-msgstr ""
++msgstr "Параметры настройки PAM"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1290
+@@ -1864,6 +2061,8 @@ msgid ""
+ "These options can be used to configure the Pluggable Authentication Module "
+ "(PAM) service."
+ msgstr ""
++"Эти параметры можно использовать для настройки службы подключаемых модулей "
++"проверки подлинности (PAM)"
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1295 +@@ -1876,6 +2075,9 @@ msgid "" + "If the authentication provider is offline, how long should we allow cached " + "logins (in days since the last successful online login)." + msgstr "" ++"Если поставщик данных для проверки подлинности находится в автономном " ++"режиме, как долго следует разрешать вход по кэшированным данным (в днях с " ++"момента последнего успешного входа в сетевом режиме)" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1303 sssd.conf.5.xml:1316 +@@ -1893,6 +2095,8 @@ msgid "" + "If the authentication provider is offline, how many failed login attempts " + "are allowed." + msgstr "" ++"Если поставщик данных для проверки подлинности находится в автономном " ++"режиме, сколько следует допускать неудачных попыток входа." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1322 +@@ -1905,6 +2109,9 @@ msgid "" + "The time in minutes which has to pass after offline_failed_login_attempts " + "has been reached before a new login attempt is possible." + msgstr "" ++"Время в минутах, которое должно пройти после достижения значения " ++"offline_failed_login_attempts, прежде чем станет возможной новая попытка " ++"входа." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1330 +@@ -1913,6 +2120,10 @@ msgid "" + "offline_failed_login_attempts has been reached. Only a successful online " + "authentication can enable offline authentication again." + msgstr "" ++"Если задано значение «0», пользователь не сможет пройти проверку подлинности " ++"в автономном режиме после достижения значения offline_failed_login_attempts. 
" ++"Для того, чтобы проверка подлинности в автономном режиме снова стала " ++"возможной, необходимо успешно пройти проверку подлинности в сетевом режиме." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1336 sssd.conf.5.xml:1446 +@@ -1930,6 +2141,8 @@ msgid "" + "Controls what kind of messages are shown to the user during authentication. " + "The higher the number to more messages are displayed." + msgstr "" ++"Управляет тем, какие сообщения будут показаны пользователю во время проверки " ++"подлинности. Чем больше число, тем больше сообщений будет показано." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1350 +@@ -1939,22 +2152,23 @@ msgstr "В настоящее время sssd поддерживает след + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1353 + msgid "<emphasis>0</emphasis>: do not show any message" +-msgstr "" ++msgstr "<emphasis>0</emphasis>: не показывать никаких сообщений" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1356 + msgid "<emphasis>1</emphasis>: show only important messages" +-msgstr "" ++msgstr "<emphasis>1</emphasis>: показывать только важные сообщения" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1360 + msgid "<emphasis>2</emphasis>: show informational messages" +-msgstr "" ++msgstr "<emphasis>2</emphasis>: показывать информационные сообщения" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1363 + msgid "<emphasis>3</emphasis>: show all messages and debug information" + msgstr "" ++"<emphasis>3</emphasis>: показывать все сообщения и отладочную информацию" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1367 sssd.8.xml:63 +@@ -1974,6 +2188,11 @@ msgid "" + "responses sent to pam_sss e.g. messages displayed to the user or environment " + "variables which should be set by pam_sss." + msgstr "" ++"Разделённый запятыми список строк, который позволяет удалять (фильтровать) " ++"данные, отправленные ответчиком PAM модулю PAM pam_sss. Ответы, которые " ++"отправляются pam_sss, могут быть разного вида (например, сообщения, которые " ++"показываются пользователю, или переменные среды, которые должны быть " ++"установлены pam_sss)." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1384 +@@ -1981,36 +2200,38 @@ msgid "" + "While messages already can be controlled with the help of the pam_verbosity " + "option this option allows to filter out other kind of responses as well." + msgstr "" ++"Сообщениями можно управлять с помощью параметра pam_verbosity, а этот " ++"параметр позволяет отфильтровать также и другие типы ответов." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1391 + msgid "ENV" +-msgstr "" ++msgstr "ENV" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1392 + msgid "Do not send any environment variables to any service." +-msgstr "" ++msgstr "Не отправлять никаким службам никакие переменные среды." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1395 + msgid "ENV:var_name" +-msgstr "" ++msgstr "ENV:var_name" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1396 + msgid "Do not send environment variable var_name to any service." +-msgstr "" ++msgstr "Не отправлять переменную среды var_name никаким службам." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1400 + msgid "ENV:var_name:service" +-msgstr "" ++msgstr "ENV:var_name:service" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1401 + msgid "Do not send environment variable var_name to service." +-msgstr "" ++msgstr "Не отправлять переменную среды var_name указанной службе." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1389 +@@ -2018,6 +2239,8 @@ msgid "" + "Currently the following filters are supported: <placeholder type=" + "\"variablelist\" id=\"0\"/>" + msgstr "" ++"В настоящее время поддерживаются следующие фильтры: <placeholder type=" ++"\"variablelist\" id=\"0\"/>" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1408 +@@ -2029,17 +2252,24 @@ msgid "" + "that either all list elements must have a '+' or '-' prefix or none. It is " + "considered as an error to mix both styles." + msgstr "" ++"Список строк может представлять собой список фильтров, который установит эти " ++"фильтры, перезаписав стандартные значения. 
Либо каждый элемент списка может " ++"предваряться символом «+» или «-», что, соответственно, добавит этот фильтр " ++"к существующим стандартным фильтрам или удалит его из стандартных фильтров. " ++"Обратите внимание, что следует либо использовать префикс «+» или «-» для " ++"всех элементов списка, либо не использовать его вообще. Использование " ++"префикса только для части элементов списка считается ошибкой." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1419 + msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i" +-msgstr "" ++msgstr "По умолчанию: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1422 + msgid "" + "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list" +-msgstr "" ++msgstr "Пример: -ENV:KRB5CCNAME:sudo-i удалит фильтр из списка стандартных" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1429 +@@ -2053,6 +2283,10 @@ msgid "" + "immediately update the cached identity information for the user in order to " + "ensure that authentication takes place with the latest information." + msgstr "" ++"При любом запросе PAM, поступающем во время работы SSSD в сети, SSSD " ++"выполняет попытку незамедлительно обновить кэшированные данные идентификации " ++"пользователя, чтобы при проверке подлинности использовались самые последние " ++"данные." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1438 +@@ -2062,6 +2296,11 @@ msgid "" + "client-application basis) how long (in seconds) we can cache the identity " + "information to avoid excessive round-trips to the identity provider." 
+ msgstr "" ++"Полный обмен данными PAM может включать несколько запросов PAM (в частности, " ++"для управления учётными записями и открытия сеансов). Этот параметр " ++"управляет (для каждого клиента-приложения отдельно) длительностью (в " ++"секундах) кэширования данных идентификации, позволяющего избежать повторных " ++"обменов данными с поставщиком данных идентификации." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1452 +@@ -2071,7 +2310,7 @@ msgstr "pam_pwd_expiration_warning (целое число)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1455 sssd.conf.5.xml:2744 + msgid "Display a warning N days before the password expires." +-msgstr "" ++msgstr "Показать предупреждение за N дней до истечения срока действия пароля." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1458 +@@ -2080,6 +2319,9 @@ msgid "" + "expiration time of the password. If this information is missing, sssd " + "cannot display a warning." + msgstr "" ++"Обратите внимание, что внутренний сервер должен предоставить информацию о " ++"времени истечения срока действия пароля. Если она отсутствует, sssd не " ++"сможет показать предупреждение." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1464 sssd.conf.5.xml:2747 +@@ -2087,6 +2329,9 @@ msgid "" + "If zero is set, then this filter is not applied, i.e. if the expiration " + "warning was received from backend server, it will automatically be displayed." + msgstr "" ++"Если указан ноль, этот фильтр не применяется: если от внутреннего сервера " ++"было получено предупреждение об истечении строка действия, оно будет " ++"показано автоматически." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1469 +@@ -2094,11 +2339,13 @@ msgid "" + "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" + "emphasis> for a particular domain." + msgstr "" ++"Этот параметр можно переопределить, установив " ++"<emphasis>pwd_expiration_warning</emphasis> для конкретного домена." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1474 sssd.conf.5.xml:3709 sssd-ldap.5.xml:549 sssd.8.xml:79 + msgid "Default: 0" +-msgstr "" ++msgstr "По умолчанию: 0" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1491 +@@ -2114,11 +2361,16 @@ msgid "" + "<quote>pam_public_domains</quote>. User names are resolved to UIDs at " + "startup." + msgstr "" ++"Разделённый запятыми список значений UID или имён пользователей, которым " ++"разрешено выполнять обмен данными PAM с доверенными доменами. Пользователям, " ++"которые отсутствуют в этом списке, разрешён доступ только к доменам, " ++"отмеченным как общедоступные с помощью параметра <quote>pam_public_domains</" ++"quote>. Имена пользователей разрешаются в UID при запуске." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1504 + msgid "Default: All users are considered trusted by default" +-msgstr "" ++msgstr "По умолчанию: все пользователи считаются доверенными по умолчанию" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1508 +@@ -2126,6 +2378,8 @@ msgid "" + "Please note that UID 0 is always allowed to access the PAM responder even in " + "case it is not in the pam_trusted_users list." 
+ msgstr "" ++"Обратите внимание, что UID 0 всегда разрешён доступ к ответчику PAM, даже " ++"если этот идентификатор пользователя отсутствует в списке pam_trusted_users." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1515 +@@ -2138,17 +2392,21 @@ msgid "" + "Specifies the comma-separated list of domain names that are accessible even " + "to untrusted users." + msgstr "" ++"Разделённый запятыми список имён доменов, которые доступны даже для " ++"недоверенных пользователей." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1522 + msgid "Two special values for pam_public_domains option are defined:" +-msgstr "" ++msgstr "Для параметра pam_public_domains определены два особых значения:" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1526 + msgid "" + "all (Untrusted users are allowed to access all domains in PAM responder.)" + msgstr "" ++"all (недоверенным пользователя разрешён доступ ко всем доменам в ответчике " ++"PAM)" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1530 +@@ -2156,13 +2414,15 @@ msgid "" + "none (Untrusted users are not allowed to access any domains PAM in " + "responder.)" + msgstr "" ++"none (недоверенным пользователя запрещён доступ ко всем доменам в ответчике " ++"PAM)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1534 sssd.conf.5.xml:1559 sssd.conf.5.xml:1578 + #: sssd.conf.5.xml:1781 sssd.conf.5.xml:2493 sssd.conf.5.xml:3638 + #: sssd-ldap.5.xml:1091 + msgid "Default: none" +-msgstr "" ++msgstr "По умолчанию: none" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1539 +@@ -2175,6 +2435,8 @@ msgid "" + "Allows a custom expiration message to be set, replacing the default " + "'Permission denied' message." + msgstr "" ++"Позволяет задать пользовательское сообщение об истечении срока действия, " ++"которое заменит стандартное сообщение «Доступ запрещён»." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1547 +@@ -2182,6 +2444,9 @@ msgid "" + "Note: Please be aware that message is only printed for the SSH service " + "unless pam_verbosity is set to 3 (show all messages and debug information)." + msgstr "" ++"Примечание: следует учитывать, что для службы SSH сообщение будет показано " ++"только при условии, что параметр pam_verbosity установлен в значение «3» (" ++"показывать все сообщения и отладочную информацию)." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1555 +@@ -2190,6 +2455,9 @@ msgid "" + "pam_account_expired_message = Account expired, please contact help desk.\n" + " " + msgstr "" ++"pam_account_expired_message = Срок действия учётной записи истёк, обратитесь " ++"в службу поддержки.\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1564 +@@ -2202,6 +2470,8 @@ msgid "" + "Allows a custom lockout message to be set, replacing the default 'Permission " + "denied' message." + msgstr "" ++"Позволяет задать пользовательское сообщение о блокировке, которое заменит " ++"стандартное сообщение «Доступ запрещён»." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1574 +@@ -2210,6 +2480,9 @@ msgid "" + "pam_account_locked_message = Account locked, please contact help desk.\n" + " " + msgstr "" ++"pam_account_locked_message = Учётная запись заблокирована, обратитесь в " ++"службу поддержки.\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1583 +@@ -2223,13 +2496,16 @@ msgid "" + "additional communication with the Smartcard which will delay the " + "authentication process this option is disabled by default." + msgstr "" ++"Включить проверку подлинности на основе сертификата или смарт-карты. Так как " ++"для этого требуется дополнительный обмен данными со смарт-картой, который " ++"задержит процесс проверки подлинности, по умолчанию этот параметр отключён." + + #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1592 sssd-ldap.5.xml:590 sssd-ldap.5.xml:611 + #: sssd-ldap.5.xml:1169 sssd-ad.5.xml:482 sssd-ad.5.xml:558 sssd-ad.5.xml:1103 + #: sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:244 + msgid "Default: False" +-msgstr "" ++msgstr "По умолчанию: false" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1597 +@@ -2239,12 +2515,12 @@ msgstr "pam_cert_db_path (строка)" + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1600 + msgid "The path to the certificate database." +-msgstr "" ++msgstr "Путь к базе данных сертификатов." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1603 sssd.conf.5.xml:2113 sssd.conf.5.xml:4165 + msgid "Default:" +-msgstr "" ++msgstr "По умолчанию:" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1605 sssd.conf.5.xml:2115 +@@ -2252,6 +2528,8 @@ msgid "" + "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA " + "certificates in PEM format)" + msgstr "" ++"/etc/sssd/pki/sssd_auth_ca_db.pem (путь к файлу с доверенными сертификатами " ++"CA в формате PEM)" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1615 +@@ -2267,6 +2545,11 @@ msgid "" + "section. Supported options are the same of <quote>certificate_verification</" + "quote>." + msgstr "" ++"Этот параметр позволяет выполнить тонкую настройку проверки сертификатов PAM " ++"с помощью разделённого запятыми списка параметров. Эти параметры " ++"переопределяют значение <quote>certificate_verification</quote> в разделе " ++"<quote>[sssd]</quote>. Поддерживаются те же параметры, что и для " ++"<quote>certificate_verification</quote>." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1629 +@@ -2275,6 +2558,8 @@ msgid "" + "pam_cert_verification = partial_chain\n" + " " + msgstr "" ++"pam_cert_verification = partial_chain\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1633 +@@ -2282,9 +2567,9 @@ msgid "" + "Default: not set, i.e. use default <quote>certificate_verification</quote> " + "option defined in <quote>[sssd]</quote> section." + msgstr "" +-"По умолчанию: не задано, то есть использовать стандартный параметр " +-"<quote>certificate_verification</quote>, указанный в разделе <quote>[sssd]</" +-"quote>." ++"По умолчанию: не задано, то есть следует использовать стандартный параметр " ++"<quote>certificate_verification</quote>, указанный в разделе " ++"<quote>[sssd]</quote>." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1640 +@@ -2295,6 +2580,8 @@ msgstr "p11_child_timeout (целое число)" + #: sssd.conf.5.xml:1643 + msgid "How many seconds will pam_sss wait for p11_child to finish." + msgstr "" ++"Разрешённое количество секунд, в течение которого pam_sss ожидает завершения " ++"работы p11_child." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1652 +@@ -2307,6 +2594,8 @@ msgid "" + "Which PAM services are permitted to contact domains of type " + "<quote>application</quote>" + msgstr "" ++"Указывает, каким службам PAM разрешено устанавливать соединение с доменами " ++"типа <quote>application</quote>" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1664 +@@ -2319,6 +2608,8 @@ msgid "" + "A comma-separated list of PAM service names for which it will be allowed to " + "use Smartcards." + msgstr "" ++"Разделённый запятыми список имён служб PAM, для которых будет разрешено " ++"использовать смарт-карты." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1682 +@@ -2327,6 +2618,8 @@ msgid "" + "pam_p11_allowed_services = +my_pam_service, -login\n" + " " + msgstr "" ++"pam_p11_allowed_services = +my_pam_service, -login\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1671 +@@ -2339,57 +2632,64 @@ msgid "" + "<quote>my_pam_service</quote>), you would use the following configuration: " + "<placeholder type=\"programlisting\" id=\"0\"/>" + msgstr "" ++"Можно добавить имя ещё одной службы PAM в стандартный набор с помощью " ++"<quote>+service_name</quote>. 
Также можно явно удалить имя службы PAM из " ++"стандартного набора с помощью <quote>-service_name</quote>. Например, чтобы " ++"заменить стандартное имя службы PAM для проверки подлинности с помощью смарт-" ++"карт (например, <quote>login</quote>) на пользовательское имя службы PAM (" ++"например, <quote>my_pam_service</quote>), необходимо использовать следующую " ++"конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1686 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788 + #: sssd-ad.5.xml:846 sssd-ad.5.xml:924 + msgid "Default: the default set of PAM service names includes:" +-msgstr "" ++msgstr "По умолчанию: стандартный набор имён служб PAM включает:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1691 sssd-ad.5.xml:625 + msgid "login" +-msgstr "" ++msgstr "login" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1696 sssd-ad.5.xml:630 + msgid "su" +-msgstr "" ++msgstr "su" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1701 sssd-ad.5.xml:635 + msgid "su-l" +-msgstr "" ++msgstr "su-l" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1706 sssd-ad.5.xml:650 + msgid "gdm-smartcard" +-msgstr "" ++msgstr "gdm-smartcard" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1711 sssd-ad.5.xml:645 + msgid "gdm-password" +-msgstr "" ++msgstr "gdm-password" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1716 sssd-ad.5.xml:655 + msgid "kdm" +-msgstr "" ++msgstr "kdm" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1721 sssd-ad.5.xml:933 + msgid "sudo" +-msgstr "" ++msgstr "sudo" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1726 sssd-ad.5.xml:938 + msgid "sudo-i" +-msgstr "" ++msgstr "sudo-i" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:1731 + msgid "gnome-screensaver" +-msgstr "" ++msgstr "gnome-screensaver" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1739 +@@ -2403,6 +2703,9 @@ msgid "" + "to p11_child_timeout should the PAM responder wait until a Smartcard is " + "inserted." + msgstr "" ++"Когда требуется проверка подлинности по смарт-карте, этот параметр " ++"определяет, в течение какого количества секунд (в дополнение к значению " ++"p11_child_timeout) ответчик PAM должен ожидать вставки смарт-карты." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1753 +@@ -2419,6 +2722,13 @@ msgid "" + "first slot found. If multiple readers are connected p11_uri can be used to " + "tell p11_child to use a specific reader." + msgstr "" ++"URI PKCS#11 (подробное описание доступно в RFC-7512) для ограничения перечня " ++"устройств с проверкой подлинности по смарт-карте. 
По умолчанию p11_child " ++"SSSD выполняет поиск слота PKCS#11 (устройства чтения) с установленным " ++"флагом «removable» и затем чтение сертификатов со вставленного маркера из " ++"первого найденного слота. Если подключено несколько устройств чтения, с " ++"помощью p11_uri можно указать p11_child использовать конкретное устройство " ++"чтения." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1769 +@@ -2427,6 +2737,8 @@ msgid "" + "p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n" + " " + msgstr "" ++"p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> + #: sssd.conf.5.xml:1773 +@@ -2435,6 +2747,9 @@ msgid "" + "p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n" + " " + msgstr "" ++"p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=" ++"2\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1767 +@@ -2444,27 +2759,34 @@ msgid "" + "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' " + "with e.g. the '--list-all' will show PKCS#11 URIs as well." + msgstr "" ++"Пример: <placeholder type=\"programlisting\" id=\"0\"/> или <placeholder " ++"type=\"programlisting\" id=\"1\"/> Чтобы найти подходящий URI, проверьте " ++"отладочный вывод p11_child. Либо можно использовать утилиту «p11tool» " ++"GnuTLS, например, с параметром «--list-all»: это тоже позволит просмотреть " ++"URI PKCS#11." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1786 + msgid "pam_initgroups_scheme" +-msgstr "" ++msgstr "pam_initgroups_scheme" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1794 + msgid "always" +-msgstr "" ++msgstr "always" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1795 + msgid "" + "Always do an online lookup, please note that pam_id_timeout still applies" + msgstr "" ++"Всегда выполнять поиск в сети (обратите внимание, что параметр " ++"pam_id_timeout всё равно применяется)" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1799 + msgid "no_session" +-msgstr "" ++msgstr "no_session" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1800 +@@ -2472,11 +2794,13 @@ msgid "" + "Only do an online lookup if there is no active session of the user, i.e. if " + "the user is currently not logged in" + msgstr "" ++"Выполнять поиск в сети только при отсутствии активного сеанса пользователя, " ++"то есть тогда, когда пользователь не находится в системе" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:1805 + msgid "never" +-msgstr "" ++msgstr "never" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1806 +@@ -2484,6 +2808,8 @@ msgid "" + "Never force an online lookup, use the data from the cache as long as they " + "are not expired" + msgstr "" ++"Никогда не выполнять поиск в сети принудительно, использовать данные из кэша " ++"до тех пор, пока они не устареют" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1789 +@@ -2493,16 +2819,20 @@ msgid "" + "should be done and the following values are allowed: <placeholder type=" + "\"variablelist\" id=\"0\"/>" + msgstr "" ++"Ответчик PAM может принудительно запустить поиск в сети для получения данных " ++"об участии в группах того пользователя, который пытается войти в систему. " ++"Этот параметр управляет тем, когда это следует делать, и имеет следующие " ++"допустимые значения: <placeholder type=\"variablelist\" id=\"0\"/>" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1813 + msgid "Default: no_session" +-msgstr "" ++msgstr "По умолчанию: no_session" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:1818 sssd.conf.5.xml:4104 + msgid "pam_gssapi_services" +-msgstr "" ++msgstr "pam_gssapi_services" + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1821 +@@ -2510,12 +2840,16 @@ msgid "" + "Comma separated list of PAM services that are allowed to try GSSAPI " + "authentication using pam_sss_gss.so module." + msgstr "" ++"Разделённый запятыми список служб PAM, которым разрешено пытаться выполнить " ++"проверку подлинности по GSSAPI с помощью модуля pam_sss_gss.so." + + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:1826 + msgid "" + "To disable GSSAPI authentication, set this option to <quote>-</quote> (dash)." + msgstr "" ++"Чтобы отключить проверку подлинности с помощью GSSAPI, установите этот " ++"параметр в значение <quote>-</quote> (дефис)." + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1830 sssd.conf.5.xml:1861 sssd.conf.5.xml:1899
+@@ -2524,6 +2858,10 @@ msgid ""
+ "[pam] section. It can also be set for trusted domain which overwrites the "
+ "value in the domain section."
+ msgstr ""
++"Примечание: этот параметр также возможно задать для каждого домена отдельно, "
++"что будет иметь приоритет над значением в разделе [pam]. Также этот параметр "
++"можно задать для доверенного домена, что будет иметь приоритет над значением "
++"в разделе домена."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1838
+@@ -2532,21 +2870,23 @@ msgid ""
+ "pam_gssapi_services = sudo, sudo-i\n"
+ " "
+ msgstr ""
++"pam_gssapi_services = sudo, sudo-i\n"
++" "
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1836 sssd.conf.5.xml:3632 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+-msgstr ""
++msgstr "Пример: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1842
+ msgid "Default: - (GSSAPI authentication is disabled)"
+-msgstr ""
++msgstr "По умолчанию: - (проверка подлинности с помощью GSSAPI отключена)"
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1847 sssd.conf.5.xml:4105
+ msgid "pam_gssapi_check_upn"
+-msgstr ""
++msgstr "pam_gssapi_check_upn"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1850
+@@ -2555,6 +2895,10 @@ msgid ""
+ "successfully authenticated through GSSAPI can be associated with the user "
+ "who is being authenticated.
Authentication will fail if the check fails."
+ msgstr ""
++"Если значение «True», SSSD будет требоваться наличие привязки участника-"
++"пользователя Kerberos, который успешно прошёл проверку подлинности с помощью "
++"GSSAPI, к пользователю, проверка подлинности которого выполняется. Если "
++"такой привязки нет, проверка подлинности завершится ошибкой."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1857
+@@ -2562,17 +2906,19 @@ msgid ""
+ "If False, every user that is able to obtained required service ticket will "
+ "be authenticated."
+ msgstr ""
++"Если значение «False», проверка подлинности будет выполняться для всех "
++"пользователь, получивших необходимый билет службы."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1867 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+ #: sssd-files.5.xml:146
+ msgid "Default: True"
+-msgstr ""
++msgstr "По умолчанию: true"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1872
+ msgid "pam_gssapi_indicators_map"
+-msgstr ""
++msgstr "pam_gssapi_indicators_map"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1875
+@@ -2581,6 +2927,10 @@ msgid ""
+ "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI "
+ "authentication using pam_sss_gss.so module."
+ msgstr ""
++"Разделённый запятыми список индикаторов проверки подлинности, которые должны "
++"присутствовать в билете Kerberos для получения доступа к службе PAM, которой "
++"разрешено пытаться выполнить проверку подлинности по GSSAPI с помощью модуля "
++"pam_sss_gss.so."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1881
+@@ -2596,6 +2946,18 @@ msgid ""
+ "be denied. If the resulting list of indicators for the PAM service is empty, "
+ "the check will not prevent the access."
+ msgstr ""
++"Каждый элемент списка может быть либо именем индикатора проверки "
++"подлинности, либо парой <quote>service:indicator</quote>. Индикаторы, "
++"которые не предваряются именем службы PAM, будут требоваться для доступа к "
++"любой службе PAM, настроенной на использование с "
++"<option>pam_gssapi_services</option>. Итоговый список индикаторов для "
++"отдельной службы PAM затем проверяется на соответствие индикаторам в билете "
++"Kerberos во время проверки подлинности с помощью pam_sss_gss.so. Доступ "
++"будет предоставлен, если в билете будет найден индикатор, совпадающий с "
++"индикатором из итогового списка индикаторов для соответствующей службы PAM. "
++"Доступ будет запрещён, если в списке не обнаружатся совпадающие индикаторы. "
++"Если итоговый список индикаторов для службы PAM пуст, проверка не закроет "
++"доступ."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1894
+@@ -2604,6 +2966,10 @@ msgid ""
+ "</quote> (dash). To disable the check for a specific PAM service, add "
+ "<quote>service:-</quote>."
+ msgstr ""
++"Чтобы отключить проверку индикаторов для проверки подлинности с помощью "
++"GSSAPI, установите этот параметр в значение <quote>-</quote> (дефис). Чтобы "
++"отключить проверку индикаторов для определённой службы PAM, добавьте "
++"<quote>service:-</quote>."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1905
+@@ -2611,6 +2977,8 @@ msgid ""
+ "Following authentication indicators are supported by IPA Kerberos "
+ "deployments:"
+ msgstr ""
++"В развёрнутых системах IPA с Kerberos предусмотрена поддержка следующих "
++"индикаторов проверки подлинности:"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1908
+@@ -2618,6 +2986,8 @@ msgid ""
+ "pkinit -- pre-authentication using X.509 certificates -- whether stored in "
+ "files or on smart cards."
+ msgstr ""
++"pkinit — предварительная проверка подлинности с помощью сертификатов X.509, "
++"которые хранятся в файлах или на смарт-картах."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1911
+@@ -2625,11 +2995,13 @@ msgid ""
+ "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a "
+ "FAST channel."
+ msgstr ""
++"hardened — предварительная проверка подлинности SPAKE или любая "
++"предварительная проверка подлинности, помещённая в канал FAST."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1914
+ msgid "radius -- pre-authentication with the help of a RADIUS server."
+-msgstr ""
++msgstr "radius — предварительная проверка подлинности с помощью сервера RADIUS."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1917
+@@ -2637,6 +3009,8 @@ msgid ""
+ "otp -- pre-authentication using integrated two-factor authentication (2FA or "
+ "one-time password, OTP) in IPA."
+ msgstr ""
++"otp — предварительная проверка подлинности с помощью встроенной "
++"двухфакторной проверки подлинности (2FA или одноразовый пароль, OTP) в IPA."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1927
+@@ -2645,6 +3019,8 @@ msgid ""
+ "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n"
+ " "
+ msgstr ""
++"pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n"
++" "
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1922
+@@ -2653,16 +3029,22 @@ msgid ""
+ "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), "
+ "set <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Пример: чтобы доступ к службам SUDO предоставлялся только пользователям, "
++"которые получили свои билеты Kerberos с предварительной проверкой "
++"подлинности сертификата X.509 (PKINIT), укажите <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1931
+ msgid "Default: not set (use of authentication indicators is not required)"
+ msgstr ""
++"По умолчанию: не задано (использование индикаторов проверки подлинности не "
++"требуется)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1939
+ msgid "SUDO configuration options"
+-msgstr ""
++msgstr "Параметры настройки SUDO"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1941
+@@ -2674,6 +3056,12 @@ msgid ""
+ "</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+ "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Эти параметры можно использовать для настройки службы sudo.
Подробные "
++"инструкции по настройке <citerefentry> <refentrytitle>sudo</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry> для работы с <citerefentry> "
++"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
++"доступны на справочной странице <citerefentry> <refentrytitle>sssd-sudo</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1958
+@@ -2686,6 +3074,8 @@ msgid ""
+ "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+ "that implement time-dependent sudoers entries."
+ msgstr ""
++"Следует ли обрабатывать атрибуты sudoNotBefore и sudoNotAfter, "
++"предназначенные для определения временных ограничений для записей sudoers."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1973
+@@ -2701,16 +3091,22 @@ msgid ""
+ "<quote>full refresh</quote> of sudo rules is triggered instead. This "
+ "threshold number also applies to IPA sudo command and command group searches."
+ msgstr ""
++"Максимальное количество устаревших правил, которые можно обновить за один "
++"раз. Если количество устаревших правил меньше заданного порогового значения, "
++"эти правила обновляются с помощью механизма <quote>rules refresh</quote>. "
++"Если пороговое значение превышено, будет использоваться механизм <quote>full "
++"refresh</quote>. Это пороговое значение также применяется к поискам команд и "
++"групп команд sudo IPA."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1995
+ msgid "AUTOFS configuration options"
+-msgstr ""
++msgstr "Параметры настройки AUTOFS"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1997
+ msgid "These options can be used to configure the autofs service."
+-msgstr ""
++msgstr "Эти параметры можно использовать для настройки службы autofs."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2001
+@@ -2724,16 +3120,19 @@ msgid ""
+ "hits (that is, queries for invalid map entries, like nonexistent ones) "
+ "before asking the back end again."
+ msgstr ""
++"Означает количество секунд, в течение которого в кэше ответчика autofs будут "
++"храниться неудачные обращения к кэшу (запросы некорректных записей карты, "
++"например, несуществующих) перед повторным запросом к внутреннему серверу."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:2020
+ msgid "SSH configuration options"
+-msgstr ""
++msgstr "Параметры настройки SSH"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:2022
+ msgid "These options can be used to configure the SSH service."
+-msgstr ""
++msgstr "Эти параметры можно использовать для настройки службы SSH."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2026
+@@ -2746,6 +3145,7 @@ msgid ""
+ "Whether or not to hash host names and addresses in the managed known_hosts "
+ "file."
+ msgstr ""
++"Следует ли хэшировать имена и адреса узлов в управляемом файле known_hosts."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2038
+@@ -2758,11 +3158,13 @@ msgid ""
+ "How many seconds to keep a host in the managed known_hosts file after its "
+ "host keys were requested."
+ msgstr ""
++"Разрешённое количество секунд, в течение которого узел хранится в "
++"управляемом файле known_hosts после запроса ключей этого узла."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2045
+ msgid "Default: 180"
+-msgstr ""
++msgstr "По умолчанию: 180"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2050
+@@ -2777,6 +3179,11 @@ msgid ""
+ "entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+ "refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+ msgstr ""
++"Если задано значение «true», команда <command>sss_ssh_authorizedkeys</"
++"command> вернёт производные от открытого ключа ключи ssh сертификатов X.509, "
++"которые также хранятся в записи пользователя. Подробнее: <citerefentry> "
++"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>1</"
++"manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2068
+@@ -2792,6 +3199,12 @@ msgid ""
+ "comma separated list of mapping and matching rule names. All other rules "
+ "will be ignored."
+ msgstr ""
++"По умолчанию ответчик SSH использует все доступные правила сопоставления "
++"сертификатов для фильтрации сертификатов, поэтому ключи SSH будут "
++"создаваться на основе только тех сертификатов, для которых было установлено "
++"соответствие. Этот параметр позволяет ограничить используемые правила "
++"разделённым запятыми списком названий правил привязки и сопоставления. Все "
++"другие правила будут игнорироваться."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2080
+@@ -2800,6 +3213,10 @@ msgid ""
+ "all or no rules, respectively. The latter means that no certificates will be "
+ "filtered out and ssh keys will be generated from all valid certificates."
+ msgstr ""
++"Два особых ключевых слова «all_rules» и «no_rules» позволяют, "
++"соответственно, включить все правила или не включать их вообще. Последнее "
++"означает, что фильтрация сертификатов не будет выполняться; следовательно, "
++"ключи SSH будут создаваться на основе всех действительных сертификатов."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2087
+@@ -2809,6 +3226,11 @@ msgid ""
+ "the same behavior as for the PAM responder if certificate authentication is "
+ "enabled."
+ msgstr ""
++"Если не настроено никаких правил, использование «all_rules» приведёт к "
++"включению стандартного правила, которое разрешает использовать все "
++"сертификаты, подходящие для проверки подлинности клиента. Это поведение "
++"соответствует поведению ответчика PAM в том случае, когда включена проверка "
++"подлинности сертификатов."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2094
+@@ -2816,6 +3238,8 @@ msgid ""
+ "A non-existing rule name is considered an error. If as a result no rule is "
+ "selected all certificates will be ignored."
+ msgstr ""
++"Несуществующее имя правила считается ошибкой. Если в результате не будет "
++"выбрано ни одного правила, все сертификаты будут проигнорированы."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2099
+@@ -2837,11 +3261,14 @@ msgid ""
+ "Path to a storage of trusted CA certificates. The option is used to validate "
+ "user certificates before deriving public ssh keys from them."
+ msgstr ""
++"Путь к хранилищу доверенных сертификатов CA. Параметр используется для "
++"проверки сертификатов пользователей перед получением из них открытых ключей "
++"SSH."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:2128
+ msgid "PAC responder configuration options"
+-msgstr ""
++msgstr "Параметры настройки ответчика PAC"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:2130
+@@ -2853,6 +3280,13 @@ msgid ""
+ "joined to and of remote trusted domains from the local domain controller. If "
+ "the PAC is decoded and evaluated some of the following operations are done:"
+ msgstr ""
++"Ответчик PAC работает совместно с модулем данных проверки подлинности "
++"sssd_pac_plugin.so для MIT Kerberos и поставщиком данных поддоменов. Этот "
++"модуль отправляет данные PAC ответчику PAC во время проверки подлинности с "
++"помощью GSSAPI. Поставщик данных поддоменов собирает данные по диапазонам "
++"SID и ID домена, к которому подключился клиент, а также удалённых доверенных "
++"доменов с локального контроллера доменов. Если PAC расшифровывается и "
++"обрабатывается, выполнятся некоторые из следующих операций:"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:2139
+@@ -2864,6 +3298,12 @@ msgid ""
+ "the system defaults are used, but can be overwritten with the default_shell "
+ "parameter."
+ msgstr ""
++"Если запись удалённого пользователя отсутствует в кэше, она будет создана. "
++"UID определяется с помощью SID, у доверенных доменов будут UPG, а GID будет "
++"иметь то же значение, что и UID. Домашний каталог устанавливается на основе "
++"значения параметра subdomain_homedir. По умолчанию значение оболочки будет "
++"пустым, то есть будут использованы стандартные параметры системы, но их "
++"можно переопределить с помощью параметра default_shell."
+
+ #.
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:2147
+@@ -2871,11 +3311,13 @@ msgid ""
+ "If there are SIDs of groups from domains sssd knows about, the user will be "
+ "added to those groups."
+ msgstr ""
++"Если имеются SID групп из известных SSSD доменов, пользователь будет "
++"добавлен в эти группы."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:2153
+ msgid "These options can be used to configure the PAC responder."
+-msgstr ""
++msgstr "Эти параметры можно использовать для настройки ответчика PAC."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2157 sssd-ifp.5.xml:50
+@@ -2889,11 +3331,15 @@ msgid ""
+ "allowed to access the PAC responder. User names are resolved to UIDs at "
+ "startup."
+ msgstr ""
++"Разделённый запятыми список значений UID или имён пользователей, которым "
++"разрешён доступ к ответчику PAC. Имена пользователей разрешаются в UID при "
++"запуске."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2166
+ msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+ msgstr ""
++"По умолчанию: 0 (доступ к ответчику PAC разрешён только пользователю root)"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2170
+@@ -2903,6 +3349,11 @@ msgid ""
+ "access the PAC responder, which would be the typical case, you have to add 0 "
+ "to the list of allowed UIDs as well."
+ msgstr ""
++"Обратите внимание: несмотря на то, что в качестве стандартного значения "
++"используется UID 0, оно будет перезаписано этим параметром.
Если всё равно "
++"требуется разрешить пользователю root доступ к ответчику PAC (типичный "
++"случай), будет необходимо добавить запись «0» в список UID, которым разрешён "
++"доступ."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2179
+@@ -2915,11 +3366,13 @@ msgid ""
+ "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+ "data can be used to determine the group memberships of a user."
+ msgstr ""
++"Время жизни записи PAC (в секундах). Пока запись PAC действительна, данные "
++"PAC можно использовать для определения участия пользователя в группах."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:2195
+ msgid "Session recording configuration options"
+-msgstr ""
++msgstr "Параметры настройки записи сеансов"
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:2197
+@@ -2930,11 +3383,17 @@ msgid ""
+ "they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+ "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Запись сеансов работает совместно с <citerefentry> <refentrytitle>tlog-rec-"
++"session</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, частью "
++"пакета tlog, обеспечивая ведение журнала данных, которые пользователи видят "
++"и вводят после входа в текстовый терминал. См. также <citerefentry> "
++"<refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:2210
+ msgid "These options can be used to configure session recording."
+-msgstr ""
++msgstr "Эти параметры можно использовать для настройки записи сеансов."
+
+ #.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2214 sssd-session-recording.5.xml:64
+@@ -2944,17 +3403,17 @@ msgstr "scope (строка)"
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2221 sssd-session-recording.5.xml:71
+ msgid "\"none\""
+-msgstr ""
++msgstr "«none»"
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2224 sssd-session-recording.5.xml:74
+ msgid "No users are recorded."
+-msgstr ""
++msgstr "Пользователи не записываются."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2229 sssd-session-recording.5.xml:79
+ msgid "\"some\""
+-msgstr ""
++msgstr "«some»"
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2232 sssd-session-recording.5.xml:82
+@@ -2962,16 +3421,18 @@ msgid ""
+ "Users/groups specified by <replaceable>users</replaceable> and "
+ "<replaceable>groups</replaceable> options are recorded."
+ msgstr ""
++"Записываются пользователи и группы, указанные с помощью параметров "
++"<replaceable>users</replaceable> и <replaceable>groups</replaceable>."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2241 sssd-session-recording.5.xml:91
+ msgid "\"all\""
+-msgstr ""
++msgstr "«all»"
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2244 sssd-session-recording.5.xml:94
+ msgid "All users are recorded."
+-msgstr ""
++msgstr "Записываются все пользователи."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2217 sssd-session-recording.5.xml:67
+@@ -2979,11 +3440,13 @@ msgid ""
+ "One of the following strings specifying the scope of session recording: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Одна из следующих строк, которые определяют область записи сеанса: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2251 sssd-session-recording.5.xml:101
+ msgid "Default: \"none\""
+-msgstr ""
++msgstr "По умолчанию: «none»"
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2256 sssd-session-recording.5.xml:106
+@@ -2997,11 +3460,15 @@ msgid ""
+ "Matches user names as returned by NSS. I.e. after the possible space "
+ "replacement, case changes, etc."
+ msgstr ""
++"Разделённый запятыми список пользователей, для которых включена запись "
++"сеансов. Соответствие списку устанавливается по именам пользователей, "
++"возвращённым NSS, то есть после возможной замены пробелов, смены регистра и "
++"так далее."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2265 sssd-session-recording.5.xml:115
+ msgid "Default: Empty. Matches no users."
+-msgstr ""
++msgstr "По умолчанию: пусто. Не соответствует ни одному пользователю."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2270 sssd-session-recording.5.xml:120
+@@ -3015,6 +3482,9 @@ msgid ""
+ "recording enabled. Matches group names as returned by NSS. I.e. after the "
+ "possible space replacement, case changes, etc."
+ msgstr ""
++"Разделённый запятыми список групп, для участников которых включена запись "
++"сеансов.
Соответствие списку устанавливается по именам групп, возвращённым "
++"NSS, то есть после возможной замены пробелов, смены регистра и так далее."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2279 sssd.conf.5.xml:2311 sssd-session-recording.5.xml:129
+@@ -3024,11 +3494,15 @@ msgid ""
+ "performance cost, because each uncached request for a user requires "
+ "retrieving and matching the groups the user is member of."
+ msgstr ""
++"ПРИМЕЧАНИЕ: использование этого параметра (его установка в одно из значений) "
++"значительно сказывается на производительности, поскольку при каждом "
++"некэшированном запросе данных пользователя требуется выполнить получение и "
++"установление соответствия групп, участником которых он является."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2286 sssd-session-recording.5.xml:136
+ msgid "Default: Empty. Matches no groups."
+-msgstr ""
++msgstr "По умолчанию: пусто. Не соответствует ни одной группе."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2291 sssd-session-recording.5.xml:141
+@@ -3041,11 +3515,13 @@ msgid ""
+ "A comma-separated list of users to be excluded from recording, only "
+ "applicable with 'scope=all'."
+ msgstr ""
++"Разделённый запятыми список пользователей, которые исключаются из записи; "
++"применимо только при «scope=all»."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2298 sssd-session-recording.5.xml:148
+ msgid "Default: Empty. No users excluded."
+-msgstr ""
++msgstr "По умолчанию: пусто. Не исключается ни один пользователь."
+
+ #.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2303 sssd-session-recording.5.xml:153
+@@ -3058,11 +3534,13 @@ msgid ""
+ "A comma-separated list of groups, members of which should be excluded from "
+ "recording. Only applicable with 'scope=all'."
+ msgstr ""
++"Разделённый запятыми список групп, участники которых исключаются из записи; "
++"применимо только при «scope=all»."
+
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2318 sssd-session-recording.5.xml:168
+ msgid "Default: Empty. No groups excluded."
+-msgstr ""
++msgstr "По умолчанию: пусто. Не исключается ни одна группа."
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:2328
+@@ -3072,7 +3550,7 @@ msgstr "РАЗДЕЛЫ ДОМЕНОВ"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2335
+ msgid "enabled"
+-msgstr ""
++msgstr "enabled"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2338
+@@ -3102,6 +3580,10 @@ msgid ""
+ "be present or generated. Only objects from POSIX domains are available to "
+ "the operating system interfaces and utilities."
+ msgstr ""
++"Указывает, предназначен ли домен для использования клиентами, "
++"поддерживающими POSIX (например, NSS), или приложениями, которым не "
++"требуется наличие или создание данных POSIX. Интерфейсам и утилитам "
++"операционной системы доступны только объекты из доменов POSIX."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2361
+@@ -3109,6 +3591,8 @@ msgid ""
+ "Allowed values for this option are <quote>posix</quote> and "
+ "<quote>application</quote>."
+ msgstr ""
++"Допустимые значение этого параметра: <quote>posix</quote> и "
++"<quote>application</quote>."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2365
+@@ -3118,6 +3602,9 @@ msgid ""
+ "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry>) and the PAM responder."
+ msgstr ""
++"Домены POSIX доступны для всех служб. Домены приложений доступны только для "
++"ответчика InfoPipe (см. <citerefentry> <refentrytitle>sssd-ifp</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) и ответчика PAM."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2373
+@@ -3125,6 +3612,8 @@ msgid ""
+ "NOTE: The application domains are currently well tested with "
+ "<quote>id_provider=ldap</quote> only."
+ msgstr ""
++"ПРИМЕЧАНИЕ: в настоящее время тщательно тестируются только домены приложений "
++"с <quote>id_provider=ldap</quote>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2377
+@@ -3132,11 +3621,13 @@ msgid ""
+ "For an easy way to configure a non-POSIX domains, please see the "
+ "<quote>Application domains</quote> section."
+ msgstr ""
++"Описание простого способа настройки доменов не-POSIX доступно в разделе "
++"<quote>Домены приложений</quote>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2381
+ msgid "Default: posix"
+-msgstr ""
++msgstr "По умолчанию: posix"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2387
+@@ -3149,6 +3640,8 @@ msgid ""
+ "UID and GID limits for the domain. If a domain contains an entry that is "
+ "outside these limits, it is ignored."
+ msgstr ""
++"Пределы диапазона UID и GID для домена. Если домен содержит запись, "
++"находящуюся вне указанного диапазона, она будет проигнорирована."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2395 +@@ -3158,6 +3651,11 @@ msgid "" + "primary group memberships, those that are in range will be reported as " + "expected." + msgstr "" ++"Что касается записей пользователей, этот параметр ограничивает диапазон " ++"основного GID. Запись пользователя не будет возвращена в NSS, если UID или " ++"основной GID находится за пределами диапазона. Находящиеся в пределах " ++"диапазона записи пользователей, которые не являются участниками основной " ++"группы, будут выведены в обычном режиме." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2402 +@@ -3165,11 +3663,13 @@ msgid "" + "These ID limits affect even saving entries to cache, not only returning them " + "by name or ID." + msgstr "" ++"Эти пределы диапазона идентификаторов влияют даже на сохранение записей в " ++"кэш, а не только на их возврат по имени или идентификатору." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2406 + msgid "Default: 1 for min_id, 0 (no limit) for max_id" +-msgstr "" ++msgstr "По умолчанию: 1 для min_id, 0 (без ограничений) для max_id" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2412 +@@ -3184,16 +3684,20 @@ msgid "" + "enable enumeration in order for secondary groups to be displayed. This " + "parameter can have one of the following values:" + msgstr "" ++"Определяет, можно ли выполнить перечисление для домена, то есть может ли " ++"домен вывести перечень всех содержащихся в нём пользователей и групп. " ++"Обратите внимание, что перечисление не требуется включать для просмотра " ++"вторичных групп. Этот параметр может иметь одно из следующих значений:" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2423 + msgid "TRUE = Users and groups are enumerated" +-msgstr "" ++msgstr "TRUE = пользователи и группы перечисляются" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2426 + msgid "FALSE = No enumerations for this domain" +-msgstr "" ++msgstr "FALSE = для этого домена не выполняется перечисление" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2429 sssd.conf.5.xml:2699 sssd.conf.5.xml:2875 +@@ -3206,6 +3710,8 @@ msgid "" + "Enumerating a domain requires SSSD to download and store ALL user and group " + "entries from the remote server." + msgstr "" ++"Чтобы выполнить перечисление для домена, SSSD потребуется загрузить и " ++"сохранить ВСЕ записи пользователей и групп с удалённого сервера." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2437 +@@ -3220,6 +3726,16 @@ msgid "" + "quote> process becoming unresponsive or even restarted by the internal " + "watchdog." + msgstr "" ++"Примечание: если включить перечисление, во время его выполнения " ++"производительность SSSD умеренно снижается. Перечисление может занять до " ++"нескольких минут после запуска SSSD. В это время отдельные запросы " ++"информации отправляются непосредственно в LDAP, хотя это может выполняться " ++"медленно из-за ресурсоёмкой обработки перечисления. Сохранение большого " ++"количества записей в кэш после завершения перечисления также может давать " ++"интенсивную вычислительную нагрузку на центральный процессор, так как данные " ++"об участии в группах требуется вычислить заново. Это может привести к тому, " ++"что процесс <quote>sssd_be</quote> перестанет отвечать или даже будет " ++"перезапущен внутренним сторожевым таймером." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2452 +@@ -3227,6 +3743,8 @@ msgid "" + "While the first enumeration is running, requests for the complete user or " + "group lists may return no results until it completes." + msgstr "" ++"Когда выполняется первое перечисление, запросы полных списков пользователей " ++"или групп могут не вернуть результатов до момента завершения перечисления." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2457 +@@ -3236,6 +3754,11 @@ msgid "" + "enumeration lookups are completed successfully. For more information, refer " + "to the man pages for the specific id_provider in use." + msgstr "" ++"Более того, включение перечисления может увеличить время, необходимое для " ++"обнаружения отсутствия подключения к сети, так как для успешного выполнения " ++"поисков перечисления требуются более длительные тайм-ауты. Дополнительные " ++"сведения доступны на man-страницах конкретного используемого поставщика " ++"идентификаторов (id_provider)." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2465 +@@ -3243,6 +3766,8 @@ msgid "" + "For the reasons cited above, enabling enumeration is not recommended, " + "especially in large environments." + msgstr "" ++"По вышеуказанным причинам не рекомендуется включать перечисление, особенно в " ++"средах большого размера." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2473 +@@ -3252,22 +3777,22 @@ msgstr "subdomain_enumerate (строка)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2480 + msgid "all" +-msgstr "" ++msgstr "all" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2481 + msgid "All discovered trusted domains will be enumerated" +-msgstr "" ++msgstr "Выполнить перечисление для всех обнаруженных доверенных доменов" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2484 + msgid "none" +-msgstr "" ++msgstr "none" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2485 + msgid "No discovered trusted domains will be enumerated" +-msgstr "" ++msgstr "Не выполнять перечисление для обнаруженных доверенных доменов" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2476 +@@ -3277,6 +3802,11 @@ msgid "" + "Optionally, a list of one or more domain names can enable enumeration just " + "for these trusted domains." + msgstr "" ++"Следует ли выполнять перечисление для каких-либо автоматически обнаруженных " ++"доверенных доменов. Поддерживаемые значения: <placeholder type=\"variablelist" ++"\" id=\"0\"/> При необходимости можно указать список из одного или " ++"нескольких имён доверенных доменов, чтобы включить перечисление только для " ++"них." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2499 +@@ -3289,6 +3819,8 @@ msgid "" + "How many seconds should nss_sss consider entries valid before asking the " + "backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи " ++"действительными, прежде чем снова обратиться к внутреннему серверу" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2506 +@@ -3300,11 +3832,17 @@ msgid "" + "citerefentry> tool in order to force refresh of entries that have already " + "been cached." + msgstr "" ++"Отметки времени устаревания записей кэша хранятся как атрибуты отдельных " ++"объектов в кэше. Следовательно, изменение тайм-аута кэша повлияет только на " ++"новые добавленные или устаревшие записи. Следует запустить инструмент " ++"<citerefentry> <refentrytitle>sss_cache</refentrytitle> <manvolnum>8</" ++"manvolnum> </citerefentry> для принудительного обновления записей, которые " ++"уже были кэшированы." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2519 + msgid "Default: 5400" +-msgstr "" ++msgstr "По умолчанию: 5400" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2525 +@@ -3317,13 +3855,16 @@ msgid "" + "How many seconds should nss_sss consider user entries valid before asking " + "the backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи " ++"пользователей действительными, прежде чем снова обратиться к внутреннему " ++"серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2532 sssd.conf.5.xml:2545 sssd.conf.5.xml:2558 + #: sssd.conf.5.xml:2571 sssd.conf.5.xml:2585 sssd.conf.5.xml:2598 + #: sssd.conf.5.xml:2612 sssd.conf.5.xml:2626 sssd.conf.5.xml:2639 + msgid "Default: entry_cache_timeout" +-msgstr "" ++msgstr "По умолчанию: entry_cache_timeout" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2538 +@@ -3336,6 +3877,8 @@ msgid "" + "How many seconds should nss_sss consider group entries valid before asking " + "the backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи групп " ++"действительными, прежде чем снова обратиться к внутреннему серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2551 +@@ -3348,6 +3891,8 @@ msgid "" + "How many seconds should nss_sss consider netgroup entries valid before " + "asking the backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи сетевых " ++"групп действительными, прежде чем снова обратиться к внутреннему серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2564 +@@ -3360,6 +3905,8 @@ msgid "" + "How many seconds should nss_sss consider service entries valid before asking " + "the backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи служб " ++"действительными, прежде чем снова обратиться к внутреннему серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2577 +@@ -3372,6 +3919,8 @@ msgid "" + "How many seconds should nss_sss consider hosts and networks entries valid " + "before asking the backend again" + msgstr "" ++"Количество секунд, в течение которого nss_sss следует считать записи узлов и " ++"сетей действительными, прежде чем снова обратиться к внутреннему серверу" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2591 +@@ -3384,6 +3933,8 @@ msgid "" + "How many seconds should sudo consider rules valid before asking the backend " + "again" + msgstr "" ++"Количество секунд, в течение которого sudo следует считать правила " ++"действительными, прежде чем снова обратиться к внутреннему серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2604 +@@ -3396,6 +3947,9 @@ msgid "" + "How many seconds should the autofs service consider automounter maps valid " + "before asking the backend again" + msgstr "" ++"Количество секунд, в течение которого службе autofs следует считать карты " ++"автоматического монтирования действительными, прежде чем снова обратиться к " ++"внутреннему серверу" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2618 +@@ -3408,6 +3962,9 @@ msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." + msgstr "" ++"Количество секунд, в течение которого ключ SSH узла хранится после " ++"обновления. Иными словами, параметр определяет длительность хранения ключа " ++"узла в кэше." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2632 +@@ -3420,6 +3977,8 @@ msgid "" + "How many seconds to keep the local computer entry before asking the backend " + "again" + msgstr "" ++"Количество секунд, в течение которого следует хранить запись локального " ++"компьютера, прежде чем снова обратиться к внутреннему серверу" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2645 +@@ -3432,6 +3991,8 @@ msgid "" + "Specifies how many seconds SSSD has to wait before triggering a background " + "refresh task which will refresh all expired or nearly expired records." + msgstr "" ++"Указывает время ожидания SSSD (в секундах) перед активацией задания фонового " ++"обновления всех устаревших или почти устаревших записей." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2653 +@@ -3441,16 +4002,21 @@ msgid "" + "user, typically ran at login) operation in the past, both the user entry " + "and the group membership are updated." + msgstr "" ++"При фоновом обновлении обрабатываются содержащиеся в кэше записи " ++"пользователей, групп и сетевых групп. Обновление как записи пользователя, " ++"так и участия в группах выполняется для тех пользователей, для которых ранее " ++"выполнялись действия по инициализации групп (получение данных об участии " ++"пользователя в группах, обычно выполняется при запуске)." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2661 + msgid "This option is automatically inherited for all trusted domains." +-msgstr "" ++msgstr "Этот параметр автоматически наследуется для всех доверенных доменов." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2665 + msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +-msgstr "" ++msgstr "Рекомендуется установить это значение равным 3/4 * entry_cache_timeout." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2669 +@@ -3463,12 +4029,21 @@ msgid "" + "offline mode operation and reuse of existing valid cache entries. 
To make " + "this change instant the user may want to manually invalidate existing cache." + msgstr "" ++"Запись кэша будет обновлена фоновым заданием, если прошло 2/3 времени " ++"ожиданияустаревания кэша. Если в кэше уже есть записи, фоновое задание будет " ++"использовать значения времени ожидания устаревания исходных записей, а " ++"нетекущее значение конфигурации. Может возникнуть ситуация, в которой будет " ++"казаться, что фоновое задание по обновлению записей не работает. Это сделано " ++"специально для усовершенствования работы в автономном режиме иповторного " ++"использования имеющихся корректных записей в кэше. Чтобы мгновенно выполнить " ++"изменение, пользователю следует вручную объявить недействительность " ++"существующего кэша." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2682 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1600 + #: sssd-ipa.5.xml:269 + msgid "Default: 0 (disabled)" +-msgstr "" ++msgstr "По умолчанию: 0 (отключено)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2688 +@@ -3479,16 +4054,20 @@ msgstr "cache_credentials (логическое значение)" + #: sssd.conf.5.xml:2691 + msgid "Determines if user credentials are also cached in the local LDB cache" + msgstr "" ++"Определяет, следует ли также кэшировать учётные данные пользователя в " ++"локальном кэше LDB" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2695 + msgid "User credentials are stored in a SHA512 hash, not in plaintext" + msgstr "" ++"Учётные данные пользователя хранятся в хэше SHA512, а не в виде простого " ++"текста" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2705 + msgid "cache_credentials_minimal_first_factor_length (int)" +-msgstr "" ++msgstr "cache_credentials_minimal_first_factor_length (целое число)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2708 +@@ -3497,6 +4076,10 @@ msgid "" + "this value determines the minimal length the first authentication factor " + "(long term password) must have to be saved as SHA512 hash into the cache." + msgstr "" ++"Если используется двухфакторная проверка подлинности (2FA) и следует " ++"сохранить учётные данные, это значение определяет минимальную длину первого " ++"фактора проверки подлинности (долговременного пароля), который должен быть " ++"сохранён в формате контрольной суммы SHA512 в кэше." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2715 +@@ -3504,6 +4087,9 @@ msgid "" + "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " + "the cache which would make them easy targets for brute-force attacks." + msgstr "" ++"Таким образом удаётся предотвратить ситуацию, когда короткие PIN-" ++"кодыоснованной на PIN-кодах схемы 2FA хранятся в кэше и становятся " ++"лёгкоймишенью для атак методом подбора." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2726 +@@ -3518,11 +4104,15 @@ msgid "" + "value of this parameter must be greater than or equal to " + "offline_credentials_expiration." + msgstr "" ++"Количество дней, в течение которого записи хранятся в кэше после последнего " ++"успешного входа, прежде чем будут удалены при очистке кэша. Значение «0» " ++"означает, что записи будут храниться вечно. Значение этого параметра должно " ++"быть больше или равно значению offline_credentials_expiration." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2736 + msgid "Default: 0 (unlimited)" +-msgstr "" ++msgstr "По умолчанию: 0 (без ограничений)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2741 +@@ -3537,11 +4127,15 @@ msgid "" + "cannot display a warning. Also an auth provider has to be configured for the " + "backend." + msgstr "" ++"Обратите внимание, что внутренний сервер должен предоставить информацию о " ++"времени истечения срока действия пароля. Если она отсутствует, sssd не " ++"сможет показать предупреждение. Кроме того, для этого сервера следует " ++"настроить поставщика данных проверки подлинности." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2759 + msgid "Default: 7 (Kerberos), 0 (LDAP)" +-msgstr "" ++msgstr "По умолчанию: 7 (Kerberos), 0 (LDAP)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2765 +@@ -3553,17 +4147,21 @@ msgstr "id_provider (строка)" + msgid "" + "The identification provider used for the domain. Supported ID providers are:" + msgstr "" ++"Поставщик данных идентификации, который используется для домена. " ++"Поддерживаемые поставщики ID:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2772 + msgid "<quote>proxy</quote>: Support a legacy NSS provider." +-msgstr "" ++msgstr "<quote>proxy</quote>: поддержка устаревшего поставщика NSS." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2775 + msgid "" + "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." 
+ msgstr "" ++"<quote>local</quote>: внутренний поставщик SSSD для локальных пользователей (" ++"НЕ РЕКОМЕНДУЕТСЯ)." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2779 +@@ -3572,6 +4170,10 @@ msgid "" + "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " + "information on how to mirror local users and groups into SSSD." + msgstr "" ++"<quote>files</quote>: поставщик данных ФАЙЛОВ. Дополнительные сведения о " ++"зеркалировании локальных пользователей и групп в SSSD: <citerefentry> " ++"<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> " ++"</citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2787 +@@ -3580,6 +4182,9 @@ msgid "" + "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " + "information on configuring LDAP." + msgstr "" ++"<quote>ldap</quote>: поставщик данных LDAP. Дополнительные сведения о " ++"настройке LDAP: <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2795 sssd.conf.5.xml:2901 sssd.conf.5.xml:2956 +@@ -3590,6 +4195,10 @@ msgid "" + "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " + "FreeIPA." + msgstr "" ++"<quote>ipa</quote>: поставщик данных FreeIPA и Red Hat Enterprise Identity " ++"Management. Дополнительные сведения о настройке FreeIPA: <citerefentry> " ++"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> " ++"</citerefentry>." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2804 sssd.conf.5.xml:2910 sssd.conf.5.xml:2965 +@@ -3599,6 +4208,9 @@ msgid "" + "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" + "citerefentry> for more information on configuring Active Directory." + msgstr "" ++"<quote>ad</quote>: поставщик данных Active Directory. Дополнительные " ++"сведения о настройке Active Directory: <citerefentry> <refentrytitle>sssd-" ++"ad</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2815 +@@ -3611,6 +4223,8 @@ msgid "" + "Use the full name and domain (as formatted by the domain's full_name_format) " + "as the user's login name reported to NSS." + msgstr "" ++"Использовать полные имя и домен (в формате, заданном full_name_format домена)" ++" в качестве имени учётной записи пользователя, которое сообщается NSS." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2823 +@@ -3620,6 +4234,11 @@ msgid "" + "<command>getent passwd test</command> wouldn't find the user while " + "<command>getent passwd test@LOCAL</command> would." + msgstr "" ++"Если задано значение «TRUE», во всех запросах к домену должны использоваться " ++"полные имена. Например, если этот параметр используется в домене LOCAL, " ++"содержащем пользователя «test», с помощью команды <command>getent passwd " ++"test</command> его не удастся найти, а с помощью команды <command>getent " ++"passwd test@LOCAL</command> получится это сделать." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2831 +@@ -3628,6 +4247,9 @@ msgid "" + "include nested netgroups without qualified names. 
For netgroups, all domains " + "will be searched when an unqualified name is requested." + msgstr "" ++"ПРИМЕЧАНИЕ: этот параметр не влияет на поиск сетевых групп, так как они " ++"зачастую включают вложенные сетевые группы без полных имён. Для сетевых " ++"групп выполняется поиск во всех доменах, когда запрашивается неполное имя." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2838 +@@ -3635,6 +4257,8 @@ msgid "" + "Default: FALSE (TRUE for trusted domain/sub-domains or if " + "default_domain_suffix is used)" + msgstr "" ++"По умолчанию: FALSE (TRUE для доверенных доменов/поддоменов или в случае " ++"использования default_domain_suffix)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2845 +@@ -3644,7 +4268,7 @@ msgstr "ignore_group_members (логическое значение)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2848 + msgid "Do not return group members for group lookups." +-msgstr "" ++msgstr "Не возвращать участников групп для поиска групп." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2851 +@@ -3657,6 +4281,13 @@ msgid "" + "citerefentry>. As an effect, <quote>getent group $groupname</quote> would " + "return the requested group as if it was empty." + msgstr "" ++"Если установлено значение «TRUE», атрибут участия в группах не запрашивается " ++"с сервера LDAP, а списки участников групп не возвращаются при обработке " ++"вызовов поиска групп, таких как <citerefentry> <refentrytitle>getgrnam</" ++"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> или <citerefentry> " ++"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" ++"citerefentry>. 
Как следствие, <quote>getent group $groupname</quote> вернёт " ++"запрошенную группу так, как будто она пуста." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2869 +@@ -3665,6 +4296,9 @@ msgid "" + "membership significantly faster, especially for groups containing many " + "members." + msgstr "" ++"Включение этого параметра также может значительно ускорить проверки участия " ++"в группах у поставщика доступа (особенно для групп, содержащих большое " ++"количество участников)." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2880 +@@ -3677,6 +4311,8 @@ msgid "" + "The authentication provider used for the domain. Supported auth providers " + "are:" + msgstr "" ++"Поставщик данных для проверки подлинности, который используется для домена. " ++"Поддерживаемые поставщики данных для проверки подлинности:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2887 sssd.conf.5.xml:2949 +@@ -3685,6 +4321,9 @@ msgid "" + "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" + "citerefentry> for more information on configuring LDAP." + msgstr "" ++"<quote>ldap</quote> — использовать встроенную проверку подлинности LDAP. " ++"Дополнительные сведения о настройке LDAP: <citerefentry> <refentrytitle>sssd-" ++"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2894 +@@ -3693,22 +4332,28 @@ msgid "" + "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" + "citerefentry> for more information on configuring Kerberos." + msgstr "" ++"<quote>krb5</quote> — использовать проверку подлинности Kerberos. 
" ++"Дополнительные сведения о настройке Kerberos: <citerefentry> <refentrytitle" ++">sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2918 + msgid "" + "<quote>proxy</quote> for relaying authentication to some other PAM target." + msgstr "" ++"<quote>proxy</quote> — передать проверку подлинности какой-либо другой цели " ++"PAM." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2921 + msgid "<quote>local</quote>: SSSD internal provider for local users" + msgstr "" ++"<quote>local</quote> — внутренний поставщик SSSD для локальных пользователей." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2925 + msgid "<quote>none</quote> disables authentication explicitly." +-msgstr "" ++msgstr "<quote>none</quote> — явно отключить проверку подлинности." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2928 +@@ -3716,6 +4361,8 @@ msgid "" + "Default: <quote>id_provider</quote> is used if it is set and can handle " + "authentication requests." + msgstr "" ++"По умолчанию: использовать <quote>id_provider</quote>, если этот параметр " ++"задан и поддерживает обработку запросов проверки подлинности." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2934 +@@ -3729,6 +4376,9 @@ msgid "" + "access providers (in addition to any included in installed backends) " + "Internal special providers are:" + msgstr "" ++"Поставщик управления доступом, который используется для домена. Существуют " ++"два встроенных поставщика доступа (в дополнение к тем поставщикам, которые " ++"включены в установленные внутренние серверы). 
Внутренние особые поставщики:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2943 +@@ -3736,11 +4386,13 @@ msgid "" + "<quote>permit</quote> always allow access. It's the only permitted access " + "provider for a local domain." + msgstr "" ++"<quote>permit</quote> — всегда разрешать доступ. Это единственный поставщик " ++"разрешённого доступа для локального домена." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2946 + msgid "<quote>deny</quote> always deny access." +-msgstr "" ++msgstr "<quote>deny</quote> — всегда отказывать в доступе." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2973 +@@ -3750,6 +4402,10 @@ msgid "" + "manvolnum></citerefentry> for more information on configuring the simple " + "access module." + msgstr "" ++"<quote>simple</quote> — управление доступом на основе разрешающего или " ++"запрещающего списка. Дополнительные сведения о настройке модуля доступа " ++"simple: <citerefentry> <refentrytitle>sssd-simple</refentrytitle> " ++"<manvolnum>5</manvolnum></citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2980 +@@ -3758,16 +4414,19 @@ msgid "" + "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" + "citerefentry> for more information on configuring Kerberos." + msgstr "" ++"<quote>krb5</quote> — управление доступом на основе .k5login. Дополнительные " ++"сведения о настройке Kerberos: <citerefentry> <refentrytitle>sssd-krb5</" ++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2987 + msgid "<quote>proxy</quote> for relaying access control to another PAM module." +-msgstr "" ++msgstr "<quote>proxy</quote> — передать управление доступом другому модулю PAM." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:2990 + msgid "Default: <quote>permit</quote>" +-msgstr "" ++msgstr "По умолчанию: <quote>permit</quote>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:2995 +@@ -3780,6 +4439,8 @@ msgid "" + "The provider which should handle change password operations for the domain. " + "Supported change password providers are:" + msgstr "" ++"Поставщик данных, который должен обрабатывать операции смены пароля для " ++"домена. Поддерживаемые поставщики данных смены пароля:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3003 +@@ -3788,6 +4449,9 @@ msgid "" + "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" + "manvolnum> </citerefentry> for more information on configuring LDAP." + msgstr "" ++"<quote>ldap</quote> — сменить пароль, который хранится на сервере LDAP. " ++"Дополнительные сведения о настройке LDAP: <citerefentry> <refentrytitle>sssd-" ++"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3011 +@@ -3796,17 +4460,21 @@ msgid "" + "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" + "citerefentry> for more information on configuring Kerberos." + msgstr "" ++"<quote>krb5</quote> — сменить пароль Kerberos. 
Дополнительные сведения о "
++"настройке Kerberos: <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3036
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
++"<quote>proxy</quote> — передать смену пароля какой-либо другой цели PAM."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3040
+ msgid "<quote>none</quote> disallows password changes explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно запретить смену пароля."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3043
+@@ -3814,6 +4482,8 @@ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
++"По умолчанию: использовать <quote>auth_provider</quote>, если этот параметр "
++"задан и поддерживает обработку запросов смены пароля."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3050
+@@ -3824,6 +4494,8 @@ msgstr "sudo_provider (строка)"
+ #: sssd.conf.5.xml:3053
+ msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+ msgstr ""
++"Поставщик данных SUDO, который используется для домена. Поддерживаемые "
++"поставщики данных SUDO:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3057
+@@ -3832,6 +4504,9 @@ msgid ""
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more information on configuring LDAP."
+ msgstr ""
++"<quote>ldap</quote> — для правил, которые хранятся в LDAP.
Дополнительные "
++"сведения о настройке LDAP: <citerefentry> <refentrytitle>sssd-ldap</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3065
+@@ -3839,6 +4514,8 @@ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
++"<quote>ipa</quote> — то же, что и <quote>ldap</quote>, но со стандартными "
++"параметрами IPA."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3069
+@@ -3846,17 +4523,21 @@ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
++"<quote>ad</quote> — то же, что и <quote>ldap</quote>, но со стандартными "
++"параметрами AD."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3073
+ msgid "<quote>none</quote> disables SUDO explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключить SUDO."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3076 sssd.conf.5.xml:3162 sssd.conf.5.xml:3232
+ #: sssd.conf.5.xml:3257 sssd.conf.5.xml:3293
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
++"По умолчанию: использовать значение <quote>id_provider</quote>, если этот "
++"параметр задан."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3080
+@@ -3868,6 +4549,12 @@ msgid ""
+ "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Подробные инструкции по настройке sudo_provider доступны на справочной "
++"странице <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>. Предусмотрено много параметров, "
++"которыми можно воспользоваться для настройки поведения программы. Подробное "
++"описание доступно в разделах «ldap_sudo_*» <citerefentry> <refentrytitle"
++">sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3095
+@@ -3877,6 +4564,11 @@ msgid ""
+ "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+ "activity in SSSD if you do not want to use sudo with SSSD at all."
+ msgstr ""
++"<emphasis>ПРИМЕЧАНИЕ:</emphasis> загрузка правил SUDO периодически "
++"выполняется в фоновом режиме (при условии, что поставщик данных SUDO не был "
++"явно отключён). Укажите <emphasis>sudo_provider = None</emphasis> для "
++"отключения в SSSD всей связанной с SUDO активности, если в SSSD вообще не "
++"планируется использовать SUDO."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3105
+@@ -3890,6 +4582,9 @@ msgid ""
+ "provider will be called right after access provider ends. Supported selinux "
+ "providers are:"
+ msgstr ""
++"Поставщик данных, который должен обрабатывать загрузку параметров SELinux. "
++"Обратите внимание, что этот поставщик будет вызываться сразу после окончания "
++"работы поставщика доступа. Поддерживаемые поставщики данных SELinux:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3114
+@@ -3898,11 +4593,14 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for more information on configuring IPA."
+ msgstr ""
++"<quote>ipa</quote> — загрузить параметры SELinux с сервера IPA. "
++"Дополнительные сведения о настройке IPA: <citerefentry> <refentrytitle>sssd-"
++"ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3122
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключает получение параметров SELinux."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3125
+@@ -3910,6 +4608,8 @@ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
++"По умолчанию: использовать <quote>id_provider</quote>, если этот параметр "
++"задан и поддерживает обработку запросов загрузки параметров SELinux."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3131
+@@ -3922,6 +4622,9 @@ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider. Supported subdomain providers are:"
+ msgstr ""
++"Поставщик данных, который должен обрабатывать получение данных поддоменов. "
++"Это значение всегда должно совпадать со значением id_provider. "
++"Поддерживаемые поставщики данных поддоменов:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3140
+@@ -3930,6 +4633,9 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for more information on configuring IPA."
+ msgstr ""
++"<quote>ipa</quote> — загрузить список поддоменов с сервера IPA. "
++"Дополнительные сведения о настройке IPA: <citerefentry> <refentrytitle>sssd-"
++"ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3149
+@@ -3939,11 +4645,15 @@ msgid ""
+ "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+ "the AD provider."
+ msgstr ""
++"<quote>ad</quote> — загрузить список поддоменов с сервера Active Directory. "
++"Дополнительные сведения о настройке поставщика данных AD: <citerefentry> "
++"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
++"</citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3158
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключает получение данных поддоменов."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3168
+@@ -3957,17 +4667,25 @@ msgid ""
+ "only user session task currently provided is the integration with Fleet "
+ "Commander, which works only with IPA. Supported session providers are:"
+ msgstr ""
++"Поставщик данных, который настраивает задания, связанные с сеансами "
++"пользователей, и управляет ими. В настоящее время предоставляется только "
++"одно задание, связанное с сеансами пользователей: интеграция с Fleet "
++"Commander (работает только c IPA). Поддерживаемые поставщики данных сеансов:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3178
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
++"<quote>ipa</quote> — разрешить выполнение заданий, связанных с сеансами "
++"пользователей."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3182
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
++"<quote>none</quote> — не выполнять никакие задания, связанные с сеансами "
++"пользователей."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3186
+@@ -3975,6 +4693,8 @@ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
++"По умолчанию: использовать <quote>id_provider</quote>, если этот параметр "
++"задан и поддерживает выполнение заданий, связанных с сеансами."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3190
+@@ -3982,6 +4702,9 @@ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
++"<emphasis>ПРИМЕЧАНИЕ:</emphasis> чтобы эта возможность работала должным "
++"образом, SSSD необходимо запускать от имени пользователя root, а не от имени "
++"пользователя без привилегий."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3198
+@@ -3993,6 +4716,8 @@ msgstr "autofs_provider (строка)"
+ msgid ""
+ "The autofs provider used for the domain. Supported autofs providers are:"
+ msgstr ""
++"Поставщик данных autofs, который используется для домена. Поддерживаемые "
++"поставщики данных autofs:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3205
+@@ -4001,6 +4726,9 @@ msgid ""
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more information on configuring LDAP."
+ msgstr ""
++"<quote>ldap</quote> — загрузить карты, которые хранятся в LDAP. "
++"Дополнительные сведения о настройке LDAP: <citerefentry> <refentrytitle>sssd-"
++"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3212
+@@ -4009,6 +4737,9 @@ msgid ""
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more information on configuring IPA."
+ msgstr ""
++"<quote>ipa</quote> — загрузить карты, которые хранятся на сервере IPA. "
++"Дополнительные сведения о настройке IPA: <citerefentry> <refentrytitle>sssd-"
++"ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3220
+@@ -4017,11 +4748,15 @@ msgid ""
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more information on configuring the AD provider."
+ msgstr ""
++"<quote>ad</quote> — загрузить карты, которые хранятся на сервере AD. "
++"Дополнительные сведения о настройке поставщика данных AD: <citerefentry> "
++"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
++"</citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3229
+ msgid "<quote>none</quote> disables autofs explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключить autofs."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3239
+@@ -4034,6 +4769,8 @@ msgid ""
+ "The provider used for retrieving host identity information. Supported "
+ "hostid providers are:"
+ msgstr ""
++"Поставщик данных, который используется для получения данных идентификации "
++"узла. Поддерживаемые поставщики hostid:"
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3246
+@@ -4042,11 +4779,15 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for more information on configuring IPA."
+ msgstr ""
++"<quote>ipa</quote> — загрузить данные идентификации узла, которые хранятся "
++"на сервере IPA. Дополнительные сведения о настройке IPA: <citerefentry> "
++"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
++"</citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3254
+ msgid "<quote>none</quote> disables hostid explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключить hostid."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3264
+@@ -4059,6 +4800,8 @@ msgid ""
+ "The provider which should handle hosts and networks lookups. Supported "
+ "resolver providers are:"
+ msgstr ""
++"Поставщик данных, который должен обрабатывать поиск узлов и сетей. "
++"Поддерживаемые поставщики данных сопоставления:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3271
+@@ -4066,6 +4809,8 @@ msgid ""
+ "<quote>proxy</quote> to forward lookups to another NSS library. See "
+ "<quote>proxy_resolver_lib_name</quote>"
+ msgstr ""
++"<quote>proxy</quote> — перенаправлять поисковые запросы другой библиотеке "
++"NSS. См. <quote>proxy_resolver_lib_name</quote>"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3275
+@@ -4074,6 +4819,9 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for more information on configuring LDAP."
+ msgstr ""
++"<quote>ldap</quote> — получить записи узлов и сетей, которые хранятся в "
++"LDAP. Дополнительные сведения о настройке LDAP: <citerefentry> <refentrytitle"
++">sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3282
+@@ -4083,11 +4831,15 @@ msgid ""
+ "manvolnum> </citerefentry> for more information on configuring the AD "
+ "provider."
+ msgstr ""
++"<quote>ad</quote> — получить записи узлов и сетей, которые хранятся на "
++"сервере AD. Дополнительные сведения о настройке поставщика данных AD: "
++"<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3290
+ msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
+-msgstr ""
++msgstr "<quote>none</quote> — явно отключает получение записей узлов и сетей."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3303
+@@ -4098,6 +4850,11 @@ msgid ""
+ "trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+ "the domain."
+ msgstr ""
++"Регулярное выражение для этого домена, которое описывает, как получить из "
++"строки, содержащей имя пользователя и домен, эти компоненты. «Домен» может "
++"соответствовать либо имени домена в конфигурации SSSD, либо (в случае "
++"поддоменов доверия IPA и доменов Active Directory) плоскому (NetBIOS) имени "
++"домена."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3312
+@@ -4107,21 +4864,25 @@ msgid ""
+ "P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+ "user names:"
+ msgstr ""
++"Значение по умолчанию для поставщиков данных AD и IPA: "
++"<quote>(((?P<domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>["
++"^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> — оно "
++"позволяет назначать три разных стиля записи имён пользователей:"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:3317
+ msgid "username"
+-msgstr ""
++msgstr "username"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:3320
+ msgid "username@domain.name"
+-msgstr ""
++msgstr "username@domain.name"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:3323
+ msgid "domain\\username"
+-msgstr ""
++msgstr "domain\\username"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3326
+@@ -4129,6 +4890,8 @@ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
++"Первые два стиля соответствуют общим стандартным стилям, а третий введён для "
++"обеспечения простой интеграции пользователей из доменов Windows."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3331
+@@ -4137,6 +4900,9 @@ msgid ""
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+ "sign, the domain everything after that\""
+ msgstr ""
++"По умолчанию: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</"
++"quote>, что означает «имя — это всё, что предшествует знаку <quote>@</"
++"quote>, домен — всё, что идёт после этого знака»."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3337
+@@ -4147,6 +4913,12 @@ msgid ""
+ "consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+ "P<domain>[^@]+$))</quote>."
+ msgstr ""
++"ПРИМЕЧАНИЕ: имена некоторых групп Active Directory (как правило, тех, "
++"которые используются для MS Exchange) содержат символ <quote>@</quote>, что "
++"конфликтует со стандартным значением re_expression для поставщиков данных AD "
++"и IPA. Чтобы обеспечить поддержку этих групп, рекомендуется изменить "
++"значение re_expression на "
++"<quote>((?P<name>.+)@(?P<domain>[^@]+$))</quote>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3388
+@@ -4164,6 +4936,8 @@ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
++"Предоставляет возможность выбрать предпочитаемое семейство адресов, которое "
++"следует использовать при выполнении запросов DNS."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3401
+@@ -4174,26 +4948,30 @@ msgstr "Поддерживаемые значения:"
+ #: sssd.conf.5.xml:3404
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
++"ipv4_first: попытаться найти адрес IPv4, в случае неудачи попытаться найти "
++"адрес IPv6"
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3407
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+-msgstr ""
++msgstr "ipv4_only: пытаться разрешать имена узлов только в адреса IPv4"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3410
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
++"ipv6_first: попытаться найти адрес IPv6, в случае неудачи попытаться найти "
++"адрес IPv4"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3413
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+-msgstr ""
++msgstr "ipv6_only: пытаться разрешать имена узлов только в адреса IPv6"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3416
+ msgid "Default: ipv4_first"
+-msgstr ""
++msgstr "По умолчанию: ipv4_first"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3422 sssd.conf.5.xml:3461
+@@ -4206,6 +4984,9 @@ msgid ""
+ "Defines the amount of time (in milliseconds) SSSD would try to talk to DNS "
+ "server before trying next DNS server."
+ msgstr ""
++"Определяет количество времени (в миллисекундах), в течение которого SSSD "
++"будет пытаться обменяться данными с сервером DNS перед переходом к "
++"следующему."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3430 sssd.conf.5.xml:3450 sssd.conf.5.xml:3469
+@@ -4214,12 +4995,14 @@ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
++"Более подробные сведения о разрешении служб доступны в разделе "
++"<quote>ОБРАБОТКА ОТКАЗА</quote>."
+
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3435 sssd.conf.5.xml:3474 sssd-ldap.5.xml:563
+ #: include/failover.xml:84
+ msgid "Default: 1000"
+-msgstr ""
++msgstr "По умолчанию: 1000"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3441 sssd.conf.5.xml:3480
+@@ -4233,6 +5016,10 @@ msgid ""
+ "(e.g. resolution of a hostname or an SRV record) before try next hostname "
+ "or DNS discovery."
+ msgstr ""
++"Определяет количество времени (в секундах), в течение которого будет "
++"ожидаться разрешение одного запроса DNS (например, разрешение имени узла или "
++"записи SRV) перед переходом к следующему имени узла или поиску следующего "
++"DNS."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3500
+@@ -4247,6 +5034,10 @@ msgid ""
+ "If this timeout is reached, the domain will continue to operate in offline "
+ "mode."
+ msgstr ""
++"Определяет количество времени (в секундах), в течение которого будет "
++"ожидаться ответ от внутренней службы отказоустойчивости, прежде служба будет "
++"считаться недоступной. Если это время ожидания истекло, домен продолжит "
++"работу в автономном режиме."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3521
+@@ -4259,11 +5050,13 @@ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
++"Если на внутреннем сервере используется обнаружение служб, указывает "
++"доменную часть запроса обнаружения служб DNS."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3528
+ msgid "Default: Use the domain part of machine's hostname"
+-msgstr "По умолчанию: использовать имя домена из имени узла компьютера"
++msgstr "По умолчанию: использовать доменную часть имени узла компьютера"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3534
+@@ -4273,7 +5066,7 @@ msgstr "override_gid (целое число)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3537
+ msgid "Override the primary GID value with the one specified."
+-msgstr ""
++msgstr "Переопределить значение основного GID указанным значением."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3543
+@@ -4283,27 +5076,29 @@ msgstr "case_sensitive (строка)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3554
+ msgid "True"
+-msgstr ""
++msgstr "True"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3557
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
++"С учётом регистра. Это значение не является корректным для поставщика данных "
++"AD."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3563
+ msgid "False"
+-msgstr ""
++msgstr "False"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3565
+ msgid "Case insensitive."
+-msgstr ""
++msgstr "Без учёта регистра."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3569
+ msgid "Preserving"
+-msgstr ""
++msgstr "Preserving"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3572
+@@ -4312,6 +5107,10 @@ msgid ""
+ "of NSS operations. Note that name aliases (and in case of services also "
+ "protocol names) are still lowercased in the output."
+ msgstr ""
++"То же, что «False» (без учёта регистра), но не переводит в нижний регистр "
++"имена в результатах операций NSS. Обратите внимание, что псевдонимы (а в "
++"случае служб также и имена протоколов) всё равно будут переведены в нижний "
++"регистр в выведенных данных."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3580
+@@ -4319,6 +5118,9 @@ msgid ""
+ "If you want to set this value for trusted domain with IPA provider, you need "
+ "to set it on both the client and SSSD on the server."
+ msgstr ""
++"Если требуется установить это значение для доверенного домена с поставщиком "
++"данных IPA, необходимо установить его как на стороне клиента, так и для SSSD "
++"на сервере."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3546
+@@ -4328,6 +5130,10 @@ msgid ""
+ "the local provider. </phrase> Possible option values are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Обрабатывать имена пользователей и групп с учётом регистра. <phrase "
++"condition=\"enable_local_provider\"> В настоящее время этот параметр не "
++"поддерживается локальным поставщиком. </phrase> Возможные значения параметра:"
++" <placeholder type=\"variablelist\" id=\"0\"/>"
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3590
+@@ -4335,11 +5141,13 @@ msgid ""
+ "This option can be also set per subdomain or inherited via "
+ "<emphasis>subdomain_inherit</emphasis>."
+ msgstr ""
++"Этот параметр также может быть задан для каждого поддомена отдельно или "
++"унаследован с помощью <emphasis>subdomain_inherit</emphasis>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3595
+ msgid "Default: True (False for AD provider)"
+-msgstr ""
++msgstr "По умолчанию: True (False для поставщика данных AD)"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3601
+@@ -4357,22 +5165,22 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3610
+ msgid "ignore_group_members"
+-msgstr ""
++msgstr "ignore_group_members"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3613
+ msgid "ldap_purge_cache_timeout"
+-msgstr ""
++msgstr "ldap_purge_cache_timeout"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3616 sssd-ldap.5.xml:390
+ msgid "ldap_use_tokengroups"
+-msgstr ""
++msgstr "ldap_use_tokengroups"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3619
+ msgid "ldap_user_principal"
+-msgstr ""
++msgstr "ldap_user_principal"
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3622
+@@ -4380,16 +5188,18 @@ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
++"ldap_krb5_keytab (будет использоваться значение krb5_keytab, если параметр "
++"ldap_krb5_keytab не задан явно)"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3626
+ msgid "auto_private_groups"
+-msgstr ""
++msgstr "auto_private_groups"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3629
+ msgid "case_sensitive"
+-msgstr ""
++msgstr "case_sensitive"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3634
+@@ -4398,11 +5208,14 @@ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+ " "
+ msgstr ""
++"subdomain_inherit = ldap_purge_cache_timeout\n"
++" "
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3641
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
++"Примечание: этот параметр работает только для поставщиков данных IPA и AD."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3648
+@@ -4412,12 +5225,12 @@ msgstr "subdomain_homedir (строка)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3659
+ msgid "%F"
+-msgstr ""
++msgstr "%F"
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3660
+ msgid "flat (NetBIOS) name of a subdomain."
+-msgstr ""
++msgstr "плоское (NetBIOS) имя поддомена."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3651
+@@ -4428,17 +5241,25 @@ msgid ""
+ "with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Использовать этот домашний каталог как значение по умолчанию для всех "
++"поддоменов в пределах доверия AD IPA. Сведения о возможных значениях "
++"доступны в описании параметра <emphasis>override_homedir</emphasis>. В "
++"дополнение к этому, приведённое ниже расширение можно использовать только с "
++"<emphasis>subdomain_homedir</emphasis>. <placeholder type=\"variablelist\" "
++"id=\"0\"/>"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3665
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
++"Это значение может быть переопределено параметром "
++"<emphasis>override_homedir</emphasis>."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3669
+ msgid "Default: <filename>/home/%d/%u</filename>"
+-msgstr ""
++msgstr "По умолчанию: <filename>/home/%d/%u</filename>"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3674
+@@ -4449,12 +5270,12 @@ msgstr "realmd_tags (строка)"
+ #: sssd.conf.5.xml:3677
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+-msgstr ""
++msgstr "Различные метки, сохранённые службой настройки realmd для этого домена."
+
+ #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3683 + msgid "cached_auth_timeout (int)" +-msgstr "" ++msgstr "cached_auth_timeout (целое число)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3686 +@@ -4493,7 +5314,7 @@ msgstr "auto_private_groups (строка)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3720 + msgid "true" +-msgstr "" ++msgstr "true" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3723 +@@ -4514,7 +5335,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3736 + msgid "false" +-msgstr "" ++msgstr "false" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3739 +@@ -4526,7 +5347,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3745 + msgid "hybrid" +-msgstr "" ++msgstr "hybrid" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3748 +@@ -4537,6 +5358,11 @@ msgid "" + "GID in the user entry is also used by a group object, the primary GID of the " + "user resolves to that group object." 
+ msgstr "" ++"Основная группа автоматически генерируется для записей пользователей, номера " ++"UID и GID которых имеют одно и то же значение, и при этом номер GID не " ++"соответствует реальному объекту группы в LDAP. Если значения совпадают, но " ++"основной GID в записи пользователя также используется объектом группы, " ++"основной GID этого пользователя разрешается в этот объект группы." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3761 +@@ -4559,6 +5385,8 @@ msgid "" + "This option takes any of three available values: <placeholder type=" + "\"variablelist\" id=\"0\"/>" + msgstr "" ++"Этот параметр принимает одно из трёх допустимых значений: <placeholder type=" ++"\"variablelist\" id=\"0\"/>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:3780 +@@ -4617,6 +5445,8 @@ msgid "" + "Default: not set by default, you have to take an existing pam configuration " + "or create a new one and add the service name here." + msgstr "" ++"По умолчанию: не задано по умолчанию; следует воспользоваться существующей " ++"конфигурацией PAM или создать новую и добавить здесь имя службы." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd.conf.5.xml:3823 +@@ -4681,7 +5511,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sssd.conf.5.xml:3886 + msgid "Application domains" +-msgstr "" ++msgstr "Домены приложений" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd.conf.5.xml:3888 +@@ -4736,6 +5566,11 @@ msgid "" + "the telephoneNumber attribute, stores it as the phone attribute in the cache " + "and makes the phone attribute reachable through the D-Bus interface." + msgstr "" ++"В следующем примере показано использование домена приложений. 
В этой " ++"конфигурации домен POSIX подключён к серверу LDAP и используется ОС с " ++"помощью ответчика NSS. Кроме того, домен приложений также запрашивает " ++"атрибут telephoneNumber, сохраняет его как атрибут phone в кэше и делает " ++"атрибут phone доступным через интерфейс D-Bus." + + #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> + #: sssd.conf.5.xml:3941 +@@ -4902,12 +5737,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:4075 + msgid "Default: None, no command is run" +-msgstr "" ++msgstr "По умолчанию: none, команда не выполняется" + + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd.conf.5.xml:4085 + msgid "TRUSTED DOMAIN SECTION" +-msgstr "" ++msgstr "РАЗДЕЛ ДОВЕРЕННЫХ ДОМЕНОВ" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4087 +@@ -4923,52 +5758,52 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4094 + msgid "ldap_search_base," +-msgstr "" ++msgstr "ldap_search_base," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4095 + msgid "ldap_user_search_base," +-msgstr "" ++msgstr "ldap_user_search_base," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4096 + msgid "ldap_group_search_base," +-msgstr "" ++msgstr "ldap_group_search_base," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4097 + msgid "ldap_netgroup_search_base," +-msgstr "" ++msgstr "ldap_netgroup_search_base," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4098 + msgid "ldap_service_search_base," +-msgstr "" ++msgstr "ldap_service_search_base," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4099 + msgid "ldap_sasl_mech," +-msgstr "" ++msgstr "ldap_sasl_mech," + + #. 
type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4100 + msgid "ad_server," +-msgstr "" ++msgstr "ad_server," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4101 + msgid "ad_backup_server," +-msgstr "" ++msgstr "ad_backup_server," + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4102 + msgid "ad_site," +-msgstr "" ++msgstr "ad_site," + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd.conf.5.xml:4103 sssd-ipa.5.xml:811 + msgid "use_fully_qualified_names" +-msgstr "" ++msgstr "use_fully_qualified_names" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4107 +@@ -5072,7 +5907,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:4193 + msgid "Default: the configured domain in sssd.conf" +-msgstr "" ++msgstr "По умолчанию: настроенный домен в sssd.conf" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd.conf.5.xml:4198 +@@ -5090,7 +5925,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.conf.5.xml:4207 + msgid "Default: the lowest priority" +-msgstr "" ++msgstr "По умолчанию: самый низкий приоритет" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.conf.5.xml:4213 +@@ -5377,6 +6212,12 @@ msgid "" + "neither option is specified, service discovery is enabled. For more " + "information, refer to the <quote>SERVICE DISCOVERY</quote> section." + msgstr "" ++"Разделённый запятыми список URI серверов LDAP, к которым SSSD следует " ++"подключаться в порядке приоритета. Дополнительные сведения об отработке " ++"отказа и избыточности сервера доступны в разделе <quote>ОТРАБОТКА ОТКАЗА</" ++"quote>. 
Если не указан ни один из параметров, будет включено обнаружение " ++"служб. Дополнительные сведения доступны в разделе <quote>ОБНАРУЖЕНИЕ " ++"СЛУЖБ</quote>." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 +@@ -5412,6 +6253,10 @@ msgid "" + "Refer to the <quote>FAILOVER</quote> section for more information on " + "failover and server redundancy." + msgstr "" ++"Разделённый запятыми список URI серверов LDAP, к которым SSSD следует " ++"подключаться в порядке приоритета для смены пароля пользователя. " ++"Дополнительные сведения об отработке отказа и избыточности сервера доступны " ++"в разделе <quote>ОТРАБОТКА ОТКАЗА</quote>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:101 +@@ -5421,7 +6266,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:105 + msgid "Default: empty, i.e. ldap_uri is used." +-msgstr "" ++msgstr "По умолчанию: пусто, то есть используется ldap_uri." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:111 +@@ -5594,7 +6439,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:247 + msgid "Default: exop" +-msgstr "" ++msgstr "По умолчанию: exop" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:253 +@@ -5614,27 +6459,27 @@ msgstr "ldap_default_authtok_type (строка)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:266 + msgid "The type of the authentication token of the default bind DN." +-msgstr "" ++msgstr "Тип маркера проверки подлинности для bind DN по умолчанию." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:270 + msgid "The two mechanisms currently supported are:" +-msgstr "" ++msgstr "В настоящее время поддерживаются два механизма:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:273 + msgid "password" +-msgstr "пароль" ++msgstr "password" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:276 + msgid "obfuscated_password" +-msgstr "" ++msgstr "obfuscated_password" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:279 + msgid "Default: password" +-msgstr "" ++msgstr "По умолчанию: password" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:282 +@@ -5678,6 +6523,8 @@ msgid "" + "Specifies how many seconds SSSD has to wait before refreshing its cache of " + "enumerated records." + msgstr "" ++"Указывает время ожидания SSSD (в секундах) перед обновлением своего кэша " ++"перечисленных записей." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:332 +@@ -5737,7 +6584,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:384 + msgid "Default: 2" +-msgstr "" ++msgstr "По умолчанию: 2" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:393 +@@ -5749,7 +6596,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:398 + msgid "Default: True for AD and IPA otherwise False." 
+-msgstr "" ++msgstr "По умолчанию: True для AD и IPA, в ином случае — False." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:404 +@@ -5774,7 +6621,7 @@ msgstr "" + #. type: Content of: <listitem><para> + #: sssd-ldap.5.xml:416 sssd-ipa.5.xml:394 include/ldap_search_bases.xml:27 + msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +-msgstr "" ++msgstr "По умолчанию: значение <emphasis>ldap_search_base</emphasis>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:423 +@@ -5879,7 +6726,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:535 sssd-ldap.5.xml:1575 + msgid "Default: 900 (15 minutes)" +-msgstr "" ++msgstr "По умолчанию: 900 (15 минут)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:541 +@@ -6076,7 +6923,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:726 + msgid "Default: hard" +-msgstr "" ++msgstr "По умолчанию: hard" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:732 +@@ -6193,7 +7040,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:853 + msgid "Default: not set (both options are set to 0)" +-msgstr "" ++msgstr "По умолчанию: не задано (оба параметра установлены в значение 0)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:859 +@@ -6235,6 +7082,13 @@ msgid "" + "host/*\n" + " " + msgstr "" ++"hostname@REALM\n" ++"netbiosname$@REALM\n" ++"host/hostname@REALM\n" ++"*$@REALM\n" ++"host/*@REALM\n" ++"host/*\n" ++" " + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:885 +@@ -6251,7 +7105,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:905 + msgid "Default: host/hostname@REALM" +-msgstr "" ++msgstr "По умолчанию: host/hostname@REALM" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:911 +@@ -6269,7 +7123,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:920 + msgid "Default: the value of krb5_realm." +-msgstr "" ++msgstr "По умолчанию: значение krb5_realm." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:926 +@@ -6286,7 +7140,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:934 + msgid "Default: false;" +-msgstr "" ++msgstr "По умолчанию: false;" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:940 +@@ -6302,6 +7156,8 @@ msgstr "" + #: sssd-ldap.5.xml:947 sssd-krb5.5.xml:247 + msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" + msgstr "" ++"По умолчанию: системная таблица ключей, обычно <filename>/etc/krb5." ++"keytab</filename>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:953 +@@ -6330,7 +7186,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:975 sssd-ad.5.xml:1229 + msgid "Default: 86400 (24 hours)" +-msgstr "" ++msgstr "По умолчанию: 86400 (24 часа)" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:981 sssd-krb5.5.xml:74 +@@ -6348,6 +7204,13 @@ msgid "" + "discovery is enabled - for more information, refer to the <quote>SERVICE " + "DISCOVERY</quote> section." + msgstr "" ++"Разделённый запятыми список IP-адресов или названий узлов серверов Kerberos, " ++"к которым SSSD следует подключаться в порядке приоритета. Дополнительные " ++"сведения об отработке отказа и избыточности сервера доступны в разделе " ++"<quote>ОТРАБОТКА ОТКАЗА</quote>. После адресов или имён узлов можно " ++"(необязательно) добавить номер порта (предварив его двоеточием). Если у " ++"параметра пустое значение, будет включено обнаружение служб — дополнительные " ++"сведения доступны в разделе <quote>ОБНАРУЖЕНИЕ СЛУЖБ</quote>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:996 sssd-krb5.5.xml:89 +@@ -6449,6 +7312,10 @@ msgid "" + "to determine if the password has expired. Use chpass_provider=krb5 to update " + "these attributes when the password is changed." + msgstr "" ++"<emphasis>mit_kerberos</emphasis> — использовать атрибуты, которые " ++"используются MIT Kerberos, для определения того, не истёк ли срок действия " ++"пароля. Чтобы обновить эти атрибуты в случае пароля, воспользуйтесь " ++"chpass_provider=krb5." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1094 +@@ -6456,6 +7323,9 @@ msgid "" + "<emphasis>Note</emphasis>: if a password policy is configured on server " + "side, it always takes precedence over policy set with this option." + msgstr "" ++"<emphasis>Примечание</emphasis>: если на стороне сервера настроена политика " ++"паролей, она всегда будет иметь приоритет над политикой, заданной с помощью " ++"этого параметра." + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1102 +@@ -6500,7 +7370,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1140 + msgid "Default: ldap" +-msgstr "" ++msgstr "По умолчанию: ldap" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1146 +@@ -6662,6 +7532,8 @@ msgstr "ldap_access_order (строка)" + #: sssd-ldap.5.xml:1284 + msgid "Comma separated list of access control options. Allowed values are:" + msgstr "" ++"Разделённый запятыми список параметров управления доступом. Допустимые " ++"значения:" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1288 +@@ -6728,6 +7600,8 @@ msgstr "" + msgid "" + "Note If user password is expired no explicit message is prompted by SSSD." + msgstr "" ++"Обратите внимание, что при истечении срока действия пароля от SSSD не " ++"поступит запрос с явным уведомлением." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1351 +@@ -6761,6 +7635,9 @@ msgid "" + "Please note, rhost field in pam is set by application, it is better to check " + "what the application sends to pam, before enabling this access control option" + msgstr "" ++"Обратите внимание, что значение поля rhost в pam устанавливается приложением;" ++" рекомендуется проверить, что приложение отправляет в pam, прежде чем " ++"включать этот параметр управления доступом" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1374 +@@ -6796,7 +7673,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1398 + msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +-msgstr "" ++msgstr "По умолчанию: cn=ppolicy,ou=policies,$ldap_search_base" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1404 +@@ -6894,7 +7771,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1480 + msgid "Default: 1000 (often the size of one page)" +-msgstr "" ++msgstr "По умолчанию: 1000 (часто размер одной страницы)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1486 +@@ -6918,7 +7795,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1499 + msgid "Default: 0 (libldap debugging disabled)" +-msgstr "" ++msgstr "По умолчанию: 0 (отладка libldap отключена)" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ldap.5.xml:51 +@@ -6935,7 +7812,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-ldap.5.xml:1509 + msgid "SUDO OPTIONS" +-msgstr "" ++msgstr "ПАРАМЕТРЫ SUDO" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ldap.5.xml:1511 +@@ -6974,7 +7851,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1540 + msgid "Default: 21600 (6 hours)" +-msgstr "" ++msgstr "По умолчанию: 21600 (6 часов)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1546 +@@ -7081,7 +7958,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1638 sssd-ldap.5.xml:1661 + msgid "Default: not specified" +-msgstr "" ++msgstr "По умолчанию: не указано" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1644 +@@ -7145,7 +8022,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-ldap.5.xml:1720 + msgid "AUTOFS OPTIONS" +-msgstr "" ++msgstr "ПАРАМЕТРЫ AUTOFS" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ldap.5.xml:1722 +@@ -7167,12 +8044,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap.5.xml:1734 + msgid "Default: auto.master" +-msgstr "" ++msgstr "По умолчанию: auto.master" + + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-ldap.5.xml:1745 + msgid "ADVANCED OPTIONS" +-msgstr "" ++msgstr "ДОПОЛНИТЕЛЬНЫЕ ПАРАМЕТРЫ" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap.5.xml:1752 +@@ -7290,6 +8167,16 @@ msgid "" + "ldap_tls_reqcert = demand\n" + "cache_credentials = true\n" + msgstr "" ++"[domain/LDAP]\n" ++"id_provider = ldap\n" ++"auth_provider = ldap\n" ++"access_provider = ldap\n" ++"ldap_access_order = lockout\n" ++"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" ++"ldap_uri = ldap://ldap.mydomain.org\n" ++"ldap_search_base = dc=mydomain,dc=org\n" ++"ldap_tls_reqcert = demand\n" ++"cache_credentials = true\n" + + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-ldap.5.xml:1839 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +@@ -7340,6 +8227,9 @@ msgid "" + "Services daemon (SSSD). Errors and results are logged through " + "<command>syslog(3)</command> with the LOG_AUTHPRIV facility." 
+ msgstr "" ++"<command>pam_sss.so</command> — это интерфейс PAM к сервису SSSD. Ошибки и " ++"результаты записываются в журнал посредством <command>syslog(3)</command> с " ++"LOG_AUTHPRIV." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: pam_sss.8.xml:74 +@@ -7801,27 +8691,29 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: pam_sss.8.xml:446 + msgid "PAM_MODULE_UNKNOWN" +-msgstr "" ++msgstr "PAM_MODULE_UNKNOWN" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: pam_sss.8.xml:449 + msgid "Unsupported PAM task or command." +-msgstr "" ++msgstr "Неподдерживаемое задание или команда PAM." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: pam_sss.8.xml:454 + msgid "PAM_BAD_ITEM" +-msgstr "" ++msgstr "PAM_BAD_ITEM" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: pam_sss.8.xml:457 + msgid "The authentication module cannot handle Smartcard credentials." + msgstr "" ++"Модулю проверки подлинности не удалось обработать учётные данные со " ++"смарт-карты." + + #. type: Content of: <reference><refentry><refsect1><title> + #: pam_sss.8.xml:465 + msgid "FILES" +-msgstr "" ++msgstr "ФАЙЛЫ" + + #. type: Content of: <reference><refentry><refsect1><para> + #: pam_sss.8.xml:466 +@@ -7854,12 +8746,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refname> + #: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16 + msgid "pam_sss_gss" +-msgstr "" ++msgstr "pam_sss_gss" + + #. type: Content of: <reference><refentry><refnamediv><refpurpose> + #: pam_sss_gss.8.xml:17 + msgid "PAM module for SSSD GSSAPI authentication" +-msgstr "" ++msgstr "Модуль PAM для проверки подлинности с помощью GSSAPI в SSSD" + + #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> + #: pam_sss_gss.8.xml:22 +@@ -7867,6 +8759,8 @@ msgid "" + "<command>pam_sss_gss.so</command> <arg choice='opt'> <replaceable>debug</" + "replaceable> </arg>" + msgstr "" ++"<command>pam_sss_gss.so</command> <arg choice='opt'> <replaceable>debug</" ++"replaceable> </arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: pam_sss_gss.8.xml:32 +@@ -7874,6 +8768,8 @@ msgid "" + "<command>pam_sss_gss.so</command> authenticates user over GSSAPI in " + "cooperation with SSSD." + msgstr "" ++"<command>pam_sss_gss.so</command> выполняет проверку подлинности " ++"пользователя с помощью GSSAPI совместно с SSSD." + + #. type: Content of: <reference><refentry><refsect1><para> + #: pam_sss_gss.8.xml:36 +@@ -7995,6 +8891,10 @@ msgid "" + "...\n" + " " + msgstr "" ++"...\n" ++"auth sufficient pam_sss_gss.so\n" ++"...\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><title> + #: pam_sss_gss.8.xml:180 +@@ -8208,6 +9108,12 @@ msgid "" + "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" + "citerefentry> manual page." + msgstr "" ++"На этой справочной странице представлено описание настройки простого " ++"поставщика управления доступом для <citerefentry> <refentrytitle>sssd</" ++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. Подробные сведения " ++"о синтаксисе доступны в разделе <quote>ФОРМАТ ФАЙЛА</quote> справочной " ++"страницы <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-simple.5.xml:38 +@@ -8215,11 +9121,14 @@ msgid "" + "The simple access provider grants or denies access based on an access or " + "deny list of user or group names. 
The following rules apply:" + msgstr "" ++"Простой поставщик доступа предоставляет или запрещает доступ на основании " ++"разрешающего или запрещающего списка имён пользователей или групп. " ++"Применяются следующие правила:" + + #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> + #: sssd-simple.5.xml:43 + msgid "If all lists are empty, access is granted" +-msgstr "" ++msgstr "Если все списки пусты, доступ предоставляется" + + #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> + #: sssd-simple.5.xml:47 +@@ -8227,6 +9136,9 @@ msgid "" + "If any list is provided, the order of evaluation is allow,deny. This means " + "that any matching deny rule will supersede any matched allow rule." + msgstr "" ++"Если предоставлен список, используется порядок вычисления «allow,deny». Это " ++"означает, что любое соответствующее заданным условиям правило запрета будет " ++"превалировать над любым соответствующим заданным условиям правилом допуска." + + #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> + #: sssd-simple.5.xml:54 +@@ -8500,47 +9412,47 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:135 + msgid "digitalSignature" +-msgstr "" ++msgstr "digitalSignature" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:136 + msgid "nonRepudiation" +-msgstr "" ++msgstr "nonRepudiation" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:137 + msgid "keyEncipherment" +-msgstr "" ++msgstr "keyEncipherment" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:138 + msgid "dataEncipherment" +-msgstr "" ++msgstr "dataEncipherment" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:139 + msgid "keyAgreement" +-msgstr "" ++msgstr "keyAgreement" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:140 + msgid "keyCertSign" +-msgstr "" ++msgstr "keyCertSign" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:141 + msgid "cRLSign" +-msgstr "" ++msgstr "cRLSign" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:142 + msgid "encipherOnly" +-msgstr "" ++msgstr "encipherOnly" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:143 + msgid "decipherOnly" +-msgstr "" ++msgstr "decipherOnly" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:147 +@@ -8569,47 +9481,47 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:163 + msgid "serverAuth" +-msgstr "" ++msgstr "serverAuth" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:164 + msgid "clientAuth" +-msgstr "" ++msgstr "clientAuth" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:165 + msgid "codeSigning" +-msgstr "" ++msgstr "codeSigning" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:166 + msgid "emailProtection" +-msgstr "" ++msgstr "emailProtection" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:167 + msgid "timeStamping" +-msgstr "" ++msgstr "timeStamping" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:168 + msgid "OCSPSigning" +-msgstr "" ++msgstr "OCSPSigning" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:169 + msgid "KPClientAuth" +-msgstr "" ++msgstr "KPClientAuth" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:170 + msgid "pkinit" +-msgstr "" ++msgstr "pkinit" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sss-certmap.5.xml:171 + msgid "msScLogin" +-msgstr "" ++msgstr "msScLogin" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:175 +@@ -8898,7 +9810,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:393 + msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +-msgstr "" ++msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:396 +@@ -8939,7 +9851,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:419 + msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +-msgstr "" ++msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:422 +@@ -8959,7 +9871,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:445 + msgid "{cert[!(bin|base64)]}" +-msgstr "" ++msgstr "{cert[!(bin|base64)]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:448 +@@ -8979,7 +9891,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:461 + msgid "{subject_principal[.short_name]}" +-msgstr "" ++msgstr "{subject_principal[.short_name]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:464 +@@ -8999,7 +9911,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:475 + msgid "{subject_pkinit_principal[.short_name]}" +-msgstr "" ++msgstr "{subject_pkinit_principal[.short_name]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:478 +@@ -9019,7 +9931,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:489 + msgid "{subject_nt_principal[.short_name]}" +-msgstr "" ++msgstr "{subject_nt_principal[.short_name]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:492 +@@ -9039,7 +9951,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:503 + msgid "{subject_rfc822_name[.short_name]}" +-msgstr "" ++msgstr "{subject_rfc822_name[.short_name]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:506 +@@ -9059,7 +9971,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:517 + msgid "{subject_dns_name[.short_name]}" +-msgstr "" ++msgstr "{subject_dns_name[.short_name]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:520 +@@ -9078,7 +9990,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:531 + msgid "{subject_uri}" +-msgstr "" ++msgstr "{subject_uri}" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:534 +@@ -9095,7 +10007,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:543 + msgid "{subject_ip_address}" +-msgstr "" ++msgstr "{subject_ip_address}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:546 +@@ -9112,7 +10024,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:555 + msgid "{subject_x400_address}" +-msgstr "" ++msgstr "{subject_x400_address}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:558 +@@ -9131,6 +10043,7 @@ msgstr "" + msgid "" + "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" + msgstr "" ++"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:571 +@@ -9147,7 +10060,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:580 + msgid "{subject_ediparty_name}" +-msgstr "" ++msgstr "{subject_ediparty_name}" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:583 +@@ -9164,7 +10077,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sss-certmap.5.xml:593 + msgid "{subject_registered_id}" +-msgstr "" ++msgstr "{subject_registered_id}" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sss-certmap.5.xml:596 +@@ -9191,7 +10104,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sss-certmap.5.xml:609 + msgid "DOMAIN LIST" +-msgstr "" ++msgstr "СПИСОК ДОМЕНОВ" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sss-certmap.5.xml:611 +@@ -9204,12 +10117,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 + msgid "sssd-ipa" +-msgstr "" ++msgstr "sssd-ipa" + + #. type: Content of: <reference><refentry><refnamediv><refpurpose> + #: sssd-ipa.5.xml:17 + msgid "SSSD IPA provider" +-msgstr "" ++msgstr "Поставщик данных IPA SSSD" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:23 +@@ -9220,6 +10133,12 @@ msgid "" + "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" + "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." + msgstr "" ++"На этой справочной странице представлено описание настройки поставщика " ++"данных IPA для <citerefentry> <refentrytitle>sssd</refentrytitle> " ++"<manvolnum>8</manvolnum> </citerefentry>. Подробные сведения о синтаксисе " ++"доступны в разделе <quote>ФОРМАТ ФАЙЛА</quote> справочной страницы " ++"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" ++"manvolnum> </citerefentry>." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:36 +@@ -9229,6 +10148,11 @@ msgid "" + "requires that the machine be joined to the IPA domain; configuration is " + "almost entirely self-discovered and obtained directly from the server." + msgstr "" ++"Поставщик данных IPA — это внутренний сервер, который используется для " ++"подключения к серверу IPA. (Сведения о серверах IPA доступны на веб-сайте " ++"freeipa.org.) 
Для работы этого поставщика требуется, чтобы компьютер был " ++"подключён к домену IPA; настройка почти полностью автоматизирована, " ++"получение её данных выполняется непосредственно с сервера." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:43 +@@ -9241,6 +10165,14 @@ msgid "" + "options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " + "However, it is neither necessary nor recommended to set these options." + msgstr "" ++"Поставщик данных IPA позволяет SSSD использовать поставщика данных " ++"идентификации <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry> и поставщика данных проверки " ++"подлинности <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry> с оптимизацией для сред IPA. " ++"Поставщик данных IPA принимает те же параметры, которые используются " ++"поставщиками sssd-ldap и sssd-krb5 providers, за некоторыми исключениями. Но " ++"установка этих параметров не является ни необходимой, ни рекомендуемой." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:57 +@@ -9249,6 +10181,9 @@ msgid "" + "default options with some exceptions, the differences are listed in the " + "<quote>MODIFIED DEFAULT OPTIONS</quote> section." + msgstr "" ++"Поставщик данных IPA в основном копирует стандартные параметры традиционных " ++"поставщиков данных ldap и krb5, за некоторыми исключениями. Список различий " ++"доступен в разделе <quote>ИЗМЕНЁННЫЕ СТАНДАРТНЫЕ ПАРАМЕТРЫ</quote>." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:62 +@@ -9257,6 +10192,10 @@ msgid "" + "control) rules. Please refer to freeipa.org for more information about " + "HBAC. No configuration of access provider is required on the client side." + msgstr "" ++"Как поставщик доступа, поставщик данных IPA использует правила HBAC (" ++"управление доступом на основе узлов). 
Более подробные сведения о HBAC " ++"доступны на веб-сайте freeipa.org. Настройка поставщика доступа на стороне " ++"клиента не требуется." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ipa.5.xml:67 +@@ -9273,6 +10212,10 @@ msgid "" + "from trusted realms contain a PAC. To make configuration easier the PAC " + "responder is started automatically if the IPA ID provider is configured." + msgstr "" ++"Поставщик данных IPA будет использовать ответчик PAC, если билеты Kerberos " ++"пользователей из доверенных областей содержат PAC. Для упрощения настройки " ++"запуск ответчика PAC выполняется автоматически, если настроен поставщик " ++"идентификаторов IPA." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:89 +@@ -9368,7 +10311,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:171 + msgid "Default: 1200 (seconds)" +-msgstr "" ++msgstr "По умолчанию: 1200 (секунд)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197 +@@ -9420,7 +10363,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271 + msgid "Default: GSS-TSIG" +-msgstr "" ++msgstr "По умолчанию: GSS-TSIG" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277 +@@ -9438,7 +10381,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286 + msgid "Default: Same as dyndns_auth" +-msgstr "" ++msgstr "По умолчанию: то же, что и dyndns_auth" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:233 +@@ -9497,7 +10440,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:289 + msgid "Default: False (disabled)" +-msgstr "" ++msgstr "По умолчанию: false (отключено)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249 +@@ -9514,7 +10457,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256 + msgid "Default: False (let nsupdate choose the protocol)" +-msgstr "" ++msgstr "По умолчанию: false (разрешить nsupdate выбрать протокол)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292 +@@ -9545,7 +10488,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310 + msgid "Default: None (let nsupdate choose the server)" +-msgstr "" ++msgstr "По умолчанию: none (разрешить nsupdate выбрать сервер)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316 +@@ -9577,7 +10520,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:354 sssd-ipa.5.xml:367 + msgid "Default: Use base DN" +-msgstr "" ++msgstr "По умолчанию: использовать base DN" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:360 +@@ -9599,7 +10542,7 @@ msgstr "ipa_host_search_base (строка)" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:376 + msgid "Deprecated. Use ldap_host_search_base instead." +-msgstr "" ++msgstr "Не рекомендуется. Используйте ldap_host_search_base." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:382 +@@ -9628,7 +10571,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:413 + msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +-msgstr "" ++msgstr "По умолчанию: значение <emphasis>cn=trusts,%basedn</emphasis>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:420 +@@ -9645,7 +10588,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:432 + msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +-msgstr "" ++msgstr "По умолчанию: значение <emphasis>cn=ad,cn=etc,%basedn</emphasis>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:439 +@@ -9663,6 +10606,7 @@ msgstr "" + #: sssd-ipa.5.xml:451 + msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" + msgstr "" ++"По умолчанию: значение <emphasis>cn=views,cn=accounts,%basedn</emphasis>" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:461 +@@ -9702,6 +10646,7 @@ msgstr "" + msgid "" + "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" + msgstr "" ++"По умолчанию: не задано (подкаталог krb5.include.d каталога pubconf SSSD)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:491 +@@ -9719,7 +10664,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:501 sssd-ipa.5.xml:531 sssd-ipa.5.xml:547 sssd-ad.5.xml:576 + msgid "Default: 5 (seconds)" +-msgstr "" ++msgstr "По умолчанию: 5 (секунд)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:507 +@@ -9736,7 +10681,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:515 + msgid "Default: 60 (minutes)" +-msgstr "" ++msgstr "По умолчанию: 60 (минут)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:521 +@@ -9818,7 +10763,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:601 + msgid "Default: The location named \"default\"" +-msgstr "" ++msgstr "По умолчанию: расположение с именем «default»" + + #. type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sssd-ipa.5.xml:609 +@@ -9838,7 +10783,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:624 + msgid "Default: nsContainer" +-msgstr "" ++msgstr "По умолчанию: nsContainer" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:630 +@@ -9856,7 +10801,7 @@ msgstr "" + #: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 + #: sssd-ldap-attributes.5.xml:1207 sssd-ldap-attributes.5.xml:1252 + msgid "Default: cn" +-msgstr "" ++msgstr "По умолчанию: cn" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:643 +@@ -9871,7 +10816,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:649 + msgid "Default: ipaOverrideAnchor" +-msgstr "" ++msgstr "По умолчанию: ipaOverrideAnchor" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:655 +@@ -9888,7 +10833,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:662 + msgid "Default: ipaAnchorUUID" +-msgstr "" ++msgstr "По умолчанию: ipaAnchorUUID" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:668 +@@ -9910,42 +10855,42 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:679 + msgid "ldap_user_name" +-msgstr "" ++msgstr "ldap_user_name" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:682 + msgid "ldap_user_uid_number" +-msgstr "" ++msgstr "ldap_user_uid_number" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:685 + msgid "ldap_user_gid_number" +-msgstr "" ++msgstr "ldap_user_gid_number" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:688 + msgid "ldap_user_gecos" +-msgstr "" ++msgstr "ldap_user_gecos" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:691 + msgid "ldap_user_home_directory" +-msgstr "" ++msgstr "ldap_user_home_directory" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:694 + msgid "ldap_user_shell" +-msgstr "" ++msgstr "ldap_user_shell" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:697 + msgid "ldap_user_ssh_public_key" +-msgstr "" ++msgstr "ldap_user_ssh_public_key" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:702 + msgid "Default: ipaUserOverride" +-msgstr "" ++msgstr "По умолчанию: ipaUserOverride" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> + #: sssd-ipa.5.xml:708 +@@ -9967,17 +10912,17 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:719 + msgid "ldap_group_name" +-msgstr "" ++msgstr "ldap_group_name" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:722 + msgid "ldap_group_gid_number" +-msgstr "" ++msgstr "ldap_group_gid_number" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> + #: sssd-ipa.5.xml:727 + msgid "Default: ipaGroupOverride" +-msgstr "" ++msgstr "По умолчанию: ipaGroupOverride" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd-ipa.5.xml:611 +@@ -10061,54 +11006,56 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sssd-ipa.5.xml:787 + msgid "OPTIONS TUNABLE ON IPA MASTERS" +-msgstr "" ++msgstr "ПАРАМЕТРЫ, КОТОРЫЕ МОЖНО НАСТРОИТЬ НА ОСНОВНЫХ СЕРВЕРАХ IPA" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd-ipa.5.xml:789 + msgid "" + "The following options can be set in a subdomain section on an IPA master:" + msgstr "" ++"В разделе поддомена на основном сервере IPA можно настроить следующие " ++"параметры:" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:793 sssd-ipa.5.xml:823 + msgid "ad_server" +-msgstr "" ++msgstr "ad_server" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:796 + msgid "ad_backup_server" +-msgstr "" ++msgstr "ad_backup_server" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:799 sssd-ipa.5.xml:826 + msgid "ad_site" +-msgstr "" ++msgstr "ad_site" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:802 + msgid "ldap_search_base" +-msgstr "" ++msgstr "ldap_search_base" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:805 + msgid "ldap_user_search_base" +-msgstr "" ++msgstr "ldap_user_search_base" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> + #: sssd-ipa.5.xml:808 + msgid "ldap_group_search_base" +-msgstr "" ++msgstr "ldap_group_search_base" + + #. type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sssd-ipa.5.xml:817 + msgid "OPTIONS TUNABLE ON IPA CLIENTS" +-msgstr "" ++msgstr "ПАРАМЕТРЫ, КОТОРЫЕ МОЖНО НАСТРОИТЬ НА КЛИЕНТАХ IPA" + + #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd-ipa.5.xml:819 + msgid "" + "The following options can be set in a subdomain section on an IPA client:" +-msgstr "" ++msgstr "В разделе поддомена на клиенте IPA можно настроить следующие параметры:" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sssd-ipa.5.xml:831 +@@ -10152,12 +11099,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sssd-ad.5.xml:10 sssd-ad.5.xml:16 + msgid "sssd-ad" +-msgstr "" ++msgstr "sssd-ad" + + #. type: Content of: <reference><refentry><refnamediv><refpurpose> + #: sssd-ad.5.xml:17 + msgid "SSSD Active Directory provider" +-msgstr "" ++msgstr "Поставщик Active Directory SSSD" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ad.5.xml:23 +@@ -10207,6 +11154,15 @@ msgid "" + "exceptions. However, it is neither necessary nor recommended to set these " + "options." + msgstr "" ++"Поставщик данных AD позволяет SSSD использовать поставщика данных " ++"идентификации <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry> и поставщика данных проверки " ++"подлинности <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " ++"<manvolnum>5</manvolnum> </citerefentry> с оптимизацией для сред Active " ++"Directory. Поставщик данных AD принимает те же параметры, которые " ++"используются поставщиками sssd-ldap и sssd-krb5 providers, за некоторыми " ++"исключениями. Но установка этих параметров не является ни необходимой, ни " ++"рекомендуемой." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ad.5.xml:69 +@@ -10215,6 +11171,9 @@ msgid "" + "default options with some exceptions, the differences are listed in the " + "<quote>MODIFIED DEFAULT OPTIONS</quote> section." + msgstr "" ++"Поставщик данных AD в основном копирует стандартные параметры традиционных " ++"поставщиков данных ldap и krb5, за некоторыми исключениями. 
Список различий " ++"доступен в разделе <quote>ИЗМЕНЁННЫЕ СТАНДАРТНЫЕ ПАРАМЕТРЫ</quote>." + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ad.5.xml:74 +@@ -10618,12 +11577,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:458 + msgid "Default: permissive" +-msgstr "" ++msgstr "По умолчанию: permissive" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:461 + msgid "Default: enforcing" +-msgstr "" ++msgstr "По умолчанию: enforcing" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:467 +@@ -10657,59 +11616,62 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> + #: sssd-ad.5.xml:499 sssd-ad.5.xml:525 + msgid "allow-rules" +-msgstr "" ++msgstr "правила разрешения" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> + #: sssd-ad.5.xml:499 sssd-ad.5.xml:525 + msgid "deny-rules" +-msgstr "" ++msgstr "правила запрета" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> + #: sssd-ad.5.xml:500 sssd-ad.5.xml:526 + msgid "results" +-msgstr "" ++msgstr "результат" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> + #: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529 + #: sssd-ad.5.xml:532 sssd-ad.5.xml:535 + msgid "missing" +-msgstr "" ++msgstr "отсутствуют" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> + #: sssd-ad.5.xml:504 + msgid "all users are allowed" +-msgstr "" ++msgstr "доступ разрешён всем пользователям" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> + #: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532 + #: sssd-ad.5.xml:535 sssd-ad.5.xml:538 + msgid "present" +-msgstr "" ++msgstr "присутствуют" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> + #: sssd-ad.5.xml:507 + msgid "only users not in deny-rules are allowed" +-msgstr "" ++msgstr "доступ разрешён только пользователям, отсутствующим в правилах запрета" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> + #: sssd-ad.5.xml:510 sssd-ad.5.xml:536 + msgid "only users in allow-rules are allowed" + msgstr "" ++"доступ разрешён только пользователям, присутствующим в правилах разрешения" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> + #: sssd-ad.5.xml:513 sssd-ad.5.xml:539 + msgid "only users in allow-rules and not in deny-rules are allowed" + msgstr "" ++"доступ разрешён только пользователям, присутствующим в правилах разрешения и " ++"отсутствующим в правилах запрета" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> + #: sssd-ad.5.xml:524 + msgid "ad_gpo_implicit_deny = True" +-msgstr "" ++msgstr "ad_gpo_implicit_deny = True" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> + #: sssd-ad.5.xml:530 sssd-ad.5.xml:533 + msgid "no users are allowed" +-msgstr "" ++msgstr "доступ запрещён всем пользователям" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:546 +@@ -10790,32 +11752,32 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:640 + msgid "gdm-fingerprint" +-msgstr "" ++msgstr "gdm-fingerprint" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:660 + msgid "lightdm" +-msgstr "" ++msgstr "lightdm" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:665 + msgid "lxdm" +-msgstr "" ++msgstr "lxdm" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:670 + msgid "sddm" +-msgstr "" ++msgstr "sddm" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:675 + msgid "unity" +-msgstr "" ++msgstr "unity" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:680 + msgid "xdm" +-msgstr "" ++msgstr "xdm" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:689 +@@ -11128,12 +12090,12 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:998 + msgid "interactive" +-msgstr "" ++msgstr "interactive" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:1003 + msgid "remote_interactive" +-msgstr "" ++msgstr "remote_interactive" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:1008 +@@ -11153,7 +12115,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:1023 + msgid "permit" +-msgstr "" ++msgstr "permit" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> + #: sssd-ad.5.xml:1028 +@@ -11163,7 +12125,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:1034 + msgid "Default: deny" +-msgstr "" ++msgstr "По умолчанию: deny" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:1040 +@@ -11181,7 +12143,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:1049 + msgid "Default: 30 days" +-msgstr "" ++msgstr "По умолчанию: 30 дней" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:1055 +@@ -11201,7 +12163,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:1067 + msgid "Default: 86400:750 (24h and 15m)" +-msgstr "" ++msgstr "По умолчанию: 86400:750 (24 часа и 15 минут)" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ad.5.xml:1073 +@@ -11290,7 +12252,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:1191 + msgid "Default: 3600 (seconds)" +-msgstr "" ++msgstr "По умолчанию: 3600 (секунд)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ad.5.xml:1207 +@@ -11655,6 +12617,8 @@ msgid "" + "<command>sssd</command> <arg choice='opt'> <replaceable>options</" + "replaceable> </arg>" + msgstr "" ++"<command>sssd</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd.8.xml:31 +@@ -11742,6 +12706,8 @@ msgstr "" + msgid "" + "Default: not set (fall back to journald if available, otherwise to stderr)" + msgstr "" ++"По умолчанию: не задано (использовать journald, если это возможно, в ином " ++"случае — stderr)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd.8.xml:113 +@@ -11821,7 +12787,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd.8.xml:193 + msgid "SIGTERM/SIGINT" +-msgstr "" ++msgstr "SIGTERM/SIGINT" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd.8.xml:196 +@@ -11894,6 +12860,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" + "replaceable></arg>" + msgstr "" ++"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>[ПАРОЛЬ]</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_obfuscate.8.xml:32 +@@ -11964,7 +12933,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sss_obfuscate.8.xml:95 + msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +-msgstr "" ++msgstr "По умолчанию: <filename>/etc/sssd/sssd.conf</filename>" + + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sss_override.8.xml:10 sss_override.8.xml:15 +@@ -11983,6 +12952,9 @@ msgid "" + "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" + "arg>" + msgstr "" ++"<command>sss_override</command> <arg " ++"choice='plain'><replaceable>КОМАНДА</replaceable></arg> <arg choice='opt'> " ++"<replaceable>параметры</replaceable> </arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_override.8.xml:32 +@@ -12230,7 +13202,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><title> + #: sss_override.8.xml:267 sssctl.8.xml:50 + msgid "COMMON OPTIONS" +-msgstr "" ++msgstr "ОБЩИЕ ПАРАМЕТРЫ" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_override.8.xml:269 sssctl.8.xml:52 +@@ -12259,6 +13231,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" + "arg>" + msgstr "" ++"<command>sss_useradd</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ИМЯ_УЧЁТНОЙ_ЗАПИСИ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_useradd.8.xml:32 +@@ -12469,6 +13444,13 @@ msgid "" + "discovery is enabled; for more information, refer to the <quote>SERVICE " + "DISCOVERY</quote> section." + msgstr "" ++"Разделённый запятыми список IP-адресов или названий узлов серверов Kerberos, " ++"к которым SSSD следует подключаться в порядке приоритета. Дополнительные " ++"сведения об отработке отказа и избыточности сервера доступны в разделе " ++"<quote>ОТРАБОТКА ОТКАЗА</quote>. 
После адресов или имён узлов можно " ++"(необязательно) добавить номер порта (предварив его двоеточием). Если у " ++"параметра пустое значение, будет включено обнаружение служб — дополнительные " ++"сведения доступны в разделе <quote>ОБНАРУЖЕНИЕ СЛУЖБ</quote>." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:106 +@@ -12502,7 +13484,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:129 + msgid "Default: Use the KDC" +-msgstr "" ++msgstr "По умолчанию: использовать KDC" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:135 +@@ -12520,7 +13502,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:145 + msgid "Default: /tmp" +-msgstr "" ++msgstr "По умолчанию: /tmp" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:151 +@@ -12530,7 +13512,7 @@ msgstr "krb5_ccname_template (строка)" + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:165 include/override_homedir.xml:11 + msgid "%u" +-msgstr "" ++msgstr "%u" + + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +@@ -12540,7 +13522,7 @@ msgstr "" + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:169 include/override_homedir.xml:15 + msgid "%U" +-msgstr "" ++msgstr "%U" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:170 +@@ -12550,7 +13532,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:173 + msgid "%p" +-msgstr "" ++msgstr "%p" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:174 +@@ -12560,7 +13542,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:178 + msgid "%r" +-msgstr "" ++msgstr "%r" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:179 +@@ -12570,7 +13552,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:182 + msgid "%h" +-msgstr "" ++msgstr "%h" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +@@ -12580,7 +13562,7 @@ msgstr "" + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:187 include/override_homedir.xml:19 + msgid "%d" +-msgstr "" ++msgstr "%d" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:188 +@@ -12590,7 +13572,7 @@ msgstr "" + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:193 include/override_homedir.xml:31 + msgid "%P" +-msgstr "" ++msgstr "%P" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:194 +@@ -12600,12 +13582,12 @@ msgstr "" + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:199 include/override_homedir.xml:49 + msgid "%%" +-msgstr "" ++msgstr "%%" + + #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:200 include/override_homedir.xml:50 + msgid "a literal '%'" +-msgstr "" ++msgstr "литерал «%»" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:154 +@@ -12619,6 +13601,14 @@ msgid "" + "the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " + "filename in a safe way." + msgstr "" ++"Расположение кэша учётных данных пользователя. В настоящее время " ++"поддерживаются три типа кэша учётных данных: <quote>FILE</quote>, " ++"<quote>DIR</quote> и <quote>KEYRING:persistent</quote>. Кэш можно указать " ++"либо как <replaceable>TYPE:RESIDUAL</replaceable>, либо как абсолютный путь, " ++"что предполагает тип <quote>FILE</quote>. В шаблоне заменяются следующие " ++"последовательности: <placeholder type=\"variablelist\" id=\"0\"/> Если " ++"шаблон заканчивается на «XXXXXX», для безопасного создания уникального имени " ++"файла используется mkstemp(3)." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:208 +@@ -12650,7 +13640,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:234 + msgid "Default: (from libkrb5)" +-msgstr "" ++msgstr "По умолчанию: (из libkrb5)" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:240 +@@ -12779,7 +13769,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:376 + msgid "Default: 3:1" +-msgstr "" ++msgstr "По умолчанию: 3:1" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-krb5.5.xml:382 +@@ -12796,7 +13786,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:391 + msgid "Default: false (AD provider: true)" +-msgstr "" ++msgstr "По умолчанию: false (поставщик данных AD: true)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-krb5.5.xml:394 +@@ -12900,6 +13890,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" + "arg>" + msgstr "" ++"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ГРУППА</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_groupadd.8.xml:32 +@@ -12939,6 +13932,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" + "arg>" + msgstr "" ++"<command>sss_userdel</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ИМЯ_УЧЁТНОЙ_ЗАПИСИ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_userdel.8.xml:32 +@@ -13010,6 +14006,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" + "arg>" + msgstr "" ++"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ГРУППА</replaceable></arg>" + + #. 
type: Content of: <reference><refentry><refsect1><para> + #: sss_groupdel.8.xml:32 +@@ -13035,6 +14034,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" + "arg>" + msgstr "" ++"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ГРУППА</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_groupshow.8.xml:32 +@@ -13074,6 +14076,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" + "arg>" + msgstr "" ++"<command>sss_usermod</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>ИМЯ_УЧЁТНОЙ_ЗАПИСИ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_usermod.8.xml:32 +@@ -13117,6 +14122,8 @@ msgstr "" + #: sss_usermod.8.xml:107 + msgid "Lock the user account. The user won't be able to log in." + msgstr "" ++"Заблокировать учётную запись пользователя. Пользователь не сможет выполнить " ++"вход." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sss_usermod.8.xml:114 +@@ -13126,7 +14133,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sss_usermod.8.xml:118 + msgid "Unlock the user account." +-msgstr "" ++msgstr "Разблокировать учётную запись пользователя." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sss_usermod.8.xml:129 +@@ -13168,12 +14175,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sss_cache.8.xml:10 sss_cache.8.xml:15 + msgid "sss_cache" +-msgstr "" ++msgstr "sss_cache" + + #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> + #: sss_cache.8.xml:16 + msgid "perform cache cleanup" +-msgstr "" ++msgstr "выполнить очистку кэша" + + #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> + #: sss_cache.8.xml:21 +@@ -13181,6 +14188,8 @@ msgid "" + "<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" + "replaceable> </arg>" + msgstr "" ++"<command>sss_cache</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_cache.8.xml:31 +@@ -13190,6 +14199,11 @@ msgid "" + "backend is online. Options that invalidate a single object only accept a " + "single provided argument." + msgstr "" ++"<command>sss_cache</command> объявляет недействительными записи в кэше " ++"SSSD. Объявленные недействительными записи принудительно повторно " ++"загружаются с сервера, как только соответствующий внутренний сервер SSSD " ++"появляется в сети. Параметры, объявляющие недействительность одного объекта, " ++"принимают только один предоставленный аргумент." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sss_cache.8.xml:43 +@@ -13434,7 +14448,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refpurpose> + #: sss_debuglevel.8.xml:16 + msgid "[DEPRECATED] change debug level while SSSD is running" +-msgstr "" ++msgstr "[НЕ РЕКОМЕНДУЕТСЯ] изменить уровень отладки во время работы SSSD" + + #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> + #: sss_debuglevel.8.xml:21 +@@ -13443,6 +14457,9 @@ msgid "" + "replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" + "replaceable></arg>" + msgstr "" ++"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg " ++"choice='plain'><replaceable>НОВЫЙ_УРОВЕНЬ_ОТЛАДКИ</replaceable></arg>" + + #. 
type: Content of: <reference><refentry><refsect1><para> + #: sss_debuglevel.8.xml:32 +@@ -13451,6 +14468,9 @@ msgid "" + "debug-level command. Please refer to the <command>sssctl</command> man page " + "for more information on sssctl usage." + msgstr "" ++"<command>sss_debuglevel</command> устарела и заменена командой debug-level " ++"sssctl. Дополнительные сведения об использовании sssctl доступны на man-" ++"странице <command>sssctl</command>." + + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sss_seed.8.xml:10 sss_seed.8.xml:15 +@@ -13470,6 +14490,9 @@ msgid "" + "replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" + "arg>" + msgstr "" ++"<command>sss_seed</command> <arg choice='opt'> <replaceable>параметры</" ++"replaceable> </arg> <arg choice='plain'>-D <replaceable>ДОМЕН</replaceable></" ++"arg> <arg choice='plain'>-n <replaceable>ПОЛЬЗОВАТЕЛЬ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_seed.8.xml:33 +@@ -13563,12 +14586,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 + msgid "sssd-ifp" +-msgstr "" ++msgstr "sssd-ifp" + + #. type: Content of: <reference><refentry><refnamediv><refpurpose> + #: sssd-ifp.5.xml:17 + msgid "SSSD InfoPipe responder" +-msgstr "" ++msgstr "Ответчик InfoPipe SSSD" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-ifp.5.xml:23 +@@ -13600,12 +14623,17 @@ msgid "" + "allowed to access the InfoPipe responder. User names are resolved to UIDs at " + "startup." + msgstr "" ++"Разделённый запятыми список значений UID или имён пользователей, которым " ++"разрешён доступ к ответчику InfoPipe. Имена пользователей разрешаются в UID " ++"при запуске." + + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:59 + msgid "" + "Default: 0 (only the root user is allowed to access the InfoPipe responder)" + msgstr "" ++"По умолчанию: 0 (доступ к ответчику InfoPipe разрешён только пользователю " ++"root)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:63 +@@ -13620,61 +14648,62 @@ msgstr "" + #: sssd-ifp.5.xml:77 + msgid "Specifies the comma-separated list of white or blacklisted attributes." + msgstr "" ++"Разделённый запятыми список атрибутов из «белого» или «чёрного» списков." + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:91 + msgid "name" +-msgstr "" ++msgstr "name" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:92 + msgid "user's login name" +-msgstr "" ++msgstr "имя пользователя для входа" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:95 + msgid "uidNumber" +-msgstr "" ++msgstr "uidNumber" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:96 + msgid "user ID" +-msgstr "" ++msgstr "идентификатор пользователя" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:99 + msgid "gidNumber" +-msgstr "" ++msgstr "gidNumber" + + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:100 + msgid "primary group ID" +-msgstr "" ++msgstr "идентификатор основной группы" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:103 + msgid "gecos" +-msgstr "" ++msgstr "gecos" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:104 + msgid "user information, typically full name" +-msgstr "" ++msgstr "данные о пользователи, обычно полное имя" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:107 + msgid "homeDirectory" +-msgstr "" ++msgstr "homeDirectory" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> + #: sssd-ifp.5.xml:111 + msgid "loginShell" +-msgstr "" ++msgstr "loginShell" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:112 + msgid "user shell" +-msgstr "" ++msgstr "оболочка пользователя" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:81 +@@ -13708,6 +14737,7 @@ msgstr "" + #: sssd-ifp.5.xml:129 + msgid "Default: not set. Only the default set of POSIX attributes is allowed." + msgstr "" ++"По умолчанию: не задано. Разрешён только стандартный набор атрибутов POSIX." + + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-ifp.5.xml:139 +@@ -13720,6 +14750,7 @@ msgstr "" + #: sssd-ifp.5.xml:144 + msgid "Default: 0 (let the caller set an upper limit)" + msgstr "" ++"По умолчанию: 0 (разрешить вызывающей стороне установить верхнее ограничение)" + + #. type: Content of: <reference><refentry><refentryinfo> + #: sss_rpcidmapd.5.xml:8 +@@ -13731,6 +14762,12 @@ msgid "" + "<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" + "author>" + msgstr "" ++"<productname>Модуль SSS rpc.idmapd</productname> <author> <firstname>Noam</" ++"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " ++"Inc.</orgname> </affiliation> <contrib>Разработчик (2013—2014)</contrib> </" ++"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " ++"<contrib>Разработчик (2014—)</contrib> <email>tsnoam@gmail.com</email> " ++"</author>" + + #. type: Content of: <reference><refentry><refnamediv><refname> + #: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +@@ -13763,7 +14800,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><title> + #: sss_rpcidmapd.5.xml:51 + msgid "Enable SSS plugin" +-msgstr "" ++msgstr "Включить модуль SSS" + + #. type: Content of: <reference><refentry><refsect1><refsect2><para> + #: sss_rpcidmapd.5.xml:53 +@@ -13811,6 +14848,8 @@ msgid "" + "The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " + "in sssd." + msgstr "" ++"Для работы модуля SSS необходимо включить в SSSD <emphasis>ответчик " ++"NSS</emphasis>." + + #. 
type: Content of: <reference><refentry><refsect1><para> + #: sss_rpcidmapd.5.xml:91 +@@ -13880,6 +14919,9 @@ msgid "" + "<replaceable>options</replaceable> </arg> <arg " + "choice='plain'><replaceable>USER</replaceable></arg>" + msgstr "" ++"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " ++"<replaceable>параметры</replaceable> </arg> <arg " ++"choice='plain'><replaceable>ПОЛЬЗОВАТЕЛЬ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_ssh_authorizedkeys.1.xml:32 +@@ -14036,6 +15078,10 @@ msgid "" + "choice='plain'><replaceable>HOST</replaceable></arg> <arg " + "choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" + msgstr "" ++"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " ++"<replaceable>параметры</replaceable> </arg> <arg " ++"choice='plain'><replaceable>УЗЕЛ</replaceable></arg> <arg " ++"choice='opt'><replaceable>КОМАНДА_ПРОКСИ</replaceable></arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sss_ssh_knownhostsproxy.1.xml:33 +@@ -14123,7 +15169,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><title> + #: idmap_sss.8.xml:29 + msgid "IDMAP OPTIONS" +-msgstr "" ++msgstr "ПАРАМЕТРЫ IDMAP" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: idmap_sss.8.xml:33 +@@ -14158,6 +15204,17 @@ msgid "" + "idmap config * : range = 100000-199999\n" + " " + msgstr "" ++"[global]\n" ++"security = ads\n" ++"workgroup = <AD-DOMAIN-SHORTNAME>\n" ++"\n" ++"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" ++"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-" ++"2147483647\n" ++"\n" ++"idmap config * : backend = tdb\n" ++"idmap config * : range = 100000-199999\n" ++" " + + #. 
type: Content of: <reference><refentry><refsect1><para> + #: idmap_sss.8.xml:62 +@@ -14192,6 +15249,9 @@ msgid "" + "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" + "arg>" + msgstr "" ++"<command>sssctl</command> <arg " ++"choice='plain'><replaceable>КОМАНДА</replaceable></arg> <arg choice='opt'> " ++"<replaceable>параметры</replaceable> </arg>" + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssctl.8.xml:32 +@@ -14290,7 +15350,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-files.5.xml:105 + msgid "Default: /etc/passwd" +-msgstr "" ++msgstr "По умолчанию: /etc/passwd" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-files.5.xml:111 +@@ -14308,14 +15368,12 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-files.5.xml:120 + msgid "Default: /etc/group" +-msgstr "" ++msgstr "Default: /etc/group" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-files.5.xml:126 +-#, fuzzy +-#| msgid "ldap_rfc2307_fallback_to_local_users (boolean)" + msgid "fallback_to_nss (boolean)" +-msgstr "ldap_rfc2307_fallback_to_local_users (логическое значение)" ++msgstr "fallback_to_nss (логическое значение)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-files.5.xml:129 +@@ -14591,7 +15649,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-secrets.5.xml:199 + msgid "Default: 4" +-msgstr "" ++msgstr "По умолчанию: 4" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-secrets.5.xml:204 +@@ -14608,7 +15666,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-secrets.5.xml:211 + msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +-msgstr "" ++msgstr "По умолчанию: 1024 (куст секретов), 256 (куст kcm)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-secrets.5.xml:216 +@@ -14625,7 +15683,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-secrets.5.xml:223 + msgid "Default: 256 (secrets hive), 64 (kcm hive)" +-msgstr "" ++msgstr "По умолчанию: 256 (куст секретов), 64 (куст kcm)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-secrets.5.xml:228 +@@ -14642,7 +15700,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-secrets.5.xml:235 + msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +-msgstr "" ++msgstr "По умолчанию: 16 (куст секретов), 65536 (64 МиБ) (куст kcm)" + + #. type: Content of: <reference><refentry><refsect1><para><programlisting> + #: sssd-secrets.5.xml:244 +@@ -15360,7 +16418,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-kcm.8.xml:133 + msgid "OBTAINING DEBUG LOGS" +-msgstr "" ++msgstr "ПОЛУЧЕНИЕ ЖУРНАЛА ОТЛАДКИ" + + #. type: Content of: <reference><refentry><refsect1><para><programlisting> + #: sssd-kcm.8.xml:144 +@@ -15402,11 +16460,14 @@ msgid "" + "if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " + "exists at all." + msgstr "" ++"Обратите внимание, что в настоящее время фрагменты конфигурации " ++"обрабатываются только в том случае, если основной файл конфигурации по пути " ++"<filename>/etc/sssd/sssd.conf</filename> существует." + + #. type: Content of: <reference><refentry><refsect1><title> + #: sssd-kcm.8.xml:166 + msgid "RENEWALS" +-msgstr "" ++msgstr "ОБНОВЛЕНИЯ" + + #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> + #: sssd-kcm.8.xml:174 +@@ -15416,6 +16477,9 @@ msgid "" + "krb5_renew_interval = 60m\n" + " " + msgstr "" ++"tgt_renewal = true\n" ++"krb5_renew_interval = 60m\n" ++" " + + #. type: Content of: <reference><refentry><refsect1><para> + #: sssd-kcm.8.xml:168 +@@ -15506,6 +16570,7 @@ msgstr "" + #: sssd-kcm.8.xml:240 + msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" + msgstr "" ++"По умолчанию: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-kcm.8.xml:243 +@@ -15529,6 +16594,8 @@ msgstr "" + #: sssd-kcm.8.xml:259 + msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" + msgstr "" ++"По умолчанию: 0 (без ограничений, принудительно применяется только квота для " ++"отдельного UID)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-kcm.8.xml:264 +@@ -15545,7 +16612,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-kcm.8.xml:272 + msgid "Default: 64" +-msgstr "" ++msgstr "По умолчанию: 64" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-kcm.8.xml:277 +@@ -15562,7 +16629,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-kcm.8.xml:284 + msgid "Default: 65536" +-msgstr "" ++msgstr "По умолчанию: 65536" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-kcm.8.xml:289 +@@ -15577,7 +16644,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> + #: sssd-kcm.8.xml:295 + msgid "Default: False (Automatic renewals disabled)" +-msgstr "" ++msgstr "По умолчанию: False (автоматические обновления отключены)" + + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> + #: sssd-kcm.8.xml:300 +@@ -16177,7 +17244,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:61 + msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +-msgstr "" ++msgstr "По умолчанию: uid (rfc2307, rfc2307bis и IPA), sAMAccountName (AD)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:68 +@@ -16192,7 +17259,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:75 + msgid "Default: uidNumber" +-msgstr "" ++msgstr "По умолчанию: uidNumber" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:81 +@@ -16203,11 +17270,12 @@ msgstr "ldap_user_gid_number (строка)" + #: sssd-ldap-attributes.5.xml:84 + msgid "The LDAP attribute that corresponds to the user's primary group id." + msgstr "" ++"Атрибут LDAP, соответствующий идентификатору основной группы пользователя." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 + msgid "Default: gidNumber" +-msgstr "" ++msgstr "По умолчанию: gidNumber" + + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:94 +@@ -16221,6 +17289,9 @@ msgid "" + "attribute should only be set manually if you are running the <quote>ldap</" + "quote> provider with ID mapping." + msgstr "" ++"Атрибут основной группы Active Directory для сопоставления ID. Обратите " ++"внимание, что этот атрибут следует устанавливать только вручную, если " ++"запущен поставщик <quote>ldap</quote> с сопоставлением ID." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:103 +@@ -16255,7 +17326,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:129 + msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +-msgstr "" ++msgstr "По умолчанию: homeDirectory (LDAP и IPA), unixHomeDirectory (AD)" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:135 +@@ -16305,6 +17376,7 @@ msgstr "" + #: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 + msgid "Default: objectSid for ActiveDirectory, not set for other servers." + msgstr "" ++"По умолчанию: objectSid для ActiveDirectory, не задано для других серверов." + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:177 +@@ -16342,7 +17414,7 @@ msgstr "" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> + #: sssd-ldap-attributes.5.xml:203 + msgid "Default: shadowLastChange" +-msgstr "" ++msgstr "По умолчанию: shadowLastChange" + + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> + #: sssd-ldap-attributes.5.xml:209 +@@ -16361,7 +17433,7 @@ msgstr "" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:221
+ msgid "Default: shadowMin"
+-msgstr ""
++msgstr "По умолчанию: shadowMin"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:227
+@@ -16380,7 +17452,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:239
+ msgid "Default: shadowMax"
+-msgstr ""
++msgstr "По умолчанию: shadowMax"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:245
+@@ -16455,7 +17527,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:311
+ msgid "Default: krbLastPwdChange"
+-msgstr ""
++msgstr "По умолчанию: krbLastPwdChange"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:317
+@@ -16472,7 +17544,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:326
+ msgid "Default: krbPasswordExpiration"
+-msgstr ""
++msgstr "По умолчанию: krbPasswordExpiration"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:332
+@@ -16489,7 +17561,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:340
+ msgid "Default: accountExpires"
+-msgstr ""
++msgstr "По умолчанию: accountExpires"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:346
+@@ -16506,7 +17578,7 @@ msgstr ""
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:354
+ msgid "Default: userAccountControl"
+-msgstr ""
++msgstr "По умолчанию: userAccountControl"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:360
+@@ -16523,7 +17595,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:368
+ msgid "Default: nsAccountLock"
+-msgstr ""
++msgstr "По умолчанию: nsAccountLock"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:374
+@@ -16540,7 +17612,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395
+ msgid "Default: loginDisabled"
+-msgstr ""
++msgstr "По умолчанию: loginDisabled"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:387
+@@ -16569,7 +17641,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:409
+ msgid "Default: loginAllowedTimeMap"
+-msgstr ""
++msgstr "По умолчанию: loginAllowedTimeMap"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:415
+@@ -16586,7 +17658,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:422
+ msgid "Default: krbPrincipalName"
+-msgstr ""
++msgstr "По умолчанию: krbPrincipalName"
+
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:428
+@@ -16655,7 +17727,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946
+ msgid "Default: sshPublicKey"
+-msgstr ""
++msgstr "По умолчанию: sshPublicKey"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:489
+@@ -16680,7 +17752,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933
+ msgid "Default: memberOf"
+-msgstr ""
++msgstr "По умолчанию: memberOf"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:515
+@@ -16722,7 +17794,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:545
+ msgid "Default: authorizedService"
+-msgstr ""
++msgstr "По умолчанию: authorizedService"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:551
+@@ -16755,7 +17827,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:572
+ msgid "Default: host"
+-msgstr ""
++msgstr "По умолчанию: host"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:578
+@@ -16788,7 +17860,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:600
+ msgid "Default: rhost"
+-msgstr ""
++msgstr "По умолчанию: rhost"
+
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:606
+@@ -16803,7 +17875,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:613
+ msgid "Default: userCertificate;binary"
+-msgstr ""
++msgstr "По умолчанию: userCertificate;binary"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:619
+@@ -16828,7 +17900,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:635
+ msgid "Default: mail"
+-msgstr ""
++msgstr "По умолчанию: mail"
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap-attributes.5.xml:644
+@@ -16848,7 +17920,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:654
+ msgid "Default: posixGroup"
+-msgstr ""
++msgstr "По умолчанию: posixGroup"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:660
+@@ -16863,7 +17935,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:667
+ msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+-msgstr ""
++msgstr "По умолчанию: cn (rfc2307, rfc2307bis и IPA), sAMAccountName (AD)"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:674
+@@ -16888,7 +17960,7 @@ msgstr ""
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:694
+ msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+-msgstr ""
++msgstr "По умолчанию: memberuid (rfc2307) / member (rfc2307bis)"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:700
+@@ -16943,6 +18015,7 @@ msgstr ""
+ #: sssd-ldap-attributes.5.xml:756
+ msgid "Default: groupType in the AD provider, otherwise not set"
+ msgstr ""
++"По умолчанию: groupType для поставщика данных AD, в ином случае не задано"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:763
+@@ -16960,6 +18033,8 @@ msgstr ""
+ #: sssd-ldap-attributes.5.xml:772
+ msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+ msgstr ""
++"По умолчанию: ipaExternalMember для поставщика данных IPA, в ином случае не "
++"задано."
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap-attributes.5.xml:782
+@@ -16974,7 +18049,7 @@ msgstr "ldap_netgroup_object_class (строка)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:789
+ msgid "The object class of a netgroup entry in LDAP."
+-msgstr ""
++msgstr "Класс объектов записи сетевой группы в LDAP."
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:792
+@@ -16984,7 +18059,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:796
+ msgid "Default: nisNetgroup"
+-msgstr ""
++msgstr "По умолчанию: nisNetgroup"
+
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:802
+@@ -17019,7 +18094,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:830
+ msgid "Default: memberNisNetgroup"
+-msgstr ""
++msgstr "По умолчанию: memberNisNetgroup"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:836
+@@ -17040,7 +18115,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:846
+ msgid "Default: nisNetgroupTriple"
+-msgstr ""
++msgstr "По умолчанию: nisNetgroupTriple"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:852
+@@ -17065,7 +18140,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978
+ msgid "Default: ipService"
+-msgstr ""
++msgstr "По умолчанию: ipService"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:887
+@@ -17092,7 +18167,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:907
+ msgid "Default: fqdn"
+-msgstr ""
++msgstr "По умолчанию: fqdn"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:913
+@@ -17102,7 +18177,7 @@ msgstr "ldap_host_serverhostname (строка)"
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:920
+ msgid "Default: serverHostname"
+-msgstr ""
++msgstr "По умолчанию: serverHostname"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:926
+@@ -17174,7 +18249,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1004
+ msgid "Default: ipServicePort"
+-msgstr ""
++msgstr "По умолчанию: ipServicePort"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1010
+@@ -17190,7 +18265,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1017
+ msgid "Default: ipServiceProtocol"
+-msgstr ""
++msgstr "По умолчанию: ipServiceProtocol"
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap-attributes.5.xml:1026
+@@ -17210,7 +18285,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1036
+ msgid "Default: sudoRole"
+-msgstr ""
++msgstr "По умолчанию: sudoRole"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1042
+@@ -17235,7 +18310,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1062
+ msgid "Default: sudoCommand"
+-msgstr ""
++msgstr "По умолчанию: sudoCommand"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1068
+@@ -17252,7 +18327,7 @@ msgstr ""
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1076
+ msgid "Default: sudoHost"
+-msgstr ""
++msgstr "По умолчанию: sudoHost"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1082
+@@ -17269,7 +18344,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1089
+ msgid "Default: sudoUser"
+-msgstr ""
++msgstr "По умолчанию: sudoUser"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1095
+@@ -17284,7 +18359,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1102
+ msgid "Default: sudoOption"
+-msgstr ""
++msgstr "По умолчанию: sudoOption"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1108
+@@ -17301,7 +18376,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1115
+ msgid "Default: sudoRunAsUser"
+-msgstr ""
++msgstr "По умолчанию: sudoRunAsUser"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1121
+@@ -17318,7 +18393,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1128
+ msgid "Default: sudoRunAsGroup"
+-msgstr ""
++msgstr "По умолчанию: sudoRunAsGroup"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1134
+@@ -17335,7 +18410,7 @@ msgstr ""
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1141
+ msgid "Default: sudoNotBefore"
+-msgstr ""
++msgstr "По умолчанию: sudoNotBefore"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1147
+@@ -17352,7 +18427,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1155
+ msgid "Default: sudoNotAfter"
+-msgstr ""
++msgstr "По умолчанию: sudoNotAfter"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1161
+@@ -17367,7 +18442,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1168
+ msgid "Default: sudoOrder"
+-msgstr ""
++msgstr "По умолчанию: sudoOrder"
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap-attributes.5.xml:1177
+@@ -17392,7 +18467,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1194
+ msgid "Default: ipHost"
+-msgstr ""
++msgstr "По умолчанию: ipHost"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1200
+@@ -17419,7 +18494,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1220
+ msgid "Default: ipHostNumber"
+-msgstr ""
++msgstr "По умолчанию: ipHostNumber"
+
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap-attributes.5.xml:1229
+@@ -17439,7 +18514,7 @@ msgstr ""
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1239
+ msgid "Default: ipNetwork"
+-msgstr ""
++msgstr "По умолчанию: ipNetwork"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap-attributes.5.xml:1245
+@@ -17466,7 +18541,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap-attributes.5.xml:1265
+ msgid "Default: ipNetworkNumber"
+-msgstr ""
++msgstr "По умолчанию: ipNetworkNumber"
+
+ #. type: Content of: <variablelist><varlistentry><term>
+ #: include/autofs_attributes.xml:3
+@@ -17482,6 +18557,8 @@ msgstr ""
+ #: include/autofs_attributes.xml:9
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
++"По умолчанию: nisMap (rfc2307, autofs_provider=ad), в ином случае — "
++"automountMap"
+
+ #. type: Content of: <variablelist><varlistentry><term>
+ #: include/autofs_attributes.xml:16
+@@ -17498,6 +18575,8 @@ msgstr ""
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
++"По умолчанию: nisMapName (rfc2307, autofs_provider=ad), в ином случае — "
++"automountMapName"
+
+ #. type: Content of: <variablelist><varlistentry><term>
+ #: include/autofs_attributes.xml:29
+@@ -17515,6 +18594,8 @@ msgstr ""
+ #: include/autofs_attributes.xml:37
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
++"По умолчанию: nisObject (rfc2307, autofs_provider=ad), в ином случае — "
++"automount"
+
+ #. type: Content of: <variablelist><varlistentry><term>
+ #: include/autofs_attributes.xml:44
+@@ -17532,6 +18613,7 @@ msgstr ""
+ #: include/autofs_attributes.xml:51
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
++"По умолчанию: cn (rfc2307, autofs_provider=ad), в ином случае — automountKey"
+
+ #. 
type: Content of: <variablelist><varlistentry><term>
+ #: include/autofs_attributes.xml:58
+@@ -17544,11 +18626,13 @@ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
++"По умолчанию: nisMapEntry (rfc2307, autofs_provider=ad), в ином случае — "
++"automountInformation"
+
+ #. type: Content of: <refsect1><title>
+ #: include/service_discovery.xml:2
+ msgid "SERVICE DISCOVERY"
+-msgstr ""
++msgstr "ОБНАРУЖЕНИЕ СЛУЖБ"
+
+ #. type: Content of: <refsect1><para>
+ #: include/service_discovery.xml:4
+@@ -17603,7 +18687,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/service_discovery.xml:42
+ msgid "See Also"
+-msgstr ""
++msgstr "См. также"
+
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/service_discovery.xml:44
+@@ -17626,7 +18710,7 @@ msgstr ""
+ #. type: Content of: <refsect1><title>
+ #: include/failover.xml:2
+ msgid "FAILOVER"
+-msgstr ""
++msgstr "ОТРАБОТКА ОТКАЗА"
+
+ #. type: Content of: <refsect1><para>
+ #: include/failover.xml:4
+@@ -17716,7 +18800,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: include/failover.xml:76
+ msgid "dns_resolver_server_timeout"
+-msgstr ""
++msgstr "dns_resolver_server_timeout"
+
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: include/failover.xml:80
+@@ -17728,7 +18812,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: include/failover.xml:90
+ msgid "dns_resolver_op_timeout"
+-msgstr ""
++msgstr "dns_resolver_op_timeout"
+
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: include/failover.xml:94
+@@ -17741,7 +18825,7 @@ msgstr ""
+ #. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: include/failover.xml:106
+ msgid "dns_resolver_timeout"
+-msgstr ""
++msgstr "dns_resolver_timeout"
+
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: include/failover.xml:110
+@@ -17939,7 +19023,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+ msgid "Default: 200000"
+-msgstr ""
++msgstr "По умолчанию: 200000"
+
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:142
+@@ -17966,7 +19050,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:159
+ msgid "Default: 2000200000"
+-msgstr ""
++msgstr "По умолчанию: 2000200000"
+
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:164
+@@ -18461,7 +19545,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:23
+ msgid "%f"
+-msgstr ""
++msgstr "%f"
+
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:24
+@@ -18471,7 +19555,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:27
+ msgid "%l"
+-msgstr ""
++msgstr "%l"
+
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:28
+@@ -18486,7 +19570,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:35
+ msgid "%o"
+-msgstr ""
++msgstr "%o"
+
+ #. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:37
+@@ -18496,7 +19580,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:42
+ msgid "%H"
+-msgstr ""
++msgstr "%H"
+
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:44
+@@ -18529,6 +19613,8 @@ msgstr ""
+ #: include/override_homedir.xml:65
+ msgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
+ msgstr ""
++"По умолчанию: не задано (SSSD будет использовать значение, полученное от "
++"LDAP)"
+
+ #. type: Content of: <varlistentry><listitem><para>
+ #: include/override_homedir.xml:69
+@@ -18560,12 +19646,12 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para>
+ #: include/homedir_substring.xml:15
+ msgid "Default: /home"
+-msgstr ""
++msgstr "По умолчанию: /home"
+
+ #. type: Content of: <refsect1><title>
+ #: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+ msgid "MODIFIED DEFAULT OPTIONS"
+-msgstr ""
++msgstr "ИЗМЕНЁННЫЕ СТАНДАРТНЫЕ ПАРАМЕТРЫ"
+
+ #. type: Content of: <refsect1><para>
+ #: include/ad_modified_defaults.xml:4
+@@ -18583,7 +19669,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+ msgid "krb5_validate = true"
+-msgstr ""
++msgstr "krb5_validate = true"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:18
+@@ -18598,42 +19684,42 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:28
+ msgid "ldap_schema = ad"
+-msgstr ""
++msgstr "ldap_schema = ad"
+
+ #. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+ msgid "ldap_force_upper_case_realm = true"
+-msgstr ""
++msgstr "ldap_force_upper_case_realm = true"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:38
+ msgid "ldap_id_mapping = true"
+-msgstr ""
++msgstr "ldap_id_mapping = true"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:43
+ msgid "ldap_sasl_mech = GSS-SPNEGO"
+-msgstr ""
++msgstr "ldap_sasl_mech = GSS-SPNEGO"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:48
+ msgid "ldap_referrals = false"
+-msgstr ""
++msgstr "ldap_referrals = false"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:53
+ msgid "ldap_account_expire_policy = ad"
+-msgstr ""
++msgstr "ldap_account_expire_policy = ad"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+ msgid "ldap_use_tokengroups = true"
+-msgstr ""
++msgstr "ldap_use_tokengroups = true"
+
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:63
+ msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+-msgstr ""
++msgstr "ldap_sasl_authid = sAMAccountName@REALM (обычно SHORTNAME$@REALM)"
+
+ #. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:66
+diff --git a/src/man/po/uk.po b/src/man/po/uk.po
+index e9466997c..02ae32c87 100644
+--- a/src/man/po/uk.po
++++ b/src/man/po/uk.po
+@@ -16,7 +16,7 @@ msgstr ""
+ "Project-Id-Version: sssd-docs 2.3.0\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+ "POT-Creation-Date: 2021-07-12 20:51+0200\n"
+-"PO-Revision-Date: 2021-06-12 18:04+0000\n"
++"PO-Revision-Date: 2021-07-17 04:04+0000\n"
+ "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/"
+ "sssd-manpage-master/uk/>\n"
+@@ -26,7 +26,7 @@ msgstr ""
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+ "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+-"X-Generator: Weblate 4.6.2\n"
++"X-Generator: Weblate 4.7.1\n"
+
+ #. type: Content of: <reference><title>
+ #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+@@ -9727,13 +9727,6 @@ msgstr ""
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss_gss.8.xml:74
+-#, fuzzy
+-#| msgid ""
+-#| "Some Kerberos deployments allow to assocate authentication indicators "
+-#| "with a particular pre-authentication method used to obtain the ticket "
+-#| "granting ticket by the user. <command>pam_sss_gss.so</command> allows to "
+-#| "enforce presence of authentication indicators in the service tickets "
+-#| "before a particular PAM service can be accessed."
+ msgid ""
+ "Some Kerberos deployments allow to associate authentication indicators with "
+ "a particular pre-authentication method used to obtain the ticket granting "
+@@ -9879,12 +9872,6 @@ msgstr ""
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss_gss.8.xml:200
+-#, fuzzy
+-#| msgid ""
+-#| "3. 
Authentication does not work and syslog contains \"No Kerberos "
+-#| "credentials available\": You don't have any credentials that can be used "
+-#| "to obtain the required service ticket. Use kinit or autheticate over SSSD "
+-#| "to acquire those credentials."
+ msgid ""
+ "3. Authentication does not work and syslog contains \"No Kerberos "
+ "credentials available\": You don't have any credentials that can be used to "
+@@ -14488,13 +14475,6 @@ msgstr "Коригування швидкодії"
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:215
+-#, fuzzy
+-#| msgid ""
+-#| "SSSD uses different kinds of mechanisms with more or less complex LDAP "
+-#| "filters to keep the cached sudo rules up to date. The default "
+-#| "configuration is set to values that should satisfy most of our users, but "
+-#| "the following paragraps contains few tips on how to fine tune the "
+-#| "configuration to your requirements."
+ msgid ""
+ "SSSD uses different kinds of mechanisms with more or less complex LDAP "
+ "filters to keep the cached sudo rules up to date. The default configuration "
+@@ -16748,7 +16728,7 @@ msgstr "Обмежити процедуру скасування визначе
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sss_cache.8.xml:224
+ msgid "EFFECTS ON THE FAST MEMORY CACHE"
+-msgstr ""
++msgstr "ВПЛИВ НА ШВИДКИЙ КЕШ У ПАМ'ЯТІ"
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_cache.8.xml:226
+@@ -16765,6 +16745,17 @@ msgid ""
+ "kernel can release the occupied disk space and the old memory cache file is "
+ "finally removed completely."
+ msgstr ""
++"Крім того, <command>sss_cache</command> вимикає кеш у пам'яті. Оскільки кеш "
++"у пам'яті є файлом, копію якого програма створює у пам'яті кожного процесу, "
++"який викликає SSSD для визначення користувачів або груп, файл не може бути "
++"обрізано. 
У заголовку файла встановлюють спеціальний прапорець для "
++"позначення некоректності вмісту, а потім файл від'єднується відповідачем NSS "
++"SSSD і створюється новий файл кешу. Після цього, кожного разу, коли процес "
++"виконує новий пошук користувача або групи, він бачить цей прапорець, "
++"закриває старий файл кешу у пам'яті і відтворює новий файл у своїй пам'яті. "
++"Коли усі процеси, які відкривали старий файл кешу у пам'яті, закриють його "
++"під час пошуку користувача або групи, ядро може звільнити зайняте ним місце "
++"на диску і нарешті повністю вилучити застарілий файл кешу у пам'яті."
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_cache.8.xml:240
+@@ -16779,6 +16770,17 @@ msgid ""
+ "disk usage because old memory cache files cannot be removed from the disk "
+ "because they are still mapped by long running processes."
+ msgstr ""
++"Особливим випадком є процеси довготривалої дії, які виконують пошук "
++"користувачів або груп лише під час запуску, наприклад, щоб визначити назву "
++"облікового запису користувача, від імені якого запущено процес. Для таких "
++"пошуків файл кешу у пам'яті відображається до пам'яті процесу. Але оскільки "
++"подальших пошуків виконано не буде, цей процес ніколи не зможе визначити "
++"втрату чинності файлом кешу у пам'яті, а отже, файл лишатиметься у пам'яті і "
++"займатиме місце на диску аж до завершення процесом роботи. У результаті "
++"виклик <command>sss_cache</command> може збільшити обсяг використаного "
++"програмою місця на диску, оскільки вилучення застарілих файлів кешу у "
++"пам'яті виявиться неможливим, оскільки їх буде пов'язано із процесами "
++"довготривалої дії."
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_cache.8.xml:252
+@@ -16791,6 +16793,14 @@ msgid ""
+ "so that they meet the local expectations and calling <command>sss_cache</"
+ "command> is not needed."
+ msgstr ""
++"Можливим обхідним маневром у випадках процесів довготривалої дії, які "
++"виконують пошук користувачів та груп лише під час запуску або дуже нечасто, "
++"є запуск процесів із встановленим для змінної середовища "
++"SSS_NSS_USE_MEMCACHE значенням «NO», щоб вони взагалі не використовували кеш "
++"у пам'яті або не відображали файл кешу до своєї пам'яті. Загалом, кращим "
++"варіантом є коригування параметрів часу очікування кешування так, щоб вони "
++"відповідали конкретному випадку. Тоді виклик <command>sss_cache</command> "
++"стане непотрібним."
+
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+@@ -17947,10 +17957,8 @@ msgstr "Типове значення: /etc/group"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-files.5.xml:126
+-#, fuzzy
+-#| msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgid "fallback_to_nss (boolean)"
+-msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)"
++msgstr "fallback_to_nss (булеве значення)"
+
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-files.5.xml:129
+@@ -17961,6 +17969,11 @@ msgid ""
+ "<filename>/etc/group</filename> and the NSS configuration has 'sss' before "
+ "'files' for the 'passwd' and 'group' maps."
+ msgstr ""
++"Під час оновлення внутрішніх даних SSSD поверне повідомлення про помилку і "
++"надасть змогу клієнту продовжити роботу з наступним модулем NSS. Це "
++"допомагає уникнути затримок при використанні типових файлів системи "
++"<filename>/etc/passwd</filename> і <filename>/etc/group</filename>. "
++"Налаштування NSS містять «sss» до «files» для прив'язок «passwd» і «group»."
+
+ #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-files.5.xml:139
+@@ -17969,6 +17982,10 @@ msgid ""
+ "set this option to 'False' to avoid inconsistent behavior because in general "
+ "there would be no other NSS module which can be used as a fallback."
+ msgstr ""
++"Якщо надавача даних файлів налаштовано на спостереження за іншими файлами, "
++"має сенс встановлення для цього параметра значення False для уникнення "
++"несумісної поведінки, оскільки, загалом, не буде іншого модуля NSS, яким "
++"можна буде скористатися як резервним."
+
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:80
+--
+2.26.3
+
diff --git a/SOURCES/0003-DEBUG-journal_send-was-made-static.patch b/SOURCES/0003-DEBUG-journal_send-was-made-static.patch
deleted file mode 100644
index faa9c9e..0000000
--- a/SOURCES/0003-DEBUG-journal_send-was-made-static.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 833034f5332d2492d413a9c97fded1480b58bf14 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 21 Oct 2020 18:47:32 +0200
-Subject: [PATCH 3/4] DEBUG: journal_send() was made static
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
----
- src/util/debug.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/util/debug.c b/src/util/debug.c
-index 1d5f75e4d..c162987b9 100644
---- a/src/util/debug.c
-+++ b/src/util/debug.c
-@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...)
- }
-
- #ifdef WITH_JOURNALD
--errno_t journal_send(const char *file,
-+static errno_t journal_send(const char *file,
- long line,
- const char *function,
- int level,
---
-2.21.3
-
diff --git a/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch b/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
deleted file mode 100644
index 8352ea6..0000000
--- a/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 18233532b72e62452eac6886652fa633ba055d8c Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed, 21 Oct 2020 19:20:03 +0200 -Subject: [PATCH 4/4] DEBUG: fixes program identifier as seen in syslog -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name` -to accomodate needs of own SSSD logs, but this affected journal/syslog -as well. - -This patch amends situation: - - journal messages gets "umbrella" identifier "sssd[]" - - syslog uses default which is program name - -Resolves: https://github.com/SSSD/sssd/issues/5384 - -Reviewed-by: Tomáš Halman <thalman@redhat.com> ---- - src/util/debug.c | 2 +- - src/util/sss_log.c | 12 +++--------- - 2 files changed, 4 insertions(+), 10 deletions(-) - -diff --git a/src/util/debug.c b/src/util/debug.c -index c162987b9..f05b26500 100644 ---- a/src/util/debug.c -+++ b/src/util/debug.c -@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file, - "MESSAGE=%s", message, - "PRIORITY=%i", LOG_DEBUG, - "SSSD_DOMAIN=%s", domain, -- "SSSD_PRG_NAME=%s", debug_prg_name, -+ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name, - "SSSD_DEBUG_LEVEL=%x", level, - NULL); - ret = -res; -diff --git a/src/util/sss_log.c b/src/util/sss_log.c -index 48e73dbea..c6b7435c6 100644 ---- a/src/util/sss_log.c -+++ b/src/util/sss_log.c -@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format, - "SSSD_DOMAIN=%s", domain, - "PRIORITY=%i", syslog_priority, - "SYSLOG_FACILITY=%i", LOG_FAC(facility), -- "SYSLOG_IDENTIFIER=%s", debug_prg_name, -+ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name, - NULL); - - free(message); -@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format, - static void sss_log_internal(int priority, int facility, const char *format, - va_list ap) - { -- int syslog_priority; -- -- syslog_priority = 
sss_to_syslog(priority); -- -- openlog(debug_prg_name, 0, facility); -- -- vsyslog(syslog_priority, format, ap); -+ int syslog_priority = sss_to_syslog(priority); - -- closelog(); -+ vsyslog(facility|syslog_priority, format, ap); - } - - #endif /* WITH_JOURNALD */ --- -2.21.3 - diff --git a/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch b/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch deleted file mode 100644 index 8aeda8b..0000000 --- a/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Thu, 8 Oct 2020 12:18:41 +0200 -Subject: [PATCH 5/8] negcache: make sure domain config does not leak into - global - -Resolves: https://github.com/SSSD/sssd/issues/5238 - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> ---- - src/responder/common/negcache.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c -index ce1c0ab8c..139218420 100644 ---- a/src/responder/common/negcache.c -+++ b/src/responder/common/negcache.c -@@ -1050,6 +1050,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - } - } - -+ talloc_zfree(filter_list); - /* Populate non domain-specific negative cache user entries */ - ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_FILTER_USERS, &filter_list); -@@ -1185,6 +1186,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - } - } - -+ talloc_zfree(filter_list); - /* Populate non domain-specific negative cache group entries */ - ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_FILTER_GROUPS, &filter_list); --- -2.21.3 - 
diff --git a/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch b/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
deleted file mode 100644
index e3aeec3..0000000
--- a/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
+++ /dev/null
@@ -1,106 +0,0 @@ -From 385af99ff4d5a75d0c1edc9ad830da3eb7478295 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Thu, 8 Oct 2020 17:57:29 +0200 -Subject: [PATCH 6/8] utils: add SSS_GND_SUBDOMAINS flag for get_next_domain() - -To allow to only iterate over a singel domain an its sub-domains a new -flag is added to get_next_domain(). - -Resolves: https://github.com/SSSD/sssd/issues/5238 - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> ---- - src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++ - src/util/domain_info_utils.c | 10 +++++++--- - src/util/util.h | 4 ++++ - 3 files changed, 42 insertions(+), 3 deletions(-) - -diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c -index 945f5cb44..d77a972c1 100644 ---- a/src/tests/cmocka/test_utils.c -+++ b/src/tests/cmocka/test_utils.c -@@ -877,6 +877,37 @@ static void test_get_next_domain_flags(void **state) - - dom = get_next_domain(dom, gnd_flags); - assert_null(dom); -+ -+ /* Descend only to subdomains */ -+ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED; -+ -+ dom = get_next_domain(test_ctx->dom_list, gnd_flags); -+ assert_non_null(dom); -+ assert_string_equal(dom->name, "sub1a"); -+ -+ dom = get_next_domain(dom, gnd_flags); -+ assert_null(dom); -+ -+ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true, -+ SSS_GND_ALL_DOMAINS); -+ assert_non_null(dom); -+ assert_string_equal(dom->name, "dom2"); -+ -+ dom = get_next_domain(dom, gnd_flags); -+ assert_non_null(dom); -+ assert_string_equal(dom->name, "sub2a"); -+ -+ dom = get_next_domain(dom, gnd_flags); -+ assert_non_null(dom); -+ assert_string_equal(dom->name, "sub2b"); -+ -+ dom = get_next_domain(dom, gnd_flags); -+ assert_null(dom); -+ -+ /* Expect NULL if the domain has no sub-domains */ -+ test_ctx->dom_list->subdomains = NULL; -+ dom = get_next_domain(test_ctx->dom_list, gnd_flags); -+ assert_null(dom); - } - - struct name_init_test_ctx { -diff --git a/src/util/domain_info_utils.c 
b/src/util/domain_info_utils.c -index aa3582f03..4d4726daa 100644 ---- a/src/util/domain_info_utils.c -+++ b/src/util/domain_info_utils.c -@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain, - uint32_t gnd_flags) - { - struct sss_domain_info *dom; -- bool descend = gnd_flags & SSS_GND_DESCEND; -+ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS); - bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED; -+ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS; - - dom = domain; - while (dom) { - if (descend && dom->subdomains) { - dom = dom->subdomains; -- } else if (dom->next) { -+ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) { - dom = dom->next; -- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) { -+ } else if (dom->next && !only_subdomains) { -+ dom = dom->next; -+ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom) -+ && dom->parent->next) { - dom = dom->parent->next; - } else { - dom = NULL; -diff --git a/src/util/util.h b/src/util/util.h -index fbcac5cd0..581c0edfb 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -565,7 +565,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain); - - #define SSS_GND_DESCEND 0x01 - #define SSS_GND_INCLUDE_DISABLED 0x02 -+/* Descend to sub-domains of current domain but do not go to next parent */ -+#define SSS_GND_SUBDOMAINS 0x04 - #define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED) -+#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED) -+ - struct sss_domain_info *get_next_domain(struct sss_domain_info *domain, - uint32_t gnd_flags); - struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain, --- -2.21.3 - diff --git a/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch b/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch deleted file mode 100644 index 9d405fc..0000000 
--- a/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch
+++ /dev/null
@@ -1,443 +0,0 @@ -From 0dc81a52e2836010974e9f71b1f3e47c20fd498d Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Fri, 9 Oct 2020 11:56:21 +0200 -Subject: [PATCH 7/8] negcache: make sure short names are added to sub-domains - -If short names are used with filter_users or filter_groups in a -[domain/...] section they should be added to the sub-domains of this -domain as well. - -Resolves: https://github.com/SSSD/sssd/issues/5238 - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> ---- - src/responder/common/negcache.c | 105 +++++++------ - src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++ - 2 files changed, 312 insertions(+), 47 deletions(-) - -diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c -index 139218420..9ee39ce3e 100644 ---- a/src/responder/common/negcache.c -+++ b/src/responder/common/negcache.c -@@ -971,6 +971,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - char *name = NULL; - struct sss_domain_info *dom = NULL; - struct sss_domain_info *domain_list = rctx->domains; -+ struct sss_domain_info *ddom; - char *domainname = NULL; - char *conf_path = NULL; - TALLOC_CTX *tmpctx = talloc_new(NULL); -@@ -1013,39 +1014,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - continue; - } - -- if (domainname && strcmp(domainname, dom->name)) { -- DEBUG(SSSDBG_TRACE_FUNC, -- "Mismatch between domain name (%s) and name " -- "set in FQN (%s), assuming %s is UPN\n", -- dom->name, domainname, filter_list[i]); -- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); -+ /* Check domain and its sub-domains */ -+ for (ddom = dom; ddom != NULL; -+ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) { -+ -+ if (domainname && strcmp(domainname, ddom->name)) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Mismatch between domain name (%s) and name " -+ "set in FQN (%s), assuming %s is UPN\n", -+ ddom->name, domainname, filter_list[i]); -+ ret = sss_ncache_set_upn(ncache, true, ddom, 
filter_list[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sss_ncache_set_upn failed (%d [%s]), ignored\n", -+ ret, sss_strerror(ret)); -+ } -+ continue; -+ } -+ -+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); -+ if (fqname == NULL) { -+ continue; -+ } -+ -+ ret = sss_ncache_set_upn(ncache, true, ddom, fqname); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sss_ncache_set_upn failed (%d [%s]), ignored\n", - ret, sss_strerror(ret)); - } -- continue; -- } -- -- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); -- if (fqname == NULL) { -- continue; -- } -- -- ret = sss_ncache_set_upn(ncache, true, dom, fqname); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "sss_ncache_set_upn failed (%d [%s]), ignored\n", -- ret, sss_strerror(ret)); -- } -- ret = sss_ncache_set_user(ncache, true, dom, fqname); -- talloc_zfree(fqname); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to store permanent user filter for [%s]" -- " (%d [%s])\n", filter_list[i], -- ret, sss_strerror(ret)); -- continue; -+ ret = sss_ncache_set_user(ncache, true, ddom, fqname); -+ talloc_zfree(fqname); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to store permanent user filter for [%s]" -+ " (%d [%s])\n", filter_list[i], -+ ret, sss_strerror(ret)); -+ continue; -+ } - } - } - } -@@ -1161,27 +1167,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - continue; - } - -- if (domainname && strcmp(domainname, dom->name)) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Mismatch between domain name (%s) and name " -- "set in FQN (%s), skipping group %s\n", -- dom->name, domainname, name); -- continue; -- } -+ /* Check domain and its sub-domains */ -+ for (ddom = dom; -+ ddom != NULL && (ddom == dom || ddom->parent != NULL); -+ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) { -+ if (domainname && strcmp(domainname, ddom->name)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Mismatch between domain name (%s) and name " -+ "set in FQN (%s), 
skipping group %s\n", -+ ddom->name, domainname, name); -+ continue; -+ } - -- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); -- if (fqname == NULL) { -- continue; -- } -+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); -+ if (fqname == NULL) { -+ continue; -+ } - -- ret = sss_ncache_set_group(ncache, true, dom, fqname); -- talloc_zfree(fqname); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to store permanent group filter for [%s]" -- " (%d [%s])\n", filter_list[i], -- ret, strerror(ret)); -- continue; -+ ret = sss_ncache_set_group(ncache, true, ddom, fqname); -+ talloc_zfree(fqname); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to store permanent group filter for [%s]" -+ " (%d [%s])\n", filter_list[i], -+ ret, strerror(ret)); -+ continue; -+ } - } - } - } -diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c -index b3a379227..fb306b110 100644 ---- a/src/tests/cmocka/test_negcache.c -+++ b/src/tests/cmocka/test_negcache.c -@@ -119,6 +119,8 @@ static int setup(void **state) - int ret; - struct test_state *ts; - -+ test_dom_suite_setup(TESTS_PATH); -+ - ts = talloc(NULL, struct test_state); - assert_non_null(ts); - -@@ -133,6 +135,7 @@ static int setup(void **state) - static int teardown(void **state) - { - struct test_state *ts = talloc_get_type_abort(*state, struct test_state); -+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); - talloc_free(ts); - return 0; - } -@@ -921,6 +924,255 @@ static void test_sss_ncache_reset_prepopulate(void **state) - assert_int_equal(ret, EEXIST); - } - -+/* The main purpose of test_sss_ncache_short_name_in_domain is to test that -+ * short names in the filter_users or filter_groups options in a [domain/...] -+ * section are properly added to the related sub-domains as well (if there are -+ * any) and not added to domains from other [domain/...] sections. 
For -+ * completeness entries with fully-qualified names of the parent and the -+ * sub-domain and the generic UPN are added as well. -+ * -+ * The result should of course be independent of the present domains. To -+ * verify this the domains are added one after the other and the negative -+ * cache is repopulated each time. -+ * -+ * With the given domains, users and group we have to following expectations: -+ * - the short name entry will be added to the domain and all sub-domains as -+ * name and as upn by expanding it to a fully-qualified name with the -+ * domain name or sub-domain name respectively -+ * - the fully-qualified name from the parent domain is added as name and upn -+ * to the parent domain and as upn to all sub-domains -+ * - the fully-qualified name from the sub-domain is added as name to the -+ * sub-domain and as upn to the parent and all sub-domains -+ * - the generic upn is nowhere added as name and as upn to the parent and all -+ * sub-domains -+ * - none of the names is added to a different parent domain -+ * -+ * The following table should illustrated the expectations: -+ * -+ * user (name): -+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom -+ *-----------------+-----------+-----------------------+--------------------------+------------ -+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING -+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING -+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING -+ * -+ * user (upn): -+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom -+ *-----------------+-----------+-----------------------+--------------------------+------------ -+ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT -+ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT -+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING -+ * -+ * -+ * -+ * groups: -+ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME -+ 
*-----------------+------------+-----------------------+------------------------- -+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING -+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT -+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING -+ * -+ * -+ * The following expect_*() implement checks for the expextations: -+ */ -+ -+static void expect_in_parent(struct sss_nc_ctx *ncache, -+ struct sss_domain_info *dom) -+{ -+ int ret; -+ -+ ret = check_user_in_ncache(ncache, dom, "shortuser"); -+ assert_int_equal(ret, EEXIST); -+ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, dom, "parentu"); -+ assert_int_equal(ret, EEXIST); -+ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, dom, "subdomu"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, dom, "upn"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom"); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_group_in_ncache(ncache, dom, "shortgroup"); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_group_in_ncache(ncache, dom, "parentg"); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_group_in_ncache(ncache, dom, "subdomg"); -+ assert_int_equal(ret, ENOENT); -+} -+ -+static void expect_in_subdomain(struct sss_nc_ctx *ncache, -+ struct sss_domain_info *sub_dom) -+{ -+ int ret; -+ -+ ret = check_user_in_ncache(ncache, sub_dom, "shortuser"); -+ assert_int_equal(ret, EEXIST); -+ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, sub_dom, "subdomu"); -+ assert_int_equal(ret, EEXIST); -+ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME); -+ 
assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, sub_dom, "upn"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom"); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_user_in_ncache(ncache, sub_dom, "parentu"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME); -+ assert_int_equal(ret, EEXIST); -+ -+ -+ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup"); -+ assert_int_equal(ret, EEXIST); -+ -+ ret = check_group_in_ncache(ncache, sub_dom, "parentg"); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_group_in_ncache(ncache, sub_dom, "subdomg"); -+ assert_int_equal(ret, EEXIST); -+} -+static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, -+ struct sss_domain_info *dom2) -+{ -+ int ret; -+ -+ ret = check_user_in_ncache(ncache, dom2, "shortuser"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_user_in_ncache(ncache, dom2, "parentu"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_user_in_ncache(ncache, dom2, "subdomu"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_user_in_ncache(ncache, dom2, "upn"); -+ assert_int_equal(ret, ENOENT); -+ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom"); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_group_in_ncache(ncache, dom2, "shortgroup"); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_group_in_ncache(ncache, dom2, "parentg"); -+ assert_int_equal(ret, ENOENT); -+ -+ ret = check_group_in_ncache(ncache, dom2, "subdomg"); -+ assert_int_equal(ret, ENOENT); -+} -+ -+static void test_sss_ncache_short_name_in_domain(void **state) -+{ -+ int ret; -+ 
struct test_state *ts; -+ struct tevent_context *ev; -+ struct sss_nc_ctx *ncache; -+ struct sss_test_ctx *tc; -+ struct sss_domain_info *dom; -+ struct sss_domain_info *dom2; -+ struct sss_domain_info *sub_dom; -+ -+ struct sss_test_conf_param params[] = { -+ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", " -+ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" }, -+ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", " -+ "subdomg@sub"TEST_DOM_NAME }, -+ { NULL, NULL }, -+ }; -+ -+ const char *nss_filter_users[] = { params[0].value, NULL}; -+ const char *nss_filter_groups[] = { params[1].value, NULL}; -+ -+ ts = talloc_get_type_abort(*state, struct test_state); -+ -+ ev = tevent_context_init(ts); -+ assert_non_null(ev); -+ -+ dom = talloc_zero(ts, struct sss_domain_info); -+ assert_non_null(dom); -+ dom->name = discard_const_p(char, TEST_DOM_NAME); -+ sss_domain_set_state(dom, DOM_ACTIVE); -+ -+ ts->nctx = mock_nctx(ts); -+ assert_non_null(ts->nctx); -+ -+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB, -+ TEST_DOM_NAME, TEST_ID_PROVIDER, params); -+ assert_non_null(tc); -+ -+ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME, -+ "filter_users", nss_filter_users); -+ assert_int_equal(ret, EOK); -+ -+ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME, -+ "filter_groups", nss_filter_groups); -+ assert_int_equal(ret, EOK); -+ -+ ncache = ts->ctx; -+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); -+ assert_non_null(ts->rctx); -+ ts->rctx->cdb = tc->confdb; -+ -+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); -+ assert_int_equal(ret, EOK); -+ -+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); -+ assert_int_equal(ret, EOK); -+ -+ /* Add another domain */ -+ dom2 = talloc_zero(ts, struct sss_domain_info); -+ assert_non_null(dom2); -+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2"); -+ sss_domain_set_state(dom2, DOM_ACTIVE); -+ dom->next = dom2; -+ dom2->names = dom->names; -+ -+ 
expect_in_parent(ncache, dom); -+ expect_no_entries_in_dom(ncache, dom2); -+ -+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); -+ assert_int_equal(ret, EOK); -+ -+ expect_in_parent(ncache, dom); -+ expect_no_entries_in_dom(ncache, dom2); -+ -+ /* Add a sub domain */ -+ sub_dom = talloc_zero(ts, struct sss_domain_info); -+ assert_non_null(sub_dom); -+ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME); -+ sss_domain_set_state(sub_dom, DOM_ACTIVE); -+ sub_dom->parent = dom; -+ dom->subdomains = sub_dom; -+ sub_dom->names = dom->names; -+ -+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); -+ assert_int_equal(ret, EOK); -+ -+ expect_in_parent(ncache, dom); -+ expect_in_subdomain(ncache, sub_dom); -+ expect_no_entries_in_dom(ncache, dom2); -+} -+ - static void test_sss_ncache_reset(void **state) - { - errno_t ret; -@@ -1083,6 +1335,8 @@ int main(void) - setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate, - setup, teardown), -+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, -+ setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_ncache_reset, - setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, --- -2.21.3 - diff --git a/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch b/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch deleted file mode 100644 index 17ce2db..0000000 --- a/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Fri, 9 Oct 2020 15:26:39 +0200 -Subject: [PATCH 8/8] negcache: do not use default_domain_suffix - -When splitting the names from the filter_users and filter_groups options -do not use the default_domain_suffix because it will hide that the -original name is a short name and should be added everywhere. - -Additionally this patch fixes a typo where sss_parse_name() was used -instead of sss_parse_name_for_domains(). - -Resolves: https://github.com/SSSD/sssd/issues/5238 - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> ---- - src/responder/common/negcache.c | 29 +++++++++++++++-------------- - src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++-- - 2 files changed, 35 insertions(+), 16 deletions(-) - -diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c -index 9ee39ce3e..59e8ad7e7 100644 ---- a/src/responder/common/negcache.c -+++ b/src/responder/common/negcache.c -@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - - for (i = 0; (filter_list && filter_list[i]); i++) { - ret = sss_parse_name_for_domains(tmpctx, domain_list, -- rctx->default_domain, -+ NULL, - filter_list[i], - &domainname, &name); - if (ret == EAGAIN) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "cannot add [%s] to negcache because the required or " -- "default domain are not known yet\n", filter_list[i]); -+ "Can add [%s] only as UPN to negcache because the " -+ "required domain is not known yet\n", filter_list[i]); - } else if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid name in filterUsers list: [%s] (%d)\n", -@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - - for (i = 0; (filter_list && filter_list[i]); i++) { - ret = sss_parse_name_for_domains(tmpctx, domain_list, -- rctx->default_domain, filter_list[i], -+ NULL, filter_list[i], - &domainname, &name); - if (ret == 
EAGAIN) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "Cannot add [%s] to negcache because the required or " -- "default domain are not known yet\n", filter_list[i]); -+ "Can add [%s] only as UPN to negcache because the " -+ "required domain is not known yet\n", filter_list[i]); - } else if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid name in filterUsers list: [%s] (%d)\n", -@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - if (ret != EOK) goto done; - - for (i = 0; (filter_list && filter_list[i]); i++) { -- ret = sss_parse_name(tmpctx, dom->names, filter_list[i], -- &domainname, &name); -+ ret = sss_parse_name_for_domains(tmpctx, domain_list, -+ NULL, filter_list[i], -+ &domainname, &name); - if (ret != EOK) { -+ /* Groups do not have UPNs, so domain names, if present, -+ * must be known */ - DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid name in filterGroups list: [%s] (%d)\n", - filter_list[i], ret); -@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, - - for (i = 0; (filter_list && filter_list[i]); i++) { - ret = sss_parse_name_for_domains(tmpctx, domain_list, -- rctx->default_domain, filter_list[i], -+ NULL, filter_list[i], - &domainname, &name); -- if (ret == EAGAIN) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Cannot add [%s] to negcache because the required or " -- "default domain are not known yet\n", filter_list[i]); -- } else if (ret != EOK) { -+ if (ret != EOK) { -+ /* Groups do not have UPNs, so domain names, if present, -+ * must be known */ - DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid name in filterGroups list: [%s] (%d)\n", - filter_list[i], ret); -diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c -index fb306b110..30218d52a 100644 ---- a/src/tests/cmocka/test_negcache.c -+++ b/src/tests/cmocka/test_negcache.c -@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state) - * - * The result should of course be independent of the present domains. 
To - * verify this the domains are added one after the other and the negative -- * cache is repopulated each time. -+ * cache is repopulated each time. The result should be also independent of -+ * the setting of default_domain_suffix option which is tested by -+ * test_sss_ncache_short_name_in_domain_with_prefix. - * - * With the given domains, users and group we have to following expectations: - * - the short name entry will be added to the domain and all sub-domains as -@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, - assert_int_equal(ret, ENOENT); - } - --static void test_sss_ncache_short_name_in_domain(void **state) -+static void run_sss_ncache_short_name_in_domain(void **state, -+ bool use_default_domain_prefix) - { - int ret; - struct test_state *ts; -@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state) - ncache = ts->ctx; - ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); - assert_non_null(ts->rctx); -+ if (use_default_domain_prefix) { -+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME); -+ } - ts->rctx->cdb = tc->confdb; - - ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); -@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state) - expect_no_entries_in_dom(ncache, dom2); - } - -+static void test_sss_ncache_short_name_in_domain(void **state) -+{ -+ run_sss_ncache_short_name_in_domain(state, false); -+} -+ -+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state) -+{ -+ run_sss_ncache_short_name_in_domain(state, true); -+} -+ - static void test_sss_ncache_reset(void **state) - { - errno_t ret; -@@ -1337,6 +1353,8 @@ int main(void) - setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, - setup, teardown), -+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix, -+ setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_ncache_reset, - setup, teardown), - 
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
---
-2.21.3
-
diff --git a/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch b/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
deleted file mode 100644
index 032f1c4..0000000
--- a/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 9 Dec 2020 14:07:22 +0100
-Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
-
-Previous unefficient code encoded the secret multiple times:
- secret -> base64 -> masterkey -> base64
-
-To allow smooth upgrade for already existant ccache we need to also decode
-the secret if it is still in the old format (type == simple). Otherwise
-users are not able to log in.
-
-Resolves: https://github.com/SSSD/sssd/issues/5349
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
-index 726711ac4..ea5c8f9ee 100644
---- a/src/responder/kcm/kcmsrv_ccache_secdb.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
-@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-+ if (strcmp(datatype, "simple") == 0) {
-+ /* The secret is stored in b64 encoding, we need to decode it first. */
-+ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
-+ if (data == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
- buf = sss_iobuf_init_steal(tmp_ctx, data, len);
- if (buf == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
---
-2.21.3
-
diff --git a/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch b/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch
deleted file mode 100644
index 8e76f9a..0000000
--- a/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 17 Nov 2020 12:59:23 +0100
-Subject: [PATCH] nss: check if groups are filtered during initgroups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If groups are filtered, i.e. SSSD should not handle them, they should
-not appear in the group list returned by an initgroups request.
-
-Resolves: https://github.com/SSSD/sssd/issues/5403
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++
- src/tests/intg/test_ldap.py | 12 +++++++++
- 2 files changed, 47 insertions(+)
-
-diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
-index 8f1d3fe81..135b392f7 100644
---- a/src/responder/nss/nss_protocol_grent.c
-+++ b/src/responder/nss/nss_protocol_grent.c
-@@ -326,6 +326,34 @@ done:
- return EOK;
- }
-
-+static bool is_group_filtered(struct sss_nc_ctx *ncache,
-+ struct sss_domain_info *domain,
-+ const char *grp_name, gid_t gid)
-+{
-+ int ret;
-+
-+ if (grp_name == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Group with gid [%"SPRIgid"] has no name, this should never "
-+ "happen, trying to continue without.\n", gid);
-+ } else {
-+ ret = sss_ncache_check_group(ncache, domain, grp_name);
-+ if (ret == EEXIST) {
-+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "
-+ "(negative cache)", grp_name);
-+ return true;
-+ }
-+ }
-+ ret = sss_ncache_check_gid(ncache, domain, gid);
-+ if (ret == EEXIST) {
-+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "
-+ "(negative cache)", gid);
-+ return true;
-+ }
-+
-+ return false;
-+}
-+
- errno_t
- nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- struct nss_cmd_ctx *cmd_ctx,
-@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- size_t body_len;
- size_t rp;
- gid_t gid;
-+ const char *grp_name;
- gid_t orig_gid;
- errno_t ret;
- int i;
-@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
- 0);
- posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
-+ grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
-+ NULL);
-
- if (gid == 0) {
- if (posix != NULL && strcmp(posix, "FALSE") == 0) {
-@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- }
- }
-
-+ if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
-+ continue;
-+ }
-+
- SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);
- num_results++;
-
-diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
-index 194d7d9cc..6a78c960f 100644
---- a/src/tests/intg/test_ldap.py
-+++ b/src/tests/intg/test_ldap.py
-@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):
- with pytest.raises(KeyError):
- grp.getgrgid(14)
-
-+ # test initgroups - user1 is member of group_two_one_user_groups (2019)
-+ # which is filtered out
-+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)
-+ assert res == sssd_id.NssReturnCode.SUCCESS
-+
-+ user_with_group_ids = [2001, 2012, 2015, 2017, 2018]
-+ assert sorted(gids) == sorted(user_with_group_ids), \
-+ "result: %s\n expected %s" % (
-+ ", ".join(["%s" % s for s in sorted(gids)]),
-+ ", ".join(["%s" % s for s in sorted(user_with_group_ids)])
-+ )
-+
-
- @pytest.fixture
- def sanity_nss_filter_cached(request, ldap_conn):
---
-2.21.3
-
diff --git a/SOURCES/0011-ifp-fix-use-after-free.patch b/SOURCES/0011-ifp-fix-use-after-free.patch
deleted file mode 100644
index 8e42b4d..0000000
--- a/SOURCES/0011-ifp-fix-use-after-free.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 3 Nov 2020 10:12:15 +0100
-Subject: [PATCH] ifp: fix use-after-free
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable fqdn is pointing to some data from state->res->msgs[0]. But
-before fqdn is used in the next search state->res and the memory
-hierarchy below is freed. As a result the location where fqdn is pointing
-to might hold the expected data or other data and the search will fail
-intermittently.
-
-Resolves: https://github.com/SSSD/sssd/issues/5382
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/responder/ifp/ifpsrv_cmd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
-index 9f20bf2db..d95618127 100644
---- a/src/responder/ifp/ifpsrv_cmd.c
-+++ b/src/responder/ifp/ifpsrv_cmd.c
-@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
- tevent_req_error(req, ERR_INTERNAL);
- return;
- }
-+ fqdn = talloc_steal(state, fqdn);
-
- if (state->search_type == SSS_DP_USER) {
- /* throw away the result and perform attr search */
---
-2.21.3
-
diff --git a/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch b/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch
deleted file mode 100644
index 8e87526..0000000
--- a/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 19 Nov 2020 18:05:00 +0100
-Subject: [PATCH] ifp: fix original fix use-after-free
-
-The original fix stole the fqdn too earlier. Only for SSS_DP_USER
-requests the steal is important. For other request where the first
-result is returned to the caller the original version
-might even cause issues since the name does not belong to the memory
-hierarchy of the result anymore.
-
-Resolves: https://github.com/SSSD/sssd/issues/5382
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/responder/ifp/ifpsrv_cmd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
-index d95618127..8cf1ec84c 100644
---- a/src/responder/ifp/ifpsrv_cmd.c
-+++ b/src/responder/ifp/ifpsrv_cmd.c
-@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
- tevent_req_error(req, ERR_INTERNAL);
- return;
- }
-- fqdn = talloc_steal(state, fqdn);
-
- if (state->search_type == SSS_DP_USER) {
-- /* throw away the result and perform attr search */
-+ /* throw away the result but keep the fqdn and perform attr search */
-+ fqdn = talloc_steal(state, fqdn);
- talloc_zfree(state->res);
-
- ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
---
-2.21.3
-
diff --git a/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch b/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
deleted file mode 100644
index c374782..0000000
--- a/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 1b9b7f5a635ede8eee90d13bfe0e1f87e51191a9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 13 Nov 2020 12:59:39 +0100
-Subject: [PATCH 13/16] pam_sss: use unique id for gdm choice list
-
-Currently the key-id read from the Smartcard is used as key value for
-the gdm choice list dialog. Since it might be possible that multiple
-certificates use the same key and hence the same key-id this is not a
-suitable value.
-
-With this patch the string representation of a numerical counter is used.
-
-Resolves: https://github.com/SSSD/sssd/issues/5400
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/sss_client/pam_sss.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index b844d257e..04dfdb55d 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -128,6 +128,7 @@ struct cert_auth_info {
- char *key_id;
- char *prompt_str;
- char *pam_cert_user;
-+ char *choice_list_id;
- struct cert_auth_info *prev;
- struct cert_auth_info *next;
- };
-@@ -141,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
- free(cai->module_name);
- free(cai->key_id);
- free(cai->prompt_str);
-+ free(cai->choice_list_id);
- free(cai);
- }
- }
-@@ -1698,7 +1700,15 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
- ret = ENOMEM;
- goto done;
- }
-- request->list.items[c].key = cai->key_id;
-+ free(cai->choice_list_id);
-+ ret = asprintf(&cai->choice_list_id, "%zu", c);
-+ if (ret == -1) {
-+ cai->choice_list_id = NULL;
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ request->list.items[c].key = cai->choice_list_id;
- request->list.items[c++].text = prompt;
- }
-
-@@ -1719,7 +1729,7 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
- }
-
- DLIST_FOR_EACH(cai, pi->cert_list) {
-- if (strcmp(response->key, cai->key_id) == 0) {
-+ if (strcmp(response->key, cai->choice_list_id) == 0) {
- pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
- pi->selected_cert = cai;
- ret = 0;
---
-2.21.3
-
diff --git a/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch b/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch
deleted file mode 100644
index 741fc5d..0000000
--- a/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch
+++ /dev/null
@@ -1,1072 +0,0 @@
-From 8b6be52e95e953ae0431676de0b8c8be7a3262bc Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 13 Nov 2020 18:05:14 +0100
-Subject: [PATCH 14/16] authtok: add label to Smartcard token
-
-The key-id might not be sufficient to identify a certificate on a
-Smartcard since it is possible that multiple certificates will use the
-same key.
-
-This patch adds the certificate label to the Smartcard authtok item to
-resolve the ambiguity if the key-id is used for multiple certificates.
-
-Resolves: https://github.com/SSSD/sssd/issues/5400
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/p11_child/p11_child.h | 3 +-
- src/p11_child/p11_child_common.c | 12 +++--
- src/p11_child/p11_child_openssl.c | 16 +++++--
- src/providers/krb5/krb5_child.c | 14 +++++-
- src/responder/pam/pamsrv_cmd.c | 5 +-
- src/responder/pam/pamsrv_p11.c | 8 +++-
- src/sss_client/pam_sss.c | 3 ++
- src/tests/cmocka/test_authtok.c | 36 +++++++++------
- src/tests/cmocka/test_pam_srv.c | 65 ++++++++++++++------------
- src/util/authtok-utils.c | 30 ++++++++++--
- src/util/authtok-utils.h | 11 ++++-
- src/util/authtok.c | 77 +++++++++++++++++++++++++------
- src/util/authtok.h | 14 +++++-
- 13 files changed, 214 insertions(+), 80 deletions(-)
-
-diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
-index 0b53e70c5..9c0cefe05 100644
---- a/src/p11_child/p11_child.h
-+++ b/src/p11_child/p11_child.h
-@@ -68,7 +68,8 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
- errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
- enum op_mode mode, const char *pin,
- const char *module_name_in, const char *token_name_in,
-- const char *key_id_in, const char *uri, char **_multi);
-+ const char *key_id_in, const char *label,
-+ const char *uri, char **_multi);
-
- errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
- struct cert_verify_opts **cert_verify_opts);
-diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
-index 236d7dac4..f17de1a9e 100644
---- a/src/p11_child/p11_child_common.c
-+++ b/src/p11_child/p11_child_common.c
-@@ -60,7 +60,8 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
- bool wait_for_card,
- const char *cert_b64, const char *pin,
- const char *module_name, const char *token_name,
-- const char *key_id, const char *uri, char **multi)
-+ const char *key_id, const char *label, const char *uri,
-+ char **multi)
- {
- int ret;
- struct p11_ctx *p11_ctx;
-@@ -91,7 +92,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
- }
- } else {
- ret = do_card(mem_ctx, p11_ctx, mode, pin,
-- module_name, token_name, key_id, uri, multi);
-+ module_name, token_name, key_id, label, uri, multi);
- }
-
- done:
-@@ -158,6 +159,7 @@ int main(int argc, const char *argv[])
- char *module_name = NULL;
- char *token_name = NULL;
- char *key_id = NULL;
-+ char *label = NULL;
- char *cert_b64 = NULL;
- bool wait_for_card = false;
- char *uri = NULL;
-@@ -194,6 +196,8 @@ int main(int argc, const char *argv[])
- _("Token name for authentication"), NULL},
- {"key_id", 0, POPT_ARG_STRING, &key_id, 0,
- _("Key ID for authentication"), NULL},
-+ {"label", 0, POPT_ARG_STRING, &label, 0,
-+ _("Label for authentication"), NULL},
- {"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
- _("certificate to verify, base64 encoded"), NULL},
- {"uri", 0, POPT_ARG_STRING, &uri, 0,
-@@ -340,6 +344,7 @@ int main(int argc, const char *argv[])
- }
- talloc_steal(main_ctx, debug_prg_name);
-
-+ /* We do not require the label, but it is recommended */
- if (mode == OP_AUTH && (module_name == NULL || token_name == NULL
- || key_id == NULL)) {
- DEBUG(SSSDBG_FATAL_FAILURE,
-@@ -369,7 +374,8 @@ int main(int argc, const char *argv[])
- }
-
- ret = do_work(main_ctx, mode, ca_db, cert_verify_opts, wait_for_card,
-- cert_b64, pin, module_name, token_name, key_id, uri, &multi);
-+ cert_b64, pin, module_name, token_name, key_id, label, uri,
-+ &multi);
- if (ret != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
- goto fail;
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index 04b3e1467..d81a1a9ea 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -1587,7 +1587,8 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
- errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
- enum op_mode mode, const char *pin,
- const char *module_name_in, const char *token_name_in,
-- const char *key_id_in, const char *uri_str, char **_multi)
-+ const char *key_id_in, const char *label_in,
-+ const char *uri_str, char **_multi)
- {
- int ret;
- size_t c;
-@@ -1845,11 +1846,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
- DLIST_FOR_EACH(item, all_cert_list) {
- /* Check if we found the certificates we needed for authentication or
- * the requested ones for pre-auth. For authentication all attributes
-- * must be given and match, for pre-auth only the given ones must
-- * match. */
-- DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
-+ * except the label must be given and match. The label is optional for
-+ * authentication but if given it must match as well. For pre-auth
-+ * only the given ones must match. */
-+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s %s.\n",
- module_name_in, module_file_name, token_name_in, token_name,
-- key_id_in, item->id);
-+ key_id_in, label_in == NULL ? "- no label given-" : label_in,
-+ item->id);
-
- if ((mode == OP_AUTH
- && module_name_in != NULL
-@@ -1857,6 +1860,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
- && key_id_in != NULL
- && item->id != NULL
- && strcmp(key_id_in, item->id) == 0
-+ && (label_in == NULL
-+ || (label_in != NULL && item->label != NULL
-+ && strcmp(label_in, item->label) == 0))
- && strcmp(token_name_in, token_name) == 0
- && strcmp(module_name_in, module_file_name) == 0)
- || (mode == OP_PREAUTH
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 6e2bf6d75..cab7b27a2 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -714,7 +714,7 @@ static krb5_error_code answer_pkinit(krb5_context ctx,
- kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
- &token_name, NULL,
- &module_name, NULL,
-- NULL, NULL);
-+ NULL, NULL, NULL, NULL);
- if (kerr != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_authtok_get_sc failed.\n");
-@@ -1226,11 +1226,12 @@ static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx,
- const char *token_name;
- const char *module_name;
- const char *key_id;
-+ const char *label;
-
- ret = sss_authtok_get_sc(authtok, NULL, NULL,
- &token_name, NULL,
- &module_name, NULL,
-- &key_id, NULL);
-+ &key_id, NULL, &label, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
- return ret;
-@@ -1267,6 +1268,15 @@ static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx,
- }
- }
-
-+ if (label != NULL && *label != '\0') {
-+ identity = talloc_asprintf_append(identity, ":certlabel=%s", label);
-+ if (identity == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "talloc_asprintf_append failed.\n");
-+ return ENOMEM;
-+ }
-+ }
-+
- *_identity = identity;
-
- DEBUG(SSSDBG_TRACE_ALL, "Using pkinit identity [%s].\n", identity);
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 9ea488be4..d3f092b2b 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1258,7 +1258,7 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
- || sss_authtok_get_type(pd->authtok)
- == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
- ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, NULL, NULL, NULL,
-- NULL, &key_id, NULL);
-+ NULL, &key_id, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
- goto done;
-@@ -2274,7 +2274,8 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
- SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0,
- sss_cai_get_token_name(preq->current_cert), 0,
- sss_cai_get_module_name(preq->current_cert), 0,
-- sss_cai_get_key_id(preq->current_cert), 0);
-+ sss_cai_get_key_id(preq->current_cert), 0,
-+ sss_cai_get_label(preq->current_cert), 0);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_authtok_set_sc failed, Smartcard "
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index abc987804..23f94927a 100644
---- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -727,6 +727,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
- const char *module_name = NULL;
- const char *token_name = NULL;
- const char *key_id = NULL;
-+ const char *label = NULL;
-
- req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state);
- if (req == NULL) {
-@@ -766,7 +767,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
- if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
- || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
- ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, &token_name, NULL,
-- &module_name, NULL, &key_id, NULL);
-+ &module_name, NULL, &key_id, NULL,
-+ &label, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
- goto done;
-@@ -784,6 +786,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
- extra_args[arg_c++] = key_id;
- extra_args[arg_c++] = "--key_id";
- }
-+ if (label != NULL && *label != '\0') {
-+ extra_args[arg_c++] = label;
-+ extra_args[arg_c++] = "--label";
-+ }
- }
-
- if (pd->cmd == SSS_PAM_AUTHENTICATE) {
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index 04dfdb55d..cffbfa770 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -126,6 +126,7 @@ struct cert_auth_info {
- char *token_name;
- char *module_name;
- char *key_id;
-+ char *label;
- char *prompt_str;
- char *pam_cert_user;
- char *choice_list_id;
-@@ -1962,6 +1963,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
- ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
- cai->module_name, 0,
- cai->key_id, 0,
-+ cai->label, 0,
- NULL, 0, &needed_size);
- if (ret != EAGAIN) {
- D(("sss_auth_pack_sc_blob failed."));
-@@ -1979,6 +1981,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
- ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
- cai->module_name, 0,
- cai->key_id, 0,
-+ cai->label, 0,
- (uint8_t *) pi->pam_authtok, needed_size,
- &needed_size);
- if (ret != EOK) {
-diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
-index a8f5bdee7..a31014eb6 100644
---- a/src/tests/cmocka/test_authtok.c
-+++ b/src/tests/cmocka/test_authtok.c
-@@ -451,25 +451,27 @@ void test_sss_authtok_sc_blobs(void **state)
- size_t module_name_len;
- const char *key_id;
- size_t key_id_len;
-+ const char *label;
-+ size_t label_len;
-
- ts = talloc_get_type_abort(*state, struct test_state);
-
- ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
-- NULL, 0, &needed_size);
-+ "stuvw", 0, NULL, 0, &needed_size);
- assert_int_equal(ret, EAGAIN);
-
- buf = talloc_size(ts, needed_size);
- assert_non_null(buf);
-
- ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
-- buf, needed_size, &needed_size);
-+ "stuvw", 0, buf, needed_size, &needed_size);
- assert_int_equal(ret, EOK);
-
- #if __BYTE_ORDER == __LITTLE_ENDIAN
-- assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0abc\0defg\0hijkl\0mnopqr\0",
-+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0\6\0\0\0abc\0defg\0hijkl\0mnopqr\0stuvw\0",
- needed_size);
- #else
-- assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7abc\0defg\0hijkl\0mnopqr\0",
-+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0\6abc\0defg\0hijkl\0mnopqr\0stuvw\0",
- needed_size);
- #endif
-
-@@ -485,7 +487,8 @@ void test_sss_authtok_sc_blobs(void **state)
- ret = sss_authtok_get_sc(ts->authtoken, &pin, &pin_len,
- &token_name, &token_name_len,
- &module_name, &module_name_len,
-- &key_id, &key_id_len);
-+ &key_id, &key_id_len,
-+ &label, &label_len);
- assert_int_equal(ret, EOK);
- assert_int_equal(pin_len, 3);
- assert_string_equal(pin, "abc");
-@@ -495,11 +498,14 @@ void test_sss_authtok_sc_blobs(void **state)
- assert_string_equal(module_name, "hijkl");
- assert_int_equal(key_id_len, 6);
- assert_string_equal(key_id, "mnopqr");
-+ assert_int_equal(label_len, 5);
-+ assert_string_equal(label, "stuvw");
-
- ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
- &token_name, &token_name_len,
- &module_name, &module_name_len,
-- &key_id, &key_id_len);
-+ &key_id, &key_id_len,
-+ &label, &label_len);
- assert_int_equal(ret, EOK);
- assert_int_equal(token_name_len, 4);
- assert_string_equal(token_name, "defg");
-@@ -507,15 +513,19 @@ void test_sss_authtok_sc_blobs(void **state)
- assert_string_equal(module_name, "hijkl");
- assert_int_equal(key_id_len, 6);
- assert_string_equal(key_id, "mnopqr");
-+ assert_int_equal(label_len, 5);
-+ assert_string_equal(label, "stuvw");
-
- ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
- &token_name, NULL,
- &module_name, NULL,
-- &key_id, NULL);
-+ &key_id, NULL,
-+ &label, NULL);
- assert_int_equal(ret, EOK);
- assert_string_equal(token_name, "defg");
- assert_string_equal(module_name, "hijkl");
- assert_string_equal(key_id, "mnopqr");
-+ assert_string_equal(label, "stuvw");
-
- sss_authtok_set_empty(ts->authtoken);
- talloc_free(buf);
-@@ -608,14 +618,14 @@ void test_sss_authtok_sc_pin(void **state)
- assert_int_equal(sss_authtok_get_type(ts->authtoken),
- SSS_AUTHTOK_TYPE_SC_PIN);
- size = sss_authtok_get_size(ts->authtoken);
-- assert_int_equal(size, 28);
-+ assert_int_equal(size, 33);
- #if __BYTE_ORDER == __LITTLE_ENDIAN
- assert_memory_equal(sss_authtok_get_data(ts->authtoken),
-- "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
-+ "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0\0",
- size);
- #else
- assert_memory_equal(sss_authtok_get_data(ts->authtoken),
-- "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0",
-+ "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0\0",
- size);
- #endif
-
-@@ -624,14 +634,14 @@ void test_sss_authtok_sc_pin(void **state)
- assert_int_equal(sss_authtok_get_type(ts->authtoken),
- SSS_AUTHTOK_TYPE_SC_PIN);
- size = sss_authtok_get_size(ts->authtoken);
-- assert_int_equal(size, 25);
-+ assert_int_equal(size, 30);
- #if __BYTE_ORDER == __LITTLE_ENDIAN
- assert_memory_equal(sss_authtok_get_data(ts->authtoken),
-- "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
-+ "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0\0",
- size);
- #else
- assert_memory_equal(sss_authtok_get_data(ts->authtoken),
-- "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0",
-+ "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0\0",
- size);
- #endif
-
-diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
-index 326deaf1f..cb05042de 100644
---- a/src/tests/cmocka/test_pam_srv.c
-+++ b/src/tests/cmocka/test_pam_srv.c
-@@ -536,7 +536,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx,
- static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
- const char *pin, const char *token_name,
- const char *module_name, const char *key_id,
-- const char *service,
-+ const char *label, const char *service,
- acct_cb_t acct_cb, const char *cert)
- {
- size_t buf_size;
-@@ -556,14 +556,14 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
-
- if (pin != NULL) {
- ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
-- key_id, 0, NULL, 0, &needed_size);
-+ key_id, 0, label, 0, NULL, 0, &needed_size);
- assert_int_equal(ret, EAGAIN);
-
- pi.pam_authtok = malloc(needed_size);
- assert_non_null(pi.pam_authtok);
-
- ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
-- key_id, 0,
-+ key_id, 0, label, 0,
- (uint8_t *)pi.pam_authtok, needed_size,
- &needed_size);
- assert_int_equal(ret, EOK);
-@@ -1766,7 +1766,7 @@ void test_pam_preauth_no_logon_name(void **state)
- int ret;
-
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-- NULL);
-+ NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -1862,7 +1862,7 @@ void test_pam_preauth_cert_nocert(void **state)
- unsetenv("SOFTHSM2_CONF");
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- NULL, NULL);
-+ NULL, NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2004,7 +2004,7 @@ void test_pam_preauth_cert_nomatch(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, NULL);
-+ NULL, test_lookup_by_cert_cb, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2026,7 +2026,7 @@ void test_pam_preauth_cert_match(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2048,7 +2048,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state)
-
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
-- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
-+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
- "gdm-smartcard", test_lookup_by_cert_cb,
- SSSD_TEST_CERT_0001);
-
-@@ -2072,7 +2072,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_wrong_user_cb,
-+ NULL, test_lookup_by_cert_wrong_user_cb,
- SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-@@ -2104,7 +2104,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
- * request will be done with the username found by the certificate
- * lookup. */
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
- mock_account_recv_simple();
- mock_parse_inp("pamuser", NULL, EOK);
- mock_parse_inp("pamuser", NULL, EOK);
-@@ -2134,7 +2134,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state)
- * during pre-auth and there is no need for an extra mocked response as in
- * test_pam_preauth_cert_no_logon_name. */
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2155,7 +2155,7 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
-
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
-- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-@@ -2178,7 +2178,7 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
- pam_test_ctx->rctx->domains->user_name_hint = true;
-
-- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-@@ -2201,7 +2201,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
-
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-- NULL);
-+ NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2223,7 +2223,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, NULL);
-+ NULL, test_lookup_by_cert_cb, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2252,7 +2252,8 @@ void test_pam_cert_auth(void **state)
- * in the cache and no second request to the backend is needed. */
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
- TEST_MODULE_NAME,
-- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17",
-+ "SSSD test cert 0001", NULL,
- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-@@ -2289,7 +2290,8 @@ void test_pam_ecc_cert_auth(void **state)
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456",
- "SSSD Test ECC Token",
- TEST_MODULE_NAME,
-- "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB", NULL,
-+ "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB",
-+ "SSSD test ECC cert 0001", NULL,
- test_lookup_by_cert_cb, SSSD_TEST_ECC_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-@@ -2324,7 +2326,8 @@ void test_pam_cert_auth_no_logon_name(void **state)
- * in the cache and no second request to the backend is needed. */
- mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
- TEST_MODULE_NAME,
-- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17",
-+ "SSSD test cert 0001", NULL,
- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- mock_account_recv_simple();
-@@ -2360,7 +2363,7 @@ void test_pam_cert_auth_no_logon_name_no_key_id(void **state)
- * to the user entry the lookup by certificate will already find the user
- * in the cache and no second request to the backend is needed. */
- mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
-- TEST_MODULE_NAME, NULL, NULL,
-+ TEST_MODULE_NAME, NULL, NULL, NULL,
- NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-@@ -2387,7 +2390,8 @@ void test_pam_cert_auth_double_cert(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
- TEST_MODULE_NAME,
-- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17",
-+ "SSSD test cert 0001", NULL,
- test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-@@ -2416,7 +2420,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state)
- ret = test_lookup_by_cert_cb(discard_const(SSSD_TEST_CERT_0001));
- assert_int_equal(ret, EOK);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, NULL);
-+ NULL, test_lookup_by_cert_cb, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2439,7 +2443,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb_2nd_cert_same_user,
-+ NULL, test_lookup_by_cert_cb_2nd_cert_same_user,
- SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-@@ -2464,7 +2468,8 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
- TEST_MODULE_NAME,
-- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17",
-+ "SSSD test cert 0001", NULL,
- test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-@@ -2498,7 +2503,7 @@ void test_pam_cert_preauth_uri_token1(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2528,7 +2533,7 @@ void test_pam_cert_preauth_uri_token2(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0002);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0002);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2567,7 +2572,7 @@ void test_pam_preauth_expired_crl_file(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- NULL, NULL);
-+ NULL, NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2599,7 +2604,7 @@ void test_pam_preauth_expired_crl_file_soft(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2632,7 +2637,7 @@ void test_pam_preauth_ocsp(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- NULL, NULL);
-+ NULL, NULL, NULL);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2674,7 +2679,7 @@ void test_pam_preauth_ocsp_no_ocsp(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0005);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0005);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2708,7 +2713,7 @@ void test_pam_preauth_ocsp_soft_ocsp(void **state)
- putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf"));
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, SSSD_TEST_CERT_0005);
-+ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0005);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
-index e50f86741..e76bd17c5 100644
---- a/src/util/authtok-utils.c
-+++ b/src/util/authtok-utils.c
-@@ -77,6 +77,7 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
- const char *token_name, size_t token_name_len,
- const char *module_name, size_t module_name_len,
- const char *key_id, size_t key_id_len,
-+ const char *label, size_t label_len,
- uint8_t *buf, size_t buf_len,
- size_t *_sc_blob_len)
- {
-@@ -88,7 +89,8 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
- || (pin_len != 0 && pin == NULL)
- || (token_name_len != 0 && token_name == NULL)
- || (module_name_len != 0 && module_name == NULL)
-- || (key_id_len != 0 && key_id == NULL)) {
-+ || (key_id_len != 0 && key_id == NULL)
-+ || (label_len != 0 && label == NULL)) {
- return EINVAL;
- }
-
-@@ -113,6 +115,11 @@ errno_t sss_auth_pack_sc_blob(const char
*pin, size_t pin_len, - key_id_len = 0; - } - -+ if (label == NULL) { -+ label = ""; -+ label_len = 0; -+ } -+ - /* len should not include the trailing \0 */ - if (pin_len == 0 || pin[pin_len - 1] == '\0') { - pin_len = strlen(pin); -@@ -130,8 +137,12 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, - key_id_len = strlen(key_id); - } - -- *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len + 4 -- + 4 * sizeof(uint32_t); -+ if (label_len == 0 || label[label_len - 1] == '\0') { -+ label_len = strlen(label); -+ } -+ -+ *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len -+ + label_len + 5 + 5 * sizeof(uint32_t); - if (buf == NULL || buf_len < *_sc_blob_len) { - return EAGAIN; - } -@@ -145,6 +156,8 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, - SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); - tmp_uint32_t = (uint32_t) key_id_len + 1; - SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); -+ tmp_uint32_t = (uint32_t) label_len + 1; -+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); - - memcpy(buf + c, pin, pin_len); - buf[c + pin_len] = '\0'; -@@ -160,6 +173,10 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, - - memcpy(buf + c, key_id, key_id_len); - buf[c + key_id_len] = '\0'; -+ c += key_id_len +1; -+ -+ memcpy(buf + c, label, label_len); -+ buf[c + label_len] = '\0'; - - return 0; - } -@@ -171,6 +188,7 @@ const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) - uint32_t token_name_len; - uint32_t module_name_len; - uint32_t key_id_len; -+ uint32_t label_len; - - if (blob == NULL || blob_len == 0) { - return NULL; -@@ -184,9 +202,11 @@ const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) - SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); - SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); - SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); -+ SAFEALIGN_COPY_UINT32(&label_len, blob + c, &c); - -- if (blob_len != 4 * 
sizeof(uint32_t) + pin_len + token_name_len -- + module_name_len + key_id_len) { -+ if (blob_len != 5 * sizeof(uint32_t) + pin_len + token_name_len -+ + module_name_len + key_id_len -+ + label_len) { - return NULL; - } - -diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h -index 714c8187e..f3b268f78 100644 ---- a/src/util/authtok-utils.h -+++ b/src/util/authtok-utils.h -@@ -39,6 +39,9 @@ - * @param[in] key_id Key ID of the certificate - * @param[in] key_id_len Length of the key id of the certificate, if 0 - * strlen() will be called internally -+ * @param[in] label Label of the certificate -+ * @param[in] label_len Length of the label of the certificate, if 0 -+ * strlen() will be called internally - * @param[in] buf memory buffer of size buf_len, may be NULL - * @param[in] buf_len size of memory buffer buf - * -@@ -53,6 +56,7 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, - const char *token_name, size_t token_name_len, - const char *module_name, size_t module_name_len, - const char *key_id, size_t key_id_len, -+ const char *label, size_t label_len, - uint8_t *buf, size_t buf_len, - size_t *_sc_blob_len); - /** -@@ -112,6 +116,10 @@ errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, - * @param[out] _token_name_len Length of the token name - * @param[out] _module_name Name of PKCS#11 module, null terminated - * @param[out] _module_name_len Length of the module name -+ * @param[out] _key_id Key ID of the certificate, null terminated -+ * @param[out] _key_id_len Length of the key ID -+ * @param[out] _labe l Label of the certificate, null terminated -+ * @param[out] _label_len Length of the label - * - * @return EOK on success - * EINVAL if input data is not consistent -@@ -122,7 +130,8 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - char **pin, size_t *_pin_len, - char **token_name, size_t *_token_name_len, - char **module_name, size_t *_module_name_len, -- char **key_id, size_t *_key_id_len); -+ char **key_id, size_t 
*_key_id_len, -+ char **label, size_t *_label_len); - - /** - * @brief Return a pointer to the PIN string in the memory buffer -diff --git a/src/util/authtok.c b/src/util/authtok.c -index f8b44d6d6..7254ed1da 100644 ---- a/src/util/authtok.c -+++ b/src/util/authtok.c -@@ -503,7 +503,8 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, - const char *pin, size_t pin_len, - const char *token_name, size_t token_name_len, - const char *module_name, size_t module_name_len, -- const char *key_id, size_t key_id_len) -+ const char *key_id, size_t key_id_len, -+ const char *label, size_t label_len) - { - int ret; - size_t needed_size; -@@ -518,7 +519,7 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, - - ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, - module_name, module_name_len, -- key_id, key_id_len, NULL, 0, -+ key_id, key_id_len, label, label_len, NULL, 0, - &needed_size); - if (ret != EAGAIN) { - DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); -@@ -533,7 +534,7 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, - - ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, - module_name, module_name_len, -- key_id, key_id_len, tok->data, -+ key_id, key_id_len, label, label_len, tok->data, - needed_size, &needed_size); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); -@@ -560,6 +561,8 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, - size_t module_name_len; - char *key_id = NULL; - size_t key_id_len; -+ char *label = NULL; -+ size_t label_len; - TALLOC_CTX *tmp_ctx; - - if (tok == NULL) { -@@ -579,7 +582,7 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, - ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len, - &token_name, &token_name_len, - &module_name, &module_name_len, -- &key_id, &key_id_len); -+ &key_id, &key_id_len, &label, &label_len); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob 
failed.\n"); - goto done; -@@ -588,7 +591,7 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, - ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len, - token_name, token_name_len, - module_name, module_name_len, -- key_id, key_id_len); -+ key_id, key_id_len, label, label_len); - - done: - talloc_free(tmp_ctx); -@@ -607,7 +610,7 @@ errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin, - } - - return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len, -- NULL, 0, NULL, 0, NULL, 0); -+ NULL, 0, NULL, 0, NULL, 0, NULL, 0); - } - - errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin, -@@ -625,7 +628,8 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin, - return ENOENT; - case SSS_AUTHTOK_TYPE_SC_PIN: - ret = sss_authtok_get_sc(tok, &pin, &pin_len, -- NULL, NULL, NULL, NULL, NULL, NULL); -+ NULL, NULL, NULL, NULL, NULL, NULL, -+ NULL, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); - return ret; -@@ -663,13 +667,15 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - char **pin, size_t *_pin_len, - char **token_name, size_t *_token_name_len, - char **module_name, size_t *_module_name_len, -- char **key_id, size_t *_key_id_len) -+ char **key_id, size_t *_key_id_len, -+ char **label, size_t *_label_len) - { - size_t c; - uint32_t pin_len; - uint32_t token_name_len; - uint32_t module_name_len; - uint32_t key_id_len; -+ uint32_t label_len; - - c = 0; - -@@ -678,14 +684,16 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - token_name_len = 0; - module_name_len = 0; - key_id_len = 0; -+ label_len = 0; - } else if (blob_len > 0 - && strnlen((const char *) blob, blob_len) == blob_len - 1) { - pin_len = blob_len; - token_name_len = 0; - module_name_len = 0; - key_id_len = 0; -+ label_len = 0; - } else { -- if (blob_len < 4 * sizeof(uint32_t)) { -+ if (blob_len < 5 * sizeof(uint32_t)) { - DEBUG(SSSDBG_CRIT_FAILURE, 
"Blob too small.\n"); - return EINVAL; - } -@@ -694,9 +702,11 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); - SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); - SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); -+ SAFEALIGN_COPY_UINT32(&label_len, blob + c, &c); - -- if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len -- + module_name_len + key_id_len) { -+ if (blob_len != 5 * sizeof(uint32_t) + pin_len + token_name_len -+ + module_name_len + key_id_len -+ + label_len) { - DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); - return EINVAL; - } -@@ -756,6 +766,25 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - *key_id = NULL; - } - -+ if (label_len != 0) { -+ *label = talloc_strndup(mem_ctx, -+ (const char *) blob + c + pin_len -+ + token_name_len -+ + module_name_len -+ + key_id_len, -+ label_len); -+ if (*label == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); -+ talloc_free(*pin); -+ talloc_free(*token_name); -+ talloc_free(*module_name); -+ talloc_free(*key_id); -+ return ENOMEM; -+ } -+ } else { -+ *label = NULL; -+ } -+ - /* Re-calculate length for the case where \0 was missing in the blob */ - if (_pin_len != NULL) { - *_pin_len = (*pin == NULL) ? 0 : strlen(*pin); -@@ -771,6 +800,10 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, - *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id); - } - -+ if (_label_len != NULL) { -+ *_label_len = (*label == NULL) ? 
0 : strlen(*label); -+ } -+ - return EOK; - } - -@@ -778,13 +811,15 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, - const char **_pin, size_t *_pin_len, - const char **_token_name, size_t *_token_name_len, - const char **_module_name, size_t *_module_name_len, -- const char **_key_id, size_t *_key_id_len) -+ const char **_key_id, size_t *_key_id_len, -+ const char **_label, size_t *_label_len) - { - size_t c = 0; - size_t pin_len; - size_t token_name_len; - size_t module_name_len; - size_t key_id_len; -+ size_t label_len; - uint32_t tmp_uint32_t; - - if (!tok) { -@@ -796,7 +831,7 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, - return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES; - } - -- if (tok->length < 4 * sizeof(uint32_t)) { -+ if (tok->length < 5 * sizeof(uint32_t)) { - DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); - return EINVAL; - } -@@ -809,9 +844,12 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, - module_name_len = tmp_uint32_t -1; - SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); - key_id_len = tmp_uint32_t -1; -+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); -+ label_len = tmp_uint32_t -1; - -- if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len -- + module_name_len + key_id_len) { -+ if (tok->length != 5 * sizeof(uint32_t) + 5 + pin_len + token_name_len -+ + module_name_len + key_id_len -+ + label_len) { - DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); - return EINVAL; - } -@@ -846,5 +884,14 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, - *_key_id_len = key_id_len; - } - -+ if (_label != NULL) { -+ *_label = (const char *) tok->data + c + pin_len + 1 -+ + token_name_len + 1 + module_name_len + 1 -+ + key_id_len + 1; -+ } -+ if (_label_len != NULL) { -+ *_label_len = label_len; -+ } -+ - return EOK; - } -diff --git a/src/util/authtok.h b/src/util/authtok.h -index f70c9da13..6fd3e9ef0 100644 ---- a/src/util/authtok.h -+++ b/src/util/authtok.h -@@ 
-296,6 +296,10 @@ void sss_authtok_set_sc_keypad(struct sss_auth_token *tok); - * terminated string containing the PKCS#11 key id - * @param key_id_len The length of the key id string, if set to 0 it will be - * calculated -+ * @param label A pointer to a const char *, that will point to a null -+ * terminated string containing the PKCS#11 label -+ * @param label_len The length of the label string, if set to 0 it will be -+ * calculated - * - * @return EOK on success - * EINVAL unexpected or inval input -@@ -306,7 +310,8 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, - const char *pin, size_t pin_len, - const char *token_name, size_t token_name_len, - const char *module_name, size_t module_name_len, -- const char *key_id, size_t key_id_len); -+ const char *key_id, size_t key_id_len, -+ const char *label, size_t label_len); - /** - * @brief Set a Smart Card authentication data, replacing any previous data - * -@@ -342,6 +347,10 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, - * a null terminated string holding the PKCS#11 - * key id, may not be modified or freed - * @param[out] _key_id_len Length of the PKCS#11 key id -+ * @param[out] _label A pointer to a const char *, that will point to -+ * a null terminated string holding the PKCS#11 -+ * label, may not be modified or freed -+ * @param[out] _label_len Length of the PKCS#11 label - * - * Any of the output pointers may be NULL if the caller does not need the - * specific item. -@@ -356,7 +365,8 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, - const char **_pin, size_t *_pin_len, - const char **_token_name, size_t *_token_name_len, - const char **_module_name, size_t *_module_name_len, -- const char **_key_id, size_t *_key_id_len); -+ const char **_key_id, size_t *_key_id_len, -+ const char **_label, size_t *_label_len); - - - /** --- -2.21.3 - 
diff --git a/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch b/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch
deleted file mode 100644
index 88fcc9f..0000000
--- a/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Sat, 14 Nov 2020 17:52:35 +0100
-Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss
-
-Add the certificate label to the data send back and forth to the pam
-module to avoid the ambiguity if two certificates use the same key.
-
-Resolves: https://github.com/SSSD/sssd/issues/5400
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/responder/pam/pamsrv_p11.c | 13 ++++++++++---
- src/sss_client/pam_sss.c | 15 +++++++++++++++
- src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++----
- 3 files changed, 41 insertions(+), 7 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index 23f94927a..e1fd72e64 100644
---- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
- const char *token_name;
- const char *module_name;
- const char *key_id;
-+ const char *label;
- char *prompt;
- size_t user_len;
- size_t token_len;
- size_t module_len;
- size_t key_id_len;
-+ size_t label_len;
- size_t prompt_len;
- size_t nss_name_len;
- const char *username = "";
-@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
- token_name = sss_cai_get_token_name(cert_info);
- module_name = sss_cai_get_module_name(cert_info);
- key_id = sss_cai_get_key_id(cert_info);
-+ label = sss_cai_get_label(cert_info);
-
- user_len = strlen(username) + 1;
- token_len = strlen(token_name) + 1;
- module_len = strlen(module_name) + 1;
- key_id_len = strlen(key_id) + 1;
-+ label_len = strlen(label) + 1;
- prompt_len = strlen(prompt) + 1;
- nss_name_len = strlen(nss_username) +1;
-
-- msg_len = user_len + token_len + module_len + key_id_len + prompt_len
-- + nss_name_len;
-+ msg_len = user_len + token_len + module_len + key_id_len + label_len
-+ + prompt_len + nss_name_len;
-
- msg = talloc_zero_size(mem_ctx, msg_len);
- if (msg == NULL) {
-@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
- memcpy(msg + user_len + token_len, module_name, module_len);
- memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
- memcpy(msg + user_len + token_len + module_len + key_id_len,
-+ label, label_len);
-+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
- prompt, prompt_len);
-- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len,
-+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
-+ + prompt_len,
- nss_username, nss_name_len);
- talloc_free(prompt);
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index cffbfa770..c539d6de6 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
- free(cai->token_name);
- free(cai->module_name);
- free(cai->key_id);
-+ free(cai->label);
- free(cai->prompt_str);
- free(cai->choice_list_id);
- free(cai);
-@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
- goto done;
- }
-
-+ cai->label = strdup((char *) &buf[*p + offset]);
-+ if (cai->label == NULL) {
-+ D(("strdup failed"));
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ offset += strlen(cai->label) + 1;
-+ if (offset >= len) {
-+ D(("Cert message size mismatch"));
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
- cai->prompt_str = strdup((char *) &buf[*p + offset]);
- if (cai->prompt_str == NULL) {
- D(("strdup failed"));
-diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
-index cb05042de..5506fbf34 100644
---- a/src/tests/cmocka/test_pam_srv.c
-+++ b/src/tests/cmocka/test_pam_srv.c
-@@ -62,13 +62,16 @@
- #define TEST_TOKEN_NAME "SSSD Test Token"
- #define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
- #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
-+#define TEST_LABEL "SSSD test cert 0001"
- #define TEST_MODULE_NAME SOFTHSM2_PATH
- #define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
- #define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
- #define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD"
-
- #define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
-+#define TEST2_LABEL "SSSD test cert 0002"
- #define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9"
-+#define TEST5_LABEL "SSSD test cert 0005"
-
- static char CACHED_AUTH_TIMEOUT_STR[] = "4";
- static const int CACHED_AUTH_TIMEOUT = 4;
-@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
- + sizeof(TEST_TOKEN_NAME)
- + sizeof(TEST_MODULE_NAME)
- + sizeof(TEST_KEY_ID)
-+ + sizeof(TEST_LABEL)
- + sizeof(TEST_PROMPT)
- + sizeof("pamuser")));
-
-@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
- assert_string_equal(body + rp, TEST_KEY_ID);
- rp += sizeof(TEST_KEY_ID);
-
-+ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0);
-+ assert_string_equal(body + rp, TEST_LABEL);
-+ rp += sizeof(TEST_LABEL);
-+
- assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
- assert_string_equal(body + rp, TEST_PROMPT);
- rp += sizeof(TEST_PROMPT);
-@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
- TEST_TOKEN_NAME,
- TEST_MODULE_NAME,
- TEST_KEY_ID,
-+ TEST_LABEL,
- TEST_PROMPT,
- NULL,
- NULL };
-@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
- TEST_TOKEN_NAME,
- TEST_MODULE_NAME,
- TEST2_KEY_ID,
-+ TEST2_LABEL,
- TEST2_PROMPT,
- NULL,
- NULL };
-@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
- assert_int_equal(status, 0);
-
- check_strings[0] = name;
-- check_strings[5] = nss_name;
-+ check_strings[6] = nss_name;
- check_len = check_string_array_len(check_strings);
- check2_strings[0] = name;
-- check2_strings[5] = nss_name;
-+ check2_strings[6] = nss_name;
- check2_len = check_string_array_len(check2_strings);
-
-
-@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
- TEST_TOKEN2_NAME,
- TEST_MODULE_NAME,
- TEST2_KEY_ID,
-+ TEST2_LABEL,
- TEST2_PROMPT,
- NULL,
- NULL };
-@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
- assert_int_equal(status, 0);
-
- check2_strings[0] = name;
-- check2_strings[5] = nss_name;
-+ check2_strings[6] = nss_name;
- check2_len = check_string_array_len(check2_strings);
-
- SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body,
- assert_int_equal(status, 0);
-
- check_strings[0] = name;
-- check_strings[5] = nss_name;
-+ check_strings[6] = nss_name;
- check_len = check_string_array_len(check_strings);
-
- SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen)
- TEST_TOKEN_NAME,
- TEST_MODULE_NAME,
- TEST5_KEY_ID,
-+ TEST5_LABEL,
- TEST5_PROMPT,
- NULL,
- NULL };
---
-2.21.3
-
diff --git a/SOURCES/0016-add-tests-multiple-certs-same-id.patch b/SOURCES/0016-add-tests-multiple-certs-same-id.patch
deleted file mode 100644
index cd9cefd..0000000
--- a/SOURCES/0016-add-tests-multiple-certs-same-id.patch
+++ /dev/null
@@ -1,265 +0,0 @@ -From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Tue, 3 Nov 2020 09:58:52 +0100 -Subject: [PATCH 16/16] add tests multiple certs same id - -Add unit test for the case that two certificates use the same key. - -Resolves: https://github.com/SSSD/sssd/issues/5400 - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> ---- - src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++ - src/tests/test_CA/Makefile.am | 26 ++++- - src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++ - 3 files changed, 161 insertions(+), 1 deletion(-) - create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config - -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index 5506fbf34..8ca5abd43 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -40,12 +40,14 @@ - #include "tests/test_CA/SSSD_test_cert_x509_0001.h" - #include "tests/test_CA/SSSD_test_cert_x509_0002.h" - #include "tests/test_CA/SSSD_test_cert_x509_0005.h" -+#include "tests/test_CA/SSSD_test_cert_x509_0006.h" - - #include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h" - #else - #define SSSD_TEST_CERT_0001 "" - #define SSSD_TEST_CERT_0002 "" - #define SSSD_TEST_CERT_0005 "" -+#define SSSD_TEST_CERT_0006 "" - - #define SSSD_TEST_ECC_CERT_0001 "" - #endif -@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status, - return EOK; - } - -+static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen) -+{ -+ /* PAM_AUTH_ERR is returned for different types of error, we use different -+ * names for the check functions to make the purpose more clear. 
*/ -+ return test_pam_wrong_pw_offline_auth_check(status, body, blen); -+} -+ - static int test_pam_user_unknown_check(uint32_t status, - uint8_t *body, size_t blen) - { -@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state) - assert_int_equal(ret, EOK); - } - -+/* The following three tests cover a use case where multiple certificates are -+ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is -+ * intended to distinguish among multiple keys. In the case of public and -+ * private keys, this field assists in handling multiple keys held by the same -+ * subject; the key identifier for a public key and its corresponding private -+ * key should be the same. The key identifier should also be the same as for -+ * the corresponding certificate, if one exists. Cryptoki does not enforce -+ * these associations, however." As a result certificates sharing the same -+ * key-pair will have the same id on the Smartcard. This means a second -+ * parameter is needed to distinguish them. We use the label here. -+ * -+ * The first test makes sure authentication fails is the label is missing, the -+ * second and third test make sure that each certificate can be selected with -+ * the proper label. 
*/ -+void test_pam_cert_auth_2certs_same_id_no_label(void **state) -+{ -+ int ret; -+ -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", -+ TEST_MODULE_NAME, -+ "11111111", -+ NULL, NULL, -+ NULL, SSSD_TEST_CERT_0001); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ /* Assume backend cannot handle Smartcard credentials */ -+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; -+ -+ set_cmd_cb(test_pam_auth_err_check); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} -+ -+void test_pam_cert_auth_2certs_same_id_with_label_1(void **state) -+{ -+ int ret; -+ -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", -+ TEST_MODULE_NAME, -+ "11111111", -+ "SSSD test cert 0001", NULL, -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ /* Assume backend cannot handle Smartcard credentials */ -+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; -+ -+ set_cmd_cb(test_pam_simple_check_success); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} -+ -+void test_pam_cert_auth_2certs_same_id_with_label_6(void 
**state) -+{ -+ int ret; -+ -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", -+ TEST_MODULE_NAME, -+ "11111111", -+ "SSSD test cert 0006", NULL, -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ /* Assume backend cannot handle Smartcard credentials */ -+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; -+ -+ set_cmd_cb(test_pam_simple_check_success); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} -+ - void test_pam_cert_preauth_uri_token1(void **state) - { - int ret; -@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[]) - pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping, - pam_test_setup, pam_test_teardown), -+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label, -+ pam_test_setup, pam_test_teardown), -+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1, -+ pam_test_setup, pam_test_teardown), -+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6, -+ pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name, - pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, -diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am -index 0e0122737..8765d0fd6 100644 ---- a/src/tests/test_CA/Makefile.am -+++ b/src/tests/test_CA/Makefile.am -@@ -6,6 +6,7 @@ dist_noinst_DATA = \ - 
SSSD_test_cert_0003.config \ - SSSD_test_cert_0004.config \ - SSSD_test_cert_0005.config \ -+ SSSD_test_cert_0006.config \ - SSSD_test_cert_key_0001.pem \ - SSSD_test_cert_key_0002.pem \ - SSSD_test_cert_key_0003.pem \ -@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) - pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) - pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) - --extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp -+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id - if HAVE_FAKETIME - extra += SSSD_test_CA_expired_crl.pem - endif -@@ -41,6 +42,14 @@ $(pwdfile): - SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial - $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ - -+# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001 -+.INTERMEDIATE: SSSD_test_cert_req_0006.pem -+SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config -+ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \ -+ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \ -+ else \ -+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \ -+ fi - - SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config - if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \ -@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test - SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem - $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ - 
-+SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile) -+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@ -+ - SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) - $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ - -@@ -130,6 +142,18 @@ softhsm2_ocsp.conf: - @echo "objectstore.backend = file" >> $@ - @echo "slots.removable = true" >> $@ - -+softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem -+ mkdir $@ -+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free -+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111' -+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111' -+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111' -+ -+softhsm2_2certs_same_id.conf: -+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@ -+ @echo "objectstore.backend = file" >> $@ -+ @echo "slots.removable = true" >> $@ -+ - CLEANFILES = \ - index.txt index.txt.attr \ - index.txt.attr.old index.txt.old \ -diff --git a/src/tests/test_CA/SSSD_test_cert_0006.config b/src/tests/test_CA/SSSD_test_cert_0006.config -new file mode 100644 -index 000000000..762de55cd ---- /dev/null -+++ 
b/src/tests/test_CA/SSSD_test_cert_0006.config
-@@ -0,0 +1,20 @@
-+# This certificate is used in
-+# - src/tests/cmocka/test_pam_srv.c
-+# and should use the same key-pair as SSSD_test_cert_0001
-+[ req ]
-+distinguished_name = req_distinguished_name
-+prompt = no
-+
-+[ req_distinguished_name ]
-+O = SSSD
-+OU = SSSD test
-+CN = SSSD test cert 0006
-+
-+[ req_exts ]
-+basicConstraints = CA:FALSE
-+nsCertType = client, email
-+nsComment = "SSSD test Certificate"
-+subjectKeyIdentifier = hash
-+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-+extendedKeyUsage = clientAuth, emailProtection
-+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
---
-2.21.3
-
diff --git a/SOURCES/0017-data_provider_be-Add-random-offset-default.patch b/SOURCES/0017-data_provider_be-Add-random-offset-default.patch
deleted file mode 100644
index 7574eec..0000000
--- a/SOURCES/0017-data_provider_be-Add-random-offset-default.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 1e9abd508ea5627465d528788645d4dbe53d7d31 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
-Date: Wed, 2 Dec 2020 03:00:26 +0100
-Subject: [PATCH 17/18] data_provider_be: Add random offset default
-
-Replace hardcoded default value of 30 with more meaningful
-OFFLINE_TIMEOUT_RANDOM_OFFSET define.
-
-This value is used to calculate task timeout during offline
-status checking by formula (from SSSD MAN page):
-
-new_interval = (old_interval * 2) + random_offset
-
-As it is explicite mentioned in documentation it should
-be expressed in the code similar way.
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/providers/data_provider_be.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 4c10d6b48..10421c6b4 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -51,6 +51,7 @@
- #define ONLINE_CB_RETRY 3
- #define ONLINE_CB_RETRY_MAX_DELAY 4
-
-+#define OFFLINE_TIMEOUT_RANDOM_OFFSET 30
- #define OFFLINE_TIMEOUT_DEFAULT 60
- #define OFFLINE_TIMEOUT_MAX_DEFAULT 3600
-
-@@ -152,9 +153,13 @@ void be_mark_offline(struct be_ctx *ctx)
- offline_timeout = get_offline_timeout(ctx);
- offline_timeout_max = get_offline_timeout_max(ctx);
-
-- ret = be_ptask_create_sync(ctx, ctx,
-- offline_timeout, offline_timeout,
-- offline_timeout, 30, offline_timeout,
-+ ret = be_ptask_create_sync(ctx,
-+ ctx,
-+ offline_timeout,
-+ offline_timeout,
-+ offline_timeout,
-+ OFFLINE_TIMEOUT_RANDOM_OFFSET,
-+ offline_timeout,
- offline_timeout_max,
- try_to_go_online,
- ctx, "Check if online (periodic)",
---
-2.21.3
-
diff --git a/SOURCES/0018-data_provider_be-MAN-page-update.patch b/SOURCES/0018-data_provider_be-MAN-page-update.patch
deleted file mode 100644
index 15e4168..0000000
--- a/SOURCES/0018-data_provider_be-MAN-page-update.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 171b664ec4a7c94583b35597bd7e1e72bf89d217 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
-Date: Wed, 2 Dec 2020 03:10:50 +0100
-Subject: [PATCH 18/18] data_provider_be: MAN page update
-
-Updated description of parameters:
-* offline_timeout
-* offline_timeout_max
-
-MAN page now explains that in some circumstances
-corelation of offline_timeout and offline_timeout_max values
-may lead to offline checking interval not incrementing.
-This is a false positive error as in fact the value
-just saturates almost instantly.
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/man/sssd.conf.5.xml | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index d637e2eaa..8b330de58 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -739,12 +739,12 @@
- offline_timeout + random_offset
- </para>
- <para>
-- The random offset can increment up to 30 seconds.
-+ The random offset value is from 0 to 30.
- After each unsuccessful attempt to go online,
- the new interval is recalculated by the following:
- </para>
- <para>
-- new_interval = old_interval*2 + random_offset
-+ new_interval = (old_interval * 2) + random_offset
- </para>
- <para>
- Note that the maximum length of each interval
-@@ -769,6 +769,16 @@
- <para>
- A value of 0 disables the incrementing behaviour.
- </para>
-+ <para>
-+ The value of this parameter should be set in correlation
-+ to offline_timeout parameter value.
-+ </para>
-+ <para>
-+ With offline_timeout set to 60 (default value) there is no point
-+ in setting offlinet_timeout_max to less than 120 as it will
-+ saturate instantly. General rule here should be to set
-+ offline_timeout_max to at least 4 times offline_timeout.
-+ </para>
- <para>
- Although a value between 0 and offline_timeout may be
- specified, it has the effect of overriding the
---
-2.21.3
-
diff --git a/SOURCES/0019-logs-review.patch b/SOURCES/0019-logs-review.patch
deleted file mode 100644
index 54fc132..0000000
--- a/SOURCES/0019-logs-review.patch
+++ /dev/null
@@ -1,3410 +0,0 @@ -From 69ef1cf763fca6b2c7174ddacf3f510c73cc27e6 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon, 28 Dec 2020 19:36:48 +0100 -Subject: [PATCH] Squashed commit of the following: - -commit bd2f38abe95645b9b16b12d12dac6008b0d2a03b -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Tue Dec 15 18:47:25 2020 +0100 - - UTIL: find_domain_by_object_name_ex() changed log level - - It's up to user of this function to judge if fail to parse fqname is - a critical error. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 0db68a1f95612fcbad18ca8107a4b170f446dd59 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Tue Dec 15 17:26:09 2020 +0100 - - LDAP: sdap_save_grpmem(): log level changed - - There are legitimate reasons when sdap_save_grpmem() can be called - with `ignore_group_members = true` - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 00e3ac4a4f9b6c8da27daa3ed8c18664c99256bb -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Dec 13 23:21:37 2020 +0100 - - LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally) - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit dba7de0db3cbaee43ef06a1b7c847fbcf48f3708 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Dec 13 22:37:44 2020 +0100 - - SYSDB: changed logging in sysdb_get_real_name() - - Missing cache entry isn't an error. 
- - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit e86599ba079611ed324ff1493a7173d11c1a7961 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Dec 13 22:22:36 2020 +0100 - - IPA: changed logging in ipa_get_subdom_acct_send() - - Frontends do not know what kind of lookup the backends support - so it is expected that they might send unsupported requests. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit bf873598a9d4ac8256b20859c0d92fb509861b6b -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Dec 13 20:29:07 2020 +0100 - - IPA: ignore failed group search in certain cases - - It's currently expected to see those messages with sudo or HBAC rules in play. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 60b17be9e4f4865fe1774076808a6c783a7ec906 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Dec 13 19:36:56 2020 +0100 - - SYSDB: changed log level in sysdb_update_members_ex() - - Fail to add already existing member isn't critical. 
- - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 9390af3c2d1b33e2b5ded0ea0c6c436b9776cedc -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sat Dec 12 21:29:06 2020 +0100 - - IPA: reduce log level in apply_subdomain_homedir() - - Missing UID for SYSDB_GROUP_CLASS is not an error - (see commit message of e66517dcf63f1d4aaf866c22371dac7740ce0a48 for - additional details) - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 9215cf4e2519d5f085bf97f26a74d499090e46e1 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sat Dec 12 20:46:40 2020 +0100 - - CERTMAP: removed stray debug message - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 0986cf6ced8c4e09b8031d19eddffca679aca30c -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Thu Dec 3 21:06:31 2020 +0100 - - UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 644453f8d93540a91236683015f3418d29c6d95a -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Tue Dec 1 13:03:03 2020 +0100 - - LOGS: default log level changed to <= SSSDBG_OP_FAILURE - - :config: New default value of `debug_level` is 0x0070 - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 4fe060abbe958c2f9b5aa44e489620063029aa0b -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 22:19:46 2020 +0100 - - FILES: reduced debug level in refresh_override_attrs() if case "No overrides, nothing to do" - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 29f243fd5b256efe3c7f4e4f0940c7d0ae6b4fa1 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 22:07:01 2020 +0100 - - AD: reduced log level in case 
check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit ed6ec569780ad8203c4990faed5a9f0dc27dd12b -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 21:13:28 2020 +0100 - - SDAP: reduced log level in case group without members - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 26fdc3c8f0ae6493442ea291d9bf36ba148ef209 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 21:06:19 2020 +0100 - - CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit a7b145b99b9f71ad3d02251fff5b587041c9f1ab -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 20:27:44 2020 +0100 - - LDAP: reduced log level in hosts_get_done() - - Absent host in LDAP server isn't SSSD failure. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 6e3b4d745fc8d2de14d69aa30bc21aa549a435f8 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 16:45:51 2020 +0100 - - SBUS: reduced log level in case of unexpected signal - - Most probably module is not fully initialized yet. 
- - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 90dae38d7442757b8a51f91a6ba3fb83f99320a1 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 11:39:56 2020 +0100 - - RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 69aa3e8c4b82a06e45ba59eb1c17af252aa971ce -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 01:05:52 2020 +0100 - - DP: do not log failure in case provider doesn't support check_online method - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 1af89925e62cccacb2957f55b16988a5e71fe5e1 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 00:28:08 2020 +0100 - - IPA: corrected confusing message - - Log message like: - ``` - sysdb_getpwnam() got more users than expected. Expected [1], got [0] - ``` - looks a bit confusing. 
- - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit a419b7e673d2de571d873b79be31b1ae2fa89832 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 30 00:13:31 2020 +0100 - - SSS_IFACE: corrected misleading return code - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 99e44d9db41f5bb56281ed65d815c32139195931 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Nov 29 22:55:07 2020 +0100 - - LDAP: added missed \n in log message - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 52dc85540e621b00f358fea94e2e390d580948d8 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Nov 29 21:42:08 2020 +0100 - - SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit a7b6413d9fb870f51f09955bdceee01952442c63 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Nov 29 21:32:46 2020 +0100 - - UTIL: sss_ldb_error_to_errno() improved - - LDB_ERR_NO_SUCH_ATTRIBUTE error code was added to mapping and log level - for unknown error code was reduced. 
- - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit ac22859006b5658017b2720ca3e02d34c5beecdd -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Sun Nov 29 17:03:58 2020 +0100 - - PAM: reduce log level in may_do_cert_auth() - - Reduce log level in may_do_cert_auth() as this is not a critical failure - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 5068655a67f88cb1730f28689c5effee264321ad -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 21:45:53 2020 +0100 - - UTIL: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 3cbd0465b52f9bbb7e20b0b12e154f51bab0866e -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 21:12:16 2020 +0100 - - PAM: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit f028253ff87bf11ed034ad5acf1f67e8863bed60 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 20:59:13 2020 +0100 - - NSS: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit f457a1a69240381ad7637a09dc66c1aeb78e1d18 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 20:33:11 2020 +0100 - - IFP: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 058644f2ef6d1958db657d371158d2df7798dd49 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 20:21:55 2020 +0100 - - RESPONDER: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 01ba32f250a0e51771471c52440c11f6f05f2a48 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 20:15:22 2020 +0100 - - CACHE_REQ: debug 
message correction - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 018c08acbb3bbb836c9acefaf5c384eb9231a60a -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 20:05:06 2020 +0100 - - AUTOFS: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit fb052a4c9843ce518a7202d842c43631f8bbfd2d -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 19:57:00 2020 +0100 - - RESOLV: debug message correction - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit d91409df456f9ad7aad39d0cad0ed053cf1f3653 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 27 19:49:14 2020 +0100 - - PROXY: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit ff8f44ce2d2eedb098d980793a949f7f7e55576a -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 20 19:46:28 2020 +0100 - - LDAP: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 9244820af59ba6b947cf9aa1269d03bb6f2e4f38 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Fri Nov 20 19:22:36 2020 +0100 - - KRB5: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 667b983aaee380c50d50ef07542b004e60041581 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Thu Nov 19 18:31:28 2020 +0100 - - IPA: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 2f70695a874dcb84d4b86773138a5a6b6259958f -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 22:12:21 2020 +0100 - - DP: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - 
Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit d6f6f053d7a97a220b52ce92fd653eef8cec5a74 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 21:37:38 2020 +0100 - - AD: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 85d8adc4d24f09e47f2a9c0fa595d90c61036b18 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 19:09:33 2020 +0100 - - P11_CHILD: severity level of few debug messages adjusted - - Severity level of few debug messages was adjusted and journal message - in case of disabled certificate verification was added. - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit fe0530ef96baa8fd39ce6b87c0c760e17c5eb6f8 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 16:28:43 2020 +0100 - - MONITOR: severity level of few debug messages adjusted - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit daa5454f870a5436a554091a1333cc8be0cbc566 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 16:02:23 2020 +0100 - - SYSDB:views: few debug message corrections - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 82dc14b027f9115cabafce71d2b385d5c7d1dd4f -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 15:56:46 2020 +0100 - - SYSDB:upgrade: debug message corrected - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit e731368ed9cea9b35d0ae654e1534084c6ef4642 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 15:50:08 2020 +0100 - - SYSDB:service: severity level of few debug messages adjusted - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit f55c9599068c43037a8b666af92ba9b8a044f735 -Author: Alexey Tikhonov <atikhono@redhat.com> 
-Date: Wed Nov 18 15:32:21 2020 +0100 - - SYSDB:selinux: debug message severity level was adjusted - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 744582419abfd6e5665315748d44e732f1d56f13 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 15:30:45 2020 +0100 - - SYSDB:search: few debug messages were corrected - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit 033c31a2a4994367edea1ded8303a0d2dbc59b1c -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 15:19:46 2020 +0100 - - SYSDB:ops: few debug messages were corrected - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit a73df70ee0bcc8f1b80a2e20132592724bd5f675 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Wed Nov 18 13:19:25 2020 +0100 - - SYSDB:ipnetworks: severity level of few debug messages adjusted - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit b4acf71d0a81aeeb2754645d2798ce1e927121f3 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 16 21:18:14 2020 +0100 - - SYSDB:iphosts: severity level of few debug messages adjusted - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit d8af1db84b48193a546bbeec84a7dd7e2b132244 -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 16 20:05:12 2020 +0100 - - SYSDB:sudo: changed debug message to be consistent - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit df723cb98b406b0262f04d0e43e8e5bf0030074f -Author: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 16 19:10:41 2020 +0100 - - SYSDB: wrong debug message corrected - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> - -commit e350d917e6d48c1d13502ab2849d3e2a0815215e -Author: 
Alexey Tikhonov <atikhono@redhat.com> -Date: Mon Nov 16 18:13:26 2020 +0100 - - SYSDB:autofs: cosmetic updates - - Reviewed-by: Pawel Polawski <ppolawsk@redhat.com> - Reviewed-by: Sumit Bose <sbose@redhat.com> ---- - src/db/sysdb.c | 2 +- - src/db/sysdb_autofs.c | 4 +- - src/db/sysdb_iphosts.c | 10 ++--- - src/db/sysdb_ipnetworks.c | 6 +-- - src/db/sysdb_ops.c | 37 ++++++++++++------ - src/db/sysdb_search.c | 17 ++++++--- - src/db/sysdb_selinux.c | 2 +- - src/db/sysdb_services.c | 6 +-- - src/db/sysdb_sudo.c | 3 +- - src/db/sysdb_upgrade.c | 2 +- - src/db/sysdb_views.c | 6 +-- - src/lib/certmap/sss_certmap_krb5_match.c | 1 - - src/man/include/debug_levels.xml | 3 +- - src/man/include/debug_levels_tools.xml | 3 +- - src/monitor/monitor.c | 14 +++---- - src/p11_child/p11_child_common.c | 2 +- - src/p11_child/p11_child_common_utils.c | 3 ++ - src/p11_child/p11_child_openssl.c | 4 +- - src/providers/ad/ad_cldap_ping.c | 2 +- - src/providers/ad/ad_common.c | 7 ++-- - src/providers/ad/ad_dyndns.c | 6 +-- - src/providers/ad/ad_gpo.c | 16 +++++--- - src/providers/ad/ad_machine_pw_renewal.c | 7 ++-- - src/providers/ad/ad_pac.c | 6 ++- - src/providers/ad/ad_subdomains.c | 2 +- - src/providers/be_dyndns.c | 3 +- - src/providers/be_ptask.c | 2 +- - src/providers/be_refresh.c | 3 +- - src/providers/data_provider/dp.c | 4 +- - src/providers/data_provider/dp_target_sudo.c | 10 +++-- - src/providers/data_provider_be.c | 5 +-- - src/providers/data_provider_fo.c | 2 +- - src/providers/data_provider_opts.c | 6 +-- - src/providers/data_provider_req.h | 1 + - src/providers/files/files_ops.c | 2 +- - src/providers/ipa/ipa_access.c | 2 +- - src/providers/ipa/ipa_common.c | 5 +-- - src/providers/ipa/ipa_hbac_common.c | 2 +- - src/providers/ipa/ipa_hbac_services.c | 4 +- - src/providers/ipa/ipa_hbac_users.c | 4 +- - src/providers/ipa/ipa_id.c | 2 +- - src/providers/ipa/ipa_init.c | 4 +- - src/providers/ipa/ipa_s2n_exop.c | 3 +- - src/providers/ipa/ipa_selinux.c | 4 +- - 
src/providers/ipa/ipa_session.c | 4 +- - src/providers/ipa/ipa_subdomains_ext_groups.c | 3 +- - src/providers/ipa/ipa_subdomains_id.c | 38 +++++++++++++------ - src/providers/ipa/ipa_subdomains_server.c | 11 +++--- - src/providers/ipa/ipa_sudo.c | 14 +++---- - src/providers/ipa/ipa_sudo_async.c | 10 ++--- - src/providers/ipa/ipa_sudo_conversion.c | 6 +-- - src/providers/ipa/ipa_views.c | 4 +- - src/providers/krb5/krb5_access.c | 3 +- - src/providers/krb5/krb5_auth.c | 4 +- - src/providers/krb5/krb5_child.c | 25 ++++++------ - src/providers/krb5/krb5_child_handler.c | 4 +- - src/providers/krb5/krb5_common.c | 6 +-- - .../krb5/krb5_delayed_online_authentication.c | 4 +- - src/providers/krb5/krb5_renew_tgt.c | 4 +- - src/providers/krb5/krb5_utils.c | 2 +- - src/providers/ldap/ldap_auth.c | 12 +++--- - src/providers/ldap/ldap_child.c | 2 +- - src/providers/ldap/ldap_init.c | 4 +- - src/providers/ldap/ldap_options.c | 8 ++-- - src/providers/ldap/sdap.c | 28 +++++++++----- - src/providers/ldap/sdap_access.c | 11 +++--- - src/providers/ldap/sdap_async.c | 9 +++-- - src/providers/ldap/sdap_async_autofs.c | 2 +- - src/providers/ldap/sdap_async_connection.c | 6 +-- - src/providers/ldap/sdap_async_groups.c | 27 ++++++++----- - src/providers/ldap/sdap_async_initgroups.c | 6 ++- - src/providers/ldap/sdap_async_initgroups_ad.c | 2 +- - src/providers/ldap/sdap_async_sudo.c | 4 +- - src/providers/ldap/sdap_child_helpers.c | 6 +-- - src/providers/ldap/sdap_hostid.c | 2 +- - src/providers/ldap/sdap_id_op.c | 2 +- - src/providers/proxy/proxy_auth.c | 6 +-- - src/providers/proxy/proxy_child.c | 8 ++-- - src/providers/proxy/proxy_client.c | 2 +- - src/providers/proxy/proxy_id.c | 6 +-- - src/resolv/async_resolv.c | 2 +- - src/responder/autofs/autofssrv.c | 2 +- - src/responder/autofs/autofssrv_cmd.c | 6 +-- - src/responder/common/cache_req/cache_req.c | 2 +- - .../plugins/cache_req_object_by_name.c | 4 +- - src/responder/common/responder_common.c | 4 +- - 
src/responder/common/responder_get_domains.c | 2 +- - src/responder/common/responder_iface.c | 4 +- - src/responder/ifp/ifp_iface/ifp_iface.c | 2 +- - src/responder/ifp/ifpsrv.c | 8 ++-- - src/responder/ifp/ifpsrv_util.c | 2 +- - src/responder/nss/nss_cmd.c | 20 +++++----- - src/responder/nss/nss_iface.c | 4 +- - src/responder/nss/nss_protocol_netgr.c | 2 +- - src/responder/nss/nsssrv.c | 2 +- - src/responder/pam/pamsrv_cmd.c | 2 +- - src/responder/pam/pamsrv_p11.c | 4 +- - src/sbus/router/sbus_router_handler.c | 3 +- - src/sss_iface/sss_iface.c | 4 +- - src/util/child_common.c | 2 +- - src/util/debug.h | 4 +- - src/util/domain_info_utils.c | 2 +- - src/util/server.c | 15 +++++--- - src/util/sss_sockets.c | 2 +- - src/util/string_utils.c | 2 +- - src/util/util_errors.c | 3 +- - 106 files changed, 364 insertions(+), 279 deletions(-) - -diff --git a/src/db/sysdb.c b/src/db/sysdb.c -index d0052d99b..d78991e36 100644 ---- a/src/db/sysdb.c -+++ b/src/db/sysdb.c -@@ -1489,7 +1489,7 @@ errno_t sysdb_attrs_primary_name(struct sysdb_ctx *sysdb, - * decide which name is correct. - */ - DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot save entry. 
Unable to determine groupname\n"); -+ "Can't match the name to the RDN\n"); - ret = EINVAL; - goto done; - } -diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c -index 413b00722..1febdaec5 100644 ---- a/src/db/sysdb_autofs.c -+++ b/src/db/sysdb_autofs.c -@@ -243,14 +243,14 @@ sysdb_get_map_byname(TALLOC_CTX *mem_ctx, - "Error looking up autofs map [%s]\n", safe_map_name); - goto done; - } else if (ret == ENOENT) { -- DEBUG(SSSDBG_TRACE_FUNC, "No such map\n"); -+ DEBUG(SSSDBG_TRACE_FUNC, "No such map [%s]\n", safe_map_name); - *_map = NULL; - goto done; - } - - if (count != 1) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "More than one map named %s\n", safe_map_name); -+ "More than one map named [%s]\n", safe_map_name); - goto done; - } - -diff --git a/src/db/sysdb_iphosts.c b/src/db/sysdb_iphosts.c -index b82279787..d3ee8f1a9 100644 ---- a/src/db/sysdb_iphosts.c -+++ b/src/db/sysdb_iphosts.c -@@ -222,14 +222,14 @@ sysdb_store_host(struct sss_domain_info *domain, - * sort it out. - */ - for (j = 0; j < res->count; j++) { -- DEBUG(SSSDBG_TRACE_FUNC, -+ DEBUG(SSSDBG_CRIT_FAILURE, - "Corrupt cache entry [%s] detected. 
Deleting\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[j]->dn)); - - ret = sysdb_delete_entry(sysdb, res->msgs[j]->dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete corrupt cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[j]->dn)); -@@ -262,7 +262,7 @@ sysdb_store_host(struct sss_domain_info *domain, - - ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[0]->dn)); -@@ -298,7 +298,7 @@ sysdb_store_host(struct sss_domain_info *domain, - - ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete corrupt cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[i]->dn)); -@@ -318,7 +318,7 @@ sysdb_store_host(struct sss_domain_info *domain, - /* Delete the entry from the previous pass */ - ret = sysdb_delete_entry(sysdb, update_dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - update_dn)); -diff --git a/src/db/sysdb_ipnetworks.c b/src/db/sysdb_ipnetworks.c -index 326f984b7..9da4d9b23 100644 ---- a/src/db/sysdb_ipnetworks.c -+++ b/src/db/sysdb_ipnetworks.c -@@ -261,7 +261,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, - - ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[0]->dn)); -@@ -296,7 +296,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, - - ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete 
corrupt cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - res->msgs[i]->dn)); -@@ -315,7 +315,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, - /* Delete the entry from the previous pass */ - ret = sysdb_delete_entry(sysdb, update_dn, true); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Could not delete cache entry [%s]\n", - ldb_dn_canonical_string(tmp_ctx, - update_dn)); -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 3412b9cd1..585708abe 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -157,7 +157,7 @@ static int sysdb_delete_cache_entry(struct ldb_context *ldb, - /* fall through */ - SSS_ATTRIBUTE_FALLTHROUGH; - default: -- DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s (%d); error message: [%s]\n", - ldb_strerror(ret), ret, ldb_errstring(ldb)); - return sysdb_error_to_errno(ret); - } -@@ -3420,7 +3420,7 @@ int sysdb_search_custom(TALLOC_CTX *mem_ctx, - goto done; - } - if (!ldb_dn_validate(basedn)) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create DN.\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Syntactically invalid subtree DN.\n"); - ret = EINVAL; - goto done; - } -@@ -3463,7 +3463,7 @@ int sysdb_search_custom_by_name(TALLOC_CTX *mem_ctx, - goto done; - } - if (!ldb_dn_validate(basedn)) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create DN.\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Syntactically invalid DN.\n"); - ret = EINVAL; - goto done; - } -@@ -3545,7 +3545,7 @@ errno_t sysdb_search_by_orig_dn(TALLOC_CTX *mem_ctx, - default: - DEBUG(SSSDBG_CRIT_FAILURE, - "Trying to perform a search by orig_dn using a " -- "non-supported type\n"); -+ "non-supported type %d\n", type); - ret = EINVAL; - goto done; - } -@@ -3690,8 +3690,9 @@ int sysdb_delete_custom(struct sss_domain_info *domain, - break; - - default: -- DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n", -- ldb_strerror(ret), ret, 
ldb_errstring(domain->sysdb->ldb));
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "ldb_delete failed: %s (%d); error Message: [%s]\n",
-+ ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
- ret = sysdb_error_to_errno(ret);
- break;
- }
-@@ -4927,9 +4928,15 @@ static errno_t sysdb_update_members_ex(struct sss_domain_info *domain,
- ret = sysdb_add_group_member(domain, add_groups[i],
- member, type, is_dn);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Could not add member [%s] to group [%s]. "
-- "Skipping.\n", member, add_groups[i]);
-+ if (ret != EEXIST) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Could not add member [%s] to group [%s]. "
-+ "Skipping.\n", member, add_groups[i]);
-+ } else {
-+ DEBUG(SSSDBG_FUNC_DATA,
-+ "Group [%s] already has member [%s]. Skipping.\n",
-+ add_groups[i], member);
-+ }
- /* Continue on, we should try to finish the rest */
- }
- }
-@@ -4941,9 +4948,15 @@ static errno_t sysdb_update_members_ex(struct sss_domain_info *domain,
- ret = sysdb_remove_group_member(domain, del_groups[i],
- member, type, is_dn);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Could not remove member [%s] from group [%s]. "
-- "Skipping\n", member, del_groups[i]);
-+ if (ret != ENOENT) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Could not remove member [%s] from group [%s]. "
-+ "Skipping\n", member, del_groups[i]);
-+ } else {
-+ DEBUG(SSSDBG_FUNC_DATA,
-+ "No member [%s] in group [%s]. 
"
-+ "Skipping\n", member, del_groups[i]);
-+ }
- /* Continue on, we should try to finish the rest */
- }
- }
-diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
-index 4ff65c1ae..0cd8321cb 100644
---- a/src/db/sysdb_search.c
-+++ b/src/db/sysdb_search.c
-@@ -2393,7 +2393,7 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
- } else if (mtype == SYSDB_MEMBER_GROUP) {
- dn = sysdb_group_strdn(tmp_ctx, dom->name, name);
- } else {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown member type\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown member type %d\n", mtype);
- ret = EINVAL;
- goto done;
- }
-@@ -2453,13 +2453,14 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
- tmp_str = ldb_msg_find_attr_as_string(direct_sysdb_groups[i],
- SYSDB_NAME, NULL);
- if (!tmp_str) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "A group with no name?\n");
- /* This should never happen, but if it does, just continue */
- continue;
- }
-
- direct_parents[pi] = talloc_strdup(direct_parents, tmp_str);
- if (!direct_parents[pi]) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "A group with no name?\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
- ret = EIO;
- goto done;
- }
-@@ -2522,8 +2523,13 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
- }
- if (ret != EOK) {
- /* User cannot be found in cache */
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
-- name_or_upn_or_sid);
-+ if (ret != ENOENT) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to find user [%s] in cache: %d\n",
-+ name_or_upn_or_sid, ret);
-+ } else {
-+ DEBUG(SSSDBG_TRACE_FUNC, "User [%s] is missing in cache\n",
-+ name_or_upn_or_sid);
-+ }
- goto done;
- }
- } else if (res->count == 1) {
-@@ -2537,7 +2543,8 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
-
- cname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
- if (!cname) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name?\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "User '%s' without a name?\n", name_or_upn_or_sid);
- ret = ENOENT;
- goto done;
- }
-diff 
--git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
-index 88ac88786..535411950 100644
---- a/src/db/sysdb_selinux.c
-+++ b/src/db/sysdb_selinux.c
-@@ -234,7 +234,7 @@ errno_t sysdb_delete_usermaps(struct sss_domain_info *domain)
- ret = sysdb_delete_recursive(sysdb, dn, true);
- talloc_free(dn);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_recursive failed.\n");
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n");
- return ret;
- }
-
-diff --git a/src/db/sysdb_services.c b/src/db/sysdb_services.c
-index 8118fef00..ac17f4704 100644
---- a/src/db/sysdb_services.c
-+++ b/src/db/sysdb_services.c
-@@ -252,7 +252,7 @@ sysdb_store_service(struct sss_domain_info *domain,
-
- ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true);
- if (ret != EOK) {
-- DEBUG(SSSDBG_MINOR_FAILURE,
-+ DEBUG(SSSDBG_OP_FAILURE,
- "Could not delete cache entry [%s]\n",
- ldb_dn_canonical_string(tmp_ctx,
- res->msgs[0]->dn));
-@@ -290,7 +290,7 @@ sysdb_store_service(struct sss_domain_info *domain,
-
- ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true);
- if (ret != EOK) {
-- DEBUG(SSSDBG_MINOR_FAILURE,
-+ DEBUG(SSSDBG_OP_FAILURE,
- "Could not delete corrupt cache entry [%s]\n",
- ldb_dn_canonical_string(tmp_ctx,
- res->msgs[i]->dn));
-@@ -310,7 +310,7 @@ sysdb_store_service(struct sss_domain_info *domain,
- /* Delete the entry from the previous pass */
- ret = sysdb_delete_entry(sysdb, update_dn, true);
- if (ret != EOK) {
-- DEBUG(SSSDBG_MINOR_FAILURE,
-+ DEBUG(SSSDBG_OP_FAILURE,
- "Could not delete cache entry [%s]\n",
- ldb_dn_canonical_string(tmp_ctx,
- update_dn));
-diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
-index 03eec9c70..1626b612d 100644
---- a/src/db/sysdb_sudo.c
-+++ b/src/db/sysdb_sudo.c
-@@ -480,7 +480,8 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
- sss_get_cased_name(sysdb_groupnames, groupname,
- domain->case_sensitive);
- if (sysdb_groupnames[num_groups] == NULL) {
-- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", 
groupname);
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_get_cased_name() failed for '%s'\n", groupname);
- continue;
- }
- num_groups++;
-diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
-index 03a0e6173..99213260c 100644
---- a/src/db/sysdb_upgrade.c
-+++ b/src/db/sysdb_upgrade.c
-@@ -2455,7 +2455,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver)
-
- ret = add_object_category(sysdb->ldb, ctx);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "add_object_category failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "add_object_category failed: %d\n", ret);
- goto done;
- }
-
-diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
-index 00da74047..269dab70f 100644
---- a/src/db/sysdb_views.c
-+++ b/src/db/sysdb_views.c
-@@ -556,12 +556,12 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
- if (ret == ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Object to override does not exists.\n");
- } else {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry failed.\n");
- }
- goto done;
- }
- if (count != 1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Base searched returned more than one object.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Base search returned more than one object.\n");
- ret = EINVAL;
- goto done;
- }
-@@ -660,7 +660,7 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
- SYSDB_OVERRIDE_GROUP_CLASS);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected object type.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected object type %d.\n", type);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c
-index 640930747..ab566ac99 100644
---- a/src/lib/certmap/sss_certmap_krb5_match.c
-+++ b/src/lib/certmap/sss_certmap_krb5_match.c
-@@ -220,7 +220,6 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx,
-
- for (c = 0; eku_list[c] != NULL; c++) {
- for (k = 0; sss_ext_key_usage[k].name != NULL; k++) {
--CM_DEBUG(ctx, "[%s][%s].", eku_list[c], sss_ext_key_usage[k].name);
- if (strcasecmp(eku_list[c], sss_ext_key_usage[k].name) == 0) {
- comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list,
- sss_ext_key_usage[k].oid);
-diff --git a/src/man/include/debug_levels.xml b/src/man/include/debug_levels.xml
-index b5e13ba3e..0d9cc17be 100644
---- a/src/man/include/debug_levels.xml
-+++ b/src/man/include/debug_levels.xml
-@@ -100,6 +100,7 @@
- introduced in 1.7.0.
- </para>
- <para>
-- <emphasis>Default</emphasis>: 0
-+ <emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious
-+ failures; corresponds to setting 2 in decimal notation)
- </para>
- </listitem>
-diff --git a/src/man/include/debug_levels_tools.xml b/src/man/include/debug_levels_tools.xml
-index b592d50fc..46a3c7d29 100644
---- a/src/man/include/debug_levels_tools.xml
-+++ b/src/man/include/debug_levels_tools.xml
-@@ -81,6 +81,7 @@
- introduced in 1.7.0.
- </para>
- <para>
-- <emphasis>Default</emphasis>: 0
-+ <emphasis>Default</emphasis>: 0x0070 (i.e. 
fatal, critical and serious
-+ failures; corresponds to setting 2 in decimal notation)
- </para>
- </listitem>
-diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
-index d9da05a51..9c2381c81 100644
---- a/src/monitor/monitor.c
-+++ b/src/monitor/monitor.c
-@@ -1435,7 +1435,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Child [%s] terminated with a signal\n", svc->name);
- } else {
-- DEBUG(SSSDBG_FATAL_FAILURE,
-+ DEBUG(SSSDBG_CRIT_FAILURE,
- "Child [%s] did not exit cleanly\n", svc->name);
- /* Forcibly kill this child */
- kill(-svc->pid, SIGKILL);
-@@ -2059,7 +2059,7 @@ static void monitor_sbus_connected(struct tevent_req *req)
-
- ret = sbus_connection_add_path_map(ctx->sbus_conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
- }
-@@ -2271,7 +2271,7 @@ static void mt_svc_restart(struct tevent_context *ev,
- add_new_provider(svc->mt_ctx, svc->name, svc->restarts + 1);
- } else {
- /* Invalid type? 
*/
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- "BUG: Invalid child process type [%d]\n", svc->type);
- }
-
-@@ -2580,14 +2580,14 @@ int main(int argc, const char *argv[])
- switch (ret) {
- case EPERM:
- case EACCES:
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- CONF_FILE_PERM_ERROR_MSG, config_file);
-- sss_log(SSS_LOG_ALERT, CONF_FILE_PERM_ERROR_MSG, config_file);
-+ sss_log(SSS_LOG_CRIT, CONF_FILE_PERM_ERROR_MSG, config_file);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- "SSSD couldn't load the configuration database.\n");
-- sss_log(SSS_LOG_ALERT,
-+ sss_log(SSS_LOG_CRIT,
- "SSSD couldn't load the configuration database [%d]: %s.\n",
- ret, strerror(ret));
- break;
-diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
-index f17de1a9e..704ced4b6 100644
---- a/src/p11_child/p11_child_common.c
-+++ b/src/p11_child/p11_child_common.c
-@@ -125,7 +125,7 @@ static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin)
-
- str = talloc_strndup(mem_ctx, (char *) buf, len);
- if (str == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
- return ENOMEM;
- }
-
-diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
-index 50cfebb4c..c5f324625 100644
---- a/src/p11_child/p11_child_common_utils.c
-+++ b/src/p11_child/p11_child_common_utils.c
-@@ -107,6 +107,9 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
- "Found 'no_verification' option, "
- "disabling verification completely. "
- "This should not be used in production.\n");
-+ sss_log(SSS_LOG_CRIT,
-+ "Smart card certificate verification disabled completely. 
"
-+ "This should not be used in production.");
- cert_verify_opts->do_verification = false;
- } else if (strncasecmp(opts[c], OCSP_DEFAUL_RESPONDER,
- OCSP_DEFAUL_RESPONDER_LEN) == 0) {
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index d81a1a9ea..879b05b65 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -226,7 +226,7 @@ static char *get_issuer_subject_str(TALLOC_CTX *mem_ctx, X509 *cert)
-
- bio_mem = BIO_new(BIO_s_mem());
- if (bio_mem == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "BIO_new failed.\n");
- return NULL;
- }
-
-@@ -591,7 +591,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
- ret = SSL_library_init();
- #endif
- if (ret != 1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize OpenSSL.\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to initialize OpenSSL.\n");
- return EIO;
- }
-
-diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c
-index ab234f4d7..7722af98a 100644
---- a/src/providers/ad/ad_cldap_ping.c
-+++ b/src/providers/ad/ad_cldap_ping.c
-@@ -467,7 +467,7 @@ ad_cldap_ping_domain_send(TALLOC_CTX *mem_ctx,
- domains[0] = discovery_domain;
- domains[1] = NULL;
- if (domains[0] == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Bad argument (discovery_domain)");
- ret = ENOMEM;
- goto done;
- }
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index 624313942..eaa920ca0 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1072,15 +1072,14 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
- }
-
- if (!service->gc->uri) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to append to URI\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "NULL GC URI\n");
- ret = ENOMEM;
- goto done;
- }
- DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri);
-
- if 
(service->gc->sockaddr == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "resolv_get_sockaddr_address failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "NULL GC sockaddr\n");
- ret = EIO;
- goto done;
- }
-@@ -1100,7 +1099,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
- done:
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Error: [%s]\n", strerror(ret));
-+ "Error: %d [%s]\n", ret, strerror(ret));
- }
- talloc_free(tmp_ctx);
- return;
-diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c
-index 71ef16c0b..19fc8acef 100644
---- a/src/providers/ad/ad_dyndns.c
-+++ b/src/providers/ad/ad_dyndns.c
-@@ -63,7 +63,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
- */
- ret = ad_get_dyndns_options(be_ctx, ad_opts);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set AD options\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not get AD dyndns options\n");
- return ret;
- }
-
-@@ -209,8 +209,8 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq)
-
- ret = ldap_url_parse(ctx->service->sdap->uri, &lud);
- if (ret != LDAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to parse ldap URI (%s)!\n", ctx->service->sdap->uri);
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse ldap URI '%s': %d\n",
-+ ctx->service->sdap->uri, ret);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 0eb5416ac..b15e0f345 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -671,7 +671,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
-
- err = sss_idmap_sid_to_smb_sid(idmap_ctx, user_sid, &user_dom_sid);
- if (err != IDMAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_idmap_sid_to_smb_sid() failed for user_sid '%s': %d\n",
-+ user_sid, err);
- return EFAULT;
- }
-
-@@ -684,7 +686,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
-
- err = 
sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid);
- if (err != IDMAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_idmap_sid_to_smb_sid() failed for host_sid '%s': %d\n",
-+ host_sid, err);
- return EFAULT;
- }
-
-@@ -698,7 +702,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
- for (i = 0; i < group_size; i++) {
- err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid);
- if (err != IDMAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_idmap_sid_to_smb_sid() failed for group_sid '%s': %d\n",
-+ group_sids[i], err);
- return EFAULT;
- }
- included = ad_gpo_dom_sid_equal(&ace_dom_sid, group_dom_sid);
-@@ -4777,14 +4783,14 @@ gpo_fork_child(struct tevent_req *req)
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, strerror(errno));
-+ "pipe (from) failed [%d][%s].\n", errno, strerror(errno));
- goto fail;
- }
- ret = pipe(pipefd_to_child);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, strerror(errno));
-+ "pipe (to) failed [%d][%s].\n", errno, strerror(errno));
- goto fail;
- }
-
-diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
-index ce9bbe6f3..6e7137a86 100644
---- a/src/providers/ad/ad_machine_pw_renewal.c
-+++ b/src/providers/ad/ad_machine_pw_renewal.c
-@@ -171,14 +171,14 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx,
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", ret, strerror(ret));
-+ "pipe (from) failed [%d][%s].\n", ret, strerror(ret));
- goto done;
- }
- ret = pipe(pipefd_to_child);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", ret, strerror(ret));
-+ "pipe (to) failed [%d][%s].\n", ret, strerror(ret));
- goto done; 
- }
-
-@@ -354,7 +354,8 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
- }
-
- if (opt_list_size != 2) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Wrong number of renewal options.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Wrong number of renewal options %d\n",
-+ opt_list_size);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
-index 80424b44e..aff47304e 100644
---- a/src/providers/ad/ad_pac.c
-+++ b/src/providers/ad/ad_pac.c
-@@ -120,7 +120,11 @@ errno_t check_if_pac_is_available(TALLOC_CTX *mem_ctx,
-
- ret = find_user_entry(mem_ctx, dom, ar, &msg);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n");
-+ if (ret == ENOENT) {
-+ DEBUG(SSSDBG_FUNC_DATA, "find_user_entry didn't find user entry.\n");
-+ } else {
-+ DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n");
-+ }
- return ret;
- }
-
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index 4c457b7e5..f5b0be6c2 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -299,7 +299,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
-
- subdom_conf_path = subdomain_create_conf_path(id_ctx, subdom);
- if (subdom_conf_path == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "subdomain_create_conf_path failed\n");
- return ENOMEM;
- }
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 2de3b11bb..1a304db37 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1111,7 +1111,8 @@ be_nsupdate_args(TALLOC_CTX *mem_ctx,
- argc++;
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown nsupdate auth type\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown nsupdate auth type %d\n", auth_type);
- goto fail;
- }
-
-diff --git a/src/providers/be_ptask.c b/src/providers/be_ptask.c
-index fb80909a0..fab9e21b8 100644
---- a/src/providers/be_ptask.c
-+++ b/src/providers/be_ptask.c
-@@ 
-251,7 +251,7 @@ static void be_ptask_schedule(struct be_ptask *task,
- task->timer = tevent_add_timer(task->ev, task, tv, be_ptask_execute, task);
- if (task->timer == NULL) {
- /* nothing we can do about it */
-- DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Unable to schedule task [%s]\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to schedule task [%s]\n",
- task->name);
- be_ptask_disable(task);
- }
-diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
-index 01cbf03e2..fdddf8bca 100644
---- a/src/providers/be_refresh.c
-+++ b/src/providers/be_refresh.c
-@@ -125,7 +125,8 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
- base_dn = sysdb_netgroup_base_dn(mem_ctx, domain);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Uknown or unsupported refresh type\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Uknown or unsupported refresh type %d\n", type);
- return ERR_INTERNAL;
- break;
- }
-diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
-index 0858c43d2..90324d74d 100644
---- a/src/providers/data_provider/dp.c
-+++ b/src/providers/data_provider/dp.c
-@@ -109,7 +109,7 @@ dp_init_interface(struct data_provider *provider)
-
- ret = sbus_connection_add_path_map(provider->sbus_conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- }
-
-@@ -196,7 +196,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
- (sbus_server_on_connection_cb)dp_client_init,
- (sbus_server_on_connection_data)state->provider);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to create subrequest!\n");
- ret = ENOMEM;
- goto done;
- }
-diff --git a/src/providers/data_provider/dp_target_sudo.c b/src/providers/data_provider/dp_target_sudo.c
-index db14039c4..59e2358cc 100644
---- a/src/providers/data_provider/dp_target_sudo.c
-+++ 
b/src/providers/data_provider/dp_target_sudo.c
-@@ -42,13 +42,13 @@ static errno_t dp_sudo_parse_message(TALLOC_CTX *mem_ctx,
-
- ret = sbus_iterator_read_u(read_iter, &dp_flags);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse the message (flags)!\n");
- return ret;
- }
-
- ret = sbus_iterator_read_u(read_iter, &sudo_type);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse the message (type)!\n");
- return ret;
- }
-
-@@ -66,13 +66,15 @@ static errno_t dp_sudo_parse_message(TALLOC_CTX *mem_ctx,
- /* read rules_num */
- ret = sbus_iterator_read_u(read_iter, &num_rules);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to parse the message (num rules)!\n");
- return ret;
- }
-
- ret = sbus_iterator_read_as(mem_ctx, read_iter, &rules);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to parse the message (rules)!\n");
- return ret;
- }
- break;
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 10421c6b4..f059a3f96 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -407,7 +407,7 @@ static void check_if_online(struct be_ctx *be_ctx, int delay)
- check_if_online_delayed, be_ctx);
-
- if (time_event == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE,
-+ DEBUG(SSSDBG_CRIT_FAILURE,
- "Scheduling check_if_online_delayed failed.\n");
- goto failed;
- }
-@@ -420,7 +420,6 @@ static void check_if_online(struct be_ctx *be_ctx, int delay)
-
- failed:
- be_ctx->check_online_ref_count--;
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to run a check_online test.\n");
-
- if (be_ctx->check_online_ref_count == 0) {
- reset_fo(be_ctx);
-@@ -629,7 +628,7 @@ static void dp_initialized(struct tevent_req *req)
-
- 
ret = be_register_monitor_iface(be_ctx->mon_conn, be_ctx);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register monitor interface "
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register monitor interface "
- "[%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
-index 8dc09f5b2..0dfbb04b0 100644
---- a/src/providers/data_provider_fo.c
-+++ b/src/providers/data_provider_fo.c
-@@ -651,7 +651,7 @@ errno_t be_resolve_server_process(struct tevent_req *subreq,
- srvaddr = fo_get_server_hostent(state->srv);
- if (!srvaddr) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "FATAL: No hostent available for server (%s)\n",
-+ "No hostent available for server (%s)\n",
- fo_get_server_str_name(state->srv));
- return EFAULT;
- }
-diff --git a/src/providers/data_provider_opts.c b/src/providers/data_provider_opts.c
-index 9db43fc40..bb543ae4f 100644
---- a/src/providers/data_provider_opts.c
-+++ b/src/providers/data_provider_opts.c
-@@ -233,7 +233,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
- }
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to retrieve value for option (%s)\n",
-+ "Failed to copy value for option (%s)\n",
- opts[i].opt_name);
- goto done;
- }
-@@ -249,7 +249,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
- }
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to retrieve value for option (%s)\n",
-+ "Failed to copy value for option (%s)\n",
- opts[i].opt_name);
- goto done;
- }
-@@ -265,7 +265,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
- }
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to retrieve value for option (%s)\n",
-+ "Failed to copy value for option (%s)\n",
- opts[i].opt_name);
- goto done;
- }
-diff --git a/src/providers/data_provider_req.h b/src/providers/data_provider_req.h
-index f2e05797f..75f7f9713 100644
---- a/src/providers/data_provider_req.h
-+++ b/src/providers/data_provider_req.h
-@@ -39,6 +39,7 
@@
- #define BE_REQ_USER_AND_GROUP 0x0012
- #define BE_REQ_BY_UUID 0x0013
- #define BE_REQ_BY_CERT 0x0014
-+#define BE_REQ__LAST BE_REQ_BY_CERT /* must be equal to max REQ number */
- #define BE_REQ_TYPE_MASK 0x00FF
-
- /**
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index 59fc20692..54d2b4164 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -395,7 +395,7 @@ static errno_t refresh_override_attrs(struct files_id_ctx *id_ctx,
- override_attrs, &count, &msgs);
- if (ret != EOK) {
- if (ret == ENOENT) {
-- DEBUG(SSSDBG_OP_FAILURE, "No overrides, nothing to do.\n");
-+ DEBUG(SSSDBG_TRACE_FUNC, "No overrides, nothing to do.\n");
- ret = EOK;
- } else {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
-diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
-index 375b6f885..4a6727c97 100644
---- a/src/providers/ipa/ipa_access.c
-+++ b/src/providers/ipa/ipa_access.c
-@@ -671,7 +671,7 @@ static void ipa_pam_access_handler_done(struct tevent_req *subreq)
- talloc_free(subreq);
-
- if (ret == ENOENT) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC rules find, denying access\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC rules found, denying access\n");
- state->pd->pam_status = PAM_PERM_DENIED;
- goto done;
- } else if (ret != EOK) {
-diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
-index 1211ba4c9..8cadb9249 100644
---- a/src/providers/ipa/ipa_common.c
-+++ b/src/providers/ipa/ipa_common.c
-@@ -781,8 +781,7 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
- dp_opt_get_string(ipa_opts->auth,
- KRB5_REALM));
- if (value == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n",
-- ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name);
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -851,7 +850,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
- srvaddr =
fo_get_server_hostent(server);
- if (!srvaddr) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "FATAL: No hostent available for server (%s)\n",
-+ "No hostent available for server (%s)\n",
- fo_get_server_str_name(server));
- talloc_free(tmp_ctx);
- return;
-diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
-index 31e53d24d..1fee41a36 100644
---- a/src/providers/ipa/ipa_hbac_common.c
-+++ b/src/providers/ipa/ipa_hbac_common.c
-@@ -423,7 +423,7 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
- ret = sysdb_initgroups(tmp_ctx, domain, username, &res);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret));
-+ "sysdb_initgroups() failed [%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-
-diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c
-index 79088ff66..387e915cd 100644
---- a/src/providers/ipa/ipa_hbac_services.c
-+++ b/src/providers/ipa/ipa_hbac_services.c
-@@ -487,7 +487,7 @@ hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx,
- /* Original DN matched a single service. Get the service name */
- name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
- if (name == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute IPA_CN is missing!\n");
- ret = EFAULT;
- goto done;
- }
-@@ -523,7 +523,7 @@ hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx,
- /* Original DN matched a single group.
Get the groupname */
- name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
- if (name == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute IPA_CN is missing!\n");
- ret = EFAULT;
- goto done;
- }
-diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
-index 2801a3162..25850eac0 100644
---- a/src/providers/ipa/ipa_hbac_users.c
-+++ b/src/providers/ipa/ipa_hbac_users.c
-@@ -124,7 +124,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
- if (strcasecmp("cn", account_comp_name) != 0) {
- /* The third component name is not "cn" */
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Expected cn in second component, got %s\n", account_comp_name);
-+ "Expected cn in third component, got %s\n", account_comp_name);
- ret = ERR_UNEXPECTED_ENTRY_TYPE;
- goto done;
- }
-@@ -135,7 +135,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
- account_comp_val->length) != 0) {
- /* The third component value is not "accounts" */
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Expected cn accounts second component, got %s\n",
-+ "Expected accounts third component, got %s\n",
- (const char *) account_comp_val->data);
- ret = ERR_UNEXPECTED_ENTRY_TYPE;
- goto done;
-diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
-index 9253514a3..2cbe0c9c7 100644
---- a/src/providers/ipa/ipa_id.c
-+++ b/src/providers/ipa/ipa_id.c
-@@ -266,7 +266,7 @@ ipa_initgr_get_overrides_send(TALLOC_CTX *memctx,
- }
- state->groups_id_attr = talloc_strdup(state, groups_id_attr);
- if (state->groups_id_attr == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
-diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
-index a4d58e3bd..afdd6fdd0 100644
---- a/src/providers/ipa/ipa_init.c
-+++ b/src/providers/ipa/ipa_init.c
-@@ -317,10 +317,10 @@ static errno_t ipa_init_client_mode(struct be_ctx *be_ctx,
- ret =
sysdb_get_view_name(ipa_id_ctx, be_ctx->domain->sysdb,
- &ipa_id_ctx->view_name);
- if (ret == ENOENT) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find view name in the cache. "
-+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find view name in the cache. "
- "Will do online lookup later.\n");
- } else if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name() failed [%d]: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_get_view_name() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- return ret;
- }
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index c3e1acb48..fb93c6233 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -2224,7 +2224,8 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
-
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected request type.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unexpected request type %d.\n", state->request_type);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
-index 5cb02de86..760349134 100644
---- a/src/providers/ipa/ipa_selinux.c
-+++ b/src/providers/ipa/ipa_selinux.c
-@@ -681,7 +681,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, sss_strerror(errno));
-+ "pipe (from) failed [%d][%s].\n", errno, sss_strerror(errno));
- return ret;
- }
-
-@@ -689,7 +689,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, sss_strerror(errno));
-+ "pipe (to) failed [%d][%s].\n", errno, sss_strerror(errno));
- return ret;
- }
-
-diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
-index 6672cb349..935393ccd 100644
---- a/src/providers/ipa/ipa_session.c
-+++ b/src/providers/ipa/ipa_session.c
-@@ -570,7 +570,7 @@
ipa_pam_session_handler_done(struct tevent_req *subreq)
- talloc_free(subreq);
-
- if (ret == ENOENT) {
-- DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n");
-+ DEBUG(SSSDBG_FUNC_DATA, "No Desktop Profile rules found\n");
- if (!state->session_ctx->no_rules_found) {
- state->session_ctx->no_rules_found = true;
- state->session_ctx->last_request = time(NULL);
-@@ -668,7 +668,7 @@ ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx,
-
- if (res->count != 1) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sysdb_getpwnam() got more users than expected. "
-+ "sysdb_getpwnam() returned unexpected amount of users. "
- "Expected [%d], got [%d]\n", 1, res->count);
- ret = EINVAL;
- goto done;
-diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
-index c730c3317..790ae9d16 100644
---- a/src/providers/ipa/ipa_subdomains_ext_groups.c
-+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
-@@ -840,7 +840,8 @@ static void ipa_add_ad_memberships_get_next(struct tevent_req *req)
- }
-
- if (missing_groups) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "There are unresolved external group "
-+ /* this might be HBAC or sudo rule */
-+ DEBUG(SSSDBG_FUNC_DATA, "There are unresolved external group "
- "memberships even after all groups "
- "have been looked up on the LDAP "
- "server.\n");
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index 36f32fae8..46d496258 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -506,7 +506,13 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
- break;
- default:
- ret = EINVAL;
-- DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n");
-+ if (state->entry_type > BE_REQ__LAST) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type %d.\n",
-+ state->entry_type);
-+ } else {
-+ DEBUG(SSSDBG_TRACE_FUNC, "Unhandled sub-domain request type %d.\n",
-+ state->entry_type);
-+
}
- }
- if (ret != EOK) goto fail;
-
-@@ -1027,6 +1033,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
- const char *homedir = NULL;
- struct ldb_message_element *msg_el = NULL;
- size_t c;
-+ const char *category = NULL;
-+ size_t length = 0;
-+ bool user_class = true;
-
- msg_el = ldb_msg_find_element(msg, SYSDB_OBJECTCATEGORY);
- if (msg_el == NULL) {
-@@ -1039,12 +1048,15 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
- * case of a MPG group lookup if SYSDB_OBJECTCATEGORY is SYSDB_GROUP_CLASS.
- */
- for (c = 0; c < msg_el->num_values; c++) {
-- if (strncmp(SYSDB_USER_CLASS, (const char *)msg_el->values[c].data,
-- msg_el->values[c].length) == 0
-- || (sss_domain_is_mpg(dom)
-- && strncmp(SYSDB_GROUP_CLASS,
-- (const char *)msg_el->values[c].data,
-- msg_el->values[c].length) == 0)) {
-+ category = (const char *)msg_el->values[c].data;
-+ length = msg_el->values[c].length;
-+ if (strncmp(SYSDB_USER_CLASS, category, length) == 0) {
-+ user_class = true;
-+ break;
-+ }
-+ if (sss_domain_is_mpg(dom)
-+ && strncmp(SYSDB_GROUP_CLASS, category, length) == 0) {
-+ user_class = false;
- break;
- }
- }
-@@ -1064,8 +1076,12 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
-
- uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
- if (uid == 0) {
-- DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is not known.\n",
-- fqname);
-+ if (user_class) {
-+ DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is unknown\n", fqname);
-+ } else {
-+ DEBUG(SSSDBG_TRACE_INTERNAL,
-+ "No UID for object [%s], perhaps mpg\n", fqname);
-+ }
- ret = ENOENT;
- goto done;
- }
-@@ -1309,7 +1325,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
-
- state->object_sid = talloc_strdup(state, sid);
- if (state->object_sid == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto fail;
- }
-@@ -1521,7 +1537,7 @@ static
errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
-
- state->ar->filter_value = talloc_strdup(state->ar, obj_name);
- if (state->ar->filter_value == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- return ENOMEM;
- }
- state->ar->filter_type = BE_FILTER_NAME;
-diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
-index fcdd05322..deb2c2cee 100644
---- a/src/providers/ipa/ipa_subdomains_server.c
-+++ b/src/providers/ipa/ipa_subdomains_server.c
-@@ -513,7 +513,7 @@ static void ipa_getkeytab_exec(const char *ccache,
-
- gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache);
- if (gkt_env[0] == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to format KRB5CCNAME\n");
- exit(1);
- }
-
-@@ -522,7 +522,7 @@ static void ipa_getkeytab_exec(const char *ccache,
- ret = unlink(keytab_path);
- if (ret == -1) {
- ret = errno;
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to unlink the temporary ccname [%d][%s]\n",
- ret, sss_strerror(ret));
- exit(1);
-@@ -533,12 +533,12 @@ static void ipa_getkeytab_exec(const char *ccache,
- "-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
- gkt_env);
-
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- "execle returned %d, this shouldn't happen!\n", ret);
-
- /* The child should never end up here */
- ret = errno;
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_FATAL_FAILURE,
- "execle failed [%d][%s].\n", ret, sss_strerror(ret));
- exit(1);
- }
-@@ -748,7 +748,8 @@ static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req)
-
- state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab);
- if (state->new_keytab == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot set up ipa_get_keytab.
talloc_asprintf() failed\n");
- return ENOMEM;
- }
-
-diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c
-index 931770922..1b881d085 100644
---- a/src/providers/ipa/ipa_sudo.c
-+++ b/src/providers/ipa/ipa_sudo.c
-@@ -223,7 +223,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx,
- ipa_sudorule_map, IPA_OPTS_SUDORULE,
- &sudo_ctx->sudorule_map);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (rule) "
- "[%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-@@ -232,7 +232,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx,
- ipa_sudocmdgroup_map, IPA_OPTS_SUDOCMDGROUP,
- &sudo_ctx->sudocmdgroup_map);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (cmdgroup) "
- "[%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-@@ -241,7 +241,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx,
- ipa_sudocmd_map, IPA_OPTS_SUDOCMD,
- &sudo_ctx->sudocmd_map);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (cmd) "
- "[%d]: %s\n", ret, sss_strerror(ret));
- goto done;
- }
-@@ -250,16 +250,16 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx,
- CONFDB_SUDO_THRESHOLD, CONFDB_DEFAULT_SUDO_THRESHOLD,
- &sudo_ctx->sudocmd_threshold);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n");
-- return ret;
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not get sudo threshold\n");
-+ goto done;
- }
-
- ret = sdap_parse_search_base(sudo_ctx, sudo_ctx->sdap_opts->basic,
- SDAP_SUDO_SEARCH_BASE,
- &sudo_ctx->sudo_sb);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n");
-- return ret;
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse sudo search base\n");
-+ goto done;
- }
-
- ret = ipa_sudo_ptask_setup(be_ctx, sudo_ctx);
-diff --git
a/src/providers/ipa/ipa_sudo_async.c b/src/providers/ipa/ipa_sudo_async.c
-index 1d7a69814..c531ecbf9 100644
---- a/src/providers/ipa/ipa_sudo_async.c
-+++ b/src/providers/ipa/ipa_sudo_async.c
-@@ -520,7 +520,7 @@ ipa_sudo_fetch_addtl_cmdgroups_done(struct tevent_req *subreq)
- goto done;
- }
-
-- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu additional command groups\n",
-+ DEBUG(SSSDBG_FUNC_DATA, "Received %zu additional command groups\n",
- num_attrs);
-
- ret = ipa_sudo_filter_rules_bycmdgroups(state, state->domain, attrs,
-@@ -609,7 +609,7 @@ ipa_sudo_fetch_rules_done(struct tevent_req *subreq)
- goto done;
- }
-
-- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n", num_attrs);
-+ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo rules\n", num_attrs);
-
- ret = ipa_sudo_conv_rules(state->conv, attrs, num_attrs);
- if (ret != EOK) {
-@@ -689,7 +689,7 @@ ipa_sudo_fetch_cmdgroups_done(struct tevent_req *subreq)
- goto done;
- }
-
-- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo command groups\n",
-+ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo command groups\n",
- num_attrs);
-
- ret = ipa_sudo_conv_cmdgroups(state->conv, attrs, num_attrs);
-@@ -769,7 +769,7 @@ ipa_sudo_fetch_cmds_done(struct tevent_req *subreq)
- goto done;
- }
-
-- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo commands\n", num_attrs);
-+ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo commands\n", num_attrs);
-
- ret = ipa_sudo_conv_cmds(state->conv, attrs, num_attrs);
- if (ret != EOK) {
-@@ -1109,7 +1109,7 @@ done:
- if (in_transaction) {
- sret = sysdb_transaction_cancel(state->sysdb);
- if (sret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
- }
- }
-
-diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
-index b5fc49379..bd1ec72b3 100644
---- a/src/providers/ipa/ipa_sudo_conversion.c
-+++ b/src/providers/ipa/ipa_sudo_conversion.c
-@@ -801,7 +801,7 @@
convert_host(TALLOC_CTX *mem_ctx,
- *skip_entry = true;
- return NULL;
- } else if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
- value, ret, sss_strerror(ret));
- return NULL;
- }
-@@ -841,7 +841,7 @@ convert_user(TALLOC_CTX *mem_ctx,
- *skip_entry = true;
- return NULL;
- } else if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
- value, ret, sss_strerror(ret));
- return NULL;
- }
-@@ -904,7 +904,7 @@ convert_group(TALLOC_CTX *mem_ctx,
- *skip_entry = true;
- return NULL;
- } else if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
- value, ret, sss_strerror(ret));
- return NULL;
- }
-diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
-index 2a918bdc8..e1090d03b 100644
---- a/src/providers/ipa/ipa_views.c
-+++ b/src/providers/ipa/ipa_views.c
-@@ -232,7 +232,7 @@ static errno_t get_dp_id_data_for_xyz(TALLOC_CTX *mem_ctx, const char *val,
- ar->filter_value = talloc_strdup(ar, val);
- ar->domain = talloc_strdup(ar, domain_name);
- if (ar->filter_value == NULL || ar->domain == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- talloc_free(ar);
- return ENOMEM;
- }
-@@ -471,7 +471,7 @@ static void ipa_get_ad_override_done(struct tevent_req *subreq)
-
- ret = ipa_get_ad_override_qualify_name(state);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot qualify object name\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot qualify object name\n");
- goto fail;
- }
-
-diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
-index be9068c0f..2ae5abe14 100644
---- a/src/providers/krb5/krb5_access.c
-+++
b/src/providers/krb5/krb5_access.c
-@@ -78,7 +78,8 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
- }
-
- if (pd->cmd != SSS_PAM_ACCT_MGMT) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected pam task.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unexpected pam task %d.\n", pd->cmd);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index a1c0b3640..699c2467b 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -499,7 +499,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
- /* handle empty password gracefully */
- if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Illegal zero-length authtok for user [%s]\n",
-+ "Illegal empty authtok for user [%s]\n",
- pd->user);
- state->pam_status = PAM_AUTH_ERR;
- state->dp_err = DP_ERR_OK;
-@@ -854,7 +854,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
- ret = EOK;
- goto done;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM task\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM task %d\n", pd->cmd);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index cab7b27a2..06fdf7156 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -258,7 +258,7 @@ static void sss_krb5_expire_callback_func(krb5_context context, void *data,
-
- blob = talloc_array(kr->pd, uint32_t, 2);
- if (blob == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
- return;
- }
-
-@@ -525,7 +525,8 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
- out_token, out_pin);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok));
- }
-
- return EINVAL;
-@@ -1087,7 +1088,7 @@ static errno_t
pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,
-
- buf = talloc_array(mem_ctx, uint8_t, size);
- if (!buf) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Insufficient memory to create message.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed\n");
- return ENOMEM;
- }
-
-@@ -1958,13 +1959,12 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
- &msg_len, &msg);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pack_user_info_chpass_error failed.\n");
-+ "pack_user_info_chpass_error failed [%d]\n", ret);
- } else {
- ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len,
- msg);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pam_add_response failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
- }
- }
- return kerr;
-@@ -2036,13 +2036,12 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
- &user_resp_len, &user_resp);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pack_user_info_chpass_error failed.\n");
-+ "pack_user_info_chpass_error failed [%d]\n", ret);
- } else {
- ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, user_resp_len,
- user_resp);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pam_add_response failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
- }
- }
- }
-@@ -2448,7 +2447,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
-
- pd = create_pam_data(kr);
- if (pd == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "create_pam_data failed.\n");
- return ENOMEM;
- }
- kr->pd = pd;
-@@ -3110,7 +3109,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
-
- kr->creds = calloc(1, sizeof(krb5_creds));
- if (kr->creds == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
- return ENOMEM;
- }
-
-@@ -3345,7 +3344,7 @@ int main(int argc, const char *argv[])
-
- kr = talloc_zero(NULL, struct krb5_req);
- if (kr == NULL) {
--
DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -3403,7 +3402,7 @@ int main(int argc, const char *argv[])
-
- ret = k5c_setup(kr, offline);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child_setup failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_setup failed.\n");
- goto done;
- }
-
-diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
-index 37f4304e8..01777e22b 100644
---- a/src/providers/krb5/krb5_child_handler.c
-+++ b/src/providers/krb5/krb5_child_handler.c
-@@ -449,14 +449,14 @@ static errno_t fork_child(struct tevent_req *req)
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, strerror(errno));
-+ "pipe (from) failed [%d][%s].\n", errno, strerror(errno));
- goto fail;
- }
- ret = pipe(pipefd_to_child);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", errno, strerror(errno));
-+ "pipe (to) failed [%d][%s].\n", errno, strerror(errno));
- goto fail;
- }
-
-diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
-index 5c11c347b..316603946 100644
---- a/src/providers/krb5/krb5_common.c
-+++ b/src/providers/krb5/krb5_common.c
-@@ -793,7 +793,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
-
- krb5_service = talloc_get_type(private_data, struct krb5_service);
- if (!krb5_service) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Bad private_data\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Bad private_data\n");
- return;
- }
-
-@@ -1110,7 +1110,7 @@ void remove_krb5_info_files_callback(void *pvt)
- ctx->kdc_service_name);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "be_fo_run_callbacks_at_next_request failed, "
-+ "be_fo_run_callbacks_at_next_request(kdc_service_name) failed, "
- "krb5 info files will not be removed, because "
- "it is unclear if they will be recreated
properly.\n");
- return;
-@@ -1120,7 +1120,7 @@ void remove_krb5_info_files_callback(void *pvt)
- ctx->kpasswd_service_name);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "be_fo_run_callbacks_at_next_request failed, "
-+ "be_fo_run_callbacks_at_next_request(kpasswd_service_name) failed, "
- "krb5 info files will not be removed, because "
- "it is unclear if they will be recreated properly.\n");
- return;
-diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
-index 8572d1249..07d375b9d 100644
---- a/src/providers/krb5/krb5_delayed_online_authentication.c
-+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -173,7 +173,7 @@ static errno_t authenticate_stored_users(
- ret = hash_lookup(uid_table, &key, &value);
-
- if (ret == HASH_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is still logged in, "
-+ DEBUG(SSSDBG_FUNC_DATA, "User [%s] is still logged in, "
- "trying online authentication.\n", pd->user);
-
- auth_data = talloc_zero(deferred_auth_ctx->be_ctx,
-@@ -193,7 +193,7 @@ static errno_t authenticate_stored_users(
- }
- }
- } else {
-- DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is not logged in anymore, "
-+ DEBUG(SSSDBG_FUNC_DATA, "User [%s] is not logged in anymore, "
- "discarding online authentication.\n", pd->user);
- talloc_free(pd);
- }
-diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
-index 8b2159e92..d79e7c367 100644
---- a/src/providers/krb5/krb5_renew_tgt.c
-+++ b/src/providers/krb5/krb5_renew_tgt.c
-@@ -405,7 +405,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
-
- base_dn = sysdb_user_base_dn(tmp_ctx, renew_tgt_ctx->be_ctx->domain);
- if (base_dn == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_base_dn failed.\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -440,7 +440,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx
*renew_tgt_ctx)
-
- ret = sss_parse_internal_fqname(tmp_ctx, user_name, NULL, &user_dom);
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE,
-+ DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot parse internal fqname [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
-diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
-index e3f8f2140..43056ba28 100644
---- a/src/providers/krb5/krb5_utils.c
-+++ b/src/providers/krb5/krb5_utils.c
-@@ -287,7 +287,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
- name = sss_output_name(tmp_ctx, kr->pd->user, case_sensitive, 0);
- if (name == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sss_get_cased_name failed\n");
-+ "sss_output_name failed\n");
- goto done;
- }
-
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 89ff4ece0..42ef962b4 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -64,7 +64,7 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
-
- data = talloc_array(pd, uint32_t, 2);
- if (data == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
- return ENOMEM;
- }
-
-@@ -249,7 +249,8 @@ errno_t check_pwexpire_policy(enum pwexpire pw_expire_type,
- ret = EOK;
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown password expiration type %d.\n", pw_expire_type);
- ret = EINVAL;
- }
-
-@@ -1355,9 +1356,10 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
- case PWEXPIRE_NONE:
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");
-- state->pd->pam_status = PAM_SYSTEM_ERR;
-- goto done;
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown password expiration type %d.\n", pw_expire_type);
-+ state->pd->pam_status = PAM_SYSTEM_ERR;
-+ goto done;
- }
- }
-
-diff --git a/src/providers/ldap/ldap_child.c
b/src/providers/ldap/ldap_child.c
-index 84941c6e4..8580e2785 100644
---- a/src/providers/ldap/ldap_child.c
-+++ b/src/providers/ldap/ldap_child.c
-@@ -223,7 +223,7 @@ static int lc_verify_keytab_ex(const char *principal,
- /* This should never happen. The API docs for this function
- * specify only success for this function
- */
-- DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not free keytab entry contents\n");
- /* This is non-fatal, so we'll continue here */
- }
-
-diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
-index cd589a7c0..2ad8680a1 100644
---- a/src/providers/ldap/ldap_init.c
-+++ b/src/providers/ldap/ldap_init.c
-@@ -43,8 +43,8 @@ struct ldap_init_ctx {
- };
-
- /* Please use this only for short lists */
--errno_t check_order_list_for_duplicates(char **list,
-- bool case_sensitive)
-+static errno_t check_order_list_for_duplicates(char **list,
-+ bool case_sensitive)
- {
- size_t c;
- size_t d;
-diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
-index d06d3980e..bb51785fb 100644
---- a/src/providers/ldap/ldap_options.c
-+++ b/src/providers/ldap/ldap_options.c
-@@ -408,14 +408,15 @@ int ldap_get_options(TALLOC_CTX *memctx,
- sss_erase_talloc_mem_securely(cleartext);
- talloc_free(cleartext);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_blob(authtok) failed.\n");
- goto done;
- }
-
- ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
- "password");
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "dp_opt_set_string(authtok_type) failed.\n");
- goto done;
- }
- }
-@@ -629,7 +630,8 @@ int ldap_get_autofs_options(TALLOC_CTX *memctx,
- default_entry_map = rfc2307bis_autofs_entry_map;
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown LDAP schema!\n");
-+
DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown LDAP schema %d!\n", opts->schema_type);
- return EINVAL;
- }
-
-diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
-index 7cb00480d..32c0144b9 100644
---- a/src/providers/ldap/sdap.c
-+++ b/src/providers/ldap/sdap.c
-@@ -371,7 +371,7 @@ int sdap_get_map(TALLOC_CTX *memctx,
-
- if (map[i].def_name && !map[i].name) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to retrieve value for %s\n", map[i].opt_name);
-+ "Failed to process value for %s\n", map[i].opt_name);
- talloc_zfree(map);
- return EINVAL;
- }
-@@ -532,7 +532,8 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
- if (!vals) {
- ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
- if (lerrno != LDAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "ldap_get_values_len() failed: %d(%s)\n",
- lerrno, sss_ldap_err2string(lerrno));
- ret = EIO;
- goto done;
-@@ -613,7 +614,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
-
- ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
- if (lerrno) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_get_option() failed: %d(%s)\n",
- lerrno, sss_ldap_err2string(lerrno));
- ret = EIO;
- goto done;
-@@ -884,7 +885,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
- }
- else {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown value for tls_reqcert.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown value for tls_reqcert '%s'.\n", tls_opt);
- return EINVAL;
- }
- /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option,
-@@ -893,7 +895,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- &ldap_opt_x_tls_require_cert);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(req_cert) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-@@ -903,7 +906,8 @@
errno_t setup_tls_config(struct dp_option *basic_opts)
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(cacertfile) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-@@ -913,7 +917,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(cacertdir) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-@@ -923,7 +928,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(certfile) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-@@ -933,7 +939,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(keyfile) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-@@ -943,7 +950,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
-+ "ldap_set_option(cipher) failed: %s\n",
-+ sss_ldap_err2string(ret));
- return EIO;
- }
- }
-diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
-index dd04ec512..8add97ba8 100644
---- a/src/providers/ldap/sdap_access.c
-+++ b/src/providers/ldap/sdap_access.c
-@@
-317,7 +317,8 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
-
- default:
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Unexpected access rule type. Access denied.\n");
-+ "Unexpected access rule type %d. Access denied.\n",
-+ state->access_ctx->access_rule[state->current_rule]);
- ret = ERR_ACCESS_DENIED;
- }
-
-@@ -1220,13 +1221,13 @@ static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
- attrs = sysdb_new_attrs(NULL);
- if (attrs == NULL) {
- ret = ENOMEM;
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create attrs\n");
- goto done;
- }
-
- ret = sysdb_attrs_add_bool(attrs, attr_name, value);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attr value\n");
- goto done;
- }
-
-@@ -1787,7 +1788,7 @@ errno_t sdap_access_ppolicy_step(struct tevent_req *req)
- false);
-
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_ppolicy_send failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -1913,7 +1914,7 @@ static void sdap_access_ppolicy_step_done(struct tevent_req *subreq)
- ret = sdap_access_decide_offline(state->cached_access);
- } else {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sdap_get_generic_send() returned error [%d][%s]\n",
-+ "sdap_id_op_done() returned error [%d][%s]\n",
- ret, sss_strerror(ret));
- }
-
-diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
-index 68d5d44f8..cc77fb249 100644
---- a/src/providers/ldap/sdap_async.c
-+++ b/src/providers/ldap/sdap_async.c
-@@ -749,7 +749,7 @@ sdap_modify_send(TALLOC_CTX *mem_ctx,
-
- ret = ldap_modify_ext(state->sh->ldap, dn, mods, NULL, NULL, &msgid);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send operation!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_modify_ext() failed [%d]\n", ret);
- goto done;
- }
-
-@@ -2120,7 +2120,7 @@ static
int sdap_x_deref_create_control(struct sdap_handle *sh,
-
- ret = ldap_create_deref_control_value(sh->ldap, ds, &derefval);
- if (ret != LDAP_SUCCESS) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed: %s\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_create_deref_control_value failed: %s\n",
- ldap_err2string(ret));
- return ret;
- }
-@@ -2129,7 +2129,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh,
- 1, &derefval, 1, ctrl);
- ldap_memfree(derefval.bv_val);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed %d\n", ret);
- return ret;
- }
-
-@@ -2875,7 +2875,8 @@ static void sdap_deref_search_done(struct tevent_req *subreq)
- &state->reply_count, &state->reply);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown deref method\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unknown deref method %d\n", state->deref_type);
- tevent_req_error(req, EINVAL);
- return;
- }
-diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
-index eaca0324e..ae2fa33e1 100644
---- a/src/providers/ldap/sdap_async_autofs.c
-+++ b/src/providers/ldap/sdap_async_autofs.c
-@@ -720,7 +720,7 @@ sdap_autofs_setautomntent_send(TALLOC_CTX *memctx,
- dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
- if (!subreq) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_automntmap_send failed\n");
- ret = ENOMEM;
- goto fail;
- }
-diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
-index 5f69cedcc..eead3f119 100644
---- a/src/providers/ldap/sdap_async_connection.c
-+++ b/src/providers/ldap/sdap_async_connection.c
-@@ -694,10 +694,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
- LDAP_OPT_RESULT_CODE, &ldap_err);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_bind failed (couldn't get ldap error)\n");
-+
"ldap_sasl_bind failed (couldn't get ldap error)\n");
- ret = LDAP_LOCAL_ERROR;
- } else {
-- DEBUG(SSSDBG_CRIT_FAILURE, "ldap_bind failed (%d)[%s]\n",
-+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_sasl_bind failed (%d)[%s]\n",
- ldap_err, sss_ldap_err2string(ldap_err));
- ret = ldap_err;
- }
-@@ -988,7 +988,7 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
- (*sdap_sasl_interact), state);
- if (ret != LDAP_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "ldap_sasl_bind failed (%d)[%s]\n",
-+ "ldap_sasl_interactive_bind_s failed (%d)[%s]\n",
- ret, sss_ldap_err2string(ret));
-
- optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
-diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
-index 5dbfd73c4..16c4a5f37 100644
---- a/src/providers/ldap/sdap_async_groups.c
-+++ b/src/providers/ldap/sdap_async_groups.c
-@@ -883,10 +883,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
- const char *check_name;
-
- if (dom->ignore_group_members) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Group members are ignored, nothing to do.
If you see this " \
-- "message it might indicate an error in the group processing " \
-- "logic.\n");
-+ DEBUG(SSSDBG_TRACE_FUNC, "Group members are ignored, nothing to do.\n");
- return EOK;
- }
-
-@@ -978,7 +975,12 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
- ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
- discard_const(remove_attrs));
- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
-+ if (ret != ENOENT) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
-+ } else {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "sysdb_remove_attrs failed for missing entry\n");
-+ }
- goto fail;
- }
- } else {
-@@ -1014,7 +1016,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
- return EOK;
-
- fail:
-- DEBUG(SSSDBG_OP_FAILURE,
-+ DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to save members of group %s\n", group_name);
- return ret;
- }
-@@ -1130,8 +1132,13 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
- /* Do not fail completely on errors.
- * Just report the failure to save and go on */
- if (ret) {
-- DEBUG(SSSDBG_OP_FAILURE,
-- "Failed to store group %d members.\n", i);
-+ if (ret != ENOENT) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Failed to store group %d members: %d\n", i, ret);
-+ } else {
-+ DEBUG(SSSDBG_FUNC_DATA,
-+ "Can't save members of missing group %d\n", i);
-+ }
- } else {
- DEBUG(SSSDBG_TRACE_ALL, "Group %d members processed!\n", i);
- }
-@@ -1270,7 +1277,7 @@ sdap_process_group_send(TALLOC_CTX *memctx,
-
- /* Group without members */
- if (el->num_values == 0) {
-- DEBUG(SSSDBG_OP_FAILURE, "No Members. Done!\n");
-+ DEBUG(SSSDBG_FUNC_DATA, "No Members. Done!\n");
- ret = EOK;
- goto done;
- }
-@@ -2249,7 +2256,7 @@ static void sdap_nested_done(struct tevent_req *subreq)
-
- if (hash_count(state->missing_external) == 0) {
- /* No external members.
Processing complete */
-- DEBUG(SSSDBG_TRACE_INTERNAL, "No external members, done");
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "No external members, done\n");
- tevent_req_done(req);
- return;
- }
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index 4b5b36403..bf8f9482b 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -345,7 +345,7 @@ int sdap_initgr_common_store(struct sysdb_ctx *sysdb,
- add_groups, ldap_groups,
- ldap_groups_count);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete users failed\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete groups failed\n");
- goto done;
- }
- }
-@@ -1043,6 +1043,10 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq)
- state->groups[state->groups_cur] = talloc_steal(state->groups,
- groups[0]);
- state->groups_cur++;
-+ } else if (count == 0) {
-+ /* this might be HBAC or sudo rule */
-+ DEBUG(SSSDBG_FUNC_DATA, "Object %s not found. Skipping\n",
-+ state->group_dns[state->cur]);
- } else {
- DEBUG(SSSDBG_OP_FAILURE,
- "Search for group %s, returned %zu results. Skipping\n",
-diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
-index eb3e779ed..80ac4c1f4 100644
---- a/src/providers/ldap/sdap_async_initgroups_ad.c
-+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
-@@ -378,7 +378,7 @@ static void sdap_ad_resolve_sids_done(struct tevent_req *subreq)
- /* Group was not found, we will ignore the error and continue with
- * next group. This may happen for example if the group is built-in,
- * but a custom search base is provided.
*/
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_MINOR_FAILURE,
- "Unable to resolve SID %s - will try next sid.\n",
- state->current_sid);
- } else if (ret != EOK || sdap_error != EOK || dp_error != DP_ERR_OK) {
-diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
-index 5473e1df8..28b65b639 100644
---- a/src/providers/ldap/sdap_async_sudo.c
-+++ b/src/providers/ldap/sdap_async_sudo.c
-@@ -111,7 +111,7 @@ static void sdap_sudo_load_sudoers_done(struct tevent_req *subreq)
- return;
- }
-
-- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n",
-+ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo rules\n",
- state->num_rules);
-
- tevent_req_done(req);
-@@ -665,7 +665,7 @@ done:
- if (in_transaction) {
- sret = sysdb_transaction_cancel(state->sysdb);
- if (sret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
- }
- }
-
-diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
-index 9d25aea8b..480efc41b 100644
---- a/src/providers/ldap/sdap_child_helpers.c
-+++ b/src/providers/ldap/sdap_child_helpers.c
-@@ -95,14 +95,14 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", ret, strerror(ret));
-+ "pipe(from) failed [%d][%s].\n", ret, strerror(ret));
- goto fail;
- }
- ret = pipe(pipefd_to_child);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pipe failed [%d][%s].\n", ret, strerror(ret));
-+ "pipe(to) failed [%d][%s].\n", ret, strerror(ret));
- goto fail;
- }
-
-@@ -332,7 +332,7 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
-
- ret = set_tgt_child_timeout(req, ev, timeout);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "activate_child_timeout_handler failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "set_tgt_child_timeout failed.\n");
- goto fail;
- }
-
-diff --git
a/src/providers/ldap/sdap_hostid.c b/src/providers/ldap/sdap_hostid.c
-index d90a83854..ae8caaddb 100644
---- a/src/providers/ldap/sdap_hostid.c
-+++ b/src/providers/ldap/sdap_hostid.c
-@@ -166,7 +166,7 @@ hosts_get_done(struct tevent_req *subreq)
- }
-
- if (state->count == 0) {
-- DEBUG(SSSDBG_OP_FAILURE,
-+ DEBUG(SSSDBG_FUNC_DATA,
- "No host with name [%s] found.\n", state->name);
-
- ret = sysdb_delete_ssh_host(state->domain, state->name);
-diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
-index 6c803f31d..b8d76f8a5 100644
---- a/src/providers/ldap/sdap_id_op.c
-+++ b/src/providers/ldap/sdap_id_op.c
-@@ -563,7 +563,7 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
- "is enabled.\n");
- } else {
- /* be is going offline as there is no more servers to try */
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_OP_FAILURE,
- "Failed to connect, going offline (%d [%s])\n",
- ret, strerror(ret));
- is_offline = true;
-diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
-index 926ce98f4..0e6fc8ea8 100644
---- a/src/providers/proxy/proxy_auth.c
-+++ b/src/providers/proxy/proxy_auth.c
-@@ -68,7 +68,7 @@ static struct tevent_req *proxy_child_send(TALLOC_CTX *mem_ctx,
-
- req = tevent_req_create(mem_ctx, &state, struct proxy_child_ctx);
- if (req == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not send PAM request to child\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
- return NULL;
- }
-
-@@ -391,7 +391,7 @@ static void proxy_child_init_done(struct tevent_req *subreq) {
- */
- sig_ctx = talloc_zero(child_ctx->auth_ctx, struct proxy_child_sig_ctx);
- if(sig_ctx == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
- tevent_req_error(req, ENOMEM);
- return;
- }
-@@ -753,7 +753,7 @@ proxy_pam_handler_send(TALLOC_CTX *mem_ctx,
- pd->pam_status = PAM_SUCCESS;
- goto immediately;
- default:
--
DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported PAM task.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported PAM task %d\n", pd->cmd);
- pd->pam_status = PAM_MODULE_UNKNOWN;
- goto immediately;
- }
-diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
-index dc06f4669..bb96ec0f4 100644
---- a/src/providers/proxy/proxy_child.c
-+++ b/src/providers/proxy/proxy_child.c
-@@ -270,7 +270,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
- }
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "unknown PAM call\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "unknown PAM call %d\n", pd->cmd);
- pam_status=PAM_ABORT;
- }
-
-@@ -383,13 +383,13 @@ proxy_cli_init(struct pc_ctx *ctx)
- ret = sss_iface_connect_address(ctx, ctx->ev, sbus_cliname, sbus_address,
- NULL, &ctx->conn);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to %s\n", sbus_address);
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to connect to %s\n", sbus_address);
- goto done;
- }
-
- ret = sbus_connection_add_path_map(ctx->conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
- }
-@@ -580,7 +580,7 @@ int main(int argc, const char *argv[])
- return 3;
- }
-
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_IMPORTANT_INFO,
- "Proxy child for domain [%s] started!\n", domain);
-
- /* loop on main */
-diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c
-index 09ebf3bda..5a4fbcde1 100644
---- a/src/providers/proxy/proxy_client.c
-+++ b/src/providers/proxy/proxy_client.c
-@@ -116,7 +116,7 @@ proxy_client_init(struct sbus_connection *conn,
-
- ret = sbus_connection_add_path_map(conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- }
-
-diff --git
a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
-index 82394862c..f36386089 100644
---- a/src/providers/proxy/proxy_id.c
-+++ b/src/providers/proxy/proxy_id.c
-@@ -170,7 +170,7 @@ handle_getpw_result(enum nss_status status, struct passwd *pwd,
- switch (status) {
- case NSS_STATUS_NOTFOUND:
-
-- DEBUG(SSSDBG_MINOR_FAILURE, "User not found.\n");
-+ DEBUG(SSSDBG_TRACE_FUNC, "User not found.\n");
- *del_user = true;
- break;
-
-@@ -979,9 +979,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx,
- grp = talloc(tmpctx, struct group);
- if (!grp) {
- ret = ENOMEM;
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "proxy -> getgrnam_r failed for '%s': [%d] %s\n",
-- i_name, ret, strerror(ret));
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc() failed\n");
- goto done;
- }
-
-diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c
-index 07f05ff17..294a4b882 100644
---- a/src/resolv/async_resolv.c
-+++ b/src/resolv/async_resolv.c
-@@ -177,7 +177,7 @@ add_timeout_timer(struct tevent_context *ev, struct resolv_ctx *ctx)
- ctx->timeout_watcher = tevent_add_timer(ev, ctx, tv, check_fd_timeouts,
- ctx);
- if (ctx->timeout_watcher == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer() failed\n");
- }
- }
-
-diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
-index a802ed5d0..27de1b44a 100644
---- a/src/responder/autofs/autofssrv.c
-+++ b/src/responder/autofs/autofssrv.c
-@@ -85,7 +85,7 @@ autofs_register_service_iface(struct autofs_ctx *autofs_ctx,
-
- ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface"
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
- "[%d]: %s\n", ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
-index 6d51e75ac..7c8090993 100644
----
a/src/responder/autofs/autofssrv_cmd.c
-+++ b/src/responder/autofs/autofssrv_cmd.c
-@@ -477,7 +477,7 @@ sss_autofs_cmd_setautomntent(struct cli_ctx *cli_ctx)
- autofs_ctx->rctx->ncache, 0, NULL,
- cmd_ctx->mapname);
- if (req == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_autofs_map_by_name_send failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -685,7 +685,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *cli_ctx)
-
- req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx, cmd_ctx->mapname);
- if (req == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "autofs_setent_send failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -886,7 +886,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *cli_ctx)
- cmd_ctx->mapname,
- cmd_ctx->keyname);
- if (req == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_autofs_entry_by_name_send failed\n");
- ret = ENOMEM;
- goto done;
- }
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index 0c8538414..c6902f842 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -1187,7 +1187,7 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain,
- cr->data->name.input);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_inp_send() failed\n");
- return ENOMEM;
- }
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
-index a740fbb8d..83d00f775 100644
---- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
-@@
-47,8 +47,8 @@ cache_req_object_by_name_well_known(TALLOC_CTX *mem_ctx,
- }
-
- if (domname == NULL || name == NULL) {
-- CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, "Unable to split [%s] in "
-- "name and odmain part. Skipping detection of "
-+ CACHE_REQ_DEBUG(SSSDBG_FUNC_DATA, cr, "Unable to split [%s] in "
-+ "name and domain part. Skipping detection of "
- "well-known name.\n", data->name.input);
- return ENOENT;
- }
-diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
-index e8d298546..7061d018a 100644
---- a/src/responder/common/responder_common.c
-+++ b/src/responder/common/responder_common.c
-@@ -116,7 +116,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
- if (ret != EOK) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "getsock failed [%d][%s].\n", ret, strerror(ret));
-+ "getsockopt failed [%d][%s].\n", ret, strerror(ret));
- return ret;
- }
- if (client_cred_len != sizeof(struct ucred)) {
-@@ -805,7 +805,7 @@ sss_dp_on_reconnect(struct sbus_connection *conn,
- SSS_BUS_PATH,
- be_conn->cli_name);
- if (req == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sbus_call_dp_client_Register_send() failed\n");
- return;
- }
-
-diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
-index 10939600d..e551b0fff 100644
---- a/src/responder/common/responder_get_domains.c
-+++ b/src/responder/common/responder_get_domains.c
-@@ -630,7 +630,7 @@ static void sss_parse_inp_done(struct tevent_req *subreq)
- state->rawinp,
- &state->domname, &state->name);
- if (ret == EAGAIN && state->domname != NULL && state->name == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE,
-+ DEBUG(SSSDBG_FUNC_DATA,
- "Unknown domain in [%s]\n", state->rawinp);
- state->error = ERR_DOMAIN_NOT_FOUND;
- } else if (ret != EOK) {
-diff --git a/src/responder/common/responder_iface.c b/src/responder/common/responder_iface.c
-index 911cd6cc0..aaa765950 100644
---- a/src/responder/common/responder_iface.c
-+++ b/src/responder/common/responder_iface.c
-@@ -127,7 +127,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn,
-
- ret = sbus_connection_add_path_map(conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- }
-
-@@ -151,7 +151,7 @@ sss_resp_register_service_iface(struct resp_ctx *rctx)
-
- ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface"
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
- "[%d]: %s\n", ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/ifp/ifp_iface/ifp_iface.c b/src/responder/ifp/ifp_iface/ifp_iface.c
-index a3385091b..833cf6843 100644
---- a/src/responder/ifp/ifp_iface/ifp_iface.c
-+++ b/src/responder/ifp/ifp_iface/ifp_iface.c
-@@ -264,7 +264,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
-
- ret = sbus_connection_add_path_map(conn, paths);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n",
- ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
-index 17d7692d3..7407ee07b 100644
---- a/src/responder/ifp/ifpsrv.c
-+++ b/src/responder/ifp/ifpsrv.c
-@@ -67,7 +67,7 @@ sysbus_init(TALLOC_CTX *mem_ctx,
- sysbus = sbus_connect_system(mem_ctx, ev, dbus_name,
- &ifp_ctx->rctx->last_request_time);
- if (sysbus == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to system bus!\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to connect to system bus!\n");
- return ERR_NO_SYSBUS;
- }
-
-@@ -75,13 +75,13 @@ sysbus_init(TALLOC_CTX *mem_ctx,
-
- ret = ifp_register_sbus_interface(sysbus, ifp_ctx);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not register
interfaces\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not register interfaces\n");
- goto done;
- }
-
- ret = ifp_register_nodes(ifp_ctx, sysbus);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not register nodes factories\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not register nodes factories\n");
- goto done;
- }
-
-@@ -148,7 +148,7 @@ ifp_register_service_iface(struct ifp_ctx *ifp_ctx,
-
- ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface"
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
- "[%d]: %s\n", ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c
-index ebc4c2118..3b3df7bc0 100644
---- a/src/responder/ifp/ifpsrv_util.c
-+++ b/src/responder/ifp/ifpsrv_util.c
-@@ -341,7 +341,7 @@ immediately:
- list_ctx->paths = talloc_realloc(list_ctx, list_ctx->paths, const char *,
- list_ctx->paths_max + 1);
- if (list_ctx->paths == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc() failed\n");
- ret = ENOMEM;
- goto done;
- }
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index eac955b4a..844776c5f 100644
---- a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -121,7 +121,7 @@ static errno_t nss_getby_name(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, memcache, rawname, 0);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -187,7 +187,7 @@ static errno_t nss_getby_id(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, memcache, NULL, id);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent
request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -240,7 +240,7 @@ static errno_t nss_getby_svc(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, SSS_MC_NONE, NULL, 0);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- return ENOMEM;
- }
-
-@@ -376,7 +376,7 @@ static errno_t nss_getby_cert(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, SSS_MC_NONE, NULL, 0);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -433,7 +433,7 @@ static errno_t nss_getby_sid(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, SSS_MC_NONE, NULL, 0);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -488,7 +488,7 @@ static errno_t nss_getby_addr(struct cli_ctx *cli_ctx,
- subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx,
- data, memcache, NULL, 0);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -640,7 +640,7 @@ static errno_t nss_setent(struct cli_ctx *cli_ctx,
-
- subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, enum_ctx);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setent_send() failed\n");
- return ENOMEM;
- }
-
-@@ -697,7 +697,7 @@ static errno_t nss_getent(struct cli_ctx *cli_ctx,
-
- subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx,
type, enum_ctx);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create setent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setent_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -829,7 +829,7 @@ static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
- subreq = nss_setnetgrent_send(cli_ctx, cli_ctx->ev, cli_ctx, type,
- nss_ctx->netgrent, state_ctx->netgroup);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setnetgrent_send() failed\n");
- ret = ENOMEM;
- goto done;
- }
-@@ -904,7 +904,7 @@ static errno_t nss_getnetgrent(struct cli_ctx *cli_ctx,
- cmd_ctx->nss_ctx->netgrent,
- cmd_ctx->state_ctx->netgroup);
- if (subreq == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setnetgrent_send() failed\n");
- return ENOMEM;
- }
-
-diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
-index a47b35fca..ab2ba926d 100644
---- a/src/responder/nss/nss_iface.c
-+++ b/src/responder/nss/nss_iface.c
-@@ -67,7 +67,7 @@ nss_update_initgr_memcache(struct nss_ctx *nctx,
- ret = sysdb_initgroups(tmp_ctx, dom, fq_name, &res);
- if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Failed to make request to our cache!
[%d][%s]\n",
-+ "sysdb_initgroups() failed [%d][%s]\n",
- ret, strerror(ret));
- goto done;
- }
-@@ -234,7 +234,7 @@ nss_register_backend_iface(struct sbus_connection *conn,
-
- ret = sbus_connection_add_path(conn, SSS_BUS_PATH, &iface);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface"
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
- "[%d]: %s\n", ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
-index 1e9959c72..274d43007 100644
---- a/src/responder/nss/nss_protocol_netgr.c
-+++ b/src/responder/nss/nss_protocol_netgr.c
-@@ -159,7 +159,7 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
- ret = nss_protocol_fill_netgr_member(packet, entry, &rp);
- break;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected value type!\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected value type %d!\n", entry->type);
- ret = ERR_INTERNAL;
- break;
- }
-diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
-index 31a2750b1..e80104e3d 100644
---- a/src/responder/nss/nsssrv.c
-+++ b/src/responder/nss/nsssrv.c
-@@ -347,7 +347,7 @@ nss_register_service_iface(struct nss_ctx *nss_ctx,
-
- ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface"
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface"
- "[%d]: %s\n", ret, sss_strerror(ret));
- }
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index d3f092b2b..c526f665b 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -138,7 +138,7 @@ static void inform_user(struct pam_data* pd, const char *pam_message)
- ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "pack_user_info_account_expired failed.\n");
-+ "pack_user_info_msg failed.\n");
- } else
{
- ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg);
- if (ret != EOK) {
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index e1fd72e64..bf285c264 100644
---- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -425,7 +425,7 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
- }
- }
- if (pctx->smartcard_services[c] == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_CONF_SETTINGS,
- "Smartcard authentication for service [%s] not supported.\n",
- pd->service);
- return false;
-@@ -810,7 +810,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
- } else if (pd->cmd == SSS_PAM_PREAUTH) {
- extra_args[arg_c++] = "--pre";
- } else {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd);
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d].\n", pd->cmd);
- ret = EINVAL;
- goto done;
- }
-diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
-index 91a84c51b..a92cf524b 100644
---- a/src/sbus/router/sbus_router_handler.c
-+++ b/src/sbus/router/sbus_router_handler.c
-@@ -239,7 +239,8 @@ sbus_signal_handler(struct sbus_connection *conn,
- list = sbus_router_listeners_lookup(router->listeners, meta->interface,
- meta->member);
- if (list == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "We do not listen to this signal!\n");
-+ /* Most probably not fully initialized yet */
-+ DEBUG(SSSDBG_FUNC_DATA, "We do not listen to this signal!\n");
- return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
- }
-
-diff --git a/src/sss_iface/sss_iface.c b/src/sss_iface/sss_iface.c
-index e20c14fea..ed70e30eb 100644
---- a/src/sss_iface/sss_iface.c
-+++ b/src/sss_iface/sss_iface.c
-@@ -116,8 +116,8 @@ sss_iface_connect_address(TALLOC_CTX *mem_ctx,
-
- conn = sbus_connect_private(mem_ctx, ev, address,
- conn_name, last_request_time);
-- if (conn == NULL) {
-- return ENOMEM;
-+ if (conn == NULL) { /* most probably sbus_dbus_connect_address() failed */
-+ return EFAULT;
- }
-
- *_conn = conn;
-diff --git a/src/util/child_common.c b/src/util/child_common.c
-index 5cac725ca..7e8c30552 100644
---- a/src/util/child_common.c
-+++ b/src/util/child_common.c
-@@ -768,7 +768,7 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
- binary, extra_argv, extra_args_only,
- &argv);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "prepare_child_argv.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "prepare_child_argv() failed.\n");
- exit(EXIT_FAILURE);
- }
-
-diff --git a/src/util/debug.h b/src/util/debug.h
-index 20db0f5e4..43d36720f 100644
---- a/src/util/debug.h
-+++ b/src/util/debug.h
-@@ -91,8 +91,8 @@ int get_fd_from_debug_file(void);
- /* enables all debug levels;
- 0x0800 isn't used for historical reasons: 0x1FFF0 - 0x0800 = 0x1F7F0
- */
--#define SSSDBG_MASK_ALL 0x1F7F0
--#define SSSDBG_DEFAULT SSSDBG_FATAL_FAILURE
-+#define SSSDBG_MASK_ALL 0x1F7F0
-+#define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE)
-
- #define SSSDBG_TIMESTAMP_UNRESOLVED -1
- #define SSSDBG_TIMESTAMP_DEFAULT 1
-diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index 4d4726daa..57157861e 100644
---- a/src/util/domain_info_utils.c
-+++ b/src/util/domain_info_utils.c
-@@ -207,7 +207,7 @@ find_domain_by_object_name_ex(struct sss_domain_info *domain,
- ret = sss_parse_internal_fqname(tmp_ctx, object_name,
- NULL, &domainname);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
-+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
- object_name, ret, sss_strerror(ret));
- goto done;
- }
-diff --git a/src/util/server.c b/src/util/server.c
-index b27cbc155..869ed62a6 100644
---- a/src/util/server.c
-+++ b/src/util/server.c
-@@ -374,7 +374,7 @@ static void te_server_hup(struct tevent_context *ev,
- struct logrotate_ctx *lctx =
- talloc_get_type(private_data, struct logrotate_ctx);
-
-- DEBUG(SSSDBG_CRIT_FAILURE, "Received SIGHUP.
Rotating logfiles.\n");
-+ DEBUG(SSSDBG_IMPORTANT_INFO, "Received SIGHUP. Rotating logfiles.\n");
-
- ret = server_common_rotate_logs(lctx->confdb, lctx->confdb_path);
- if (ret != EOK) {
-@@ -462,6 +462,7 @@ int server_setup(const char *name, int flags,
- int watchdog_interval;
- pid_t my_pid;
- char *pidfile_name;
-+ int cfg_debug_level = SSSDBG_INVALID;
-
- my_pid = getpid();
- ret = setpgid(my_pid, my_pid);
-@@ -588,20 +589,20 @@ int server_setup(const char *name, int flags,
- /* set debug level if any in conf_entry */
- ret = confdb_get_int(ctx->confdb_ctx, conf_entry,
- CONFDB_SERVICE_DEBUG_LEVEL,
-- SSSDBG_UNRESOLVED,
-- &debug_level);
-+ SSSDBG_INVALID,
-+ &cfg_debug_level);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) "
- "[%s]\n", ret, strerror(ret));
- return ret;
- }
-
-- if (debug_level == SSSDBG_UNRESOLVED) {
-+ if (cfg_debug_level == SSSDBG_INVALID) {
- /* Check for the `debug` alias */
- ret = confdb_get_int(ctx->confdb_ctx, conf_entry,
- CONFDB_SERVICE_DEBUG_LEVEL_ALIAS,
- SSSDBG_DEFAULT,
-- &debug_level);
-+ &cfg_debug_level);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) "
- "[%s]\n", ret, strerror(ret));
-@@ -609,7 +610,7 @@ int server_setup(const char *name, int flags,
- }
- }
-
-- debug_level = debug_convert_old_level(debug_level);
-+ debug_level = debug_convert_old_level(cfg_debug_level);
- }
-
- /* same for debug timestamps */
-@@ -678,6 +679,8 @@ int server_setup(const char *name, int flags,
- return ret;
- }
- }
-+ DEBUG(SSSDBG_IMPORTANT_INFO,
-+ "Starting with debug level = %#.4x\n", debug_level);
-
- /* Setup the internal watchdog */
- ret = confdb_get_int(ctx->confdb_ctx, conf_entry,
-diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
-index c6504ae13..8944e2c4e 100644
---- a/src/util/sss_sockets.c
-+++ b/src/util/sss_sockets.c
-@@ -322,7 +322,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx,
-
- ret = set_fcntl_flags(state->sd,
FD_CLOEXEC, O_NONBLOCK);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "settting fd flags failed.\n");
-+ DEBUG(SSSDBG_CRIT_FAILURE, "setting fd flags failed.\n");
- goto fail;
- }
-
-diff --git a/src/util/string_utils.c b/src/util/string_utils.c
-index 1215ec96a..f54395a59 100644
---- a/src/util/string_utils.c
-+++ b/src/util/string_utils.c
-@@ -90,7 +90,7 @@ errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf,
- int ret;
-
- if (blob == NULL || str_buf == NULL || buf_size < GUID_STR_BUF_SIZE) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Buffer too small.\n");
-+ DEBUG(SSSDBG_OP_FAILURE, "Buffer too small.\n");
- return EINVAL;
- }
-
-diff --git a/src/util/util_errors.c b/src/util/util_errors.c
-index 05a66d293..b5c7419a9 100644
---- a/src/util/util_errors.c
-+++ b/src/util/util_errors.c
-@@ -165,6 +165,7 @@ errno_t sss_ldb_error_to_errno(int ldberr)
- case LDB_ERR_OPERATIONS_ERROR:
- return EIO;
- case LDB_ERR_NO_SUCH_OBJECT:
-+ case LDB_ERR_NO_SUCH_ATTRIBUTE:
- return ENOENT;
- case LDB_ERR_BUSY:
- return EBUSY;
-@@ -174,7 +175,7 @@ errno_t sss_ldb_error_to_errno(int ldberr)
- case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
- return EINVAL;
- default:
-- DEBUG(SSSDBG_CRIT_FAILURE,
-+ DEBUG(SSSDBG_MINOR_FAILURE,
- "LDB returned unexpected error: [%i]\n",
- ldberr);
- return EFAULT;
---
-2.21.3
-
diff --git a/SOURCES/0020-sss_format.h-include-config.h.patch b/SOURCES/0020-sss_format.h-include-config.h.patch
deleted file mode 100644
index e237096..0000000
--- a/SOURCES/0020-sss_format.h-include-config.h.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 45f2eb57dc9068cba13099cab90f1be3f3455442 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Fri, 2 Oct 2020 14:04:24 +0200
-Subject: [PATCH 20/27] sss_format.h: include config.h
-
-config.h is required for the definitions to work correctly. Compilation
-will fail if sss_format.h is included in a file that does not include
-directly or indirectly config.h
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/util/sss_format.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/util/sss_format.h b/src/util/sss_format.h
-index 5cf080842..9a3041704 100644
---- a/src/util/sss_format.h
-+++ b/src/util/sss_format.h
-@@ -27,6 +27,8 @@
- #ifndef __SSS_FORMAT_H__
- #define __SSS_FORMAT_H__
-
-+#include "config.h"
-+
- #include <inttypes.h>
-
- /* key_serial_t is defined in keyutils.h as typedef int32_t */
---
-2.21.3
-
diff --git a/SOURCES/0021-packet-add-sss_packet_set_body.patch b/SOURCES/0021-packet-add-sss_packet_set_body.patch
deleted file mode 100644
index 5311316..0000000
--- a/SOURCES/0021-packet-add-sss_packet_set_body.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 3b0e48c33c6b43688ff46fed576266cfe6362595 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 8 Oct 2020 13:25:17 +0200
-Subject: [PATCH 21/27] packet: add sss_packet_set_body
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/responder/common/responder_packet.c | 19 +++++++++++++++++++
- src/responder/common/responder_packet.h | 5 +++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
-index ab15b1dac..f56d92276 100644
---- a/src/responder/common/responder_packet.c
-+++ b/src/responder/common/responder_packet.c
-@@ -302,6 +302,25 @@ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen
- *blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
- }
-
-+errno_t sss_packet_set_body(struct sss_packet *packet,
-+ uint8_t *body,
-+ size_t blen)
-+{
-+ uint8_t *pbody;
-+ size_t plen;
-+ errno_t ret;
-+
-+ ret = sss_packet_grow(packet, blen);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ sss_packet_get_body(packet, &pbody, &plen);
-+ memcpy(pbody, body, blen);
-+
-+ return EOK;
-+}
-+
- void sss_packet_set_error(struct sss_packet *packet, int error)
- {
- SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
-diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
-index afceb4aae..509a22a9a 100644
---- a/src/responder/common/responder_packet.h
-+++ b/src/responder/common/responder_packet.h
-@@ -42,4 +42,9 @@ uint32_t sss_packet_get_status(struct sss_packet *packet);
- void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
- void sss_packet_set_error(struct sss_packet *packet, int error);
-
-+/* Grow packet and set its body.
*/
-+errno_t sss_packet_set_body(struct sss_packet *packet,
-+ uint8_t *body,
-+ size_t blen);
-+
- #endif /* __SSSSRV_PACKET_H__ */
---
-2.21.3
-
diff --git a/SOURCES/0022-domain-store-hostname-and-keytab-path.patch b/SOURCES/0022-domain-store-hostname-and-keytab-path.patch
deleted file mode 100644
index 27628e6..0000000
--- a/SOURCES/0022-domain-store-hostname-and-keytab-path.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 6715b31f2e12c7f76cfb477551cee46e697c7d51 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 8 Oct 2020 13:25:58 +0200
-Subject: [PATCH 22/27] domain: store hostname and keytab path
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/confdb/confdb.c | 45 +++++++++++++++++++++++++++++++++++++++
- src/confdb/confdb.h | 6 ++++++
- src/db/sysdb_subdomains.c | 12 +++++++++++
- 3 files changed, 63 insertions(+)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index d2fc018fd..f981ddf1e 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -871,6 +871,35 @@ done:
- return ret;
- }
-
-+static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx,
-+ struct ldb_result *res,
-+ const char *provider)
-+{
-+ char sys[HOST_NAME_MAX + 1] = {'\0'};
-+ const char *opt = NULL;
-+ int ret;
-+
-+ if (strcasecmp(provider, "ad") == 0) {
-+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL);
-+ } else if (strcasecmp(provider, "ipa") == 0) {
-+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL);
-+ }
-+
-+ if (opt != NULL) {
-+ return talloc_strdup(mem_ctx, opt);
-+ }
-+
-+ ret = gethostname(sys, sizeof(sys));
-+ if (ret != 0) {
-+ ret = errno;
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret,
-+ sss_strerror(ret));
-+ return NULL;
-+ }
-+
-+ return talloc_strdup(mem_ctx, sys);
-+}
-+
- static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- TALLOC_CTX *mem_ctx,
- const char *name,
-@@ -1536,6 +1565,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- goto done;
- }
-
-+ domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider);
-+ if (domain->hostname == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n");
-+ goto done;
-+ }
-+
-+ domain->krb5_keytab = NULL;
-+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
"krb5_keytab", NULL);
-+ if (tmp != NULL) {
-+ domain->krb5_keytab = talloc_strdup(domain, tmp);
-+ if (domain->krb5_keytab == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n");
-+ goto done;
-+ }
-+ }
-+
- domain->has_views = false;
- domain->view_name = NULL;
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index fd6d76cde..54e3f7380 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -425,6 +425,12 @@ struct sss_domain_info {
- /* Do not use the _output_fqnames property directly in new code, but rather
- * use sss_domain_info_{get,set}_output_fqnames(). */
- bool output_fqnames;
-+
-+ /* Hostname associated with this domain. */
-+ const char *hostname;
-+
-+ /* Keytab used by this domain. */
-+ const char *krb5_keytab;
- };
-
- /**
-diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
-index d256817a6..5b42f9bdc 100644
---- a/src/db/sysdb_subdomains.c
-+++ b/src/db/sysdb_subdomains.c
-@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
- }
- }
-
-+ dom->hostname = talloc_strdup(dom, parent->hostname);
-+ if (dom->hostname == NULL && parent->hostname != NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n");
-+ goto fail;
-+ }
-+
-+ dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab);
-+ if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n");
-+ goto fail;
-+ }
-+
- dom->enumerate = enumerate;
- dom->fqnames = true;
- dom->mpg_mode = mpg_mode;
---
-2.21.3
-
diff --git a/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch b/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch
deleted file mode 100644
index 168f8b6..0000000
--- a/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From a3e2677f919c6b1b1649ad80cc3435b4bb2efc0d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 10 Dec 2020 19:28:58 +0100
-Subject: [PATCH 23/27] cache_req: add helper to call user by upn search
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/responder/common/cache_req/cache_req.h | 13 +++++++++++
- .../cache_req/plugins/cache_req_user_by_upn.c | 23 +++++++++++++++++++
- 2 files changed, 36 insertions(+)
-
-diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
-index d36cb2d3b..d301a076e 100644
---- a/src/responder/common/cache_req/cache_req.h
-+++ b/src/responder/common/cache_req/cache_req.h
-@@ -277,6 +277,19 @@ cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
- #define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
- cache_req_single_domain_recv(mem_ctx, req, _result)
-
-+struct tevent_req *
-+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct resp_ctx *rctx,
-+ struct sss_nc_ctx *ncache,
-+ int cache_refresh_percent,
-+ enum cache_req_dom_type req_dom_type,
-+ const char *domain,
-+ const char *upn);
-+
-+#define cache_req_user_by_upn_recv(mem_ctx, req, _result) \
-+ cache_req_single_domain_recv(mem_ctx, req, _result);
-+
- struct tevent_req *
- cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
-index e08ab70ae..037994c8c 100644
---- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
-@@ -133,3 +133,26 @@ const struct cache_req_plugin cache_req_user_by_upn = {
- .dp_get_domain_send_fn = NULL,
- .dp_get_domain_recv_fn = NULL,
- };
-+
-+struct tevent_req *
-+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct resp_ctx *rctx,
-+ struct sss_nc_ctx *ncache,
-+ int cache_refresh_percent,
-+ enum cache_req_dom_type req_dom_type,
-+ const char *domain,
-+ const char *upn)
-+{
-+ struct cache_req_data *data;
-+
-+ data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_UPN, upn);
-+ if (data == NULL) {
-+ return NULL;
-+ }
-+
-+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
-+ cache_refresh_percent,
-+ req_dom_type, domain,
-+ data);
-+}
---
-2.21.3
-
diff --git a/SOURCES/0024-pam-fix-typo-in-debug-message.patch b/SOURCES/0024-pam-fix-typo-in-debug-message.patch
deleted file mode 100644
index 25167e1..0000000
--- a/SOURCES/0024-pam-fix-typo-in-debug-message.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From dcc42015f7ada1c4e4daed17e2c8087e29cb7616 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 1 Oct 2020 14:02:44 +0200
-Subject: [PATCH 24/27] pam: fix typo in debug message
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/responder/pam/pamsrv_cmd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 1d0251497..acbfc0c39 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1941,7 +1941,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
- talloc_zfree(req);
- if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
-- "data from the backened.\n");
-+ "data from the backend.\n");
- }
-
- DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
---
-2.21.3
-
diff --git a/SOURCES/0025-pam-add-pam_gssapi_services-option.patch b/SOURCES/0025-pam-add-pam_gssapi_services-option.patch
deleted file mode 100644
index 7c90067..0000000
--- a/SOURCES/0025-pam-add-pam_gssapi_services-option.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Fri, 9 Oct 2020 13:03:54 +0200
-Subject: [PATCH 25/27] pam: add pam_gssapi_services option
-
-:config: Added `pam_gssapi_services` to list PAM services
- that can authenticate using GSSAPI
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/confdb/confdb.c | 12 +++++++++++
- src/confdb/confdb.h | 4 ++++
- src/config/SSSDConfig/sssdoptions.py | 1 +
- src/config/SSSDConfigTest.py | 6 ++++--
- src/config/cfg_rules.ini | 3 +++
- src/config/etc/sssd.api.conf | 2 ++
- src/db/sysdb_subdomains.c | 13 ++++++++++++
- src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++
- src/responder/pam/pamsrv.c | 21 +++++++++++++++++++
- src/responder/pam/pamsrv.h | 3 +++
- 10 files changed, 93 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index f981ddf1e..7f1956d6d 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- }
- }
-
-+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
-+ "-");
-+ if (tmp != NULL) {
-+ ret = split_on_separator(domain, tmp, ',', true, true,
-+ &domain->gssapi_services, NULL);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
-+ goto done;
-+ }
-+ }
-+
- domain->has_views = false;
- domain->view_name = NULL;
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 54e3f7380..7a3bc8bb5 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -144,6 +144,7 @@
- #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
- #define CONFDB_PAM_P11_URI "p11_uri"
- #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
-+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
-
- /* SUDO */
- #define
CONFDB_SUDO_CONF_ENTRY "config/sudo"
-@@ -431,6 +432,9 @@ struct sss_domain_info {
-
- /* Keytab used by this domain. */
- const char *krb5_keytab;
-+
-+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
-+ char **gssapi_services;
- };
-
- /**
-diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
-index de96db6f4..f59fe8d9f 100644
---- a/src/config/SSSDConfig/sssdoptions.py
-+++ b/src/config/SSSDConfig/sssdoptions.py
-@@ -104,6 +104,7 @@ class SSSDOptions(object):
- 'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
- 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
- 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
-+ 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
-
- # [sudo]
- 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
-diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
-index 323be5ed3..21fffe1b6 100755
---- a/src/config/SSSDConfigTest.py
-+++ b/src/config/SSSDConfigTest.py
-@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- 'full_name_format',
- 're_expression',
- 'cached_auth_timeout',
-- 'auto_private_groups']
-+ 'auto_private_groups',
-+ 'pam_gssapi_services']
-
- self.assertTrue(type(options) == dict,
- "Options should be a dictionary")
-@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- 'full_name_format',
- 're_expression',
- 'cached_auth_timeout',
-- 'auto_private_groups']
-+ 'auto_private_groups',
-+ 'pam_gssapi_services']
-
- self.assertTrue(type(options) == dict,
- "Options should be a dictionary")
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index 773afd8bb..c6dfd5648 100644
---- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
-
option = p11_wait_for_card_timeout
- option = p11_uri
- option = pam_initgroups_scheme
-+option = pam_gssapi_services
-
- [rule/allowed_sudo_options]
- validator = ini_allowed_options
-@@ -437,6 +438,7 @@ option = wildcard_limit
- option = full_name_format
- option = re_expression
- option = auto_private_groups
-+option = pam_gssapi_services
-
- #Entry cache timeouts
- option = entry_cache_user_timeout
-@@ -831,6 +833,7 @@ option = ad_backup_server
- option = ad_site
- option = use_fully_qualified_names
- option = auto_private_groups
-+option = pam_gssapi_services
-
- [rule/sssd_checks]
- validator = sssd_checks
-diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
-index 623160ffd..f46f3c46d 100644
---- a/src/config/etc/sssd.api.conf
-+++ b/src/config/etc/sssd.api.conf
-@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
- p11_wait_for_card_timeout = int, None, false
- p11_uri = str, None, false
- pam_initgroups_scheme = str, None, false
-+pam_gssapi_services = str, None, false
-
- [sudo]
- # sudo service
-@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
- full_name_format = str, None, false
- re_expression = str, None, false
- auto_private_groups = str, None, false
-+pam_gssapi_services = str, None, false
-
- #Entry cache timeouts
- entry_cache_user_timeout = int, None, false
-diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
-index 5b42f9bdc..bfc6df0f5 100644
---- a/src/db/sysdb_subdomains.c
-+++ b/src/db/sysdb_subdomains.c
-@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
- dom->homedir_substr = parent->homedir_substr;
- dom->override_gid = parent->override_gid;
-
-+ dom->gssapi_services = parent->gssapi_services;
-+
- if (parent->sysdb == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
- goto fail;
-@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
- sd_conf_path, CONFDB_DOMAIN_FQ,
- subdomain->fqnames ?
"TRUE" : "FALSE");
-
-+ /* allow to set pam_gssapi_services */
-+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
-+ CONFDB_PAM_GSSAPI_SERVICES,
-+ &subdomain->gssapi_services);
-+ if (ret != EOK && ret != ENOENT) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Failed to get %s option for the subdomain: %s\n",
-+ CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
-+ goto done;
-+ }
-+
- ret = EOK;
- done:
- talloc_free(tmp_ctx);
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index d247400bf..db9dd4677 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
- </para>
- </listitem>
- </varlistentry>
-+ <varlistentry>
-+ <term>pam_gssapi_services</term>
-+ <listitem>
-+ <para>
-+ Comma separated list of PAM services that are
-+ allowed to try GSSAPI authentication using
-+ pam_sss_gss.so module.
-+ </para>
-+ <para>
-+ To disable GSSAPI authentication, set this option
-+ to <quote>-</quote> (dash).
-+ </para>
-+ <para>
-+ Note: This option can also be set per-domain which
-+ overwrites the value in [pam] section. It can also
-+ be set for trusted domain which overwrites the value
-+ in the domain section.
-+ </para>
-+ <para>
-+ Example:
-+ <programlisting>
-+pam_gssapi_services = sudo, sudo-i
-+ </programlisting>
-+ </para>
-+ <para>
-+ Default: - (GSSAPI authentication is disabled)
-+ </para>
-+ </listitem>
-+ </varlistentry>
- </variablelist>
- </refsect2>
-
-@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
- <para>ad_backup_server,</para>
- <para>ad_site,</para>
- <para>use_fully_qualified_names</para>
-+ <para>pam_gssapi_services</para>
- <para>
- For more details about these options see their individual description
- in the manual page.
-diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
-index 1f1ee608b..0492569c7 100644
---- a/src/responder/pam/pamsrv.c
-+++ b/src/responder/pam/pamsrv.c
-@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
- }
- }
-
-+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
-+ CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "Failed to determine gssapi services.\n");
-+ goto done;
-+ }
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
-+ CONFDB_PAM_GSSAPI_SERVICES);
-+
-+ if (tmpstr != NULL) {
-+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
-+ &pctx->gssapi_services, NULL);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "split_on_separator() failed [%d]: [%s].\n", ret,
-+ sss_strerror(ret));
-+ goto done;
-+ }
-+ }
-+
- /* The responder is initialized. Now tell it to the monitor. */
- ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
- SSS_PAM_SBUS_SERVICE_NAME,
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index 24d307a14..730dee288 100644
---- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -62,6 +62,9 @@ struct pam_ctx {
- int num_prompting_config_sections;
-
- enum pam_initgroups_scheme initgroups_scheme;
-+
-+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
-+ char **gssapi_services;
- };
-
- struct pam_auth_req {
---
-2.21.3
-
diff --git a/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch b/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch
deleted file mode 100644
index 6e59705..0000000
--- a/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch
+++ /dev/null
@@ -1,250 +0,0 @@
-From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 10 Dec 2020 22:05:30 +0100
-Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option
-
-:config: Added `pam_gssapi_check_upn` to enforce authentication
- only with principal that can be associated with target user.
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/confdb/confdb.c | 10 ++++++++++
- src/confdb/confdb.h | 2 ++
- src/config/SSSDConfig/sssdoptions.py | 1 +
- src/config/SSSDConfigTest.py | 6 ++++--
- src/config/cfg_rules.ini | 3 +++
- src/config/etc/sssd.api.conf | 2 ++
- src/db/sysdb_subdomains.c | 12 ++++++++++++
- src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++
- src/responder/pam/pamsrv.c | 9 +++++++++
- src/responder/pam/pamsrv.h | 1 +
- 10 files changed, 70 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index 7f1956d6d..2881ce5da 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- }
- }
-
-+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
-+ NULL);
-+ if (tmp != NULL) {
-+ domain->gssapi_check_upn = talloc_strdup(domain, tmp);
-+ if (domain->gssapi_check_upn == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ }
-+
- domain->has_views = false;
- domain->view_name = NULL;
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 7a3bc8bb5..036f9ecad 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -145,6 +145,7 @@
- #define CONFDB_PAM_P11_URI "p11_uri"
- #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
- #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
-+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
-
- /* SUDO */
- #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
-@@ -435,6 +436,7 @@ struct sss_domain_info
{
-
- /* List of PAM services that are allowed to authenticate with GSSAPI. */
- char **gssapi_services;
-+ char *gssapi_check_upn; /* true | false | NULL */
- };
-
- /**
-diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
-index f59fe8d9f..5da52a937 100644
---- a/src/config/SSSDConfig/sssdoptions.py
-+++ b/src/config/SSSDConfig/sssdoptions.py
-@@ -105,6 +105,7 @@ class SSSDOptions(object):
- 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
- 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
- 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
-+ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
-
- # [sudo]
- 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
-diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
-index 21fffe1b6..ea4e4f6c9 100755
---- a/src/config/SSSDConfigTest.py
-+++ b/src/config/SSSDConfigTest.py
-@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- 're_expression',
- 'cached_auth_timeout',
- 'auto_private_groups',
-- 'pam_gssapi_services']
-+ 'pam_gssapi_services',
-+ 'pam_gssapi_check_upn']
-
- self.assertTrue(type(options) == dict,
- "Options should be a dictionary")
-@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- 're_expression',
- 'cached_auth_timeout',
- 'auto_private_groups',
-- 'pam_gssapi_services']
-+ 'pam_gssapi_services',
-+ 'pam_gssapi_check_upn']
-
- self.assertTrue(type(options) == dict,
- "Options should be a dictionary")
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index c6dfd5648..6642c6321 100644
---- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout
- option = p11_uri
- option = pam_initgroups_scheme
- option = pam_gssapi_services
-+option =
pam_gssapi_check_upn
-
- [rule/allowed_sudo_options]
- validator = ini_allowed_options
-@@ -439,6 +440,7 @@ option = full_name_format
- option = re_expression
- option = auto_private_groups
- option = pam_gssapi_services
-+option = pam_gssapi_check_upn
-
- #Entry cache timeouts
- option = entry_cache_user_timeout
-@@ -834,6 +836,7 @@ option = ad_site
- option = use_fully_qualified_names
- option = auto_private_groups
- option = pam_gssapi_services
-+option = pam_gssapi_check_upn
-
- [rule/sssd_checks]
- validator = sssd_checks
-diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
-index f46f3c46d..d3cad7380 100644
---- a/src/config/etc/sssd.api.conf
-+++ b/src/config/etc/sssd.api.conf
-@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false
- p11_uri = str, None, false
- pam_initgroups_scheme = str, None, false
- pam_gssapi_services = str, None, false
-+pam_gssapi_check_upn = bool, None, false
-
- [sudo]
- # sudo service
-@@ -201,6 +202,7 @@ full_name_format = str, None, false
- re_expression = str, None, false
- auto_private_groups = str, None, false
- pam_gssapi_services = str, None, false
-+pam_gssapi_check_upn = bool, None, false
-
- #Entry cache timeouts
- entry_cache_user_timeout = int, None, false
-diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
-index bfc6df0f5..03ba12164 100644
---- a/src/db/sysdb_subdomains.c
-+++ b/src/db/sysdb_subdomains.c
-@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb,
- goto done;
- }
-
-+ /* allow to set pam_gssapi_check_upn */
-+ ret = confdb_get_string(confdb, subdomain, sd_conf_path,
-+ CONFDB_PAM_GSSAPI_CHECK_UPN,
-+ subdomain->parent->gssapi_check_upn,
-+ &subdomain->gssapi_check_upn);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Failed to get %s option for the subdomain: %s\n",
-+ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
-+ goto done;
-+ }
-+
- ret = EOK;
- done:
- talloc_free(tmp_ctx);
-diff --git a/src/man/sssd.conf.5.xml
b/src/man/sssd.conf.5.xml
-index db9dd4677..d637e2eaa 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i
- </para>
- </listitem>
- </varlistentry>
-+ <varlistentry>
-+ <term>pam_gssapi_check_upn</term>
-+ <listitem>
-+ <para>
-+ If True, SSSD will require that the Kerberos user
-+ principal that successfully authenticated through
-+ GSSAPI can be associated with the user who is being
-+ authenticated. Authentication will fail if the check
-+ fails.
-+ </para>
-+ <para>
-+ If False, every user that is able to obtained
-+ required service ticket will be authenticated.
-+ </para>
-+ <para>
-+ Note: This option can also be set per-domain which
-+ overwrites the value in [pam] section. It can also
-+ be set for trusted domain which overwrites the value
-+ in the domain section.
-+ </para>
-+ <para>
-+ Default: True
-+ </para>
-+ </listitem>
-+ </varlistentry>
- </variablelist>
- </refsect2>
-
-@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
- <para>ad_site,</para>
- <para>use_fully_qualified_names</para>
- <para>pam_gssapi_services</para>
-+ <para>pam_gssapi_check_upn</para>
- <para>
- For more details about these options see their individual description
- in the manual page.
-diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
-index 0492569c7..0db2824ff 100644
---- a/src/responder/pam/pamsrv.c
-+++ b/src/responder/pam/pamsrv.c
-@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
- }
- }
-
-+ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
-+ CONFDB_PAM_GSSAPI_CHECK_UPN, true,
-+ &pctx->gssapi_check_upn);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n",
-+ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
- /* The responder is initialized. Now tell it to the monitor.
*/
- ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
- SSS_PAM_SBUS_SERVICE_NAME,
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index 730dee288..bf4dd75b0 100644
---- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -65,6 +65,7 @@ struct pam_ctx {
-
- /* List of PAM services that are allowed to authenticate with GSSAPI. */
- char **gssapi_services;
-+ bool gssapi_check_upn;
- };
-
- struct pam_auth_req {
---
-2.21.3
-
diff --git a/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch b/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch
deleted file mode 100644
index baa7927..0000000
--- a/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch
+++ /dev/null
@@ -1,1866 +0,0 @@
-From d09aa174b04a825979f31c61b05239de088a732f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Tue, 7 Jul 2020 11:05:37 +0200
-Subject: [PATCH 27/27] pam: add pam_sss_gss module for gssapi authentication
-
-:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI
-:packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
-
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- Makefile.am | 33 +-
- configure.ac | 1 +
- contrib/sssd.spec.in | 2 +
- src/external/libgssapi_krb5.m4 | 8 +
- src/man/Makefile.am | 4 +-
- src/man/pam_sss_gss.8.xml | 209 ++++++++
- src/responder/pam/pamsrv.h | 4 +
- src/responder/pam/pamsrv_cmd.c | 2 +
- src/responder/pam/pamsrv_gssapi.c | 792 +++++++++++++++++++++++++++++
- src/sss_client/pam_sss_gss.c | 588 +++++++++++++++++++++
- src/sss_client/pam_sss_gss.exports | 4 +
- src/sss_client/sss_cli.h | 8 +
- src/tests/dlopen-tests.c | 1 +
- 13 files changed, 1653 insertions(+), 3 deletions(-)
- create mode 100644 src/external/libgssapi_krb5.m4
- create mode 100644 src/man/pam_sss_gss.8.xml
- create mode 100644 src/responder/pam/pamsrv_gssapi.c
- create mode 100644 src/sss_client/pam_sss_gss.c
- create mode 100644 src/sss_client/pam_sss_gss.exports
-
-diff --git a/Makefile.am b/Makefile.am
-index 430b4e842..1c82776ab 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1585,12 +1585,14 @@ sssd_pam_SOURCES = \
- src/responder/pam/pamsrv_cmd.c \
- src/responder/pam/pamsrv_p11.c \
- src/responder/pam/pamsrv_dp.c \
-+ src/responder/pam/pamsrv_gssapi.c \
- src/responder/pam/pam_prompting_config.c \
- src/sss_client/pam_sss_prompt_config.c \
- src/responder/pam/pam_helpers.c \
- $(SSSD_RESPONDER_OBJ)
- sssd_pam_CFLAGS = \
- $(AM_CFLAGS) \
-+ $(GSSAPI_KRB5_CFLAGS) \
- $(NULL)
- sssd_pam_LDADD = \
- $(LIBADD_DL) \
-@@ -1599,6 +1601,7 @@ sssd_pam_LDADD = \
- $(SELINUX_LIBS) \
- $(PAM_LIBS) \
-
$(SYSTEMD_DAEMON_LIBS) \
-+ $(GSSAPI_KRB5_LIBS) \
- libsss_certmap.la \
- $(SSSD_INTERNAL_LTLIBS) \
- libsss_iface.la \
-@@ -2710,6 +2713,7 @@ pam_srv_tests_SOURCES = \
- src/sss_client/pam_message.c \
- src/responder/pam/pamsrv_cmd.c \
- src/responder/pam/pamsrv_p11.c \
-+ src/responder/pam/pamsrv_gssapi.c \
- src/responder/pam/pam_helpers.c \
- src/responder/pam/pamsrv_dp.c \
- src/responder/pam/pam_LOCAL_domain.c \
-@@ -2721,6 +2725,7 @@ pam_srv_tests_CFLAGS = \
- -I$(abs_builddir)/src \
- $(AM_CFLAGS) \
- $(CMOCKA_CFLAGS) \
-+ $(GSSAPI_KRB5_CFLAGS) \
- $(NULL)
- pam_srv_tests_LDFLAGS = \
- -Wl,-wrap,sss_packet_get_body \
-@@ -2736,6 +2741,7 @@ pam_srv_tests_LDADD = \
- $(SSSD_LIBS) \
- $(SSSD_INTERNAL_LTLIBS) \
- $(SYSTEMD_DAEMON_LIBS) \
-+ $(GSSAPI_KRB5_LIBS) \
- libsss_test_common.la \
- libsss_idmap.la \
- libsss_certmap.la \
-@@ -4149,6 +4155,28 @@ pam_sss_la_LDFLAGS = \
- -avoid-version \
- -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports
-
-+pamlib_LTLIBRARIES += pam_sss_gss.la
-+pam_sss_gss_la_SOURCES = \
-+ src/sss_client/pam_sss_gss.c \
-+ src/sss_client/common.c \
-+ $(NULL)
-+
-+pam_sss_gss_la_CFLAGS = \
-+ $(AM_CFLAGS) \
-+ $(GSSAPI_KRB5_CFLAGS) \
-+ $(NULL)
-+
-+pam_sss_gss_la_LIBADD = \
-+ $(CLIENT_LIBS) \
-+ $(PAM_LIBS) \
-+ $(GSSAPI_KRB5_LIBS) \
-+ $(NULL)
-+
-+pam_sss_gss_la_LDFLAGS = \
-+ -module \
-+ -avoid-version \
-+ -Wl,--version-script,$(srcdir)/src/sss_client/pam_sss_gss.exports
-+
- if BUILD_SUDO
-
- libsss_sudo_la_SOURCES = \
-@@ -4187,7 +4215,10 @@ endif
-
- dist_noinst_DATA += \
- src/sss_client/sss_nss.exports \
-- src/sss_client/sss_pam.exports
-+ src/sss_client/sss_pam.exports \
-+ src/sss_client/pam_sss_gss.exports \
-+ $(NULL)
-+
- if BUILD_SUDO
- dist_noinst_DATA += src/sss_client/sss_sudo.exports
- endif
-diff --git a/configure.ac b/configure.ac
-index 0d24c4b35..75dc81d53 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -182,6 +182,7 @@ m4_include([src/external/libldb.m4])
-
m4_include([src/external/libdhash.m4])
- m4_include([src/external/libcollection.m4])
- m4_include([src/external/libini_config.m4])
-+m4_include([src/external/libgssapi_krb5.m4])
- m4_include([src/external/pam.m4])
- m4_include([src/external/ldap.m4])
- m4_include([src/external/libpcre.m4])
-diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
-index ed81da535..f7e5ce133 100644
---- a/contrib/sssd.spec.in
-+++ b/contrib/sssd.spec.in
-@@ -1166,6 +1166,7 @@ done
- %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
- /%{_lib}/libnss_sss.so.2
- /%{_lib}/security/pam_sss.so
-+/%{_lib}/security/pam_sss_gss.so
- %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
- %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
- %if (0%{?with_cifs_utils_plugin} == 1)
-@@ -1178,6 +1179,7 @@ done
- %dir %{_libdir}/%{name}/modules
- %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
- %{_mandir}/man8/pam_sss.8*
-+%{_mandir}/man8/pam_sss_gss.8*
- %{_mandir}/man8/sssd_krb5_locator_plugin.8*
-
- %files -n libsss_sudo
-diff --git a/src/external/libgssapi_krb5.m4 b/src/external/libgssapi_krb5.m4
-new file mode 100644
-index 000000000..67f3c464d
---- /dev/null
-+++ b/src/external/libgssapi_krb5.m4
-@@ -0,0 +1,8 @@
-+AC_SUBST(GSSAPI_KRB5_CFLAGS)
-+AC_SUBST(GSSAPI_KRB5_LIBS)
-+
-+PKG_CHECK_MODULES(GSSAPI_KRB5,
-+ krb5-gssapi,
-+ ,
-+ AC_MSG_ERROR("Please install krb5-devel")
-+ )
-diff --git a/src/man/Makefile.am b/src/man/Makefile.am
-index 351ab8015..c6890a792 100644
---- a/src/man/Makefile.am
-+++ b/src/man/Makefile.am
-@@ -69,8 +69,8 @@ man_MANS = \
- sssd.8 sssd.conf.5 sssd-ldap.5 sssd-ldap-attributes.5 \
- sssd-krb5.5 sssd-simple.5 sss-certmap.5 \
- sssd_krb5_locator_plugin.8 \
-- pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \
-- sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
-+ pam_sss.8 pam_sss_gss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \
-+ sss_seed.8 sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
- $(NULL)
-
- if BUILD_LOCAL_PROVIDER
-diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
-new file mode 100644
-index 000000000..ce5b11bff
---- /dev/null
-+++ b/src/man/pam_sss_gss.8.xml
-@@ -0,0 +1,209 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
-+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-+<reference>
-+<title>SSSD Manual pages
-+
-+
-+
-+
-+ pam_sss_gss
-+ 8
-+
-+
-+
-+ pam_sss_gss
-+ PAM module for SSSD GSSAPI authentication
-+
-+
-+
-+
-+ pam_sss_gss.so
-+
-+ debug
-+
-+
-+
-+
-+
-+ DESCRIPTION
-+
-+ pam_sss_gss.so authenticates user
-+ over GSSAPI in cooperation with SSSD.
-+
-+
-+ This module will try to authenticate the user using the GSSAPI
-+ hostbased service name host@hostname which translates to
-+ host/hostname@REALM Kerberos principal. The
-+ REALM part of the Kerberos principal name is
-+ derived by Kerberos internal mechanisms and it can be set explicitly
-+ in configuration of [domain_realm] section in /etc/krb5.conf.
-+
-+
-+ SSSD is used to provide desired service name and to validate the
-+ user's credentials using GSSAPI calls. If the service ticket is
-+ already present in the Kerberos credentials cache or if user's
-+ ticket granting ticket can be used to get the correct service ticket
-+ then the user will be authenticated.
-+
-+
-+ If is True (default) then SSSD
-+ requires that the credentials used to obtain the service tickets can
-+ be associated with the user. This means that the principal that owns
-+ the Kerberos credentials must match with the user principal name as
-+ defined in LDAP.
-+
-+
-+ To enable GSSAPI authentication in SSSD, set
-+ option in [pam] or domain
-+ section of sssd.conf. The service credentials need to be stored
-+ in SSSD's keytab (it is already present if you use ipa or ad
-+ provider). The keytab location can be set with
-+ option.
See
-+
-+ sssd.conf
-+ 5
-+ and
-+
-+ sssd-krb5
-+ 5
-+ for more details on these options.
-+
-+
-+
-+
-+ OPTIONS
-+
-+
-+
-+
-+
-+
-+ Print debugging information.
-+
-+
-+
-+
-+
-+
-+ MODULE TYPES PROVIDED
-+ Only the module type is provided.
-+
-+
-+
-+ RETURN VALUES
-+
-+
-+ PAM_SUCCESS
-+
-+
-+ The PAM operation finished successfully.
-+
-+
-+
-+
-+ PAM_USER_UNKNOWN
-+
-+
-+ The user is not known to the authentication service or
-+ the GSSAPI authentication is not supported.
-+
-+
-+
-+
-+ PAM_AUTH_ERR
-+
-+
-+ Authentication failure.
-+
-+
-+
-+
-+ PAM_AUTHINFO_UNAVAIL
-+
-+
-+ Unable to access the authentication information.
-+ This might be due to a network or hardware failure.
-+
-+
-+
-+
-+ PAM_SYSTEM_ERR
-+
-+
-+ A system error occurred. The SSSD log files may contain
-+ additional information about the error.
-+
-+
-+
-+
-+
-+
-+
-+ EXAMPLES
-+
-+ The main use case is to provide password-less authentication in
-+ sudo but without the need to disable authentication completely.
-+ To achieve this, first enable GSSAPI authentication for sudo in
-+ sssd.conf:
-+
-+
-+[domain/MYDOMAIN]
-+pam_gssapi_services = sudo, sudo-i
-+
-+
-+ And then enable the module in desired PAM stack
-+ (e.g. /etc/pam.d/sudo and /etc/pam.d/sudo-i).
-+
-+
-+...
-+auth sufficient pam_sss_gss.so
-+...
-+
-+
-+
-+
-+ TROUBLESHOOTING
-+
-+ SSSD logs, pam_sss_gss debug output and syslog may contain helpful
-+ information about the error. Here are some common issues:
-+
-+
-+ 1. I have KRB5CCNAME environment variable set and the authentication
-+ does not work: Depending on your sudo version, it is possible that
-+ sudo does not pass this variable to the PAM environment. Try adding
-+ KRB5CCNAME to in /etc/sudoers or in your
-+ LDAP sudo rules default options.
-+
-+
-+ 2. Authentication does not work and syslog contains "Server not
-+ found in Kerberos database": Kerberos is probably not able to
-+ resolve correct realm for the service ticket based on the hostname.
-+ Try adding the hostname directly to
-+ in /etc/krb5.conf like so:
-+
-+
-+ 3. Authentication does not work and syslog contains "No Kerberos
-+ credentials available": You don't have any credentials that can be
-+ used to obtain the required service ticket. Use kinit or autheticate
-+ over SSSD to acquire those credentials.
-+
-+
-+ 4. Authentication does not work and SSSD sssd-pam log contains "User
-+ with UPN [$UPN] was not found." or "UPN [$UPN] does not match target
-+ user [$username].": You are using credentials that can not be mapped
-+ to the user that is being authenticated. Try to use kswitch to
-+ select different principal, make sure you authenticated with SSSD or
-+ consider disabling .
-+
-+
-+[domain_realm]
-+.myhostname = MYREALM
-+
-+
-+
-+
-+
-+
-+
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index bf4dd75b0..355329691 100644
---- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -145,4 +145,8 @@ errno_t pam_eval_prompting_config(struct pam_ctx *pctx, struct pam_data *pd);
-
- enum pam_initgroups_scheme pam_initgroups_string_to_enum(const char *str);
- const char *pam_initgroup_enum_to_string(enum pam_initgroups_scheme scheme);
-+
-+int pam_cmd_gssapi_init(struct cli_ctx *cli_ctx);
-+int pam_cmd_gssapi_sec_ctx(struct cli_ctx *cctx);
-+
- #endif /* __PAMSRV_H__ */
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index acbfc0c39..9ea488be4 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -2401,6 +2401,8 @@ struct sss_cmd_table *get_pam_cmds(void)
- {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
- {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
- {SSS_PAM_PREAUTH, pam_cmd_preauth},
-+ {SSS_GSSAPI_INIT, pam_cmd_gssapi_init},
-+ {SSS_GSSAPI_SEC_CTX, pam_cmd_gssapi_sec_ctx},
- {SSS_CLI_NULL, NULL}
- };
-
-diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
-new file mode 100644
-index 000000000..099675e1c
----
/dev/null
-+++ b/src/responder/pam/pamsrv_gssapi.c
-@@ -0,0 +1,792 @@
-+/*
-+ Authors:
-+ Pavel Březina
-+
-+ Copyright (C) 2020 Red Hat
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see .
-+*/
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "confdb/confdb.h"
-+#include "db/sysdb.h"
-+#include "responder/common/responder_packet.h"
-+#include "responder/common/responder.h"
-+#include "responder/common/cache_req/cache_req.h"
-+#include "responder/pam/pamsrv.h"
-+#include "sss_client/sss_cli.h"
-+#include "util/util.h"
-+#include "util/sss_utf8.h"
-+
-+static errno_t read_str(size_t body_len,
-+ uint8_t *body,
-+ size_t *pctr,
-+ const char **_str)
-+{
-+ size_t i;
-+
-+ for (i = *pctr; i < body_len && body[i] != 0; i++) {
-+ /* counting */
-+ }
-+
-+ if (i >= body_len) {
-+ return EINVAL;
-+ }
-+
-+ if (!sss_utf8_check(&body[*pctr], i - *pctr)) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Body is not UTF-8 string!\n");
-+ return EINVAL;
-+ }
-+
-+ *_str = (const char *)&body[*pctr];
-+ *pctr = i + 1;
-+
-+ return EOK;
-+}
-+
-+static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx,
-+ struct sss_domain_info *domain)
-+{
-+ if (domain->gssapi_check_upn != NULL) {
-+ if (strcasecmp(domain->gssapi_check_upn, "true") == 0) {
-+ return true;
-+ }
-+
-+ if (strcasecmp(domain->gssapi_check_upn, "false") == 0) {
-+ return false;
-+ }
-+
-+ DEBUG(SSSDBG_MINOR_FAILURE,
"Invalid value for %s: %s\n",
-+ CONFDB_PAM_GSSAPI_CHECK_UPN, domain->gssapi_check_upn);
-+ return false;
-+ }
-+
-+ return pam_ctx->gssapi_check_upn;
-+}
-+
-+static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx,
-+ struct sss_domain_info *domain,
-+ const char *service)
-+{
-+ char **list = pam_ctx->gssapi_services;
-+
-+ if (domain->gssapi_services != NULL) {
-+ list = domain->gssapi_services;
-+ }
-+
-+ if (strcmp(service, "-") == 0) {
-+ /* Dash is used as a "not set" value to allow to explicitly disable
-+ * gssapi auth for specific domain. Disallow this service to be safe.
-+ */
-+ DEBUG(SSSDBG_TRACE_FUNC, "Dash - was used as a PAM service name. "
-+ "GSSAPI authentication is not allowed.\n");
-+ return false;
-+ }
-+
-+ return string_in_list(service, list, true);
-+}
-+
-+static char *pam_gssapi_target(TALLOC_CTX *mem_ctx,
-+ struct sss_domain_info *domain)
-+{
-+ return talloc_asprintf(mem_ctx, "host@%s", domain->hostname);
-+}
-+
-+static const char *pam_gssapi_get_upn(struct cache_req_result *result)
-+{
-+ if (result->count == 0) {
-+ return NULL;
-+ }
-+
-+ /* Canonical UPN should be available if the user has kinited through SSSD.
-+ * Use it as a hint for GSSAPI. Default to empty string so it may be
-+ * more easily transffered over the wire. */
-+ return ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_CANONICAL_UPN, "");
-+}
-+
-+static const char *pam_gssapi_get_name(struct cache_req_result *result)
-+{
-+ if (result->count == 0) {
-+ return NULL;
-+ }
-+
-+ /* Return username known to SSSD to make sure we authenticated as the same
-+ * user after GSSAPI handshake.
*/
-+ return ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL);
-+}
-+
-+static errno_t pam_gssapi_init_parse(struct cli_protocol *pctx,
-+ const char **_service,
-+ const char **_username)
-+{
-+ size_t body_len;
-+ size_t pctr = 0;
-+ uint8_t *body;
-+ errno_t ret;
-+
-+ sss_packet_get_body(pctx->creq->in, &body, &body_len);
-+ if (body == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input\n");
-+ return EINVAL;
-+ }
-+
-+ ret = read_str(body_len, body, &pctr, _service);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = read_str(body_len, body, &pctr, _username);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ return EOK;
-+}
-+
-+static errno_t pam_gssapi_init_reply(struct cli_protocol *pctx,
-+ const char *domain,
-+ const char *target,
-+ const char *upn,
-+ const char *username)
-+{
-+ size_t reply_len;
-+ size_t body_len;
-+ size_t pctr;
-+ uint8_t *body;
-+ errno_t ret;
-+
-+ ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
-+ &pctx->creq->out);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create a new packet [%d]; %s\n",
-+ ret, sss_strerror(ret));
-+ return ret;
-+ }
-+
-+ reply_len = strlen(username) + 1;
-+ reply_len += strlen(domain) + 1;
-+ reply_len += strlen(target) + 1;
-+ reply_len += strlen(upn) + 1;
-+
-+ ret = sss_packet_grow(pctx->creq->out, reply_len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create response: %s\n",
-+ sss_strerror(ret));
-+ return ret;
-+ }
-+
-+ sss_packet_get_body(pctx->creq->out, &body, &body_len);
-+
-+ pctr = 0;
-+ SAFEALIGN_SETMEM_STRING(&body[pctr], username, strlen(username) + 1, &pctr);
-+ SAFEALIGN_SETMEM_STRING(&body[pctr], domain, strlen(domain) + 1, &pctr);
-+ SAFEALIGN_SETMEM_STRING(&body[pctr], target, strlen(target) + 1, &pctr);
-+ SAFEALIGN_SETMEM_STRING(&body[pctr], upn, strlen(upn) + 1, &pctr);
-+
-+ return EOK;
-+}
-+
-+struct gssapi_init_state {
-+ struct cli_ctx *cli_ctx;
-+ const char *username;
-+ const char *service;
-+};
-+
-+static void pam_cmd_gssapi_init_done(struct tevent_req *req);
-+
-+int pam_cmd_gssapi_init(struct cli_ctx *cli_ctx)
-+{
-+ struct gssapi_init_state *state;
-+ struct cli_protocol *pctx;
-+ struct tevent_req *req;
-+ const char *username;
-+ const char *service;
-+ const char *attrs[] = { SYSDB_NAME, SYSDB_CANONICAL_UPN, NULL };
-+ errno_t ret;
-+
-+ state = talloc_zero(cli_ctx, struct gssapi_init_state);
-+ if (state == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
-+
-+ ret = pam_gssapi_init_parse(pctx, &service, &username);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse input [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ state->cli_ctx = cli_ctx;
-+ state->service = service;
-+ state->username = username;
-+
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Requesting GSSAPI authentication of [%s] in service [%s]\n",
-+ username, service);
-+
-+ req = cache_req_user_by_name_attrs_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
-+ cli_ctx->rctx->ncache, 0,
-+ NULL, username, attrs);
-+ if (req == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ tevent_req_set_callback(req, pam_cmd_gssapi_init_done, state);
-+
-+ ret = EOK;
-+
-+done:
-+ if (ret != EOK) {
-+ sss_cmd_send_error(cli_ctx, ret);
-+ sss_cmd_done(cli_ctx, NULL);
-+ }
-+
-+ return EOK;
-+}
-+
-+static void pam_cmd_gssapi_init_done(struct tevent_req *req)
-+{
-+ struct gssapi_init_state *state;
-+ struct cache_req_result *result;
-+ struct cli_protocol *pctx;
-+ struct pam_ctx *pam_ctx;
-+ const char *username;
-+ const char *upn;
-+ char *target;
-+ errno_t ret;
-+
-+ state = tevent_req_callback_data(req, struct gssapi_init_state);
-+ pctx = talloc_get_type(state->cli_ctx->protocol_ctx, struct cli_protocol);
-+ pam_ctx = talloc_get_type(state->cli_ctx->rctx->pvt_ctx, struct pam_ctx);
-+
-+ ret = cache_req_user_by_name_attrs_recv(state, req, &result);
-+ talloc_zfree(req);
-+
if (ret == ENOENT || ret == ERR_DOMAIN_NOT_FOUND) {
-+ ret = ENOENT;
-+ goto done;
-+ } else if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ if (!pam_gssapi_allowed(pam_ctx, result->domain, state->service)) {
-+ ret = ENOTSUP;
-+ goto done;
-+ }
-+
-+ username = pam_gssapi_get_name(result);
-+ if (username == NULL) {
-+ /* User with no name? */
-+ ret = ERR_INTERNAL;
-+ goto done;
-+ }
-+
-+ upn = pam_gssapi_get_upn(result);
-+ if (upn == NULL) {
-+ /* UPN hint may be an empty string, but not NULL. */
-+ ret = ERR_INTERNAL;
-+ goto done;
-+ }
-+
-+ target = pam_gssapi_target(state, result->domain);
-+ if (target == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Trying GSSAPI auth: User[%s], Domain[%s], UPN[%s], Target[%s]\n",
-+ username, result->domain->name, upn, target);
-+
-+ ret = pam_gssapi_init_reply(pctx, result->domain->name, target, upn,
-+ username);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to construct reply [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+done:
-+ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret));
-+
-+ if (ret == EOK) {
-+ sss_packet_set_error(pctx->creq->out, EOK);
-+ } else {
-+ sss_cmd_send_error(state->cli_ctx, ret);
-+ }
-+
-+ sss_cmd_done(state->cli_ctx, state);
-+}
-+
-+static void gssapi_log_status(int type, OM_uint32 status_code)
-+{
-+ OM_uint32 message_context = 0;
-+ gss_buffer_desc buf;
-+ OM_uint32 minor;
-+
-+ do {
-+ gss_display_status(&minor, status_code, type, GSS_C_NO_OID,
-+ &message_context, &buf);
-+ DEBUG(SSSDBG_OP_FAILURE, "GSSAPI: %.*s\n", (int)buf.length,
-+ (char *)buf.value);
-+ gss_release_buffer(&minor, &buf);
-+ } while (message_context != 0);
-+}
-+
-+static void gssapi_log_error(OM_uint32 major, OM_uint32 minor)
-+{
-+ gssapi_log_status(GSS_C_GSS_CODE, major);
-+ gssapi_log_status(GSS_C_MECH_CODE, minor);
-+}
-+
-+static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
-+{
-+ gss_buffer_desc buf;
-+
OM_uint32 major;
-+ OM_uint32 minor;
-+ char *exported;
-+
-+ major = gss_display_name(&minor, gss_name, &buf, NULL);
-+ if (major != GSS_S_COMPLETE) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export name\n");
-+ return NULL;
-+ }
-+
-+ exported = talloc_strndup(mem_ctx, buf.value, buf.length);
-+ gss_release_buffer(&minor, &buf);
-+
-+ if (exported == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
-+ return NULL;
-+ }
-+
-+ return exported;
-+}
-+
-+struct gssapi_state {
-+ struct cli_ctx *cli_ctx;
-+ struct sss_domain_info *domain;
-+ const char *username;
-+
-+ char *authenticated_upn;
-+ bool established;
-+ gss_ctx_id_t ctx;
-+};
-+
-+int gssapi_state_destructor(struct gssapi_state *state)
-+{
-+ OM_uint32 minor;
-+
-+ gss_delete_sec_context(&minor, &state->ctx, NULL);
-+
-+ return 0;
-+}
-+
-+static struct gssapi_state *gssapi_get_state(struct cli_ctx *cli_ctx,
-+ const char *username,
-+ struct sss_domain_info *domain)
-+{
-+ struct gssapi_state *state;
-+
-+ state = talloc_get_type(cli_ctx->state_ctx, struct gssapi_state);
-+ if (state != NULL) {
-+ return state;
-+ }
-+
-+ state = talloc_zero(cli_ctx, struct gssapi_state);
-+ if (state == NULL) {
-+ return NULL;
-+ }
-+
-+ state->username = talloc_strdup(state, username);
-+ if (state == NULL) {
-+ talloc_free(state);
-+ return NULL;
-+ }
-+
-+ state->domain = domain;
-+ state->cli_ctx = cli_ctx;
-+ state->ctx = GSS_C_NO_CONTEXT;
-+ talloc_set_destructor(state, gssapi_state_destructor);
-+
-+ cli_ctx->state_ctx = state;
-+
-+ return state;
-+}
-+
-+static errno_t gssapi_get_creds(const char *keytab,
-+ const char *target,
-+ gss_cred_id_t *_creds)
-+{
-+ gss_key_value_set_desc cstore = {0, NULL};
-+ gss_key_value_element_desc el;
-+ gss_buffer_desc name_buf;
-+ gss_name_t name = GSS_C_NO_NAME;
-+ OM_uint32 major;
-+ OM_uint32 minor;
-+ errno_t ret;
-+
-+ if (keytab != NULL) {
-+ el.key = "keytab";
-+ el.value = keytab;
-+ cstore.count = 1;
-+ cstore.elements = ⪙
-+ }
-+
-+ if (target != NULL) {
-+ name_buf.value = discard_const(target);
-+ name_buf.length = strlen(target);
-+
-+ major = gss_import_name(&minor, &name_buf, GSS_C_NT_HOSTBASED_SERVICE,
-+ &name);
-+ if (GSS_ERROR(major)) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Could not import name [%s] "
-+ "[maj:0x%x, min:0x%x]\n", target, major, minor);
-+
-+ gssapi_log_error(major, minor);
-+
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
-+ major = gss_acquire_cred_from(&minor, name, GSS_C_INDEFINITE,
-+ GSS_C_NO_OID_SET, GSS_C_ACCEPT, &cstore,
-+ _creds, NULL, NULL);
-+ if (GSS_ERROR(major)) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to read credentials from [%s] "
-+ "[maj:0x%x, min:0x%x]\n", keytab ? keytab : "default",
-+ major, minor);
-+
-+ gssapi_log_error(major, minor);
-+
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ ret = EOK;
-+
-+done:
-+ gss_release_name(&minor, &name);
-+
-+ return ret;
-+}
-+
-+static errno_t
-+gssapi_handshake(struct gssapi_state *state,
-+ struct cli_protocol *pctx,
-+ const char *keytab,
-+ const char *target,
-+ uint8_t *gss_data,
-+ size_t gss_data_len)
-+{
-+ OM_uint32 flags = GSS_C_MUTUAL_FLAG;
-+ gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
-+ gss_buffer_desc input;
-+ gss_name_t client_name;
-+ gss_cred_id_t creds;
-+ OM_uint32 ret_flags;
-+ gss_OID mech_type;
-+ OM_uint32 major;
-+ OM_uint32 minor;
-+ errno_t ret;
-+
-+ input.value = gss_data;
-+ input.length = gss_data_len;
-+
-+ ret = gssapi_get_creds(keytab, target, &creds);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ major = gss_accept_sec_context(&minor, &state->ctx, creds,
-+ &input, NULL, &client_name, &mech_type,
-+ &output, &ret_flags, NULL, NULL);
-+ if (major == GSS_S_CONTINUE_NEEDED || output.length > 0) {
-+ ret = sss_packet_set_body(pctx->creq->out, output.value, output.length);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ }
-+
-+ if (GSS_ERROR(major)) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to establish GSS context "
-+ "[maj:0x%x, min:0x%x]\n", major, minor);
-+
-+ gssapi_log_error(major, minor);
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ if (major == GSS_S_CONTINUE_NEEDED) {
-+ ret = EOK;
-+ goto done;
-+ } else if (major != GSS_S_COMPLETE) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to establish GSS context, unexpected "
-+ "value: 0x%x\n", major);
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ if ((ret_flags & flags) != flags) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "Negotiated context does not support requested flags\n");
-+ state->established = false;
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ state->authenticated_upn = gssapi_get_name(state, client_name);
-+ if (state->authenticated_upn == NULL) {
-+ state->established = false;
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n",
-+ state->authenticated_upn);
-+
-+ state->established = true;
-+ ret = EOK;
-+
-+done:
-+ gss_release_cred(&minor, &creds);
-+ gss_release_buffer(&minor, &output);
-+
-+ return ret;
-+}
-+
-+static errno_t pam_cmd_gssapi_sec_ctx_parse(struct cli_protocol *pctx,
-+ const char **_pam_service,
-+ const char **_username,
-+ const char **_domain,
-+ uint8_t **_gss_data,
-+ size_t *_gss_data_len)
-+{
-+ size_t body_len;
-+ uint8_t *body;
-+ size_t pctr;
-+ errno_t ret;
-+
-+ sss_packet_get_body(pctx->creq->in, &body, &body_len);
-+ if (body == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input\n");
-+ return EINVAL;
-+ }
-+
-+ pctr = 0;
-+ ret = read_str(body_len, body, &pctr, _pam_service);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = read_str(body_len, body, &pctr, _username);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = read_str(body_len, body, &pctr, _domain);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ *_gss_data = (pctr == body_len) ?
NULL : body + pctr;
-+ *_gss_data_len = body_len - pctr;
-+
-+ return EOK;
-+}
-+
-+static void pam_cmd_gssapi_sec_ctx_done(struct tevent_req *req);
-+
-+int
-+pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
-+{
-+ struct sss_domain_info *domain;
-+ struct gssapi_state *state;
-+ struct cli_protocol *pctx;
-+ struct pam_ctx *pam_ctx;
-+ struct tevent_req *req;
-+ const char *pam_service;
-+ const char *domain_name;
-+ const char *username;
-+ char *target;
-+ size_t gss_data_len;
-+ uint8_t *gss_data;
-+ errno_t ret;
-+
-+ pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
-+ pam_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct pam_ctx);
-+
-+ ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
-+ &pctx->creq->out);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create a new packet [%d]; %s\n",
-+ ret, sss_strerror(ret));
-+ return ret;
-+ }
-+
-+ ret = pam_cmd_gssapi_sec_ctx_parse(pctx, &pam_service, &username,
-+ &domain_name, &gss_data, &gss_data_len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to parse input data [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ domain = find_domain_by_name(cli_ctx->rctx->domains, domain_name, false);
-+ if (domain == NULL) {
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
-+ if (!pam_gssapi_allowed(pam_ctx, domain, pam_service)) {
-+ ret = ENOTSUP;
-+ goto done;
-+ }
-+
-+ target = pam_gssapi_target(cli_ctx, domain);
-+ if (target == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ state = gssapi_get_state(cli_ctx, username, domain);
-+ if (state == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ if (strcmp(username, state->username) != 0 || state->domain != domain) {
-+ /* This should not happen, but be paranoid.
*/
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Different input user then who initiated "
-+ "the request!\n");
-+ ret = EPERM;
-+ goto done;
-+ }
-+
-+ if (state->established) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "Security context is already established\n");
-+ ret = EPERM;
-+ goto done;
-+ }
-+
-+ ret = gssapi_handshake(state, pctx, domain->krb5_keytab, target, gss_data,
-+ gss_data_len);
-+ if (ret != EOK || !state->established) {
-+ goto done;
-+ }
-+
-+ if (!pam_gssapi_should_check_upn(pam_ctx, domain)) {
-+ /* We are done. */
-+ goto done;
-+ }
-+
-+ /* We have established the security context. Now check the the principal
-+ * used for authorization can be associated with the user. We have
-+ * already done initgroups before so we could just search the sysdb
-+ * directly, but use cache req to avoid looking up a possible expired
-+ * object if the handshake took longer. */
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
-+
-+ req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
-+ cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
-+ domain->name, state->authenticated_upn);
-+ if (req == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ tevent_req_set_callback(req, pam_cmd_gssapi_sec_ctx_done, state);
-+
-+ return EOK;
-+
-+done:
-+ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret));
-+
-+ if (ret == EOK) {
-+ sss_packet_set_error(pctx->creq->out, EOK);
-+ } else {
-+ sss_cmd_send_error(cli_ctx, ret);
-+ }
-+
-+ sss_cmd_done(cli_ctx, NULL);
-+ return EOK;
-+}
-+
-+static void pam_cmd_gssapi_sec_ctx_done(struct tevent_req *req)
-+{
-+ struct gssapi_state *state;
-+ struct cache_req_result *result;
-+ struct cli_protocol *pctx;
-+ const char *name;
-+ errno_t ret;
-+
-+ state = tevent_req_callback_data(req, struct gssapi_state);
-+ pctx = talloc_get_type(state->cli_ctx->protocol_ctx, struct cli_protocol);
-+
-+ ret = cache_req_user_by_upn_recv(state, req, &result);
-+
talloc_zfree(req);
-+ if (ret == ENOENT || ret == ERR_DOMAIN_NOT_FOUND) {
-+ /* We have no match. Return failure. */
-+ DEBUG(SSSDBG_TRACE_FUNC, "User with UPN [%s] was not found. "
-+ "Authentication failed.\n", state->authenticated_upn);
-+ ret = EACCES;
-+ goto done;
-+ } else if (ret != EOK) {
-+ /* Generic error. Return failure. */
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user by UPN [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ /* Check that username match. */
-+ name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL);
-+ if (name == NULL || strcmp(name, state->username) != 0) {
-+ DEBUG(SSSDBG_TRACE_FUNC, "UPN [%s] does not match target user [%s]. "
-+ "Authentication failed.\n", state->authenticated_upn,
-+ state->username);
-+ ret = EACCES;
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "User [%s] match UPN [%s]. Authentication was "
-+ "successful.\n", state->username, state->authenticated_upn);
-+
-+ ret = EOK;
-+
-+done:
-+ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret));
-+
-+ if (ret == EOK) {
-+ sss_packet_set_error(pctx->creq->out, EOK);
-+ } else {
-+ sss_cmd_send_error(state->cli_ctx, ret);
-+ }
-+
-+ sss_cmd_done(state->cli_ctx, state);
-+}
-diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
-new file mode 100644
-index 000000000..cd38db7da
---- /dev/null
-+++ b/src/sss_client/pam_sss_gss.c
-@@ -0,0 +1,588 @@
-+/*
-+ Authors:
-+ Pavel Březina
-+
-+ Copyright (C) 2020 Red Hat
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see .
-+*/
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "util/sss_format.h"
-+#include "sss_client/sss_cli.h"
-+
-+bool debug_enabled;
-+
-+#define TRACE(pamh, fmt, ...) do { \
-+ if (debug_enabled) { \
-+ pam_info(pamh, "pam_sss_gss: " fmt, ## __VA_ARGS__); \
-+ } \
-+} while (0)
-+
-+#define ERROR(pamh, fmt, ...) do { \
-+ if (debug_enabled) { \
-+ pam_error(pamh, "pam_sss_gss: " fmt, ## __VA_ARGS__); \
-+ pam_syslog(pamh, LOG_ERR, fmt, ## __VA_ARGS__); \
-+ } \
-+} while (0)
-+
-+static bool switch_euid(pam_handle_t *pamh, uid_t current, uid_t desired)
-+{
-+ int ret;
-+
-+ TRACE(pamh, "Switching euid from %" SPRIuid " to %" SPRIuid, current,
-+ desired);
-+
-+ if (current == desired) {
-+ return true;
-+ }
-+
-+ ret = seteuid(desired);
-+ if (ret != 0) {
-+ ERROR(pamh, "Unable to set euid to %" SPRIuid, desired);
-+ return false;
-+ }
-+
-+ return true;
-+}
-+
-+static const char *get_item_as_string(pam_handle_t *pamh, int item)
-+{
-+ const char *str;
-+ int ret;
-+
-+ ret = pam_get_item(pamh, item, (void *)&str);
-+ if (ret != PAM_SUCCESS || str == NULL || str[0] == '\0') {
-+ return NULL;
-+ }
-+
-+ return str;
-+}
-+
-+static errno_t string_to_gss_name(pam_handle_t *pamh,
-+ const char *target,
-+ gss_OID type,
-+ gss_name_t *_name)
-+{
-+ gss_buffer_desc name_buf;
-+ OM_uint32 major;
-+ OM_uint32 minor;
-+
-+ name_buf.value = (void *)(uintptr_t)target;
-+ name_buf.length = strlen(target);
-+ major = gss_import_name(&minor, &name_buf, type, _name);
-+ if (GSS_ERROR(major)) {
-+ ERROR(pamh, "Could not convert target to GSS name");
-+ return EIO;
-+ }
-+
-+ return EOK;
-+}
-+
-+static void gssapi_log_status(pam_handle_t *pamh,
-+ int type,
-+ OM_uint32 status_code)
-+{
-+ gss_buffer_desc buf;
-+
OM_uint32 message_context;
-+ OM_uint32 minor;
-+
-+ message_context = 0;
-+ do {
-+ gss_display_status(&minor, status_code, type, GSS_C_NO_OID,
-+ &message_context, &buf);
-+ ERROR(pamh, "GSSAPI: %.*s", (int)buf.length, (char *)buf.value);
-+ gss_release_buffer(&minor, &buf);
-+ } while (message_context != 0);
-+}
-+
-+static void gssapi_log_error(pam_handle_t *pamh,
-+ OM_uint32 major,
-+ OM_uint32 minor)
-+{
-+ gssapi_log_status(pamh, GSS_C_GSS_CODE, major);
-+ gssapi_log_status(pamh, GSS_C_MECH_CODE, minor);
-+}
-+
-+static errno_t gssapi_get_creds(pam_handle_t *pamh,
-+ const char *ccache,
-+ const char *target,
-+ const char *upn,
-+ gss_cred_id_t *_creds)
-+{
-+ gss_key_value_set_desc cstore = {0, NULL};
-+ gss_key_value_element_desc el;
-+ gss_name_t name = GSS_C_NO_NAME;
-+ OM_uint32 major;
-+ OM_uint32 minor;
-+ errno_t ret;
-+
-+ if (upn != NULL && upn[0] != '\0') {
-+ TRACE(pamh, "Acquiring credentials for principal [%s]", upn);
-+ ret = string_to_gss_name(pamh, upn, GSS_C_NT_USER_NAME, &name);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ } else {
-+ TRACE(pamh, "Acquiring credentials, principal name will be derived");
-+ }
-+
-+ if (ccache != NULL) {
-+ el.key = "ccache";
-+ el.value = ccache;
-+ cstore.count = 1;
-+ cstore.elements = ⪙
-+ }
-+
-+ major = gss_acquire_cred_from(&minor, name, GSS_C_INDEFINITE,
-+ GSS_C_NO_OID_SET, GSS_C_INITIATE,
-+ &cstore, _creds, NULL, NULL);
-+ if (GSS_ERROR(major)) {
-+ /* TODO: Do not hardcode the error code. */
-+ if (minor == 2529639053 && name != GSS_C_NO_NAME) {
-+ /* Hint principal was not found. Try again and let GSSAPI choose. */
-+ TRACE(pamh, "Principal [%s] was not found in ccache", upn);
-+ ret = gssapi_get_creds(pamh, ccache, target, NULL, _creds);
-+ goto done;
-+ } else {
-+ ERROR(pamh, "Unable to read credentials from [%s] "
-+ "[maj:0x%x, min:0x%x]", ccache == NULL ?
"default" : ccache,
-+ major, minor);
-+
-+ gssapi_log_error(pamh, major, minor);
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
-+ ret = EOK;
-+
-+done:
-+ gss_release_name(&minor, &name);
-+
-+ return ret;
-+}
-+
-+static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
-+ const char *pam_service,
-+ const char *pam_user,
-+ uint8_t **_reply,
-+ size_t *_reply_len)
-+{
-+ struct sss_cli_req_data req_data;
-+ size_t service_len;
-+ size_t user_len;
-+ uint8_t *data;
-+ errno_t ret;
-+ int ret_errno;
-+
-+ if (pam_service == NULL || pam_user == NULL) {
-+ return EINVAL;
-+ }
-+
-+ service_len = strlen(pam_service) + 1;
-+ user_len = strlen(pam_user) + 1;
-+
-+ req_data.len = (service_len + user_len) * sizeof(char);
-+ data = (uint8_t*)malloc(req_data.len);
-+ if (data == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ memcpy(data, pam_service, service_len);
-+ memcpy(data + service_len, pam_user, user_len);
-+
-+ req_data.data = data;
-+
-+ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
-+ &ret_errno);
-+ free(data);
-+ if (ret != PAM_SUCCESS) {
-+ if (ret_errno == ENOTSUP) {
-+ TRACE(pamh, "GSSAPI authentication is not supported for user %s "
-+ "and service %s", pam_user, pam_service);
-+ return ret_errno;
-+ }
-+
-+ ERROR(pamh, "Communication error [%d, %d]: %s; %s", ret, ret_errno,
-+ pam_strerror(pamh, ret), strerror(ret_errno));
-+
-+ return (ret_errno != EOK) ?
ret_errno : EIO;
-+ }
-+
-+ return ret_errno;
-+}
-+
-+static errno_t sssd_gssapi_init_recv(uint8_t *reply,
-+ size_t reply_len,
-+ char **_username,
-+ char **_domain,
-+ char **_target,
-+ char **_upn)
-+{
-+ char *username = NULL;
-+ char *domain = NULL;
-+ char *target = NULL;
-+ char *upn = NULL;
-+ const char *buf;
-+ size_t pctr = 0;
-+ size_t dlen;
-+ errno_t ret;
-+
-+ username = malloc(reply_len * sizeof(char));
-+ domain = malloc(reply_len * sizeof(char));
-+ target = malloc(reply_len * sizeof(char));
-+ upn = malloc(reply_len * sizeof(char));
-+ if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ buf = (const char*)reply;
-+
-+ dlen = reply_len;
-+ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &username,
-+ NULL);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ dlen = reply_len;
-+ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &domain, NULL);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ dlen = reply_len;
-+ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &target, NULL);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ dlen = reply_len;
-+ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &upn, NULL);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ *_username = username;
-+ *_domain = domain;
-+ *_target = target;
-+ *_upn = upn;
-+
-+done:
-+ if (ret != EOK) {
-+ free(username);
-+ free(domain);
-+ free(target);
-+ free(upn);
-+ }
-+
-+ return ret;
-+}
-+
-+static errno_t sssd_gssapi_init(pam_handle_t *pamh,
-+ const char *pam_service,
-+ const char *pam_user,
-+ char **_username,
-+ char **_domain,
-+ char **_target,
-+ char **_upn)
-+{
-+ size_t reply_len;
-+ uint8_t *reply;
-+ errno_t ret;
-+
-+ ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
-+ &reply_len);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = sssd_gssapi_init_recv(reply, reply_len, _username, _domain, _target,
-+ _upn);
-+ free(reply);
-+
-+ return ret;
-+}
-+
-+static errno_t sssd_establish_sec_ctx_send(pam_handle_t *pamh,
-+ const char *pam_service,
-+ const char *username,
-+ const char *domain,
-+ const void *gss_data,
-+ size_t gss_data_len,
-+ void **_reply,
-+ size_t *_reply_len)
-+{
-+ struct sss_cli_req_data req_data;
-+ size_t username_len;
-+ size_t service_len;
-+ size_t domain_len;
-+ uint8_t *data;
-+ int ret_errno;
-+ int ret;
-+
-+ service_len = strlen(pam_service) + 1;
-+ username_len = strlen(username) + 1;
-+ domain_len = strlen(domain) + 1;
-+
-+ req_data.len = (service_len + username_len + domain_len) * sizeof(char)
-+ + gss_data_len;
-+ data = malloc(req_data.len);
-+ if (data == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ memcpy(data, pam_service, service_len);
-+ memcpy(data + service_len, username, username_len);
-+ memcpy(data + service_len + username_len, domain, domain_len);
-+ memcpy(data + service_len + username_len + domain_len, gss_data,
-+ gss_data_len);
-+
-+ req_data.data = data;
-+ ret = sss_pam_make_request(SSS_GSSAPI_SEC_CTX, &req_data, (uint8_t**)_reply,
-+ _reply_len, &ret_errno);
-+ free(data);
-+ if (ret != PAM_SUCCESS) {
-+ /* ENOTSUP should not happend here so let's keep it as generic error. */
-+ ERROR(pamh, "Communication error [%d, %d]: %s; %s", ret, ret_errno,
-+ pam_strerror(pamh, ret), strerror(ret_errno));
-+
-+ return (ret_errno != EOK) ?
ret_errno : EIO;
-+ }
-+
-+ return ret_errno;
-+}
-+
-+static int sssd_establish_sec_ctx(pam_handle_t *pamh,
-+ const char *ccache,
-+ const char *pam_service,
-+ const char *username,
-+ const char *domain,
-+ const char *target,
-+ const char *upn)
-+{
-+ gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
-+ gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
-+ gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
-+ OM_uint32 flags = GSS_C_MUTUAL_FLAG;
-+ gss_name_t gss_name;
-+ gss_cred_id_t creds;
-+ OM_uint32 ret_flags;
-+ OM_uint32 major;
-+ OM_uint32 minor;
-+ int ret;
-+
-+ ret = gssapi_get_creds(pamh, ccache, target, upn, &creds);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = string_to_gss_name(pamh, target, GSS_C_NT_HOSTBASED_SERVICE, &gss_name);
-+ if (ret != 0) {
-+ return ret;
-+ }
-+
-+ do {
-+ major = gss_init_sec_context(&minor, creds, &ctx,
-+ gss_name, GSS_C_NO_OID, flags, 0, NULL,
-+ &input, NULL, &output,
-+ &ret_flags, NULL);
-+
-+ free(input.value);
-+ memset(&input, 0, sizeof(gss_buffer_desc));
-+
-+ if (GSS_ERROR(major)) {
-+ ERROR(pamh, "Unable to establish GSS context [maj:0x%x, min:0x%x]",
-+ major, minor);
-+ gssapi_log_error(pamh, major, minor);
-+ ret = EIO;
-+ goto done;
-+ } else if (major == GSS_S_CONTINUE_NEEDED || output.length > 0) {
-+ ret = sssd_establish_sec_ctx_send(pamh, pam_service,
-+ username, domain,
-+ output.value, output.length,
-+ &input.value, &input.length);
-+ gss_release_buffer(NULL, &output);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ }
-+ } while (major != GSS_S_COMPLETE);
-+
-+ if ((ret_flags & flags) != flags) {
-+ ERROR(pamh, "Negotiated context does not support requested flags\n");
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ ret = EOK;
-+
-+done:
-+ gss_delete_sec_context(&minor, &ctx, NULL);
-+ gss_release_name(&minor, &gss_name);
-+
-+ return ret;
-+}
-+
-+static int errno_to_pam(pam_handle_t *pamh, errno_t ret)
-+{
-+ switch (ret) {
-+ case EOK:
-+ TRACE(pamh, "Authentication successful");
-+ return PAM_SUCCESS;
-+ case ENOENT:
-+
TRACE(pamh, "User not found");
-+ return PAM_USER_UNKNOWN;
-+ case ENOTSUP:
-+ TRACE(pamh, "GSSAPI authentication is not enabled "
-+ "for given user and service");
-+ return PAM_USER_UNKNOWN;
-+ case ESSS_NO_SOCKET:
-+ TRACE(pamh, "SSSD socket does not exist");
-+ return PAM_AUTHINFO_UNAVAIL;
-+ case EPERM:
-+ TRACE(pamh, "Authentication failed");
-+ return PAM_AUTH_ERR;
-+ default:
-+ TRACE(pamh, "System error [%d]: %s",
-+ ret, strerror(ret));
-+ return PAM_SYSTEM_ERR;
-+ }
-+}
-+
-+int pam_sm_authenticate(pam_handle_t *pamh,
-+ int flags,
-+ int argc,
-+ const char **argv)
-+{
-+ const char *pam_service;
-+ const char *pam_user;
-+ const char *ccache;
-+ char *username = NULL;
-+ char *domain = NULL;
-+ char *target = NULL;
-+ char *upn = NULL;
-+ uid_t uid;
-+ uid_t euid;
-+ errno_t ret;
-+
-+ debug_enabled = false;
-+ for (int i = 0; i < argc; i++) {
-+ if (strcmp(argv[i], "debug") == 0) {
-+ debug_enabled = true;
-+ break;
-+ }
-+ }
-+
-+
-+ /* Get non-default ccache if specified, may be NULL. */
-+ ccache = getenv("KRB5CCNAME");
-+
-+ uid = getuid();
-+ euid = geteuid();
-+
-+ /* Read PAM data. */
-+ pam_service = get_item_as_string(pamh, PAM_SERVICE);
-+ pam_user = get_item_as_string(pamh, PAM_USER);
-+ if (pam_service == NULL || pam_user == NULL) {
-+ ERROR(pamh, "Unable to get PAM data!");
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
-+ /* Initialize GSSAPI authentication with SSSD. Get user domain
-+ * and target GSS service name. */
-+ TRACE(pamh, "Initializing GSSAPI authentication with SSSD");
-+ ret = sssd_gssapi_init(pamh, pam_service, pam_user, &username, &domain,
-+ &target, &upn);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* PAM is often called from set-user-id applications (sudo, su). we want to
-+ * make sure that we access credentials of the caller (real uid). */
-+ if (!switch_euid(pamh, euid, uid)) {
-+ ret = EFAULT;
-+ goto done;
-+ }
-+
-+ /* Authenticate the user by estabilishing security context.
Authorization is
-+ * expected to be done by other modules through pam_access. */
-+ TRACE(pamh, "Trying to establish security context");
-+ TRACE(pamh, "SSSD User name: %s", username);
-+ TRACE(pamh, "User domain: %s", domain);
-+ TRACE(pamh, "User principal: %s", upn);
-+ TRACE(pamh, "Target name: %s", target);
-+ TRACE(pamh, "Using ccache: %s", ccache == NULL ? "default" : ccache);
-+ ret = sssd_establish_sec_ctx(pamh, ccache, pam_service,
-+ username, domain, target, upn);
-+
-+ /* Restore original euid. */
-+ if (!switch_euid(pamh, uid, euid)) {
-+ ret = EFAULT;
-+ goto done;
-+ }
-+
-+done:
-+ sss_pam_close_fd();
-+ free(domain);
-+ free(target);
-+ free(upn);
-+
-+ return errno_to_pam(pamh, ret);
-+}
-+
-+int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-+{
-+ return PAM_IGNORE;
-+}
-+
-+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
-+{
-+ return PAM_IGNORE;
-+}
-+
-+int pam_sm_open_session(pam_handle_t *pamh,
-+ int flags,
-+ int argc,
-+ const char **argv)
-+{
-+ return PAM_IGNORE;
-+}
-+
-+int pam_sm_close_session(pam_handle_t *pamh,
-+ int flags,
-+ int argc,
-+ const char **argv)
-+{
-+ return PAM_IGNORE;
-+}
-+
-+int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
-+{
-+ return PAM_IGNORE;
-+}
-diff --git a/src/sss_client/pam_sss_gss.exports b/src/sss_client/pam_sss_gss.exports
-new file mode 100644
-index 000000000..9afa106be
---- /dev/null
-+++ b/src/sss_client/pam_sss_gss.exports
-@@ -0,0 +1,4 @@
-+{
-+ global:
-+ *;
-+};
-diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
-index d897f43b7..2c3c71bc4 100644
---- a/src/sss_client/sss_cli.h
-+++ b/src/sss_client/sss_cli.h
-@@ -233,6 +233,8 @@ enum sss_cli_command {
- * an authentication request to find
- * out which authentication methods
- * are available for the given user. */
-+ SSS_GSSAPI_INIT = 0x00FA, /**< Initialize GSSAPI authentication.
*/
-+ SSS_GSSAPI_SEC_CTX = 0x00FB, /**< Establish GSSAPI security ctx. */
-
- /* PAC responder calls */
- SSS_PAC_ADD_PAC_USER = 0x0101,
-@@ -721,4 +723,10 @@ errno_t sss_readrep_copy_string(const char *in,
- char **out,
- size_t *size);
-
-+enum pam_gssapi_cmd {
-+ PAM_GSSAPI_GET_NAME,
-+ PAM_GSSAPI_INIT,
-+ PAM_GSSAPI_SENTINEL
-+};
-+
- #endif /* _SSSCLI_H */
-diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
-index ccf52abe9..bffa02188 100644
---- a/src/tests/dlopen-tests.c
-+++ b/src/tests/dlopen-tests.c
-@@ -47,6 +47,7 @@ struct so {
- { "libnss_sss.so", { LIBPFX"libnss_sss.so", NULL } },
- { "libsss_certmap.so", { LIBPFX"libsss_certmap.so", NULL } },
- { "pam_sss.so", { LIBPFX"pam_sss.so", NULL } },
-+ { "pam_sss_gss.so", { LIBPFX"pam_sss_gss.so", NULL } },
- #ifdef BUILD_WITH_LIBSECRET
- { "libsss_secrets.so", { LIBPFX"libsss_secrets.so", NULL } },
- #endif /* BUILD_WITH_LIBSECRET */
---
-2.21.3
-
diff --git a/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch b/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch
deleted file mode 100644
index dae8746..0000000
--- a/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 6 Mar 2020 12:49:04 +0100
-Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all
- dp request failed
-
-Reviewed-by: Alexey Tikhonov
----
- src/responder/common/cache_req/cache_req.c | 13 +++++++++++++
- src/responder/common/cache_req/cache_req.h | 4 ++++
- src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++
- src/responder/common/cache_req/cache_req_private.h | 3 +++
- 4 files changed, 32 insertions(+)
-
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index afb0e7cda..0c8538414 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
- case ERR_ID_OUTSIDE_RANGE:
- case ENOENT:
- if (state->check_next == false) {
-+ if (state->cr->data->propogate_offline_status && !state->dp_success) {
-+ /* Not found and data provider request failed so we were
-+ * unable to fetch the data. */
-+ ret = ERR_OFFLINE;
-+ goto done;
-+ }
-+
- /* Not found. */
- ret = ENOENT;
- goto done;
-@@ -1002,6 +1009,12 @@ done:
- case EAGAIN:
- break;
- default:
-+ if (ret == ENOENT && state->cr->data->propogate_offline_status
-+ && !state->dp_success) {
-+ /* Not found and data provider request failed so we were
-+ * unable to fetch the data.
*/
-+ ret = ERR_OFFLINE;
-+ }
- tevent_req_error(req, ret);
- break;
- }
-diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
-index 72d4abe5e..d36cb2d3b 100644
---- a/src/responder/common/cache_req/cache_req.h
-+++ b/src/responder/common/cache_req/cache_req.h
-@@ -171,6 +171,10 @@ void
- cache_req_data_set_requested_domains(struct cache_req_data *data,
- char **requested_domains);
-
-+void
-+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
-+ bool propogate_offline_status);
-+
- enum cache_req_type
- cache_req_data_get_type(struct cache_req_data *data);
-
-diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
-index 14c4ad14f..fe9f3db29 100644
---- a/src/responder/common/cache_req/cache_req_data.c
-+++ b/src/responder/common/cache_req/cache_req_data.c
-@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data,
- data->requested_domains = requested_domains;
- }
-
-+void
-+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
-+ bool propogate_offline_status)
-+{
-+ if (data == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n");
-+ return;
-+ }
-+
-+ data->propogate_offline_status = propogate_offline_status;
-+}
-+
- enum cache_req_type
- cache_req_data_get_type(struct cache_req_data *data)
- {
-diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
-index bfca688b9..2d52e7600 100644
---- a/src/responder/common/cache_req/cache_req_private.h
-+++ b/src/responder/common/cache_req/cache_req_private.h
-@@ -103,6 +103,9 @@ struct cache_req_data {
-
- /* if set, only search in the listed domains */
- char **requested_domains;
-+
-+ /* if set, ERR_OFFLINE is returned if data provider is offline */
-+ bool propogate_offline_status;
- };
-
- struct tevent_req *
---
-2.21.3
-
diff --git a/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch b/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch
deleted file mode 100644
index f29ff36..0000000
--- a/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 6 Mar 2020 13:12:46 +0100
-Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get
- information from backend and cache is empty
-
-Resolves:
-https://github.com/SSSD/sssd/issues/3413
-
-Reviewed-by: Alexey Tikhonov
----
- .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++
- .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++
- .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index cb674add6..55c9fc8b0 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+ cache_req_data_set_propogate_offline_status(data, true);
-+
- return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
- cache_refresh_percent,
- CACHE_REQ_POSIX_DOM, domain,
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 3c08eaf4f..823eb3595 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+ cache_req_data_set_propogate_offline_status(data, true);
-+
- return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
- cache_refresh_percent,
- CACHE_REQ_POSIX_DOM, domain,
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index 1b5645fa0..3e47b1321 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+ cache_req_data_set_propogate_offline_status(data, true);
-+
- return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
- cache_refresh_percent,
- CACHE_REQ_POSIX_DOM, domain,
---
-2.21.3
-
diff --git a/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch b/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch
deleted file mode 100644
index c605483..0000000
--- a/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 6 Mar 2020 13:44:56 +0100
-Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN
-
-So we do not publish internal error code.
-
-Resolves:
-https://github.com/SSSD/sssd/issues/3413
-
-Reviewed-by: Alexey Tikhonov
----
- src/sss_client/common.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 902438c86..d29332939 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -44,6 +44,7 @@
- #define _(STRING) dgettext (PACKAGE, STRING)
- #include "sss_cli.h"
- #include "common_private.h"
-+#include "util/util_errors.h"
-
- #if HAVE_PTHREAD
- #include
-@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd,
- uint8_t **repbuf, size_t *replen,
- int *errnop)
- {
-- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
-- repbuf, replen, errnop,
-- SSS_AUTOFS_SOCKET_NAME);
-+ enum sss_status status;
-+
-+ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
-+ repbuf, replen, errnop,
-+ SSS_AUTOFS_SOCKET_NAME);
-+
-+ if (*errnop == ERR_OFFLINE) {
-+ *errnop = EHOSTDOWN;
-+ }
-+
-+ return status;
- }
-
- int sss_ssh_make_request(enum sss_cli_command cmd,
---
-2.21.3
-
diff --git a/SOURCES/0031-autofs-disable-fast-reply.patch b/SOURCES/0031-autofs-disable-fast-reply.patch
deleted file mode 100644
index 8706aec..0000000
--- a/SOURCES/0031-autofs-disable-fast-reply.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Tue, 22 Sep 2020 11:04:25 +0200
-Subject: [PATCH 16/18] autofs: disable fast reply
-
-If the backend is offline when autofs starts and reads auto.master map
-we don't want to wait 60 seconds before the offline flag is reset. We
-need to allow autofs to retry the call much sooner.
-
-Resolves:
-https://github.com/SSSD/sssd/issues/3413
-
-Reviewed-by: Alexey Tikhonov
----
- .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
- .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
- .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index 55c9fc8b0..cd2085187 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
-
- return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
-- DP_FAST_REPLY, data->name.name,
-+ 0, data->name.name,
- data->autofs_entry_name);
- }
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 823eb3595..9d9bc3a97 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
-
- return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
-- DP_FAST_REPLY, data->name.name);
-+ 0, data->name.name);
- }
-
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index 3e47b1321..ee0156b6a 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
-
- return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
-- DP_FAST_REPLY, data->name.name);
-+ 0, data->name.name);
- }
-
- bool
---
-2.21.3
-
diff --git a/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch b/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch
deleted file mode 100644
index 9188a5e..0000000
--- a/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 4 Nov 2020 14:20:10 +0100
-Subject: [PATCH 17/18] autofs: correlate errors for different protocol
- versions
-
-Reviewed-by: Alexey Tikhonov
----
- src/sss_client/autofs/autofs_test_client.c | 12 ++++++++
- src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++---
- src/sss_client/autofs/sss_autofs.exports | 9 +++---
- src/sss_client/autofs/sss_autofs_private.h | 5 ++++
- 4 files changed, 53 insertions(+), 8 deletions(-)
-
-diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
-index c5358233f..4b285151e 100644
---- a/src/sss_client/autofs/autofs_test_client.c
-+++ b/src/sss_client/autofs/autofs_test_client.c
-@@ -45,10 +45,14 @@ int main(int argc, const char *argv[])
- char *value = NULL;
- char *pc_key = NULL;
- int pc_setent = 0;
-+ int pc_protocol = 1;
-+ unsigned int protocol;
-+ unsigned int requested_protocol = 1;
- struct poptOption long_options[] = {
- POPT_AUTOHELP
- { "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL },
- { "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL },
-+ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL },
- POPT_TABLEEND
- };
- poptContext pc = NULL;
-@@ -69,6 +73,14 @@ int main(int argc, const char *argv[])
-
- poptFreeContext(pc);
-
-+ requested_protocol = pc_protocol;
-+ protocol = _sss_auto_protocol_version(requested_protocol);
-+ if (protocol != requested_protocol) {
-+ fprintf(stderr, "Unsupported protocol version: %d -> %d\n",
-+ requested_protocol, protocol);
-+ exit(EXIT_FAILURE);
-+ }
-+
- ret = _sss_setautomntent(mapname, &ctx);
- if (ret) {
- fprintf(stderr, "setautomntent failed [%d]: %s\n",
-diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
-index 482ff2c40..ef27cf895 100644
----
a/src/sss_client/autofs/sss_autofs.c
-+++ b/src/sss_client/autofs/sss_autofs.c
-@@ -20,6 +20,7 @@
-
- #include
- #include
-+#include
-
- #include "sss_client/autofs/sss_autofs_private.h"
- #include "sss_client/sss_cli.h"
-@@ -33,6 +34,32 @@
- /* How many entries shall _sss_getautomntent_r retrieve at once */
- #define GETAUTOMNTENT_MAX_ENTRIES 512
-
-+static atomic_uint _protocol = 0;
-+
-+unsigned int _sss_auto_protocol_version(unsigned int requested)
-+{
-+ switch (requested) {
-+ case 0:
-+ /* EHOSTDOWN will be translated to ENOENT */
-+ _protocol = 0;
-+ return 0;
-+ default:
-+ /* There is no other protocol version at this point. */
-+ _protocol = 1;
-+ return 1;
-+ }
-+}
-+
-+/* Returns correct errno based on autofs version expectations. */
-+static errno_t errnop_to_errno(int errnop)
-+{
-+ if (errnop == EHOSTDOWN && _protocol == 0) {
-+ return ENOENT;
-+ }
-+
-+ return errnop;
-+}
-+
- struct automtent {
- char *mapname;
- size_t cursor;
-@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context)
- &repbuf, &replen, &errnop);
- if (ret != SSS_STATUS_SUCCESS) {
- free(name);
-- ret = errnop;
-+ ret = errnop_to_errno(errnop);
- goto out;
- }
-
-@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
- &repbuf, &replen, &errnop);
- free(data);
- if (ret != SSS_STATUS_SUCCESS) {
-- ret = errnop;
-+ ret = errnop_to_errno(errnop);
- goto out;
- }
-
-@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context)
- &repbuf, &replen, &errnop);
- free(data);
- if (ret != SSS_STATUS_SUCCESS) {
-- ret = errnop;
-+ ret = errnop_to_errno(errnop);
- goto out;
- }
-
-@@ -467,7 +494,7 @@ _sss_endautomntent(void **context)
- ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT,
- NULL, NULL, NULL, &errnop);
- if (ret != SSS_STATUS_SUCCESS) {
-- ret = errnop;
-+ ret = errnop_to_errno(errnop);
- goto out;
- }
-
-diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports
-index f9ce8f5b2..ec61f715e 100644
---- a/src/sss_client/autofs/sss_autofs.exports
-+++ b/src/sss_client/autofs/sss_autofs.exports
-@@ -2,10 +2,11 @@ EXPORTED {
-
- # public functions
- global:
-- _sss_setautomntent;
-- _sss_getautomntent_r;
-- _sss_getautomntbyname_r;
-- _sss_endautomntent;
-+ _sss_auto_protocol_version;
-+ _sss_setautomntent;
-+ _sss_getautomntent_r;
-+ _sss_getautomntbyname_r;
-+ _sss_endautomntent;
-
- # everything else is local
- local:
-diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h
-index 6459c1cc7..7fd49db1d 100644
---- a/src/sss_client/autofs/sss_autofs_private.h
-+++ b/src/sss_client/autofs/sss_autofs_private.h
-@@ -21,6 +21,11 @@
- #include
- #include "util/util.h"
-
-+/**
-+ * Choose an autofs protocol version to be used between autofs and sss_autofs.
-+ */
-+unsigned int _sss_auto_protocol_version(unsigned int requested);
-+
- /**
- * Selects a map for processing.
- */
---
-2.21.3
-
diff --git a/SOURCES/0033-configure-check-for-stdatomic.h.patch b/SOURCES/0033-configure-check-for-stdatomic.h.patch
deleted file mode 100644
index 699c3f6..0000000
--- a/SOURCES/0033-configure-check-for-stdatomic.h.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Thu, 26 Nov 2020 14:56:08 +0100
-Subject: [PATCH 18/18] configure: check for stdatomic.h
-
-Recent autofs patches adds dependency on automic_uint/_Atomic type from C11
-standard. This is supported in both gcc and clang for a long time now.
-
-Reviewed-by: Alexey Tikhonov
----
- configure.ac | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/configure.ac b/configure.ac
-index 1af1d1785..0d24c4b35 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
- AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
-
- AC_CHECK_HEADERS(stdint.h dlfcn.h)
-+AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
- AC_CONFIG_HEADER(config.h)
-
- AC_CHECK_TYPES([errno_t], [], [], [[#include ]])
---
-2.21.3
-
diff --git a/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch b/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch
deleted file mode 100644
index 5181137..0000000
--- a/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 15 Jan 2021 12:04:38 +0100
-Subject: [PATCH] cache_req: ignore autofs not configured error
-
-Otherwise we return ERR_OFFLINE for domains where autofs provider is not
-set (such as implicit files domain) which is undesirable.
-
-Steps to reproduce:
-1. Enable implicit files domains and LDAP domain with autofs configured
-2. Setup NFS server to export `/exports` with `/exports/home/test`
-3. Add autofs mount points:
-```
-dn: ou=mount,dc=ldap,dc=vm
-ou: mount
-objectClass: organizationalUnit
-objectClass: top
-
-dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
-objectClass: nisMap
-objectClass: top
-nisMapName: auto.master
-
-dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
-objectClass: nisObject
-objectClass: top
-cn: /export/home
-nisMapEntry: auto.home
-nisMapName: auto.master
-
-dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
-objectClass: nisMap
-objectClass: top
-nisMapName: auto.home
-
-dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
-objectClass: nisObject
-objectClass: top
-cn: /
-nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
-nisMapName: auto.home
-```
-4. Run SSSD and autofs
-5. cd to /exports/home/test
-
-The directory will not be mounted with the new autofs protocol. It
-will succeed with the old protocol. In both versions, you'll see
-that SSSD returned ERR_OFFLINE:
-
-```
-(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
-...
-(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
-(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
-(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
-(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
-```
-
-Reviewed-by: Alexey Tikhonov
----
- .../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++-
- .../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++-
- .../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++-
- 3 files changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index cd2085187..f411fd351 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -92,7 +92,15 @@ bool
- cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
- struct cache_req *cr)
- {
-- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK;
-+ errno_t ret;
-+
-+ ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
-+
-+ if (ret == ERR_MISSING_DP_TARGET) {
-+ ret = EOK;
-+ }
-+
-+ return ret == EOK;
- }
-
- const struct cache_req_plugin cache_req_autofs_entry_by_name = {
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 9d9bc3a97..c22cf0c8e 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -88,7 +88,15 @@ bool
- cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
- struct cache_req *cr)
- {
-- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK;
-+ errno_t ret;
-+
-+ ret = sbus_call_dp_autofs_GetMap_recv(subreq);
-+
-+ if (ret == ERR_MISSING_DP_TARGET) {
-+ ret = EOK;
-+ }
-+
-+ return ret == EOK;
- }
-
- const struct cache_req_plugin cache_req_autofs_map_by_name = {
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index ee0156b6a..4d9db6595 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -120,7 +120,15 @@ bool
- cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
- struct cache_req *cr)
- {
-- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK;
-+ errno_t ret;
-+
-+ ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
-+
-+ if (ret == ERR_MISSING_DP_TARGET) {
-+ ret = EOK;
-+ }
-+
-+ return ret == EOK;
- }
-
- const struct cache_req_plugin cache_req_autofs_map_entries = {
---
-2.21.3
-
diff --git a/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch b/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch
deleted file mode 100644
index 5cd16fa..0000000
--- a/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 12 Jan 2021 16:40:56 +0100
-Subject: [PATCH] simple: fix memory leak while reloading lists
-
-The simple access provider will reload the access and deny lists at
-runtime to make sure that users and groups from domains which are
-discovered at runtime are properly processed.
-
-While reloading the lists the original lists are not freed and an
-intermediate list wasn't removed as well.
-
-Resolves: https://github.com/SSSD/sssd/issues/5456
-
-:fixes: Memory leak in the simple access provider
-
-Reviewed-by: Alexey Tikhonov
----
- src/providers/simple/simple_access.c | 28 +++++++++++++++++++++-------
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
-index 1868569b1..49226adf2 100644
---- a/src/providers/simple/simple_access.c
-+++ b/src/providers/simple/simple_access.c
-@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
- const char *name;
- const char *option;
- char **orig_list;
-- char ***ctx_list;
-+ char **ctx_list;
- } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
- {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
- {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
- {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
- {NULL, NULL, NULL, NULL}};
-
-- lists[0].ctx_list = &ctx->allow_users;
-- lists[1].ctx_list = &ctx->deny_users;
-- lists[2].ctx_list = &ctx->allow_groups;
-- lists[3].ctx_list = &ctx->deny_groups;
-
- ret = sysdb_master_domain_update(bectx->domain);
- if (ret != EOK) {
-@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
- lists[i].option, &lists[i].orig_list);
- if (ret == ENOENT) {
- DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
-- *lists[i].ctx_list = NULL;
- continue;
- } else if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
-@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
- }
-
- ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
-- lists[i].ctx_list);
-+ &lists[i].ctx_list);
-+ talloc_free(lists[i].orig_list);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
- lists[i].name, ret, sss_strerror(ret));
-@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
- }
- }
-
-+ talloc_free(ctx->allow_users);
-+ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list);
-+
-+ talloc_free(ctx->deny_users);
-+ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list);
-+
-+ talloc_free(ctx->allow_groups);
-+ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list);
-+
-+ talloc_free(ctx->deny_groups);
-+ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list);
-+
- if (!ctx->allow_users &&
- !ctx->allow_groups &&
- !ctx->deny_users &&
-@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
- "No rules supplied for simple access provider. "
- "Access will be granted for all users.\n");
- }
-+
-+
- return EOK;
-
- failed:
-+ for (i = 0; lists[i].name != NULL; i++) {
-+ talloc_free(lists[i].ctx_list);
-+ }
-+
- return ret;
- }
-
---
-2.21.3
-
diff --git a/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch b/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch
deleted file mode 100644
index d432682..0000000
--- a/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Mon, 11 Jan 2021 18:28:02 +0100
-Subject: [PATCH] SBUS: do not try to del non existing sender
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://github.com/SSSD/sssd/issues/5425
-
-Reviewed-by: Pavel Březina
----
- src/sbus/request/sbus_request_sender.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c
-index cecb188b0..39cdec064 100644
---- a/src/sbus/request/sbus_request_sender.c
-+++ b/src/sbus/request/sbus_request_sender.c
-@@ -101,10 +101,11 @@ void
- sbus_senders_delete(hash_table_t *table,
- const char *name)
- {
-- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
-- name);
--
-- sss_ptr_hash_delete(table, name, true);
-+ if (sss_ptr_hash_has_key(table, name)) {
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
-+ name);
-+ sss_ptr_hash_delete(table, name, true);
-+ }
- }
-
- errno_t
---
-2.21.3
-
diff --git a/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch b/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
deleted file mode 100644
index cb06e15..0000000
--- a/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 8 Jan 2021 14:00:47 +0100
-Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’:
-src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion]
- 716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
-
-Reviewed-by: Alexey Tikhonov
----
- src/responder/pam/pamsrv_gssapi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
-index 099675e1c..2d05c7888 100644
---- a/src/responder/pam/pamsrv_gssapi.c
-+++ b/src/responder/pam/pamsrv_gssapi.c
-@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
- DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
-
- req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
-- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
-+ cli_ctx->rctx->ncache, 0,
-+ CACHE_REQ_POSIX_DOM,
- domain->name, state->authenticated_upn);
- if (req == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
---
-2.21.3
-
diff --git a/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch b/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
deleted file mode 100644
index d4ea08c..0000000
--- a/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Mon, 11 Jan 2021 13:11:39 +0100
-Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain
- section
-
-We need to distinguish when the option is not set in domain section and when
-it is is explicitly disabled. Now if it is not set, domain->gssapi_services
-is NULL and we'll use value from the pam section.
-
-Without this change, the value in the pam section is ignored.
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Sumit Bose
----
- src/confdb/confdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index 2881ce5da..befcfff2d 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- }
-
- tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
-- "-");
-+ NULL);
- if (tmp != NULL) {
- ret = split_on_separator(domain, tmp, ',', true, true,
- &domain->gssapi_services, NULL);
---
-2.21.3
-
diff --git a/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch b/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch
deleted file mode 100644
index cd37baf..0000000
--- a/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Tue, 12 Jan 2021 13:50:11 +0100
-Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-```
-1. Defect type: RESOURCE_LEAK
-7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
-Expand
-2. Defect type: RESOURCE_LEAK
-3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
-Expand
-3. Defect type: RESOURCE_LEAK
-7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
-Expand
-4. Defect type: RESOURCE_LEAK
-6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
-Expand
-5. Defect type: RESOURCE_LEAK
-7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
-Expand
-6. Defect type: RESOURCE_LEAK
-7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.
-
-1. Defect type: CLANG_WARNING
-1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
-Expand
-2. Defect type: CLANG_WARNING
-1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
-Expand
-3. Defect type: CLANG_WARNING
-1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
-Expand
-4. Defect type: CLANG_WARNING
-1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
-```
-
-Also fix compilation warning
-```
-../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized]
- 339 | free(reply);
- | ^~~~~~~~~~~
-../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here
- 328 | uint8_t *reply;
- | ^~~~~
-../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
- 270 | upn = malloc(reply_len * sizeof(char));
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here
- 327 | size_t reply_len;
- | ^~~~~~~~~
-```
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Sumit Bose
----
- src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
-index cd38db7da..51be36ece 100644
---- a/src/sss_client/pam_sss_gss.c
-+++ b/src/sss_client/pam_sss_gss.c
-@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
- struct sss_cli_req_data req_data;
- size_t service_len;
- size_t user_len;
-+ size_t reply_len;
-+ uint8_t *reply = NULL;
- uint8_t *data;
- errno_t ret;
- int ret_errno;
-@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
-
- req_data.data = data;
-
-- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
-+ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len,
- &ret_errno);
- free(data);
- if (ret != PAM_SUCCESS) {
-@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
- return (ret_errno != EOK) ? ret_errno : EIO;
- }
-
-+ if (ret_errno == EOK) {
-+ *_reply = reply;
-+ *_reply_len = reply_len;
-+ } else {
-+ /* We got PAM_SUCCESS therefore the communication with SSSD was
-+ * successful and we have received a reply buffer. We just don't care
-+ * about it, we are only interested in the error code. */
-+ free(reply);
-+ }
-+
- return ret_errno;
- }
-
-@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply,
- target = malloc(reply_len * sizeof(char));
- upn = malloc(reply_len * sizeof(char));
- if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
-- return ENOMEM;
-+ ret = ENOMEM;
-+ goto done;
- }
-
- buf = (const char*)reply;
-@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh,
- char **_target,
- char **_upn)
- {
-- size_t reply_len;
-- uint8_t *reply;
-+ size_t reply_len = 0;
-+ uint8_t *reply = NULL;
- errno_t ret;
-
- ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
-@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,
-
- done:
- sss_pam_close_fd();
-+ free(username);
- free(domain);
- free(target);
- free(upn);
---
-2.21.3
-
diff --git a/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
deleted file mode 100644
index ca3d905..0000000
--- a/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Mon, 25 Jan 2021 15:14:05 +0200
-Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When IPA allows to add AD users and groups directly to sudo rules
-(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
-Thus, we don't need to add additional '%'.
-
-Resolves: https://github.com/SSSD/sssd/issues/5475
-Signed-off-by: Alexander Bokovoy
-
-Reviewed-by: Pavel Březina
----
- src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
-index cfb41d8b0..1bfee096d 100644
---- a/src/providers/ipa/ipa_sudo_conversion.c
-+++ b/src/providers/ipa/ipa_sudo_conversion.c
-@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
- const char *value,
- bool *skip_entry)
- {
-+ if (value == NULL)
-+ return NULL;
-+
-+ if (value[0] == '%')
-+ return talloc_strdup(mem_ctx, value);
-+
- return talloc_asprintf(mem_ctx, "%%%s", value);
- }
-
---
-2.21.3
-
diff --git a/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
deleted file mode 100644
index e61ec25..0000000
--- a/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 20 Jan 2021 17:48:44 +0100
-Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To allow responders to run dedicated code at the end of the initial
-getDomains request a callback is added.
-
-Resolves: https://github.com/SSSD/sssd/issues/5469
-
-Reviewed-by: Tomáš Halman
----
- src/responder/autofs/autofssrv.c | 2 +-
- src/responder/common/responder.h | 5 ++++-
- src/responder/common/responder_get_domains.c | 12 +++++++++++-
- src/responder/ifp/ifpsrv.c | 2 +-
- src/responder/nss/nsssrv.c | 3 ++-
- src/responder/pac/pacsrv.c | 2 +-
- src/responder/pam/pamsrv.c | 3 ++-
- src/responder/ssh/sshsrv.c | 2 +-
- src/responder/sudo/sudosrv.c | 2 +-
- src/tests/cmocka/test_responder_common.c | 2 +-
- 10 files changed, 25 insertions(+), 10 deletions(-)
-
-diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
-index 27de1b44a..130eaf775 100644
---- a/src/responder/autofs/autofssrv.c
-+++ b/src/responder/autofs/autofssrv.c
-@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
- goto fail;
- }
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto fail;
-diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
-index f83ba1bc0..ff0559c08 100644
---- a/src/responder/common/responder.h
-+++ b/src/responder/common/responder.h
-@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- char **_domain);
-
-+typedef void (get_domains_callback_fn_t)(void *);
- errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct resp_ctx *rctx,
-- struct sss_nc_ctx *optional_ncache);
-+ struct sss_nc_ctx *optional_ncache,
-+ get_domains_callback_fn_t *callback,
-+ void *callback_pvt);
-
- errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string,
- bool allow_sss_loop,
-diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
-index e551b0fff..12b6e9028 100644
---- a/src/responder/common/responder_get_domains.c
-+++ b/src/responder/common/responder_get_domains.c
-@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
- struct get_domains_state {
- struct resp_ctx *rctx;
- struct sss_nc_ctx *optional_ncache;
-+ get_domains_callback_fn_t *callback;
-+ void *callback_pvt;
- };
-
- static void get_domains_at_startup_done(struct tevent_req *req)
-@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req)
- }
- }
-
-+ if (state->callback != NULL) {
-+ state->callback(state->callback_pvt);
-+ }
-+
- talloc_free(state);
- return;
- }
-@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev,
- errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct resp_ctx *rctx,
-- struct sss_nc_ctx *optional_ncache)
-+ struct sss_nc_ctx *optional_ncache,
-+ get_domains_callback_fn_t *callback,
-+ void *callback_pvt)
- {
- struct tevent_immediate *imm;
- struct get_domains_state *state;
-@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
- }
- state->rctx = rctx;
- state->optional_ncache = optional_ncache;
-+ state->callback = callback;
-+ state->callback_pvt = callback_pvt;
-
- imm = tevent_create_immediate(mem_ctx);
- if (imm == NULL) {
-diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
-index 7407ee07b..ee1452728 100644
---- a/src/responder/ifp/ifpsrv.c
-+++ b/src/responder/ifp/ifpsrv.c
-@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
- return EIO;
- }
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "schedule_get_domains_tasks failed.\n");
-diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
-index e80104e3d..2b7958e80 100644
---- a/src/responder/nss/nsssrv.c
-+++ b/src/responder/nss/nsssrv.c
-@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
- }
- responder_set_fd_limit(fd_limit);
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
-+ NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto fail;
-diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
-index 217f83c26..96935150b 100644
---- a/src/responder/pac/pacsrv.c
-+++ b/src/responder/pac/pacsrv.c
-@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
- goto fail;
- }
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto fail;
-diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
-index de1620e82..8b1ce2e92 100644
---- a/src/responder/pam/pamsrv.c
-+++ b/src/responder/pam/pamsrv.c
-@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
- }
- responder_set_fd_limit(fd_limit);
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
-+ NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto done;
-diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
-index 6072a702c..e79a0438c 100644
---- a/src/responder/ssh/sshsrv.c
-+++ b/src/responder/ssh/sshsrv.c
-@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
- goto fail;
- }
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto fail;
-diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
-index 5951b17b1..dc4a44b2f 100644
---- a/src/responder/sudo/sudosrv.c
-+++ b/src/responder/sudo/sudosrv.c
-@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
- goto fail;
- }
-
-- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
-+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto fail;
-diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
-index 5fc0d712d..29356253b 100644
---- a/src/tests/cmocka/test_responder_common.c
-+++ b/src/tests/cmocka/test_responder_common.c
-@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state)
- ret = schedule_get_domains_task(dummy_ncache_ptr,
- parse_inp_ctx->rctx->ev,
- parse_inp_ctx->rctx,
-- dummy_ncache_ptr);
-+ dummy_ncache_ptr, NULL, NULL);
- assert_int_equal(ret, EOK);
-
- ret = test_ev_loop(parse_inp_ctx->tctx);
---
-2.21.3
-
diff --git a/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
deleted file mode 100644
index 882f567..0000000
--- a/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 20 Jan 2021 18:25:04 +0100
-Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
- domains lookup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-During startup SSSD's responders send a getDomains request to all
-backends to refresh some domain related needed by the responders.
-
-The PAM responder specifically needs the certificate mapping and
-matching rules when Smartcard authentication is enable. Currently the
-rules are not refreshed at the end of the initial request but the code
-assumed that the related structures are initialized after the request
-finished.
-
-To avoid a race condition this patch adds a callback to the end of the
-request to make sure the rules are properly refreshed even if they are
-already initialized before.
-
-Resolves: https://github.com/SSSD/sssd/issues/5469
-
-Reviewed-by: Tomáš Halman
----
- src/responder/pam/pamsrv.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
-index 8b1ce2e92..65370662d 100644
---- a/src/responder/pam/pamsrv.c
-+++ b/src/responder/pam/pamsrv.c
-@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
- return EOK;
- }
-
-+static void pam_get_domains_callback(void *pvt)
-+{
-+ struct pam_ctx *pctx;
-+ int ret;
-+
-+ pctx = talloc_get_type(pvt, struct pam_ctx);
-+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
-+ }
-+}
-+
- static int pam_process_init(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct confdb_ctx *cdb,
-@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
- responder_set_fd_limit(fd_limit);
-
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
-- NULL, NULL);
-+ pam_get_domains_callback, pctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
- goto done;
---
-2.21.3
-
diff --git a/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch
deleted file mode 100644
index eb99c88..0000000
--- a/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Wed, 20 Jan 2021 15:40:34 +0100
-Subject: [PATCH] SBUS: set sbus_name before dp_init_send()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some async task might access sbus_name before dp_initialized() was executed
-
-Resolves: https://github.com/SSSD/sssd/issues/5466
-
-Reviewed-by: Pavel Březina
----
- src/providers/data_provider/dp.c | 21 ++++-----------------
- src/providers/data_provider/dp.h | 6 +++---
- src/providers/data_provider_be.c | 12 ++++++++++--
- 3 files changed, 17 insertions(+), 22 deletions(-)
-
-diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
-index 90324d74d..64fe847b2 100644
---- a/src/providers/data_provider/dp.c
-+++ b/src/providers/data_provider/dp.c
-@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider)
- struct dp_init_state {
- struct be_ctx *be_ctx;
- struct data_provider *provider;
-- char *sbus_name;
- };
-
- static void dp_init_done(struct tevent_req *subreq);
-@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct be_ctx *be_ctx,
- uid_t uid,
-- gid_t gid)
-+ gid_t gid,
-+ const char *sbus_name)
- {
- struct dp_init_state *state;
- struct tevent_req *subreq;
-@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
- state->provider->gid = gid;
- state->provider->be_ctx = be_ctx;
-
-- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain);
-- if (state->sbus_name == NULL) {
-- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
-- ret = ENOMEM;
-- goto done;
-- }
--
- /* Initialize data provider bus. Data provider can receive client
- * registration and other D-Bus methods.
However no data provider
- * request will be executed as long as the modules and targets
-@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
- talloc_set_destructor(state->provider, dp_destructor);
-
- subreq = sbus_server_create_and_connect_send(state->provider, ev,
-- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid,
-+ sbus_name, NULL, sbus_address, true, 1000, uid, gid,
- (sbus_server_on_connection_cb)dp_client_init,
- (sbus_server_on_connection_data)state->provider);
- if (subreq == NULL) {
-@@ -270,16 +263,10 @@ done:
- }
-
- errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
-- struct tevent_req *req,
-- const char **_sbus_name)
-+ struct tevent_req *req)
- {
-- struct dp_init_state *state;
-- state = tevent_req_data(req, struct dp_init_state);
--
- TEVENT_REQ_RETURN_ON_ERROR(req);
-
-- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
--
- return EOK;
- }
-
-diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
-index a8b6e9f3a..95c6588ad 100644
---- a/src/providers/data_provider/dp.h
-+++ b/src/providers/data_provider/dp.h
-@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct be_ctx *be_ctx,
- uid_t uid,
-- gid_t gid);
-+ gid_t gid,
-+ const char *sbus_name);
-
- errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
-- struct tevent_req *req,
-- const char **_sbus_name);
-+ struct tevent_req *req);
-
- bool _dp_target_enabled(struct data_provider *provider,
- const char *module_name,
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index f059a3f96..8458146ea 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
-+ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain);
-+ if (be_ctx->sbus_name == NULL) {
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus
backend name.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid,
-+ be_ctx->sbus_name);
- if (req == NULL) {
- ret = ENOMEM;
- goto done;
-@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req)
-
- be_ctx = tevent_req_callback_data(req, struct be_ctx);
-
-- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
-+ ret = dp_init_recv(be_ctx, req);
- talloc_zfree(req);
- if (ret != EOK) {
- goto done;
---
-2.21.3
-
diff --git a/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch b/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch
deleted file mode 100644
index 91d15c4..0000000
--- a/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch
+++ /dev/null
@@ -1,655 +0,0 @@ -From c2e8879189ecbbdfdd4b42395319a4cd91cb569f Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 12 Feb 2021 20:02:52 +0100 -Subject: [PATCH] pam_sss_gss: support authentication indicators (upstream -patch 5ce7ced269c7b3dd8f75122a50f539083b5697ae by Alexander Bokovoy) - -MIT Kerberos allows to associate authentication indicators with the -issued ticket based on the way how the TGT was obtained. The indicators -present in the TGT then copied to service tickets. There are two ways to -check the authentication indicators: - - - when KDC issues a service ticket, a policy at KDC side can reject the - ticket issuance based on a lack of certain indicator - - - when a server application presented with a service ticket from a - client, it can verify that this ticket contains intended - authentication indicators before authorizing access from the client. - -Add support to validate presence of a specific (set of) authentication -indicator(s) in pam_sss_gss when validating a user's TGT. - -This concept can be used to only allow access to a PAM service when user -is in possession of a ticket obtained using some of pre-authentication -mechanisms that require multiple factors: smart-cards (PKINIT), 2FA -tokens (otp/radius), etc. 
- -Patch by: Alexander Bokovoy - -Reviewed by: Sumit Bose - -Adapted to 8.4 branch by: Alexey Tikhonov ---- - src/confdb/confdb.c | 13 ++ - src/confdb/confdb.h | 3 + - src/config/SSSDConfig/sssdoptions.py | 2 + - src/config/SSSDConfigTest.py | 6 +- - src/config/cfg_rules.ini | 3 + - src/config/etc/sssd.api.conf | 2 + - src/db/sysdb_subdomains.c | 12 ++ - src/man/pam_sss_gss.8.xml | 13 ++ - src/man/sssd.conf.5.xml | 64 +++++++ - src/responder/pam/pamsrv.c | 21 +++ - src/responder/pam/pamsrv.h | 2 + - src/responder/pam/pamsrv_gssapi.c | 250 +++++++++++++++++++++++++++ - 12 files changed, 389 insertions(+), 2 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index befcfff..cca7615 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - } - } - -+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, -+ NULL); -+ if (tmp != NULL && tmp[0] != '\0') { -+ ret = split_on_separator(domain, tmp, ',', true, true, -+ &domain->gssapi_indicators_map, NULL); -+ if (ret != 0) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); -+ goto done; -+ } -+ } -+ - domain->has_views = false; - domain->view_name = NULL; - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 036f9ec..a2be227 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -146,6 +146,7 @@ - #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" - #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" - #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" -+#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" - - /* SUDO */ - #define CONFDB_SUDO_CONF_ENTRY "config/sudo" -@@ -437,6 +438,8 @@ struct sss_domain_info { - /* List of PAM services that are allowed to authenticate with GSSAPI. 
*/ - char **gssapi_services; - char *gssapi_check_upn; /* true | false | NULL */ -+ /* List of indicators associated with the specific PAM service */ -+ char **gssapi_indicators_map; - }; - - /** -diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py -index 5da52a9..0d849bc 100644 ---- a/src/config/SSSDConfig/sssdoptions.py -+++ b/src/config/SSSDConfig/sssdoptions.py -@@ -106,6 +106,8 @@ class SSSDOptions(object): - 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), - 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), - 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), -+ 'pam_gssapi_indicators_map' : _('List of pairs : that ' -+ 'must be enforced for PAM access with GSSAPI authentication'), - - # [sudo] - 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), -diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py -index ea4e4f6..d0422df 100755 ---- a/src/config/SSSDConfigTest.py -+++ b/src/config/SSSDConfigTest.py -@@ -655,7 +655,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'cached_auth_timeout', - 'auto_private_groups', - 'pam_gssapi_services', -- 'pam_gssapi_check_upn'] -+ 'pam_gssapi_check_upn', -+ 'pam_gssapi_indicators_map'] - - self.assertTrue(type(options) == dict, - "Options should be a dictionary") -@@ -1034,7 +1035,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'cached_auth_timeout', - 'auto_private_groups', - 'pam_gssapi_services', -- 'pam_gssapi_check_upn'] -+ 'pam_gssapi_check_upn', -+ 'pam_gssapi_indicators_map'] - - self.assertTrue(type(options) == dict, - "Options should be a dictionary") -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 6642c63..872ceba 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -141,6 +141,7 @@ option = p11_uri - option = pam_initgroups_scheme - option = 
pam_gssapi_services - option = pam_gssapi_check_upn -+option = pam_gssapi_indicators_map - - [rule/allowed_sudo_options] - validator = ini_allowed_options -@@ -441,6 +442,7 @@ option = re_expression - option = auto_private_groups - option = pam_gssapi_services - option = pam_gssapi_check_upn -+option = pam_gssapi_indicators_map - - #Entry cache timeouts - option = entry_cache_user_timeout -@@ -837,6 +839,7 @@ option = use_fully_qualified_names - option = auto_private_groups - option = pam_gssapi_services - option = pam_gssapi_check_upn -+option = pam_gssapi_indicators_map - - [rule/sssd_checks] - validator = sssd_checks -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index d3cad73..49ced63 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -82,6 +82,7 @@ p11_uri = str, None, false - pam_initgroups_scheme = str, None, false - pam_gssapi_services = str, None, false - pam_gssapi_check_upn = bool, None, false -+pam_gssapi_indicators_map = str, None, false - - [sudo] - # sudo service -@@ -203,6 +204,7 @@ re_expression = str, None, false - auto_private_groups = str, None, false - pam_gssapi_services = str, None, false - pam_gssapi_check_upn = bool, None, false -+pam_gssapi_indicators_map = str, None, false - - #Entry cache timeouts - entry_cache_user_timeout = int, None, false -diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c -index 03ba121..2243872 100644 ---- a/src/db/sysdb_subdomains.c -+++ b/src/db/sysdb_subdomains.c -@@ -185,6 +185,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, - dom->override_gid = parent->override_gid; - - dom->gssapi_services = parent->gssapi_services; -+ dom->gssapi_indicators_map = parent->gssapi_indicators_map; - - if (parent->sysdb == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n"); -@@ -266,6 +267,17 @@ check_subdom_config_file(struct confdb_ctx *confdb, - goto done; - } - -+ /* allow to set pam_gssapi_indicators_map 
*/ -+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path, -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, -+ &subdomain->gssapi_indicators_map); -+ if (ret != EOK && ret != ENOENT) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to get %s option for the subdomain: %s\n", -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, subdomain->name); -+ goto done; -+ } -+ - ret = EOK; - done: - talloc_free(tmp_ctx); -diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml -index ce5b11b..a83369d 100644 ---- a/src/man/pam_sss_gss.8.xml -+++ b/src/man/pam_sss_gss.8.xml -@@ -70,6 +70,19 @@ - 5 - for more details on these options. - -+ -+ Some Kerberos deployments allow to assocate authentication -+ indicators with a particular pre-authentication method used to -+ obtain the ticket granting ticket by the user. -+ pam_sss_gss.so allows to enforce presence of -+ authentication indicators in the service tickets before a particular -+ PAM service can be accessed. -+ -+ -+ If is set in the [pam] or -+ domain section of sssd.conf, then SSSD will perform a check of the -+ presence of any configured indicators in the service ticket. -+ - - - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 8b330de..3a9955b 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1770,6 +1770,70 @@ pam_gssapi_services = sudo, sudo-i - - - -+ -+ pam_gssapi_indicators_map -+ -+ -+ Comma separated list of authentication indicators required -+ to be present in a Kerberos ticket to access a PAM service -+ that is allowed to try GSSAPI authentication using -+ pam_sss_gss.so module. -+ -+ -+ Each element of the list can be either an authentication indicator -+ name or a pair service:indicator. Indicators not -+ prefixed with the PAM service name will be required to access any -+ PAM service configured to be used with -+ . A resulting list of indicators -+ per PAM service is then checked against indicators in the Kerberos -+ ticket during authentication by pam_sss_gss.so. 
Any indicator from the -+ ticket that matches the resulting list of indicators for the PAM service -+ would grant access. If none of the indicators in the list match, access -+ will be denied. If the resulting list of indicators for the PAM service -+ is empty, the check will not prevent the access. -+ -+ -+ To disable GSSAPI authentication indicator check, set this option -+ to - (dash). To disable the check for a specific PAM -+ service, add service:-. -+ -+ -+ Note: This option can also be set per-domain which -+ overwrites the value in [pam] section. It can also -+ be set for trusted domain which overwrites the value -+ in the domain section. -+ -+ -+ Following authentication indicators are supported by IPA Kerberos deployments: -+ -+ -+ pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards. -+ -+ -+ hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel. -+ -+ -+ radius -- pre-authentication with the help of a RADIUS server. -+ -+ -+ otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA. 
-+ -+ -+ -+ -+ Example: to require access to SUDO services only -+ for users which obtained their Kerberos tickets -+ with a X.509 certificate pre-authentication -+ (PKINIT), set -+ -+pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit -+ -+ -+ -+ Default: not set (use of authentication indicators is not required) -+ -+ -+ - - - -diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c -index 3904c09..9b4d6c1 100644 ---- a/src/responder/pam/pamsrv.c -+++ b/src/responder/pam/pamsrv.c -@@ -370,6 +370,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, - goto done; - } - -+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY, -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, "-", &tmpstr); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Failed to determine gssapi services.\n"); -+ goto done; -+ } -+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr, -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP); -+ -+ if (tmpstr != NULL) { -+ ret = split_on_separator(pctx, tmpstr, ',', true, true, -+ &pctx->gssapi_indicators_map, NULL); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "split_on_separator() failed [%d]: [%s].\n", ret, -+ sss_strerror(ret)); -+ goto done; -+ } -+ } -+ - /* The responder is initialized. Now tell it to the monitor. */ - ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM, - SSS_PAM_SBUS_SERVICE_NAME, -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 3553296..383c7be 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -65,6 +65,8 @@ struct pam_ctx { - - /* List of PAM services that are allowed to authenticate with GSSAPI. 
*/ - char **gssapi_services; -+ /* List of authentication indicators associated with a PAM service */ -+ char **gssapi_indicators_map; - bool gssapi_check_upn; - }; - -diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c -index 2d05c78..e4da4c4 100644 ---- a/src/responder/pam/pamsrv_gssapi.c -+++ b/src/responder/pam/pamsrv_gssapi.c -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -83,6 +84,117 @@ static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx, - return pam_ctx->gssapi_check_upn; - } - -+static int pam_gssapi_check_indicators(TALLOC_CTX *mem_ctx, -+ const char *pam_service, -+ char **gssapi_indicators_map, -+ char **indicators) -+{ -+ char *authind = NULL; -+ size_t pam_len = strlen(pam_service); -+ char **map = gssapi_indicators_map; -+ char **result = NULL; -+ int res; -+ -+ authind = talloc_strdup(mem_ctx, ""); -+ if (authind == NULL) { -+ return ENOMEM; -+ } -+ -+ for (int i = 0; map[i]; i++) { -+ if (map[i][0] == '-') { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Indicators aren't used for [%s]\n", -+ pam_service); -+ talloc_free(authind); -+ return EOK; -+ } -+ if (!strchr(map[i], ':')) { -+ authind = talloc_asprintf_append(authind, "%s ", map[i]); -+ if (authind == NULL) { -+ /* Since we allocate on pam_ctx, caller will free it */ -+ return ENOMEM; -+ } -+ continue; -+ } -+ -+ res = strncmp(map[i], pam_service, pam_len); -+ if (res == 0) { -+ if (strlen(map[i]) > pam_len) { -+ if (map[i][pam_len] != ':') { -+ /* different PAM service, skip it */ -+ continue; -+ } -+ -+ if (map[i][pam_len + 1] == '-') { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Indicators aren't used for [%s]\n", -+ pam_service); -+ talloc_free(authind); -+ return EOK; -+ } -+ -+ authind = talloc_asprintf_append(authind, "%s ", -+ map[i] + (pam_len + 1)); -+ if (authind == NULL) { -+ /* Since we allocate on pam_ctx, caller will free it */ -+ return ENOMEM; -+ } -+ } else { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: 
[%s]\n", -+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, map[i]); -+ talloc_free(authind); -+ return EINVAL; -+ } -+ } -+ } -+ -+ res = ENOENT; -+ map = NULL; -+ -+ if (authind[0] == '\0') { -+ /* empty list of per-service indicators -> skip */ -+ goto done; -+ } -+ -+ /* trim a space after the final indicator -+ * to prevent split_on_separator() to fail */ -+ authind[strlen(authind) - 1] = '\0'; -+ -+ res = split_on_separator(mem_ctx, authind, ' ', true, true, -+ &map, NULL); -+ if (res != 0) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Cannot parse list of indicators: [%s]\n", authind); -+ res = EINVAL; -+ goto done; -+ } -+ -+ res = diff_string_lists(mem_ctx, indicators, map, NULL, NULL, &result); -+ if (res != 0) { -+ DEBUG(SSSDBG_FATAL_FAILURE,"Cannot diff lists of indicators\n"); -+ res = EINVAL; -+ goto done; -+ } -+ -+ if (result && result[0] != NULL) { -+ for (int i = 0; result[i]; i++) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "indicator [%s] is allowed for PAM service [%s]\n", -+ result[i], pam_service); -+ } -+ res = EOK; -+ goto done; -+ } -+ -+ res = EPERM; -+ -+done: -+ talloc_free(result); -+ talloc_free(authind); -+ talloc_free(map); -+ return res; -+} -+ - static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx, - struct sss_domain_info *domain, - const char *service) -@@ -385,12 +497,126 @@ static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name) - return exported; - } - -+#define AUTH_INDICATORS_TAG "auth-indicators" -+ -+static char **gssapi_get_indicators(TALLOC_CTX *mem_ctx, gss_name_t gss_name) -+{ -+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET; -+ int is_mechname; -+ OM_uint32 major; -+ OM_uint32 minor; -+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER; -+ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER; -+ char *exported = NULL; -+ char **map = NULL; -+ int res; -+ -+ major = gss_inquire_name(&minor, gss_name, &is_mechname, NULL, &attrs); -+ if (major != GSS_S_COMPLETE) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to inquire name\n"); -+ return NULL; -+ } -+ 
-+ if (attrs == GSS_C_NO_BUFFER_SET) { -+ DEBUG(SSSDBG_TRACE_FUNC, "No krb5 attributes in the ticket\n"); -+ return NULL; -+ } -+ -+ exported = talloc_strdup(mem_ctx, ""); -+ if (exported == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unable to pre-allocate indicators\n"); -+ goto done; -+ } -+ -+ for (int i = 0; i < attrs->count; i++) { -+ int authenticated = 0; -+ int complete = 0; -+ int more = -1; -+ -+ /* skip anything but auth-indicators */ -+ if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value, -+ sizeof(AUTH_INDICATORS_TAG) - 1) != 0) -+ continue; -+ -+ /* retrieve all indicators */ -+ while (more != 0) { -+ value.value = NULL; -+ display_value.value = NULL; -+ -+ major = gss_get_name_attribute(&minor, gss_name, -+ &attrs->elements[i], -+ &authenticated, -+ &complete, &value, -+ &display_value, -+ &more); -+ if (major != GSS_S_COMPLETE) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unable to retrieve an attribute\n"); -+ goto done; -+ } -+ -+ if ((value.value != NULL) && authenticated) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "attribute's [%.*s] value [%.*s] authenticated\n", -+ (int) attrs->elements[i].length, -+ (char*) attrs->elements[i].value, -+ (int) value.length, -+ (char*) value.value); -+ exported = talloc_asprintf_append(exported, "%.*s ", -+ (int) value.length, -+ (char*) value.value); -+ } -+ -+ if (exported == NULL) { -+ /* Since we allocate on mem_ctx, caller will free -+ * the previous version of 'exported' */ -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unable to collect an attribute value\n"); -+ goto done; -+ } -+ (void) gss_release_buffer(&minor, &value); -+ (void) gss_release_buffer(&minor, &display_value); -+ } -+ } -+ -+ if (exported[0] != '\0') { -+ /* trim a space after the final indicator -+ * to prevent split_on_separator() to fail */ -+ exported[strlen(exported) - 1] = '\0'; -+ } else { -+ /* empty list */ -+ goto done; -+ } -+ -+ res = split_on_separator(mem_ctx, exported, ' ', true, true, -+ &map, NULL); -+ if (res != 0) { -+ DEBUG(SSSDBG_FATAL_FAILURE, 
-+ "Cannot parse list of indicators: [%s]\n", exported); -+ goto done; -+ } else { -+ DEBUG(SSSDBG_TRACE_FUNC, "authentication indicators: [%s]\n", -+ exported); -+ } -+ -+done: -+ (void) gss_release_buffer(&minor, &value); -+ (void) gss_release_buffer(&minor, &display_value); -+ (void) gss_release_buffer_set(&minor, &attrs); -+ -+ talloc_free(exported); -+ return map; -+} -+ -+ - struct gssapi_state { - struct cli_ctx *cli_ctx; - struct sss_domain_info *domain; - const char *username; - - char *authenticated_upn; -+ char **auth_indicators; - bool established; - gss_ctx_id_t ctx; - }; -@@ -568,6 +794,8 @@ gssapi_handshake(struct gssapi_state *state, - DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n", - state->authenticated_upn); - -+ state->auth_indicators = gssapi_get_indicators(state, client_name); -+ - state->established = true; - ret = EOK; - -@@ -632,6 +860,7 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) - const char *domain_name; - const char *username; - char *target; -+ char **indicators_map = NULL; - size_t gss_data_len; - uint8_t *gss_data; - errno_t ret; -@@ -699,6 +928,27 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) - goto done; - } - -+ /* Use map for auth-indicators from the domain, if defined and -+ * fallback to the [pam] section otherwise */ -+ indicators_map = domain->gssapi_indicators_map ? -+ domain->gssapi_indicators_map : -+ (pam_ctx->gssapi_indicators_map ? -+ pam_ctx->gssapi_indicators_map : NULL); -+ if (indicators_map != NULL) { -+ ret = pam_gssapi_check_indicators(state, -+ pam_service, -+ indicators_map, -+ state->auth_indicators); -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Check if acquired service ticket has req. indicators: %d\n", -+ ret); -+ if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL)) { -+ /* skip further checks if denied or no memory, -+ * ENOENT means the check is not applicable */ -+ goto done; -+ } -+ } -+ - if (!pam_gssapi_should_check_upn(pam_ctx, domain)) { - /* We are done. 
*/ - goto done; --- -2.21.3 - diff --git a/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch b/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch deleted file mode 100644 index af99e4f..0000000 --- a/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch +++ /dev/null 
@@ -1,121 +0,0 @@
-From b100efbfabd96dcfb2825777b75b9a9dfaacb937 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 29 Jan 2021 12:41:28 +0100
-Subject: [PATCH] sudo: do not search by low usn value to improve performance
-
-This is a follow up on these two commits.
-
-- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
-- 6815844daa7701c76e31addbbdff74656cd30bea
-
-The first one improved the search filter little bit to achieve better
-performance, however it also changed the behavior: we started to search
-for `usn >= 1` in the filter if no usn number was known.
-
-This caused issues on OpenLDAP server which was fixed by the second patch.
-However, the fix was wrong and searching by this meaningfully low number
-can cause performance issues depending on how the filter is optimized and
-evaluated on the server.
-
-Now we omit the usn attribute from the filter if there is no meaningful value.
-
-How to test:
-1. Setup LDAP with no sudo rules defined
-2. Make sure that the LDAP server does not support USN or use the following diff
- to enforce modifyTimestamp (last USN is always available from rootDSE)
-```diff
-
-Reviewed-by: Alexey Tikhonov
----
- src/providers/ldap/sdap.c | 4 ++--
- src/providers/ldap/sdap_sudo_refresh.c | 6 ++++--
- src/providers/ldap/sdap_sudo_shared.c | 21 ++++++---------------
- 3 files changed, 12 insertions(+), 19 deletions(-)
-
-diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
-index 32c0144b9..c853e4dc1 100644
---- a/src/providers/ldap/sdap.c
-+++ b/src/providers/ldap/sdap.c
-@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
- last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
- entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
- if (rootdse) {
-- if (last_usn_name) {
-+ if (false) {
- ret = sysdb_attrs_get_string(rootdse,
- last_usn_name, &last_usn_value);
- if (ret != EOK) {
-@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
- }
- }
-
-- if (!last_usn_name) {
-+ if (true) {
- DEBUG(SSSDBG_FUNC_DATA,
- "No known USN scheme is supported by this server!\n");
- if (!entry_usn_name) {
-diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
-index ddcb23781..83f944ccf 100644
---- a/src/providers/ldap/sdap_sudo_refresh.c
-+++ b/src/providers/ldap/sdap_sudo_refresh.c
-@@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
- state->sysdb = id_ctx->be->domain->sysdb;
-
- /* Download all rules from LDAP that are newer than usn */
-- if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
-- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
-+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
-+ || strcmp(srv_opts->max_sudo_value, "0") == 0) {
-+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and "
-+ "omitting it from the filter.\n");
- usn = "0";
- search_filter = talloc_asprintf(state, "(%s=%s)",
- map[SDAP_AT_SUDO_OC].name,
-diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
-index 4f09957ea..75d1bc3d8 100644
---- a/src/providers/ldap/sdap_sudo_shared.c
-+++ b/src/providers/ldap/sdap_sudo_shared.c
-@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
- static char *
- sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
- unsigned long usn,
-- const char *leftover,
-- bool supports_usn)
-+ const char *leftover)
- {
- const char *str = leftover == NULL ? "" : leftover;
- char *newusn;
-
-- /* This is a fresh start and server uses modifyTimestamp. We need to
-- * provide proper datetime value. */
-- if (!supports_usn && usn == 0) {
-- newusn = talloc_strdup(mem_ctx, "00000101000000Z");
-- if (newusn == NULL) {
-- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
-- return NULL;
-- }
--
-- return newusn;
-+ /* Current largest USN is unknown so we keep "0" to indicate it.
*/
-+ if (usn == 0) {
-+ return talloc_strdup(mem_ctx, "0");
- }
-
-- /* We increment USN number so that we can later use simplify filter
-+ /* We increment USN number so that we can later use simplified filter
- * (just usn >= last+1 instead of usn >= last && usn != last).
- */
- usn++;
-@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
- srv_opts->last_usn = usn_number;
- }
-
-- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
-- srv_opts->supports_usn);
-+ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
- if (newusn == NULL) {
- return;
- }
---
-2.21.3
-
diff --git a/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch b/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch
deleted file mode 100644
index ae6dfb7..0000000
--- a/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From fff02bbf7967d291ccb019fae741e6591ed8fd41 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Fri, 12 Feb 2021 15:30:59 +0100
-Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers
-
----
- src/providers/ldap/sdap.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
-index c853e4dc1..32c0144b9 100644
---- a/src/providers/ldap/sdap.c
-+++ b/src/providers/ldap/sdap.c
-@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
- last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
- entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
- if (rootdse) {
-- if (false) {
-+ if (last_usn_name) {
- ret = sysdb_attrs_get_string(rootdse,
- last_usn_name, &last_usn_value);
- if (ret != EOK) {
-@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
- }
- }
-
-- if (true) {
-+ if (!last_usn_name) {
- DEBUG(SSSDBG_FUNC_DATA,
- "No known USN scheme is supported by this server!\n");
- if (!entry_usn_name) {
---
-2.21.3
-
diff --git a/SOURCES/0047-ssh-restore-default-debug-level.patch b/SOURCES/0047-ssh-restore-default-debug-level.patch
deleted file mode 100644
index 7b29783..0000000
--- a/SOURCES/0047-ssh-restore-default-debug-level.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 3 Feb 2021 18:28:29 +0100
-Subject: [PATCH] ssh: restore default debug level
-
-The recent change of the default debug level for the main SSSD
-components affected the ssh helpers sss_ssh_authorizedkeys and
-sss_ssh_knownhostsproxy as well.
-
-To avoid any confusion about unexpected debug messages this patch
-restores to original value for the two helpers.
-
-Resolves: https://github.com/SSSD/sssd/issues/5488
-
-Reviewed-by: Alexey Tikhonov
----
- src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
- src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
-index 8e80f9663..877c00299 100644
---- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
-+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
-@@ -32,7 +32,7 @@
- int main(int argc, const char **argv)
- {
- TALLOC_CTX *mem_ctx = NULL;
-- int pc_debug = SSSDBG_DEFAULT;
-+ int pc_debug = SSSDBG_FATAL_FAILURE;
- const char *pc_domain = NULL;
- const char *pc_user = NULL;
- struct poptOption long_options[] = {
-diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
-index ad6af81d8..1102fd4ab 100644
---- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
-+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
-@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
- int main(int argc, const char **argv)
- {
- TALLOC_CTX *mem_ctx = NULL;
-- int pc_debug = SSSDBG_DEFAULT;
-+ int pc_debug = SSSDBG_FATAL_FAILURE;
- int pc_port = 22;
- const char *pc_domain = NULL;
- const char *pc_host = NULL;
---
-2.21.3
-
diff --git a/SOURCES/0048-pot-update-pot-files.patch b/SOURCES/0048-pot-update-pot-files.patch
deleted file mode 100644
index 8e1141a..0000000
--- a/SOURCES/0048-pot-update-pot-files.patch
+++ /dev/null
@@ -1,2230 +0,0 @@ -From 6add2ef311815a25598e1ec90d28119636976e21 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Fri, 5 Feb 2021 11:59:35 +0100 -Subject: [PATCH] pot: update pot files - ---- - po/sssd.pot | 860 ++++++++++++++++++++++++++-------------------------- - 1 file changed, 436 insertions(+), 424 deletions(-) - -diff --git a/po/sssd.pot b/po/sssd.pot -index 669c22846..19f6994ff 100644 ---- a/po/sssd.pot -+++ b/po/sssd.pot -@@ -8,7 +8,7 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-10-12 12:21+0200\n" -+"POT-Creation-Date: 2021-02-05 11:58+0100\n" - "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" - "Last-Translator: FULL NAME \n" - "Language-Team: LANGUAGE \n" -@@ -153,7 +153,7 @@ msgid "Entry cache background update timeout length (seconds)" - msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:61 --#: src/config/SSSDConfig/sssdoptions.py:115 -+#: src/config/SSSDConfig/sssdoptions.py:117 - msgid "Negative cache timeout length (seconds)" - msgstr "" - -@@ -329,1653 +329,1665 @@ msgstr "" - msgid "When shall the PAM responder force an initgroups request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:109 -+#: src/config/SSSDConfig/sssdoptions.py:107 -+msgid "List of PAM services that are allowed to authenticate with GSSAPI." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "Whether to match authenticated UPN with target user" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:111 - msgid "Whether to evaluate the time-based attributes in sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:110 -+#: src/config/SSSDConfig/sssdoptions.py:112 - msgid "If true, SSSD will switch back to lower-wins ordering logic" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:111 -+#: src/config/SSSDConfig/sssdoptions.py:113 - msgid "" - "Maximum number of rules that can be refreshed at once. 
If this is exceeded, " - "full refresh is performed." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:118 -+#: src/config/SSSDConfig/sssdoptions.py:120 - msgid "Whether to hash host names and addresses in the known_hosts file" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:119 -+#: src/config/SSSDConfig/sssdoptions.py:121 - msgid "" - "How many seconds to keep a host in the known_hosts file after its host keys " - "were requested" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:121 -+#: src/config/SSSDConfig/sssdoptions.py:123 - msgid "Path to storage of trusted CA certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:122 -+#: src/config/SSSDConfig/sssdoptions.py:124 - msgid "Allow to generate ssh-keys from certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:123 -+#: src/config/SSSDConfig/sssdoptions.py:125 - msgid "" - "Use the following matching rules to filter the certificates for ssh-key " - "generation" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:127 -+#: src/config/SSSDConfig/sssdoptions.py:129 - msgid "List of UIDs or user names allowed to access the PAC responder" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:128 -+#: src/config/SSSDConfig/sssdoptions.py:130 - msgid "How long the PAC data is considered valid" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:131 -+#: src/config/SSSDConfig/sssdoptions.py:133 - msgid "List of user attributes the InfoPipe is allowed to publish" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:134 -+#: src/config/SSSDConfig/sssdoptions.py:136 - msgid "The provider where the secrets will be stored in" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:135 -+#: src/config/SSSDConfig/sssdoptions.py:137 - msgid "The maximum allowed number of nested containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:136 -+#: src/config/SSSDConfig/sssdoptions.py:138 - msgid "The maximum number of secrets that can be stored" - msgstr "" 
- --#: src/config/SSSDConfig/sssdoptions.py:137 -+#: src/config/SSSDConfig/sssdoptions.py:139 - msgid "The maximum number of secrets that can be stored per UID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:138 -+#: src/config/SSSDConfig/sssdoptions.py:140 - msgid "The maximum payload size of a secret in kilobytes" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:140 -+#: src/config/SSSDConfig/sssdoptions.py:142 - msgid "The URL Custodia server is listening on" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:141 -+#: src/config/SSSDConfig/sssdoptions.py:143 - msgid "The method to use when authenticating to a Custodia server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:142 -+#: src/config/SSSDConfig/sssdoptions.py:144 - msgid "" - "The name of the headers that will be added into a HTTP request with the " - "value defined in auth_header_value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:144 -+#: src/config/SSSDConfig/sssdoptions.py:146 - msgid "The value sssd-secrets would use for auth_header_name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:145 -+#: src/config/SSSDConfig/sssdoptions.py:147 - msgid "" - "The list of the headers to forward to the Custodia server together with the " - "request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:146 -+#: src/config/SSSDConfig/sssdoptions.py:148 - msgid "" - "The username to use when authenticating to a Custodia server using basic_auth" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:147 -+#: src/config/SSSDConfig/sssdoptions.py:149 - msgid "" - "The password to use when authenticating to a Custodia server using basic_auth" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:148 -+#: src/config/SSSDConfig/sssdoptions.py:150 - msgid "If true peer's certificate is verified if proxy_url uses https protocol" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:149 -+#: src/config/SSSDConfig/sssdoptions.py:151 - msgid "" - "If false peer's 
certificate may contain different hostname than proxy_url " - "when https protocol is used" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:151 -+#: src/config/SSSDConfig/sssdoptions.py:153 - msgid "Path to directory where certificate authority certificates are stored" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:152 -+#: src/config/SSSDConfig/sssdoptions.py:154 - msgid "Path to file containing server's CA certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:153 -+#: src/config/SSSDConfig/sssdoptions.py:155 - msgid "Path to file containing client's certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:154 -+#: src/config/SSSDConfig/sssdoptions.py:156 - msgid "Path to file containing client's private key" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:157 -+#: src/config/SSSDConfig/sssdoptions.py:159 - msgid "" - "One of the following strings specifying the scope of session recording: none " - "- No users are recorded. some - Users/groups specified by users and groups " - "options are recorded. all - All users are recorded." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:160 -+#: src/config/SSSDConfig/sssdoptions.py:162 - msgid "" - "A comma-separated list of users which should have session recording enabled. " - "Matches user names as returned by NSS. I.e. after the possible space " - "replacement, case changes, etc." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:162 -+#: src/config/SSSDConfig/sssdoptions.py:164 - msgid "" - "A comma-separated list of groups, members of which should have session " - "recording enabled. Matches group names as returned by NSS. I.e. after the " - "possible space replacement, case changes, etc." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:165 -+#: src/config/SSSDConfig/sssdoptions.py:167 - msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:166 -+#: src/config/SSSDConfig/sssdoptions.py:168 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. " - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:170 -+#: src/config/SSSDConfig/sssdoptions.py:172 - msgid "Identity provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:171 -+#: src/config/SSSDConfig/sssdoptions.py:173 - msgid "Authentication provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:172 -+#: src/config/SSSDConfig/sssdoptions.py:174 - msgid "Access control provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:173 -+#: src/config/SSSDConfig/sssdoptions.py:175 - msgid "Password change provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:174 -+#: src/config/SSSDConfig/sssdoptions.py:176 - msgid "SUDO provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:175 -+#: src/config/SSSDConfig/sssdoptions.py:177 - msgid "Autofs provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:176 -+#: src/config/SSSDConfig/sssdoptions.py:178 - msgid "Host identity provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:177 -+#: src/config/SSSDConfig/sssdoptions.py:179 - msgid "SELinux provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:178 -+#: src/config/SSSDConfig/sssdoptions.py:180 - msgid "Session management provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:179 -+#: src/config/SSSDConfig/sssdoptions.py:181 - msgid "Resolver provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:182 -+#: src/config/SSSDConfig/sssdoptions.py:184 - msgid "Whether the domain is usable by the OS or by applications" - msgstr "" - 
--#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:185 - msgid "Enable or disable the domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:184 -+#: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Minimum user ID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:185 -+#: src/config/SSSDConfig/sssdoptions.py:187 - msgid "Maximum user ID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:186 -+#: src/config/SSSDConfig/sssdoptions.py:188 - msgid "Enable enumerating all users/groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:187 -+#: src/config/SSSDConfig/sssdoptions.py:189 - msgid "Cache credentials for offline login" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:188 -+#: src/config/SSSDConfig/sssdoptions.py:190 - msgid "Display users/groups in fully-qualified form" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:189 -+#: src/config/SSSDConfig/sssdoptions.py:191 - msgid "Don't include group members in group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:190 --#: src/config/SSSDConfig/sssdoptions.py:200 --#: src/config/SSSDConfig/sssdoptions.py:201 -+#: src/config/SSSDConfig/sssdoptions.py:192 - #: src/config/SSSDConfig/sssdoptions.py:202 - #: src/config/SSSDConfig/sssdoptions.py:203 - #: src/config/SSSDConfig/sssdoptions.py:204 - #: src/config/SSSDConfig/sssdoptions.py:205 - #: src/config/SSSDConfig/sssdoptions.py:206 -+#: src/config/SSSDConfig/sssdoptions.py:207 -+#: src/config/SSSDConfig/sssdoptions.py:208 - msgid "Entry cache timeout length (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:191 -+#: src/config/SSSDConfig/sssdoptions.py:193 - msgid "" - "Restrict or prefer a specific address family when performing DNS lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:192 -+#: src/config/SSSDConfig/sssdoptions.py:194 - msgid "How long to keep cached entries after last successful login (days)" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:195 - msgid "" - "How long should SSSD talk to single DNS server before trying next server " - "(miliseconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:197 - msgid "How long should keep trying to resolve single DNS query (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:198 - msgid "How long to wait for replies from DNS when resolving servers (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:199 - msgid "The domain part of service discovery DNS query" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:200 - msgid "Override GID value from the identity provider with this value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:199 -+#: src/config/SSSDConfig/sssdoptions.py:201 - msgid "Treat usernames as case sensitive" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:207 -+#: src/config/SSSDConfig/sssdoptions.py:209 - msgid "How often should expired entries be refreshed in background" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:208 -+#: src/config/SSSDConfig/sssdoptions.py:210 - msgid "Whether to automatically update the client's DNS entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:209 --#: src/config/SSSDConfig/sssdoptions.py:239 -+#: src/config/SSSDConfig/sssdoptions.py:211 -+#: src/config/SSSDConfig/sssdoptions.py:241 - msgid "The TTL to apply to the client's DNS entry after updating it" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:210 --#: src/config/SSSDConfig/sssdoptions.py:240 -+#: src/config/SSSDConfig/sssdoptions.py:212 -+#: src/config/SSSDConfig/sssdoptions.py:242 - msgid "The interface whose IP should be used for dynamic DNS updates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:211 
-+#: src/config/SSSDConfig/sssdoptions.py:213 - msgid "How often to periodically update the client's DNS entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:212 -+#: src/config/SSSDConfig/sssdoptions.py:214 - msgid "Whether the provider should explicitly update the PTR record as well" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:213 -+#: src/config/SSSDConfig/sssdoptions.py:215 - msgid "Whether the nsupdate utility should default to using TCP" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:214 -+#: src/config/SSSDConfig/sssdoptions.py:216 - msgid "What kind of authentication should be used to perform the DNS update" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:215 -+#: src/config/SSSDConfig/sssdoptions.py:217 - msgid "Override the DNS server used to perform the DNS update" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:216 -+#: src/config/SSSDConfig/sssdoptions.py:218 - msgid "Control enumeration of trusted domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:217 -+#: src/config/SSSDConfig/sssdoptions.py:219 - msgid "How often should subdomains list be refreshed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:218 -+#: src/config/SSSDConfig/sssdoptions.py:220 - msgid "List of options that should be inherited into a subdomain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:219 -+#: src/config/SSSDConfig/sssdoptions.py:221 - msgid "Default subdomain homedir value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:220 -+#: src/config/SSSDConfig/sssdoptions.py:222 - msgid "How long can cached credentials be used for cached authentication" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:221 -+#: src/config/SSSDConfig/sssdoptions.py:223 - msgid "Whether to automatically create private groups for users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:222 -+#: src/config/SSSDConfig/sssdoptions.py:224 - msgid "Display a warning N days before the password expires." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:223 -+#: src/config/SSSDConfig/sssdoptions.py:225 - msgid "" - "Various tags stored by the realmd configuration service for this domain." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:224 -+#: src/config/SSSDConfig/sssdoptions.py:226 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:226 -+#: src/config/SSSDConfig/sssdoptions.py:228 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:228 -+#: src/config/SSSDConfig/sssdoptions.py:230 - msgid "" - "If 2-Factor-Authentication (2FA) is used and credentials should be saved " - "this value determines the minimal length the first authentication factor " - "(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:234 -+#: src/config/SSSDConfig/sssdoptions.py:236 - msgid "IPA domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:235 -+#: src/config/SSSDConfig/sssdoptions.py:237 - msgid "IPA server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:236 -+#: src/config/SSSDConfig/sssdoptions.py:238 - msgid "Address of backup IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:237 -+#: src/config/SSSDConfig/sssdoptions.py:239 - msgid "IPA client hostname" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:238 -+#: src/config/SSSDConfig/sssdoptions.py:240 - msgid "Whether to automatically update the client's DNS entry in FreeIPA" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:241 -+#: src/config/SSSDConfig/sssdoptions.py:243 - msgid "Search base for HBAC related objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:244 - msgid "" - 
"The amount of time between lookups of the HBAC rules against the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:243 -+#: src/config/SSSDConfig/sssdoptions.py:245 - msgid "" - "The amount of time in seconds between lookups of the SELinux maps against " - "the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:245 -+#: src/config/SSSDConfig/sssdoptions.py:247 - msgid "If set to false, host argument given by PAM will be ignored" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:246 -+#: src/config/SSSDConfig/sssdoptions.py:248 - msgid "The automounter location this IPA client is using" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:247 -+#: src/config/SSSDConfig/sssdoptions.py:249 - msgid "Search base for object containing info about IPA domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:248 -+#: src/config/SSSDConfig/sssdoptions.py:250 - msgid "Search base for objects containing info about ID ranges" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:249 --#: src/config/SSSDConfig/sssdoptions.py:303 -+#: src/config/SSSDConfig/sssdoptions.py:251 -+#: src/config/SSSDConfig/sssdoptions.py:305 - msgid "Enable DNS sites - location based service discovery" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:250 -+#: src/config/SSSDConfig/sssdoptions.py:252 - msgid "Search base for view containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:251 -+#: src/config/SSSDConfig/sssdoptions.py:253 - msgid "Objectclass for view containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:252 -+#: src/config/SSSDConfig/sssdoptions.py:254 - msgid "Attribute with the name of the view" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:253 -+#: src/config/SSSDConfig/sssdoptions.py:255 - msgid "Objectclass for override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:254 -+#: src/config/SSSDConfig/sssdoptions.py:256 - msgid "Attribute with the reference to the original 
object" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:255 -+#: src/config/SSSDConfig/sssdoptions.py:257 - msgid "Objectclass for user override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:256 -+#: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Objectclass for group override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:259 - msgid "Search base for Desktop Profile related objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:258 -+#: src/config/SSSDConfig/sssdoptions.py:260 - msgid "" - "The amount of time in seconds between lookups of the Desktop Profile rules " - "against the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:260 -+#: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" - "The amount of time in minutes between lookups of Desktop Profiles rules " - "against the IPA server when the last request did not find any rule" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:263 -+#: src/config/SSSDConfig/sssdoptions.py:265 - msgid "The LDAP attribute that contains FQDN of the host." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:264 --#: src/config/SSSDConfig/sssdoptions.py:287 -+#: src/config/SSSDConfig/sssdoptions.py:266 -+#: src/config/SSSDConfig/sssdoptions.py:289 - msgid "The object class of a host entry in LDAP." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:265 -+#: src/config/SSSDConfig/sssdoptions.py:267 - msgid "Use the given string as search base for host objects." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:266 -+#: src/config/SSSDConfig/sssdoptions.py:268 - msgid "The LDAP attribute that contains the host's SSH public keys." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:267 -+#: src/config/SSSDConfig/sssdoptions.py:269 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:268 -+#: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The LDAP attribute that contains the names of the netgroup's members." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:269 -+#: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:271 -+#: src/config/SSSDConfig/sssdoptions.py:273 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:273 -+#: src/config/SSSDConfig/sssdoptions.py:275 - msgid "The LDAP attribute that lists netgroup's memberships." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:274 -+#: src/config/SSSDConfig/sssdoptions.py:276 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:276 -+#: src/config/SSSDConfig/sssdoptions.py:278 - msgid "The LDAP attribute that corresponds to the netgroup name." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:277 -+#: src/config/SSSDConfig/sssdoptions.py:279 - msgid "The object class of a netgroup entry in LDAP." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:278 -+#: src/config/SSSDConfig/sssdoptions.py:280 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:279 -+#: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:281 -+#: src/config/SSSDConfig/sssdoptions.py:283 - msgid "The LDAP attribute that contains host category such as 'all'." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:282 -+#: src/config/SSSDConfig/sssdoptions.py:284 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:284 -+#: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:286 -+#: src/config/SSSDConfig/sssdoptions.py:288 - msgid "The LDAP attribute that contains the name of SELinux usermap." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:288 -+#: src/config/SSSDConfig/sssdoptions.py:290 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:290 -+#: src/config/SSSDConfig/sssdoptions.py:292 - msgid "The LDAP attribute that contains SELinux user string itself." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:291 -+#: src/config/SSSDConfig/sssdoptions.py:293 - msgid "The LDAP attribute that contains user category such as 'all'." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:292 -+#: src/config/SSSDConfig/sssdoptions.py:294 - msgid "The LDAP attribute that contains unique ID of the user map." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:293 -+#: src/config/SSSDConfig/sssdoptions.py:295 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:295 -+#: src/config/SSSDConfig/sssdoptions.py:297 - msgid "Use the given string as search base for trusted domains." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:298 -+#: src/config/SSSDConfig/sssdoptions.py:300 - msgid "Active Directory domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:299 -+#: src/config/SSSDConfig/sssdoptions.py:301 - msgid "Enabled Active Directory domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:300 -+#: src/config/SSSDConfig/sssdoptions.py:302 - msgid "Active Directory server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:301 -+#: src/config/SSSDConfig/sssdoptions.py:303 - msgid "Active Directory backup server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:302 -+#: src/config/SSSDConfig/sssdoptions.py:304 - msgid "Active Directory client hostname" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:304 --#: src/config/SSSDConfig/sssdoptions.py:497 -+#: src/config/SSSDConfig/sssdoptions.py:306 -+#: src/config/SSSDConfig/sssdoptions.py:500 - msgid "LDAP filter to determine access privileges" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:305 -+#: src/config/SSSDConfig/sssdoptions.py:307 - msgid "Whether to use the Global Catalog for lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:306 -+#: src/config/SSSDConfig/sssdoptions.py:308 - msgid "Operation mode for GPO-based access control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:307 -+#: src/config/SSSDConfig/sssdoptions.py:309 - msgid "" - "The amount of time between lookups of the GPO policy files against the AD " - "server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:308 -+#: src/config/SSSDConfig/sssdoptions.py:310 - msgid "" - "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " - "settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:310 -+#: src/config/SSSDConfig/sssdoptions.py:312 - msgid "" - "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " - "policy settings" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:312 -+#: src/config/SSSDConfig/sssdoptions.py:314 - msgid "" - "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:313 -+#: src/config/SSSDConfig/sssdoptions.py:315 - msgid "" - "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:314 -+#: src/config/SSSDConfig/sssdoptions.py:316 - msgid "" - "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:315 -+#: src/config/SSSDConfig/sssdoptions.py:317 - msgid "PAM service names for which GPO-based access is always granted" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:316 -+#: src/config/SSSDConfig/sssdoptions.py:318 - msgid "PAM service names for which GPO-based access is always denied" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:317 -+#: src/config/SSSDConfig/sssdoptions.py:319 - msgid "" - "Default logon right (or permit/deny) to use for unmapped PAM service names" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:318 -+#: src/config/SSSDConfig/sssdoptions.py:320 - msgid "a particular site to be used by the client" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:319 -+#: src/config/SSSDConfig/sssdoptions.py:321 - msgid "" - "Maximum age in days before the machine account password should be renewed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:321 -+#: src/config/SSSDConfig/sssdoptions.py:323 - msgid "Option for tuning the machine account renewal task" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:322 -+#: src/config/SSSDConfig/sssdoptions.py:324 - msgid "Whether to update the machine account password in the Samba database" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:324 -+#: src/config/SSSDConfig/sssdoptions.py:326 - msgid "Use LDAPS port for LDAP and Global Catalog 
requests" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:325 -+#: src/config/SSSDConfig/sssdoptions.py:327 - msgid "Do not filter domain local groups from other domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:328 --#: src/config/SSSDConfig/sssdoptions.py:329 -+#: src/config/SSSDConfig/sssdoptions.py:330 -+#: src/config/SSSDConfig/sssdoptions.py:331 - msgid "Kerberos server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:330 -+#: src/config/SSSDConfig/sssdoptions.py:332 - msgid "Kerberos backup server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:331 -+#: src/config/SSSDConfig/sssdoptions.py:333 - msgid "Kerberos realm" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:332 -+#: src/config/SSSDConfig/sssdoptions.py:334 - msgid "Authentication timeout" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:333 -+#: src/config/SSSDConfig/sssdoptions.py:335 - msgid "Whether to create kdcinfo files" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:334 -+#: src/config/SSSDConfig/sssdoptions.py:336 - msgid "Where to drop krb5 config snippets" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:337 -+#: src/config/SSSDConfig/sssdoptions.py:339 - msgid "Directory to store credential caches" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:338 -+#: src/config/SSSDConfig/sssdoptions.py:340 - msgid "Location of the user's credential cache" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:339 -+#: src/config/SSSDConfig/sssdoptions.py:341 - msgid "Location of the keytab to validate credentials" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:340 -+#: src/config/SSSDConfig/sssdoptions.py:342 - msgid "Enable credential validation" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:341 -+#: src/config/SSSDConfig/sssdoptions.py:343 - msgid "Store password if offline for later online authentication" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:342 -+#: 
src/config/SSSDConfig/sssdoptions.py:344 - msgid "Renewable lifetime of the TGT" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:343 -+#: src/config/SSSDConfig/sssdoptions.py:345 - msgid "Lifetime of the TGT" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:344 -+#: src/config/SSSDConfig/sssdoptions.py:346 - msgid "Time between two checks for renewal" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:345 -+#: src/config/SSSDConfig/sssdoptions.py:347 - msgid "Enables FAST" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:346 -+#: src/config/SSSDConfig/sssdoptions.py:348 - msgid "Selects the principal to use for FAST" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:347 -+#: src/config/SSSDConfig/sssdoptions.py:349 - msgid "Enables principal canonicalization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:348 -+#: src/config/SSSDConfig/sssdoptions.py:350 - msgid "Enables enterprise principals" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:349 --msgid "A mapping from user names to Kerberos principal names" -+#: src/config/SSSDConfig/sssdoptions.py:351 -+msgid "Enables using of subdomains realms for authentication" - msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:352 --#: src/config/SSSDConfig/sssdoptions.py:353 --msgid "Server where the change password service is running if not on the KDC" -+msgid "A mapping from user names to Kerberos principal names" - msgstr "" - -+#: src/config/SSSDConfig/sssdoptions.py:355 - #: src/config/SSSDConfig/sssdoptions.py:356 -+msgid "Server where the change password service is running if not on the KDC" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:359 - msgid "ldap_uri, The URI of the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:357 -+#: src/config/SSSDConfig/sssdoptions.py:360 - msgid "ldap_backup_uri, The URI of the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:358 -+#: src/config/SSSDConfig/sssdoptions.py:361 - 
msgid "The default base DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:359 -+#: src/config/SSSDConfig/sssdoptions.py:362 - msgid "The Schema Type in use on the LDAP server, rfc2307" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:360 -+#: src/config/SSSDConfig/sssdoptions.py:363 - msgid "Mode used to change user password" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:361 -+#: src/config/SSSDConfig/sssdoptions.py:364 - msgid "The default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:362 -+#: src/config/SSSDConfig/sssdoptions.py:365 - msgid "The type of the authentication token of the default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:363 -+#: src/config/SSSDConfig/sssdoptions.py:366 - msgid "The authentication token of the default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:364 -+#: src/config/SSSDConfig/sssdoptions.py:367 - msgid "Length of time to attempt connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:365 -+#: src/config/SSSDConfig/sssdoptions.py:368 - msgid "Length of time to attempt synchronous LDAP operations" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:366 -+#: src/config/SSSDConfig/sssdoptions.py:369 - msgid "Length of time between attempts to reconnect while offline" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:367 -+#: src/config/SSSDConfig/sssdoptions.py:370 - msgid "Use only the upper case for realm names" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:368 -+#: src/config/SSSDConfig/sssdoptions.py:371 - msgid "File that contains CA certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:369 -+#: src/config/SSSDConfig/sssdoptions.py:372 - msgid "Path to CA certificate directory" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:370 -+#: src/config/SSSDConfig/sssdoptions.py:373 - msgid "File that contains the client certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:371 -+#: 
src/config/SSSDConfig/sssdoptions.py:374 - msgid "File that contains the client key" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:372 -+#: src/config/SSSDConfig/sssdoptions.py:375 - msgid "List of possible ciphers suites" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:373 -+#: src/config/SSSDConfig/sssdoptions.py:376 - msgid "Require TLS certificate verification" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:374 -+#: src/config/SSSDConfig/sssdoptions.py:377 - msgid "Specify the sasl mechanism to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:375 -+#: src/config/SSSDConfig/sssdoptions.py:378 - msgid "Specify the sasl authorization id to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:376 -+#: src/config/SSSDConfig/sssdoptions.py:379 - msgid "Specify the sasl authorization realm to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:377 -+#: src/config/SSSDConfig/sssdoptions.py:380 - msgid "Specify the minimal SSF for LDAP sasl authorization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:378 -+#: src/config/SSSDConfig/sssdoptions.py:381 - msgid "Specify the maximal SSF for LDAP sasl authorization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:379 -+#: src/config/SSSDConfig/sssdoptions.py:382 - msgid "Kerberos service keytab" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:380 -+#: src/config/SSSDConfig/sssdoptions.py:383 - msgid "Use Kerberos auth for LDAP connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:381 -+#: src/config/SSSDConfig/sssdoptions.py:384 - msgid "Follow LDAP referrals" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:382 -+#: src/config/SSSDConfig/sssdoptions.py:385 - msgid "Lifetime of TGT for LDAP connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:383 -+#: src/config/SSSDConfig/sssdoptions.py:386 - msgid "How to dereference aliases" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:384 -+#: 
src/config/SSSDConfig/sssdoptions.py:387 - msgid "Service name for DNS service lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:385 -+#: src/config/SSSDConfig/sssdoptions.py:388 - msgid "The number of records to retrieve in a single LDAP query" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:386 -+#: src/config/SSSDConfig/sssdoptions.py:389 - msgid "The number of members that must be missing to trigger a full deref" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:387 -+#: src/config/SSSDConfig/sssdoptions.py:390 - msgid "" - "Whether the LDAP library should perform a reverse lookup to canonicalize the " - "host name during a SASL bind" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:389 -+#: src/config/SSSDConfig/sssdoptions.py:392 - msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:392 -+#: src/config/SSSDConfig/sssdoptions.py:395 - msgid "entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:393 -+#: src/config/SSSDConfig/sssdoptions.py:396 - msgid "lastUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:395 -+#: src/config/SSSDConfig/sssdoptions.py:398 - msgid "How long to retain a connection to the LDAP server before disconnecting" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:398 -+#: src/config/SSSDConfig/sssdoptions.py:401 - msgid "Disable the LDAP paging control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:399 -+#: src/config/SSSDConfig/sssdoptions.py:402 - msgid "Disable Active Directory range retrieval" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:402 -+#: src/config/SSSDConfig/sssdoptions.py:405 - msgid "Length of time to wait for a search request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:403 -+#: src/config/SSSDConfig/sssdoptions.py:406 - msgid "Length of time to wait for a enumeration request" - msgstr "" 
- --#: src/config/SSSDConfig/sssdoptions.py:404 -+#: src/config/SSSDConfig/sssdoptions.py:407 - msgid "Length of time between enumeration updates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:405 -+#: src/config/SSSDConfig/sssdoptions.py:408 - msgid "Length of time between cache cleanups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:406 -+#: src/config/SSSDConfig/sssdoptions.py:409 - msgid "Require TLS for ID lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:407 -+#: src/config/SSSDConfig/sssdoptions.py:410 - msgid "Use ID-mapping of objectSID instead of pre-set IDs" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:408 -+#: src/config/SSSDConfig/sssdoptions.py:411 - msgid "Base DN for user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:409 -+#: src/config/SSSDConfig/sssdoptions.py:412 - msgid "Scope of user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:410 -+#: src/config/SSSDConfig/sssdoptions.py:413 - msgid "Filter for user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:414 - msgid "Objectclass for users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:412 -+#: src/config/SSSDConfig/sssdoptions.py:415 - msgid "Username attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:413 -+#: src/config/SSSDConfig/sssdoptions.py:416 - msgid "UID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:414 -+#: src/config/SSSDConfig/sssdoptions.py:417 - msgid "Primary GID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:415 -+#: src/config/SSSDConfig/sssdoptions.py:418 - msgid "GECOS attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:416 -+#: src/config/SSSDConfig/sssdoptions.py:419 - msgid "Home directory attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:417 -+#: src/config/SSSDConfig/sssdoptions.py:420 - msgid "Shell attribute" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:418 -+#: src/config/SSSDConfig/sssdoptions.py:421 - msgid "UUID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:419 --#: src/config/SSSDConfig/sssdoptions.py:457 -+#: src/config/SSSDConfig/sssdoptions.py:422 -+#: src/config/SSSDConfig/sssdoptions.py:460 - msgid "objectSID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:420 -+#: src/config/SSSDConfig/sssdoptions.py:423 - msgid "Active Directory primary group attribute for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:421 -+#: src/config/SSSDConfig/sssdoptions.py:424 - msgid "User principal attribute (for Kerberos)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:422 -+#: src/config/SSSDConfig/sssdoptions.py:425 - msgid "Full Name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:423 -+#: src/config/SSSDConfig/sssdoptions.py:426 - msgid "memberOf attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:424 -+#: src/config/SSSDConfig/sssdoptions.py:427 - msgid "Modification time attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:425 -+#: src/config/SSSDConfig/sssdoptions.py:428 - msgid "shadowLastChange attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:426 -+#: src/config/SSSDConfig/sssdoptions.py:429 - msgid "shadowMin attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:427 -+#: src/config/SSSDConfig/sssdoptions.py:430 - msgid "shadowMax attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:428 -+#: src/config/SSSDConfig/sssdoptions.py:431 - msgid "shadowWarning attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:429 -+#: src/config/SSSDConfig/sssdoptions.py:432 - msgid "shadowInactive attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:430 -+#: src/config/SSSDConfig/sssdoptions.py:433 - msgid "shadowExpire attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:431 -+#: 
src/config/SSSDConfig/sssdoptions.py:434 - msgid "shadowFlag attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:432 -+#: src/config/SSSDConfig/sssdoptions.py:435 - msgid "Attribute listing authorized PAM services" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:433 -+#: src/config/SSSDConfig/sssdoptions.py:436 - msgid "Attribute listing authorized server hosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:434 -+#: src/config/SSSDConfig/sssdoptions.py:437 - msgid "Attribute listing authorized server rhosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:435 -+#: src/config/SSSDConfig/sssdoptions.py:438 - msgid "krbLastPwdChange attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:436 -+#: src/config/SSSDConfig/sssdoptions.py:439 - msgid "krbPasswordExpiration attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:437 -+#: src/config/SSSDConfig/sssdoptions.py:440 - msgid "Attribute indicating that server side password policies are active" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:438 -+#: src/config/SSSDConfig/sssdoptions.py:441 - msgid "accountExpires attribute of AD" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:439 -+#: src/config/SSSDConfig/sssdoptions.py:442 - msgid "userAccountControl attribute of AD" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:440 -+#: src/config/SSSDConfig/sssdoptions.py:443 - msgid "nsAccountLock attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:441 -+#: src/config/SSSDConfig/sssdoptions.py:444 - msgid "loginDisabled attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:442 -+#: src/config/SSSDConfig/sssdoptions.py:445 - msgid "loginExpirationTime attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:443 -+#: src/config/SSSDConfig/sssdoptions.py:446 - msgid "loginAllowedTimeMap attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:444 -+#: 
src/config/SSSDConfig/sssdoptions.py:447 - msgid "SSH public key attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:445 -+#: src/config/SSSDConfig/sssdoptions.py:448 - msgid "attribute listing allowed authentication types for a user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:446 -+#: src/config/SSSDConfig/sssdoptions.py:449 - msgid "attribute containing the X509 certificate of the user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:447 -+#: src/config/SSSDConfig/sssdoptions.py:450 - msgid "attribute containing the email address of the user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:448 -+#: src/config/SSSDConfig/sssdoptions.py:451 - msgid "A list of extra attributes to download along with the user entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:450 -+#: src/config/SSSDConfig/sssdoptions.py:453 - msgid "Base DN for group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:451 -+#: src/config/SSSDConfig/sssdoptions.py:454 - msgid "Objectclass for groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:452 -+#: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Group name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:453 -+#: src/config/SSSDConfig/sssdoptions.py:456 - msgid "Group password" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:454 -+#: src/config/SSSDConfig/sssdoptions.py:457 - msgid "GID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:455 -+#: src/config/SSSDConfig/sssdoptions.py:458 - msgid "Group member attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:456 -+#: src/config/SSSDConfig/sssdoptions.py:459 - msgid "Group UUID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:458 -+#: src/config/SSSDConfig/sssdoptions.py:461 - msgid "Modification time attribute for groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:459 -+#: src/config/SSSDConfig/sssdoptions.py:462 - msgid "Type of the 
group and other flags" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:460 -+#: src/config/SSSDConfig/sssdoptions.py:463 - msgid "The LDAP group external member attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:461 -+#: src/config/SSSDConfig/sssdoptions.py:464 - msgid "Maximum nesting level SSSD will follow" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:462 -+#: src/config/SSSDConfig/sssdoptions.py:465 - msgid "Filter for group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:463 -+#: src/config/SSSDConfig/sssdoptions.py:466 - msgid "Scope of group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:465 -+#: src/config/SSSDConfig/sssdoptions.py:468 - msgid "Base DN for netgroup lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:466 -+#: src/config/SSSDConfig/sssdoptions.py:469 - msgid "Objectclass for netgroups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:467 -+#: src/config/SSSDConfig/sssdoptions.py:470 - msgid "Netgroup name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:468 -+#: src/config/SSSDConfig/sssdoptions.py:471 - msgid "Netgroups members attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:469 -+#: src/config/SSSDConfig/sssdoptions.py:472 - msgid "Netgroup triple attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:470 -+#: src/config/SSSDConfig/sssdoptions.py:473 - msgid "Modification time attribute for netgroups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:472 -+#: src/config/SSSDConfig/sssdoptions.py:475 - msgid "Base DN for service lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:473 -+#: src/config/SSSDConfig/sssdoptions.py:476 - msgid "Objectclass for services" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:474 -+#: src/config/SSSDConfig/sssdoptions.py:477 - msgid "Service name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:475 -+#: 
src/config/SSSDConfig/sssdoptions.py:478 - msgid "Service port attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:476 -+#: src/config/SSSDConfig/sssdoptions.py:479 - msgid "Service protocol attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:478 -+#: src/config/SSSDConfig/sssdoptions.py:481 - msgid "Lower bound for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:479 -+#: src/config/SSSDConfig/sssdoptions.py:482 - msgid "Upper bound for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:480 -+#: src/config/SSSDConfig/sssdoptions.py:483 - msgid "Number of IDs for each slice when ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:481 -+#: src/config/SSSDConfig/sssdoptions.py:484 - msgid "Use autorid-compatible algorithm for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:482 -+#: src/config/SSSDConfig/sssdoptions.py:485 - msgid "Name of the default domain for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:483 -+#: src/config/SSSDConfig/sssdoptions.py:486 - msgid "SID of the default domain for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:484 -+#: src/config/SSSDConfig/sssdoptions.py:487 - msgid "Number of secondary slices" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:486 -+#: src/config/SSSDConfig/sssdoptions.py:489 - msgid "Whether to use Token-Groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:487 -+#: src/config/SSSDConfig/sssdoptions.py:490 - msgid "Set lower boundary for allowed IDs from the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:488 -+#: src/config/SSSDConfig/sssdoptions.py:491 - msgid "Set upper boundary for allowed IDs from the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:489 -+#: src/config/SSSDConfig/sssdoptions.py:492 - msgid "DN for ppolicy queries" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:490 -+#: 
src/config/SSSDConfig/sssdoptions.py:493 - msgid "How many maximum entries to fetch during a wildcard request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:491 -+#: src/config/SSSDConfig/sssdoptions.py:494 - msgid "Set libldap debug level" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:494 -+#: src/config/SSSDConfig/sssdoptions.py:497 - msgid "Policy to evaluate the password expiration" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:498 -+#: src/config/SSSDConfig/sssdoptions.py:501 - msgid "Which attributes shall be used to evaluate if an account is expired" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:499 -+#: src/config/SSSDConfig/sssdoptions.py:502 - msgid "Which rules should be used to evaluate access control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:502 -+#: src/config/SSSDConfig/sssdoptions.py:505 - msgid "URI of an LDAP server where password changes are allowed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:503 -+#: src/config/SSSDConfig/sssdoptions.py:506 - msgid "URI of a backup LDAP server where password changes are allowed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:504 -+#: src/config/SSSDConfig/sssdoptions.py:507 - msgid "DNS service name for LDAP password change server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:505 -+#: src/config/SSSDConfig/sssdoptions.py:508 - msgid "" - "Whether to update the ldap_user_shadow_last_change attribute after a " - "password change" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:509 -+#: src/config/SSSDConfig/sssdoptions.py:512 - msgid "Base DN for sudo rules lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:510 -+#: src/config/SSSDConfig/sssdoptions.py:513 - msgid "Automatic full refresh period" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:511 -+#: src/config/SSSDConfig/sssdoptions.py:514 - msgid "Automatic smart refresh period" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:512 -+#: 
src/config/SSSDConfig/sssdoptions.py:515 - msgid "Whether to filter rules by hostname, IP addresses and network" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:513 -+#: src/config/SSSDConfig/sssdoptions.py:516 - msgid "" - "Hostnames and/or fully qualified domain names of this machine to filter sudo " - "rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:514 -+#: src/config/SSSDConfig/sssdoptions.py:517 - msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:515 -+#: src/config/SSSDConfig/sssdoptions.py:518 - msgid "Whether to include rules that contains netgroup in host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:516 -+#: src/config/SSSDConfig/sssdoptions.py:519 - msgid "" - "Whether to include rules that contains regular expression in host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:517 -+#: src/config/SSSDConfig/sssdoptions.py:520 - msgid "Object class for sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:518 -+#: src/config/SSSDConfig/sssdoptions.py:521 - msgid "Name of attribute that is used as object class for sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:519 -+#: src/config/SSSDConfig/sssdoptions.py:522 - msgid "Sudo rule name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:520 -+#: src/config/SSSDConfig/sssdoptions.py:523 - msgid "Sudo rule command attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:521 -+#: src/config/SSSDConfig/sssdoptions.py:524 - msgid "Sudo rule host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:522 -+#: src/config/SSSDConfig/sssdoptions.py:525 - msgid "Sudo rule user attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:523 -+#: src/config/SSSDConfig/sssdoptions.py:526 - msgid "Sudo rule option attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:524 -+#: 
src/config/SSSDConfig/sssdoptions.py:527 - msgid "Sudo rule runas attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:525 -+#: src/config/SSSDConfig/sssdoptions.py:528 - msgid "Sudo rule runasuser attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:526 -+#: src/config/SSSDConfig/sssdoptions.py:529 - msgid "Sudo rule runasgroup attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:527 -+#: src/config/SSSDConfig/sssdoptions.py:530 - msgid "Sudo rule notbefore attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:528 -+#: src/config/SSSDConfig/sssdoptions.py:531 - msgid "Sudo rule notafter attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:529 -+#: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Sudo rule order attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:532 -+#: src/config/SSSDConfig/sssdoptions.py:535 - msgid "Object class for automounter maps" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:533 -+#: src/config/SSSDConfig/sssdoptions.py:536 - msgid "Automounter map name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:534 -+#: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Object class for automounter map entries" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:535 -+#: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Automounter map entry key attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:536 -+#: src/config/SSSDConfig/sssdoptions.py:539 - msgid "Automounter map entry value attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:537 -+#: src/config/SSSDConfig/sssdoptions.py:540 - msgid "Base DN for automounter map lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:538 -+#: src/config/SSSDConfig/sssdoptions.py:541 - msgid "The name of the automount master map in LDAP." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:541 -+#: src/config/SSSDConfig/sssdoptions.py:544 - msgid "Base DN for IP hosts lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:542 -+#: src/config/SSSDConfig/sssdoptions.py:545 - msgid "Object class for IP hosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:543 -+#: src/config/SSSDConfig/sssdoptions.py:546 - msgid "IP host name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:544 -+#: src/config/SSSDConfig/sssdoptions.py:547 - msgid "IP host number (address) attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:545 -+#: src/config/SSSDConfig/sssdoptions.py:548 - msgid "IP host entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:546 -+#: src/config/SSSDConfig/sssdoptions.py:549 - msgid "Base DN for IP networks lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:547 -+#: src/config/SSSDConfig/sssdoptions.py:550 - msgid "Object class for IP networks" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:548 -+#: src/config/SSSDConfig/sssdoptions.py:551 - msgid "IP network name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:549 -+#: src/config/SSSDConfig/sssdoptions.py:552 - msgid "IP network number (address) attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:550 -+#: src/config/SSSDConfig/sssdoptions.py:553 - msgid "IP network entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:553 -+#: src/config/SSSDConfig/sssdoptions.py:556 - msgid "Comma separated list of allowed users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:554 -+#: src/config/SSSDConfig/sssdoptions.py:557 - msgid "Comma separated list of prohibited users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:555 -+#: src/config/SSSDConfig/sssdoptions.py:558 - msgid "" - "Comma separated list of groups that are allowed to log in. 
This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:557 -+#: src/config/SSSDConfig/sssdoptions.py:560 - msgid "" - "Comma separated list of groups that are explicitly denied access. This " - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:561 -+#: src/config/SSSDConfig/sssdoptions.py:564 - msgid "Base for home directories" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:562 -+#: src/config/SSSDConfig/sssdoptions.py:565 - msgid "Indicate if a home directory should be created for new users." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:563 -+#: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Indicate if a home directory should be removed for deleted users." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:564 -+#: src/config/SSSDConfig/sssdoptions.py:567 - msgid "Specify the default permissions on a newly created home directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:565 -+#: src/config/SSSDConfig/sssdoptions.py:568 - msgid "The skeleton directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:566 -+#: src/config/SSSDConfig/sssdoptions.py:569 - msgid "The mail spool directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:567 -+#: src/config/SSSDConfig/sssdoptions.py:570 - msgid "The command that is run after a user is removed." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:570 -+#: src/config/SSSDConfig/sssdoptions.py:573 - msgid "The number of preforked proxy children." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:573 -+#: src/config/SSSDConfig/sssdoptions.py:576 - msgid "The name of the NSS library to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:574 -+#: src/config/SSSDConfig/sssdoptions.py:577 - msgid "The name of the NSS library to use for hosts and networks lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:575 -+#: src/config/SSSDConfig/sssdoptions.py:578 - msgid "Whether to look up canonical group name from cache if possible" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:578 -+#: src/config/SSSDConfig/sssdoptions.py:581 - msgid "PAM stack to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:581 -+#: src/config/SSSDConfig/sssdoptions.py:584 - msgid "Path of passwd file sources." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:582 -+#: src/config/SSSDConfig/sssdoptions.py:585 - msgid "Path of group file sources." - msgstr "" - --#: src/monitor/monitor.c:2376 -+#: src/monitor/monitor.c:2381 - msgid "Become a daemon (default)" - msgstr "" - --#: src/monitor/monitor.c:2378 -+#: src/monitor/monitor.c:2383 - msgid "Run interactive (not a daemon)" - msgstr "" - --#: src/monitor/monitor.c:2381 -+#: src/monitor/monitor.c:2386 - msgid "Disable netlink interface" - msgstr "" - --#: src/monitor/monitor.c:2383 src/tools/sssctl/sssctl_config.c:77 -+#: src/monitor/monitor.c:2388 src/tools/sssctl/sssctl_config.c:77 - #: src/tools/sssctl/sssctl_logs.c:310 - msgid "Specify a non-default config file" - msgstr "" - --#: src/monitor/monitor.c:2385 -+#: src/monitor/monitor.c:2390 - msgid "Refresh the configuration database, then exit" - msgstr "" - --#: src/monitor/monitor.c:2388 -+#: src/monitor/monitor.c:2393 - msgid "Similar to --genconf, but only refreshes the given section" - msgstr "" - --#: src/monitor/monitor.c:2391 -+#: src/monitor/monitor.c:2396 - msgid "Print version number and exit" - msgstr "" - --#: src/monitor/monitor.c:2537 -+#: src/monitor/monitor.c:2542 - msgid 
"SSSD is already running\n" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3260 src/providers/ldap/ldap_child.c:638 -+#: src/providers/krb5/krb5_child.c:3274 src/providers/ldap/ldap_child.c:638 - msgid "Debug level" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3262 src/providers/ldap/ldap_child.c:640 -+#: src/providers/krb5/krb5_child.c:3276 src/providers/ldap/ldap_child.c:640 - msgid "Add debug timestamps" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3264 src/providers/ldap/ldap_child.c:642 -+#: src/providers/krb5/krb5_child.c:3278 src/providers/ldap/ldap_child.c:642 - msgid "Show timestamps with microseconds" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3266 src/providers/ldap/ldap_child.c:644 -+#: src/providers/krb5/krb5_child.c:3280 src/providers/ldap/ldap_child.c:644 - msgid "An open file descriptor for the debug logs" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3269 src/providers/ldap/ldap_child.c:646 -+#: src/providers/krb5/krb5_child.c:3283 src/providers/ldap/ldap_child.c:646 - msgid "Send the debug output to stderr directly." 
- msgstr "" - --#: src/providers/krb5/krb5_child.c:3272 -+#: src/providers/krb5/krb5_child.c:3286 - msgid "The user to create FAST ccache as" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3274 -+#: src/providers/krb5/krb5_child.c:3288 - msgid "The group to create FAST ccache as" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3276 -+#: src/providers/krb5/krb5_child.c:3290 - msgid "Kerberos realm to use" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3278 -+#: src/providers/krb5/krb5_child.c:3292 - msgid "Requested lifetime of the ticket" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3280 -+#: src/providers/krb5/krb5_child.c:3294 - msgid "Requested renewable lifetime of the ticket" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3282 -+#: src/providers/krb5/krb5_child.c:3296 - msgid "FAST options ('never', 'try', 'demand')" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3285 -+#: src/providers/krb5/krb5_child.c:3299 - msgid "Specifies the server principal to use for FAST" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3287 -+#: src/providers/krb5/krb5_child.c:3301 - msgid "Requests canonicalization of the principal name" - msgstr "" - --#: src/providers/krb5/krb5_child.c:3289 -+#: src/providers/krb5/krb5_child.c:3303 - msgid "Use custom version of krb5_get_init_creds_password" - msgstr "" - --#: src/providers/data_provider_be.c:699 -+#: src/providers/data_provider_be.c:711 - msgid "Domain of the information provider (mandatory)" - msgstr "" - --#: src/sss_client/common.c:1079 -+#: src/sss_client/common.c:1088 - msgid "Privileged socket has wrong ownership or permissions." - msgstr "" - --#: src/sss_client/common.c:1082 -+#: src/sss_client/common.c:1091 - msgid "Public socket has wrong ownership or permissions." - msgstr "" - --#: src/sss_client/common.c:1085 -+#: src/sss_client/common.c:1094 - msgid "Unexpected format of the server credential message." 
- msgstr "" - --#: src/sss_client/common.c:1088 -+#: src/sss_client/common.c:1097 - msgid "SSSD is not run by root." - msgstr "" - --#: src/sss_client/common.c:1091 -+#: src/sss_client/common.c:1100 - msgid "SSSD socket does not exist." - msgstr "" - --#: src/sss_client/common.c:1094 -+#: src/sss_client/common.c:1103 - msgid "Cannot get stat of SSSD socket." - msgstr "" - --#: src/sss_client/common.c:1099 -+#: src/sss_client/common.c:1108 - msgid "An error occurred, but no description can be found." - msgstr "" - --#: src/sss_client/common.c:1105 -+#: src/sss_client/common.c:1114 - msgid "Unexpected error while looking for an error description" - msgstr "" - -@@ -1983,88 +1995,88 @@ msgstr "" - msgid "Permission denied. " - msgstr "" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 --#: src/sss_client/pam_sss.c:792 -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 -+#: src/sss_client/pam_sss.c:796 - msgid "Server message: " - msgstr "" - --#: src/sss_client/pam_sss.c:299 -+#: src/sss_client/pam_sss.c:303 - msgid "Passwords do not match" - msgstr "" - --#: src/sss_client/pam_sss.c:487 -+#: src/sss_client/pam_sss.c:491 - msgid "Password reset by root is not supported." - msgstr "" - --#: src/sss_client/pam_sss.c:528 -+#: src/sss_client/pam_sss.c:532 - msgid "Authenticated with cached credentials" - msgstr "" - --#: src/sss_client/pam_sss.c:529 -+#: src/sss_client/pam_sss.c:533 - msgid ", your cached password will expire at: " - msgstr "" - --#: src/sss_client/pam_sss.c:559 -+#: src/sss_client/pam_sss.c:563 - #, c-format - msgid "Your password has expired. You have %1$d grace login(s) remaining." - msgstr "" - --#: src/sss_client/pam_sss.c:605 -+#: src/sss_client/pam_sss.c:609 - #, c-format - msgid "Your password will expire in %1$d %2$s." 
- msgstr "" - --#: src/sss_client/pam_sss.c:654 -+#: src/sss_client/pam_sss.c:658 - msgid "Authentication is denied until: " - msgstr "" - --#: src/sss_client/pam_sss.c:675 -+#: src/sss_client/pam_sss.c:679 - msgid "System is offline, password change not possible" - msgstr "" - --#: src/sss_client/pam_sss.c:690 -+#: src/sss_client/pam_sss.c:694 - msgid "" - "After changing the OTP password, you need to log out and back in order to " - "acquire a ticket" - msgstr "" - --#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 -+#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 - msgid "Password change failed. " - msgstr "" - --#: src/sss_client/pam_sss.c:2015 -+#: src/sss_client/pam_sss.c:2044 - msgid "New Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2016 -+#: src/sss_client/pam_sss.c:2045 - msgid "Reenter new Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 -+#: src/sss_client/pam_sss.c:2207 src/sss_client/pam_sss.c:2210 - msgid "First Factor: " - msgstr "" - --#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 -+#: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2382 - msgid "Second Factor (optional): " - msgstr "" - --#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 -+#: src/sss_client/pam_sss.c:2211 src/sss_client/pam_sss.c:2385 - msgid "Second Factor: " - msgstr "" - --#: src/sss_client/pam_sss.c:2200 -+#: src/sss_client/pam_sss.c:2229 - msgid "Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 -+#: src/sss_client/pam_sss.c:2381 src/sss_client/pam_sss.c:2384 - msgid "First Factor (Current Password): " - msgstr "" - --#: src/sss_client/pam_sss.c:2359 -+#: src/sss_client/pam_sss.c:2388 - msgid "Current Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2716 -+#: src/sss_client/pam_sss.c:2745 - msgid "Password expired. Change your password now." 
- msgstr "" - -@@ -3181,18 +3193,18 @@ msgstr "" - msgid " - no env -\n" - msgstr "" - --#: src/util/util.h:82 -+#: src/util/util.h:86 - msgid "The user ID to run the server as" - msgstr "" - --#: src/util/util.h:84 -+#: src/util/util.h:88 - msgid "The group ID to run the server as" - msgstr "" - --#: src/util/util.h:92 -+#: src/util/util.h:96 - msgid "Informs that the responder has been socket-activated" - msgstr "" - --#: src/util/util.h:94 -+#: src/util/util.h:98 - msgid "Informs that the responder has been dbus-activated" - msgstr "" --- -2.21.3 - diff --git a/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch b/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch deleted file mode 100644 index 8e6c364..0000000 --- a/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch +++ /dev/null 
@@ -1,6893 +0,0 @@ -From b38701b9ebdfe1291e0d9f7aa6ff814f9b42b51a Mon Sep 17 00:00:00 2001 -From: Weblate -Date: Fri, 5 Feb 2021 12:01:46 +0100 -Subject: [PATCH] Update the translations for the 2.4.1 release - ---- - po/fr.po | 860 ++++++++++++++++++++++++++-------------------------- - po/ja.po | 860 ++++++++++++++++++++++++++-------------------------- - po/zh_CN.po | 860 ++++++++++++++++++++++++++-------------------------- - 3 files changed, 1308 insertions(+), 1272 deletions(-) - -diff --git a/po/fr.po b/po/fr.po -index eded3659c..e2e906d35 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -15,7 +15,7 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-10-12 12:21+0200\n" -+"POT-Creation-Date: 2021-02-05 11:58+0100\n" - "PO-Revision-Date: 2020-08-04 05:55+0000\n" - "Last-Translator: Jean-Baptiste Holcroft \n" - "Language-Team: French \n" - "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" -@@ -175,7 +175,7 @@ msgid "Entry cache background update timeout length (seconds)" - msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" - - #: src/config/SSSDConfig/sssdoptions.py:61 --#: src/config/SSSDConfig/sssdoptions.py:115 -+#: src/config/SSSDConfig/sssdoptions.py:117 - msgid "Negative cache timeout length (seconds)" - msgstr "ネガティブキャッシュのタイムアウト(秒)" - -@@ -360,15 +360,23 @@ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI - msgid "When shall the PAM responder force an initgroups request" - msgstr "PAM レスポンダーが initgroups リクエストを強制するとき" - --#: src/config/SSSDConfig/sssdoptions.py:109 -+#: src/config/SSSDConfig/sssdoptions.py:107 -+msgid "List of PAM services that are allowed to authenticate with GSSAPI." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "Whether to match authenticated UPN with target user" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:111 - msgid "Whether to evaluate the time-based attributes in sudo rules" - msgstr "sudo ルールにおいて時間による属性を評価するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:110 -+#: src/config/SSSDConfig/sssdoptions.py:112 - msgid "If true, SSSD will switch back to lower-wins ordering logic" - msgstr "正しい場合、SSSD は小さい番号が優先される順位付けのロジックへ戻ります" - --#: src/config/SSSDConfig/sssdoptions.py:111 -+#: src/config/SSSDConfig/sssdoptions.py:113 - msgid "" - "Maximum number of rules that can be refreshed at once. If this is exceeded, " - "full refresh is performed." -@@ -376,105 +384,105 @@ msgstr "" - "一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュが" - "実行されます。" - --#: src/config/SSSDConfig/sssdoptions.py:118 -+#: src/config/SSSDConfig/sssdoptions.py:120 - msgid "Whether to hash host names and addresses in the known_hosts file" - msgstr "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:119 -+#: src/config/SSSDConfig/sssdoptions.py:121 - msgid "" - "How many seconds to keep a host in the known_hosts file after its host keys " - "were requested" - msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数" - --#: src/config/SSSDConfig/sssdoptions.py:121 -+#: src/config/SSSDConfig/sssdoptions.py:123 - msgid "Path to storage of trusted CA certificates" - msgstr "信頼された CA 証明書のストレージへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:122 -+#: src/config/SSSDConfig/sssdoptions.py:124 - msgid "Allow to generate ssh-keys from certificates" - msgstr "証明書からの ssh-key の生成を許可します" - --#: src/config/SSSDConfig/sssdoptions.py:123 -+#: src/config/SSSDConfig/sssdoptions.py:125 - msgid "" - "Use the following matching rules to filter the certificates for ssh-key " - "generation" - msgstr "" - "以下の一致するルールを使用して、ssh-key 生成用の証明書をフィルタリングします" - --#: src/config/SSSDConfig/sssdoptions.py:127 -+#: 
src/config/SSSDConfig/sssdoptions.py:129 - msgid "List of UIDs or user names allowed to access the PAC responder" - msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧" - --#: src/config/SSSDConfig/sssdoptions.py:128 -+#: src/config/SSSDConfig/sssdoptions.py:130 - msgid "How long the PAC data is considered valid" - msgstr "PAC データが有効とされる期間" - --#: src/config/SSSDConfig/sssdoptions.py:131 -+#: src/config/SSSDConfig/sssdoptions.py:133 - msgid "List of user attributes the InfoPipe is allowed to publish" - msgstr "InfoPipe がパブリッシュを許可されたユーザー属性の一覧" - --#: src/config/SSSDConfig/sssdoptions.py:134 -+#: src/config/SSSDConfig/sssdoptions.py:136 - msgid "The provider where the secrets will be stored in" - msgstr "シークレットが保存されるプロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:135 -+#: src/config/SSSDConfig/sssdoptions.py:137 - msgid "The maximum allowed number of nested containers" - msgstr "ネストされたコンテナーの最大許可数" - --#: src/config/SSSDConfig/sssdoptions.py:136 -+#: src/config/SSSDConfig/sssdoptions.py:138 - msgid "The maximum number of secrets that can be stored" - msgstr "保存可能なシークレットの最大数" - --#: src/config/SSSDConfig/sssdoptions.py:137 -+#: src/config/SSSDConfig/sssdoptions.py:139 - msgid "The maximum number of secrets that can be stored per UID" - msgstr "UID ごとに保存可能なシークレットの最大数" - --#: src/config/SSSDConfig/sssdoptions.py:138 -+#: src/config/SSSDConfig/sssdoptions.py:140 - msgid "The maximum payload size of a secret in kilobytes" - msgstr "キロバイトでのシークレットの最大ペイロードサイズ" - --#: src/config/SSSDConfig/sssdoptions.py:140 -+#: src/config/SSSDConfig/sssdoptions.py:142 - msgid "The URL Custodia server is listening on" - msgstr "URL Custodia サーバーはリッスンしています" - --#: src/config/SSSDConfig/sssdoptions.py:141 -+#: src/config/SSSDConfig/sssdoptions.py:143 - msgid "The method to use when authenticating to a Custodia server" - msgstr "Custodia サーバーへの認証時に使用する方法" - --#: src/config/SSSDConfig/sssdoptions.py:142 -+#: src/config/SSSDConfig/sssdoptions.py:144 - msgid "" - "The name of the headers that will 
be added into a HTTP request with the " - "value defined in auth_header_value" - msgstr "" - "auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名前" - --#: src/config/SSSDConfig/sssdoptions.py:144 -+#: src/config/SSSDConfig/sssdoptions.py:146 - msgid "The value sssd-secrets would use for auth_header_name" - msgstr "sssd-secrets の値は、auth_header_name で使用します" - --#: src/config/SSSDConfig/sssdoptions.py:145 -+#: src/config/SSSDConfig/sssdoptions.py:147 - msgid "" - "The list of the headers to forward to the Custodia server together with the " - "request" - msgstr "要求と共に Custodia サーバーへ転送するヘッダーの一覧" - --#: src/config/SSSDConfig/sssdoptions.py:146 -+#: src/config/SSSDConfig/sssdoptions.py:148 - msgid "" - "The username to use when authenticating to a Custodia server using basic_auth" - msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するユーザー名" - --#: src/config/SSSDConfig/sssdoptions.py:147 -+#: src/config/SSSDConfig/sssdoptions.py:149 - msgid "" - "The password to use when authenticating to a Custodia server using basic_auth" - msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するパスワード" - --#: src/config/SSSDConfig/sssdoptions.py:148 -+#: src/config/SSSDConfig/sssdoptions.py:150 - msgid "If true peer's certificate is verified if proxy_url uses https protocol" - msgstr "" - "proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証される" - "かどうか" - --#: src/config/SSSDConfig/sssdoptions.py:149 -+#: src/config/SSSDConfig/sssdoptions.py:151 - msgid "" - "If false peer's certificate may contain different hostname than proxy_url " - "when https protocol is used" -@@ -482,23 +490,23 @@ msgstr "" - "https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外の異" - "なるホスト名を含むかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:151 -+#: src/config/SSSDConfig/sssdoptions.py:153 - msgid "Path to directory where certificate authority certificates are stored" - msgstr "CA 証明書が保存されているディレクトリーへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:152 -+#: src/config/SSSDConfig/sssdoptions.py:154 - msgid "Path to file containing 
server's CA certificate" - msgstr "サーバーの CA 証明書を含むファイルへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:153 -+#: src/config/SSSDConfig/sssdoptions.py:155 - msgid "Path to file containing client's certificate" - msgstr "クライアントの証明書を含むファイルへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:154 -+#: src/config/SSSDConfig/sssdoptions.py:156 - msgid "Path to file containing client's private key" - msgstr "クライアントの秘密鍵を含むファイルへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:157 -+#: src/config/SSSDConfig/sssdoptions.py:159 - msgid "" - "One of the following strings specifying the scope of session recording: none " - "- No users are recorded. some - Users/groups specified by users and groups " -@@ -508,7 +516,7 @@ msgstr "" - "いません。some: ユーザーとグループオプションによって指定されているユーザー/グ" - "ループが記録されています。all: すべてのユーザーが記録されます。" - --#: src/config/SSSDConfig/sssdoptions.py:160 -+#: src/config/SSSDConfig/sssdoptions.py:162 - msgid "" - "A comma-separated list of users which should have session recording enabled. " - "Matches user names as returned by NSS. I.e. after the possible space " -@@ -518,7 +526,7 @@ msgstr "" - "返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更など" - "の可能性がある場合には、その後になります。" - --#: src/config/SSSDConfig/sssdoptions.py:162 -+#: src/config/SSSDConfig/sssdoptions.py:164 - msgid "" - "A comma-separated list of groups, members of which should have session " - "recording enabled. Matches group names as returned by NSS. I.e. after the " -@@ -528,112 +536,112 @@ msgstr "" - "トです。NSS が返すグループ名にマッチします。つまり、スペースの置換、大文字小" - "文字の変更などの可能性がある場合には、その後になります。" - --#: src/config/SSSDConfig/sssdoptions.py:165 -+#: src/config/SSSDConfig/sssdoptions.py:167 - msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:166 -+#: src/config/SSSDConfig/sssdoptions.py:168 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. 
" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:170 -+#: src/config/SSSDConfig/sssdoptions.py:172 - msgid "Identity provider" - msgstr "アイデンティティープロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:171 -+#: src/config/SSSDConfig/sssdoptions.py:173 - msgid "Authentication provider" - msgstr "認証プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:172 -+#: src/config/SSSDConfig/sssdoptions.py:174 - msgid "Access control provider" - msgstr "アクセス制御プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:173 -+#: src/config/SSSDConfig/sssdoptions.py:175 - msgid "Password change provider" - msgstr "パスワード変更プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:174 -+#: src/config/SSSDConfig/sssdoptions.py:176 - msgid "SUDO provider" - msgstr "SUDO プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:175 -+#: src/config/SSSDConfig/sssdoptions.py:177 - msgid "Autofs provider" - msgstr "Autofs プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:176 -+#: src/config/SSSDConfig/sssdoptions.py:178 - msgid "Host identity provider" - msgstr "ホスト識別プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:177 -+#: src/config/SSSDConfig/sssdoptions.py:179 - msgid "SELinux provider" - msgstr "SELinux プロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:178 -+#: src/config/SSSDConfig/sssdoptions.py:180 - msgid "Session management provider" - msgstr "セッションマネージャーのプロバイダー" - --#: src/config/SSSDConfig/sssdoptions.py:179 -+#: src/config/SSSDConfig/sssdoptions.py:181 - msgid "Resolver provider" - msgstr "リゾルバープロバイダ" - --#: src/config/SSSDConfig/sssdoptions.py:182 -+#: src/config/SSSDConfig/sssdoptions.py:184 - msgid "Whether the domain is usable by the OS or by applications" - msgstr "OS またはアプリケーションがドメインを使用できるかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:185 - #, fuzzy - msgid "Enable or disable the domain" - msgstr "暗黙のファイルドメインを有効化または無効化する" - --#: src/config/SSSDConfig/sssdoptions.py:184 -+#: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Minimum 
user ID" - msgstr "最小ユーザー ID" - --#: src/config/SSSDConfig/sssdoptions.py:185 -+#: src/config/SSSDConfig/sssdoptions.py:187 - msgid "Maximum user ID" - msgstr "最大ユーザー ID" - --#: src/config/SSSDConfig/sssdoptions.py:186 -+#: src/config/SSSDConfig/sssdoptions.py:188 - msgid "Enable enumerating all users/groups" - msgstr "すべてのユーザー・グループの列挙を有効にする" - --#: src/config/SSSDConfig/sssdoptions.py:187 -+#: src/config/SSSDConfig/sssdoptions.py:189 - msgid "Cache credentials for offline login" - msgstr "オフラインログインのためにクレデンシャルをキャッシュする" - --#: src/config/SSSDConfig/sssdoptions.py:188 -+#: src/config/SSSDConfig/sssdoptions.py:190 - msgid "Display users/groups in fully-qualified form" - msgstr "ユーザー・グループを完全修飾形式で表示する" - --#: src/config/SSSDConfig/sssdoptions.py:189 -+#: src/config/SSSDConfig/sssdoptions.py:191 - msgid "Don't include group members in group lookups" - msgstr "グループ検索にグループメンバーを含めない" - --#: src/config/SSSDConfig/sssdoptions.py:190 --#: src/config/SSSDConfig/sssdoptions.py:200 --#: src/config/SSSDConfig/sssdoptions.py:201 -+#: src/config/SSSDConfig/sssdoptions.py:192 - #: src/config/SSSDConfig/sssdoptions.py:202 - #: src/config/SSSDConfig/sssdoptions.py:203 - #: src/config/SSSDConfig/sssdoptions.py:204 - #: src/config/SSSDConfig/sssdoptions.py:205 - #: src/config/SSSDConfig/sssdoptions.py:206 -+#: src/config/SSSDConfig/sssdoptions.py:207 -+#: src/config/SSSDConfig/sssdoptions.py:208 - msgid "Entry cache timeout length (seconds)" - msgstr "エントリーキャッシュのタイムアウト長(秒)" - --#: src/config/SSSDConfig/sssdoptions.py:191 -+#: src/config/SSSDConfig/sssdoptions.py:193 - msgid "" - "Restrict or prefer a specific address family when performing DNS lookups" - msgstr "DNS 検索を実行する時に特定のアドレスファミリーを制限または優先します" - --#: src/config/SSSDConfig/sssdoptions.py:192 -+#: src/config/SSSDConfig/sssdoptions.py:194 - msgid "How long to keep cached entries after last successful login (days)" - msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数" - --#: src/config/SSSDConfig/sssdoptions.py:193 -+#: 
src/config/SSSDConfig/sssdoptions.py:195 - msgid "" - "How long should SSSD talk to single DNS server before trying next server " - "(miliseconds)" -@@ -641,99 +649,99 @@ msgstr "" - "次のサーバーを試行するまでに SSSD が単一の DNS サーバーと通信する時間 (ミリ" - "秒)" - --#: src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:197 - msgid "How long should keep trying to resolve single DNS query (seconds)" - msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" - --#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:198 - msgid "How long to wait for replies from DNS when resolving servers (seconds)" - msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" - --#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:199 - msgid "The domain part of service discovery DNS query" - msgstr "サービス検索 DNS クエリーのドメイン部分" - --#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:200 - msgid "Override GID value from the identity provider with this value" - msgstr "識別プロバイダーからの GID 値をこの値で上書きする" - --#: src/config/SSSDConfig/sssdoptions.py:199 -+#: src/config/SSSDConfig/sssdoptions.py:201 - msgid "Treat usernames as case sensitive" - msgstr "ユーザー名が大文字小文字を区別するよう取り扱う" - --#: src/config/SSSDConfig/sssdoptions.py:207 -+#: src/config/SSSDConfig/sssdoptions.py:209 - msgid "How often should expired entries be refreshed in background" - msgstr "期限切れのエントリーがバックグラウンドで更新される頻度" - --#: src/config/SSSDConfig/sssdoptions.py:208 -+#: src/config/SSSDConfig/sssdoptions.py:210 - msgid "Whether to automatically update the client's DNS entry" - msgstr "自動的にクライアントの DNS エントリーを更新するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:209 --#: src/config/SSSDConfig/sssdoptions.py:239 -+#: src/config/SSSDConfig/sssdoptions.py:211 -+#: src/config/SSSDConfig/sssdoptions.py:241 - msgid "The TTL to apply to the client's DNS entry after updating it" - msgstr "クライアントの DNS 項目を更新後、適用する TTL" - --#: src/config/SSSDConfig/sssdoptions.py:210 --#: 
src/config/SSSDConfig/sssdoptions.py:240 -+#: src/config/SSSDConfig/sssdoptions.py:212 -+#: src/config/SSSDConfig/sssdoptions.py:242 - msgid "The interface whose IP should be used for dynamic DNS updates" - msgstr "動的 DNS 更新のために使用される IP のインターフェース" - --#: src/config/SSSDConfig/sssdoptions.py:211 -+#: src/config/SSSDConfig/sssdoptions.py:213 - msgid "How often to periodically update the client's DNS entry" - msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか" - --#: src/config/SSSDConfig/sssdoptions.py:212 -+#: src/config/SSSDConfig/sssdoptions.py:214 - msgid "Whether the provider should explicitly update the PTR record as well" - msgstr "" - "プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:213 -+#: src/config/SSSDConfig/sssdoptions.py:215 - msgid "Whether the nsupdate utility should default to using TCP" - msgstr "nsupdate ユーティリティーが標準で TCP を使用するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:214 -+#: src/config/SSSDConfig/sssdoptions.py:216 - msgid "What kind of authentication should be used to perform the DNS update" - msgstr "DNS 更新を実行するために使用すべき認証の種類" - --#: src/config/SSSDConfig/sssdoptions.py:215 -+#: src/config/SSSDConfig/sssdoptions.py:217 - msgid "Override the DNS server used to perform the DNS update" - msgstr "DNS の更新を実行する際に使用する DNS サーバーを上書き" - --#: src/config/SSSDConfig/sssdoptions.py:216 -+#: src/config/SSSDConfig/sssdoptions.py:218 - msgid "Control enumeration of trusted domains" - msgstr "信頼されたドメインの列挙を制御" - --#: src/config/SSSDConfig/sssdoptions.py:217 -+#: src/config/SSSDConfig/sssdoptions.py:219 - msgid "How often should subdomains list be refreshed" - msgstr "サブドメインの一覧のリフレッシュ回数" - --#: src/config/SSSDConfig/sssdoptions.py:218 -+#: src/config/SSSDConfig/sssdoptions.py:220 - msgid "List of options that should be inherited into a subdomain" - msgstr "サブドメインに継承すべきオプションの一覧" - --#: src/config/SSSDConfig/sssdoptions.py:219 -+#: src/config/SSSDConfig/sssdoptions.py:221 - msgid "Default subdomain homedir value" - msgstr 
"デフォルトのサブドメインホームディレクトリーの値" - --#: src/config/SSSDConfig/sssdoptions.py:220 -+#: src/config/SSSDConfig/sssdoptions.py:222 - msgid "How long can cached credentials be used for cached authentication" - msgstr "証明書キャッシュを認証キャッシュに使用できる期間" - --#: src/config/SSSDConfig/sssdoptions.py:221 -+#: src/config/SSSDConfig/sssdoptions.py:223 - msgid "Whether to automatically create private groups for users" - msgstr "ユーザーにプライベートグループを自動的に作成するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:222 -+#: src/config/SSSDConfig/sssdoptions.py:224 - msgid "Display a warning N days before the password expires." - msgstr "Display a warning N days before the password expires." - --#: src/config/SSSDConfig/sssdoptions.py:223 -+#: src/config/SSSDConfig/sssdoptions.py:225 - msgid "" - "Various tags stored by the realmd configuration service for this domain." - msgstr "このドメインのための realmd 設定サービスによって格納された様々なタグ。" - --#: src/config/SSSDConfig/sssdoptions.py:224 -+#: src/config/SSSDConfig/sssdoptions.py:226 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." -@@ -741,7 +749,7 @@ msgstr "" - "サブドメインの取得を処理する必要のあるプロバイダー。この値は常に id_provider " - "と同じでなければなりません。" - --#: src/config/SSSDConfig/sssdoptions.py:226 -+#: src/config/SSSDConfig/sssdoptions.py:228 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." 
-@@ -749,7 +757,7 @@ msgstr "" - "リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何" - "秒キャッシュするか。" - --#: src/config/SSSDConfig/sssdoptions.py:228 -+#: src/config/SSSDConfig/sssdoptions.py:230 - msgid "" - "If 2-Factor-Authentication (2FA) is used and credentials should be saved " - "this value determines the minimal length the first authentication factor " -@@ -759,95 +767,95 @@ msgstr "" - "この値は、最初の認証要素 (長期パスワード) を SHA512 ハッシュとしてキャッシュ" - "に保存する必要がある最小の長さを決定します。" - --#: src/config/SSSDConfig/sssdoptions.py:234 -+#: src/config/SSSDConfig/sssdoptions.py:236 - msgid "IPA domain" - msgstr "IPA ドメイン" - --#: src/config/SSSDConfig/sssdoptions.py:235 -+#: src/config/SSSDConfig/sssdoptions.py:237 - msgid "IPA server address" - msgstr "IPA サーバーのアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:236 -+#: src/config/SSSDConfig/sssdoptions.py:238 - msgid "Address of backup IPA server" - msgstr "バックアップ IPA サーバーのアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:237 -+#: src/config/SSSDConfig/sssdoptions.py:239 - msgid "IPA client hostname" - msgstr "IPA クライアントのホスト名" - --#: src/config/SSSDConfig/sssdoptions.py:238 -+#: src/config/SSSDConfig/sssdoptions.py:240 - msgid "Whether to automatically update the client's DNS entry in FreeIPA" - msgstr "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:241 -+#: src/config/SSSDConfig/sssdoptions.py:243 - msgid "Search base for HBAC related objects" - msgstr "HBAC 関連オブジェクトの検索ベース" - --#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:244 - msgid "" - "The amount of time between lookups of the HBAC rules against the IPA server" - msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間" - --#: src/config/SSSDConfig/sssdoptions.py:243 -+#: src/config/SSSDConfig/sssdoptions.py:245 - msgid "" - "The amount of time in seconds between lookups of the SELinux maps against " - "the IPA server" - msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間" - --#: src/config/SSSDConfig/sssdoptions.py:245 -+#: 
src/config/SSSDConfig/sssdoptions.py:247 - msgid "If set to false, host argument given by PAM will be ignored" - msgstr "もし偽に設定されていると、PAM により渡されたホスト引数は無視されます" - --#: src/config/SSSDConfig/sssdoptions.py:246 -+#: src/config/SSSDConfig/sssdoptions.py:248 - msgid "The automounter location this IPA client is using" - msgstr "この IPA クライアントが使用している automounter の場所" - --#: src/config/SSSDConfig/sssdoptions.py:247 -+#: src/config/SSSDConfig/sssdoptions.py:249 - msgid "Search base for object containing info about IPA domain" - msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース" - --#: src/config/SSSDConfig/sssdoptions.py:248 -+#: src/config/SSSDConfig/sssdoptions.py:250 - msgid "Search base for objects containing info about ID ranges" - msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース" - --#: src/config/SSSDConfig/sssdoptions.py:249 --#: src/config/SSSDConfig/sssdoptions.py:303 -+#: src/config/SSSDConfig/sssdoptions.py:251 -+#: src/config/SSSDConfig/sssdoptions.py:305 - msgid "Enable DNS sites - location based service discovery" - msgstr "DNS サイトの有効化 - 位置ベースのサービス検索" - --#: src/config/SSSDConfig/sssdoptions.py:250 -+#: src/config/SSSDConfig/sssdoptions.py:252 - msgid "Search base for view containers" - msgstr "ビューコンテナーの検索ベース" - --#: src/config/SSSDConfig/sssdoptions.py:251 -+#: src/config/SSSDConfig/sssdoptions.py:253 - msgid "Objectclass for view containers" - msgstr "ビューコンテナーのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:252 -+#: src/config/SSSDConfig/sssdoptions.py:254 - msgid "Attribute with the name of the view" - msgstr "ビューの名前の属性" - --#: src/config/SSSDConfig/sssdoptions.py:253 -+#: src/config/SSSDConfig/sssdoptions.py:255 - msgid "Objectclass for override objects" - msgstr "上書きされたオブジェクトのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:254 -+#: src/config/SSSDConfig/sssdoptions.py:256 - msgid "Attribute with the reference to the original object" - msgstr "オリジナルオブジェクトを参照する属性" - --#: src/config/SSSDConfig/sssdoptions.py:255 -+#: src/config/SSSDConfig/sssdoptions.py:257 - msgid 
"Objectclass for user override objects" - msgstr "ユーザーが上書きするオブジェクトのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:256 -+#: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Objectclass for group override objects" - msgstr "グループが上書きするオブジェクトのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:259 - msgid "Search base for Desktop Profile related objects" - msgstr "デスクトッププロファイルに関連するオブジェクトの検索ベース" - --#: src/config/SSSDConfig/sssdoptions.py:258 -+#: src/config/SSSDConfig/sssdoptions.py:260 - msgid "" - "The amount of time in seconds between lookups of the Desktop Profile rules " - "against the IPA server" -@@ -855,7 +863,7 @@ msgstr "" - "IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位の" - "合計時間" - --#: src/config/SSSDConfig/sssdoptions.py:260 -+#: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" - "The amount of time in minutes between lookups of Desktop Profiles rules " - "against the IPA server when the last request did not find any rule" -@@ -863,32 +871,32 @@ msgstr "" - "最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスクトップ" - "プロファイルル ールを検索している間の分単位の合計時間" - --#: src/config/SSSDConfig/sssdoptions.py:263 -+#: src/config/SSSDConfig/sssdoptions.py:265 - msgid "The LDAP attribute that contains FQDN of the host." - msgstr "ホストの FQDN を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:264 --#: src/config/SSSDConfig/sssdoptions.py:287 -+#: src/config/SSSDConfig/sssdoptions.py:266 -+#: src/config/SSSDConfig/sssdoptions.py:289 - msgid "The object class of a host entry in LDAP." - msgstr "LDAP にあるホストエントリーのオブジェクトクラスです。" - --#: src/config/SSSDConfig/sssdoptions.py:265 -+#: src/config/SSSDConfig/sssdoptions.py:267 - msgid "Use the given string as search base for host objects." - msgstr "ホストオブジェクトの検索ベースとして与えられた文字列を使用します。" - --#: src/config/SSSDConfig/sssdoptions.py:266 -+#: src/config/SSSDConfig/sssdoptions.py:268 - msgid "The LDAP attribute that contains the host's SSH public keys." 
- msgstr "ホストの SSH 公開鍵を含む LDAP 属性です。" - --#: src/config/SSSDConfig/sssdoptions.py:267 -+#: src/config/SSSDConfig/sssdoptions.py:269 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." - msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:268 -+#: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The LDAP attribute that contains the names of the netgroup's members." - msgstr "The LDAP attribute that contains the names of the netgroup's members." - --#: src/config/SSSDConfig/sssdoptions.py:269 -+#: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." -@@ -896,7 +904,7 @@ msgstr "" - "ネットグループのメンバーであるホストとホストグループの FQDN を一覧表示する " - "LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:271 -+#: src/config/SSSDConfig/sssdoptions.py:273 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." -@@ -904,11 +912,11 @@ msgstr "" - "ネットグループの直接のメンバーであるホストとホストグループを一覧表示する " - "LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:273 -+#: src/config/SSSDConfig/sssdoptions.py:275 - msgid "The LDAP attribute that lists netgroup's memberships." - msgstr "ネットグループのメンバーシップを一覧表示する LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:274 -+#: src/config/SSSDConfig/sssdoptions.py:276 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." -@@ -916,45 +924,45 @@ msgstr "" - "ネットグループの直接のメンバーであるシステムユーザーとグループを一覧表示する " - "LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:276 -+#: src/config/SSSDConfig/sssdoptions.py:278 - msgid "The LDAP attribute that corresponds to the netgroup name." - msgstr "ネットワークグループ名に対応する LDAP 属性です。" - --#: src/config/SSSDConfig/sssdoptions.py:277 -+#: src/config/SSSDConfig/sssdoptions.py:279 - msgid "The object class of a netgroup entry in LDAP." 
- msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。" - --#: src/config/SSSDConfig/sssdoptions.py:278 -+#: src/config/SSSDConfig/sssdoptions.py:280 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." - msgstr "LDAP ネットグループオブジェクトの UUID/GUID を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:279 -+#: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." - msgstr "使用のためにユーザーマップが有効になっているかどうかを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:281 -+#: src/config/SSSDConfig/sssdoptions.py:283 - msgid "The LDAP attribute that contains host category such as 'all'." - msgstr "'all' などのホストカテゴリを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:282 -+#: src/config/SSSDConfig/sssdoptions.py:284 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." - msgstr "このルールがマッチするすべてのホスト/ホストグループを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:284 -+#: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." - msgstr "このルールがマッチするすべてのユーザー/グループを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:286 -+#: src/config/SSSDConfig/sssdoptions.py:288 - msgid "The LDAP attribute that contains the name of SELinux usermap." - msgstr "SELinux usermap の名前を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:288 -+#: src/config/SSSDConfig/sssdoptions.py:290 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." -@@ -962,19 +970,19 @@ msgstr "" - "memberUser および memberHost の代わりにマッチングに使用できる HBAC ルールの " - "DN を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:290 -+#: src/config/SSSDConfig/sssdoptions.py:292 - msgid "The LDAP attribute that contains SELinux user string itself." 
- msgstr "SELinuxのユーザー文字列そのものを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:291 -+#: src/config/SSSDConfig/sssdoptions.py:293 - msgid "The LDAP attribute that contains user category such as 'all'." - msgstr "'all' などのユーザーカテゴリーを含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:292 -+#: src/config/SSSDConfig/sssdoptions.py:294 - msgid "The LDAP attribute that contains unique ID of the user map." - msgstr "ユーザーマップの一意の ID を含む LDAP 属性。" - --#: src/config/SSSDConfig/sssdoptions.py:293 -+#: src/config/SSSDConfig/sssdoptions.py:295 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." -@@ -983,58 +991,58 @@ msgstr "" - "からのユーザーとグループの検索を異なる方法で実行する必要があることを示しま" - "す。" - --#: src/config/SSSDConfig/sssdoptions.py:295 -+#: src/config/SSSDConfig/sssdoptions.py:297 - msgid "Use the given string as search base for trusted domains." - msgstr "" - "信頼されたドメインに対する検索ベースとして、与えられた文字列を使用します。" - --#: src/config/SSSDConfig/sssdoptions.py:298 -+#: src/config/SSSDConfig/sssdoptions.py:300 - msgid "Active Directory domain" - msgstr "Active Directory ドメイン" - --#: src/config/SSSDConfig/sssdoptions.py:299 -+#: src/config/SSSDConfig/sssdoptions.py:301 - msgid "Enabled Active Directory domains" - msgstr "有効化された Active Directory ドメイン" - --#: src/config/SSSDConfig/sssdoptions.py:300 -+#: src/config/SSSDConfig/sssdoptions.py:302 - msgid "Active Directory server address" - msgstr "Active Directory サーバーアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:301 -+#: src/config/SSSDConfig/sssdoptions.py:303 - msgid "Active Directory backup server address" - msgstr "Active Directory バックアップサーバーのアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:302 -+#: src/config/SSSDConfig/sssdoptions.py:304 - msgid "Active Directory client hostname" - msgstr "Active Directory クライアントホスト名" - --#: src/config/SSSDConfig/sssdoptions.py:304 --#: src/config/SSSDConfig/sssdoptions.py:497 -+#: 
src/config/SSSDConfig/sssdoptions.py:306 -+#: src/config/SSSDConfig/sssdoptions.py:500 - msgid "LDAP filter to determine access privileges" - msgstr "アクセス権限を決めるための LDAP フィルター" - --#: src/config/SSSDConfig/sssdoptions.py:305 -+#: src/config/SSSDConfig/sssdoptions.py:307 - msgid "Whether to use the Global Catalog for lookups" - msgstr "検索にグローバルカタログを使用するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:306 -+#: src/config/SSSDConfig/sssdoptions.py:308 - msgid "Operation mode for GPO-based access control" - msgstr "グローバルカタログベースのアクセス制御に対するオペレーションモード" - --#: src/config/SSSDConfig/sssdoptions.py:307 -+#: src/config/SSSDConfig/sssdoptions.py:309 - msgid "" - "The amount of time between lookups of the GPO policy files against the AD " - "server" - msgstr "AD サーバーに対する GPO ポリシーファイルを検索している間の合計時間" - --#: src/config/SSSDConfig/sssdoptions.py:308 -+#: src/config/SSSDConfig/sssdoptions.py:310 - msgid "" - "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " - "settings" - msgstr "" - "GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:310 -+#: src/config/SSSDConfig/sssdoptions.py:312 - msgid "" - "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " - "policy settings" -@@ -1042,270 +1050,274 @@ msgstr "" - "GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM サー" - "ビス名" - --#: src/config/SSSDConfig/sssdoptions.py:312 -+#: src/config/SSSDConfig/sssdoptions.py:314 - msgid "" - "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" - msgstr "" - "GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:313 -+#: src/config/SSSDConfig/sssdoptions.py:315 - msgid "" - "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" - msgstr "" - "GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:314 -+#: src/config/SSSDConfig/sssdoptions.py:316 - msgid "" - "PAM 
service names that map to the GPO (Deny)ServiceLogonRight policy settings" - msgstr "(Deny)ServiceLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:315 -+#: src/config/SSSDConfig/sssdoptions.py:317 - msgid "PAM service names for which GPO-based access is always granted" - msgstr "GPO ベースのアクセスが常に許可される PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:316 -+#: src/config/SSSDConfig/sssdoptions.py:318 - msgid "PAM service names for which GPO-based access is always denied" - msgstr "GPO ベースのアクセスが常に拒否される PAM サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:317 -+#: src/config/SSSDConfig/sssdoptions.py:319 - msgid "" - "Default logon right (or permit/deny) to use for unmapped PAM service names" - msgstr "" - "マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 (また" - "は許可/拒否)" - --#: src/config/SSSDConfig/sssdoptions.py:318 -+#: src/config/SSSDConfig/sssdoptions.py:320 - msgid "a particular site to be used by the client" - msgstr "クライアントが使用する特定のサイト" - --#: src/config/SSSDConfig/sssdoptions.py:319 -+#: src/config/SSSDConfig/sssdoptions.py:321 - msgid "" - "Maximum age in days before the machine account password should be renewed" - msgstr "マシンアカウントのパスワードの更新が必要となるまでの最大日数" - --#: src/config/SSSDConfig/sssdoptions.py:321 -+#: src/config/SSSDConfig/sssdoptions.py:323 - msgid "Option for tuning the machine account renewal task" - msgstr "マシンアカウントの更新タスクをチューニングするオプション" - --#: src/config/SSSDConfig/sssdoptions.py:322 -+#: src/config/SSSDConfig/sssdoptions.py:324 - msgid "Whether to update the machine account password in the Samba database" - msgstr "Samba データベースのマシンアカウントパスワードを更新するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:324 -+#: src/config/SSSDConfig/sssdoptions.py:326 - msgid "Use LDAPS port for LDAP and Global Catalog requests" - msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポートを使用する" - --#: src/config/SSSDConfig/sssdoptions.py:325 -+#: src/config/SSSDConfig/sssdoptions.py:327 - msgid "Do not filter domain local groups from other domains" - msgstr "" 
- --#: src/config/SSSDConfig/sssdoptions.py:328 --#: src/config/SSSDConfig/sssdoptions.py:329 -+#: src/config/SSSDConfig/sssdoptions.py:330 -+#: src/config/SSSDConfig/sssdoptions.py:331 - msgid "Kerberos server address" - msgstr "Kerberos サーバーのアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:330 -+#: src/config/SSSDConfig/sssdoptions.py:332 - msgid "Kerberos backup server address" - msgstr "Kerberos バックアップサーバーのアドレス" - --#: src/config/SSSDConfig/sssdoptions.py:331 -+#: src/config/SSSDConfig/sssdoptions.py:333 - msgid "Kerberos realm" - msgstr "Kerberos レルム" - --#: src/config/SSSDConfig/sssdoptions.py:332 -+#: src/config/SSSDConfig/sssdoptions.py:334 - msgid "Authentication timeout" - msgstr "認証のタイムアウト" - --#: src/config/SSSDConfig/sssdoptions.py:333 -+#: src/config/SSSDConfig/sssdoptions.py:335 - msgid "Whether to create kdcinfo files" - msgstr "kdcinfo ファイルを作成するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:334 -+#: src/config/SSSDConfig/sssdoptions.py:336 - msgid "Where to drop krb5 config snippets" - msgstr "krb5 設定スニペットを削除する場所" - --#: src/config/SSSDConfig/sssdoptions.py:337 -+#: src/config/SSSDConfig/sssdoptions.py:339 - msgid "Directory to store credential caches" - msgstr "クレデンシャルのキャッシュを保存するディレクトリー" - --#: src/config/SSSDConfig/sssdoptions.py:338 -+#: src/config/SSSDConfig/sssdoptions.py:340 - msgid "Location of the user's credential cache" - msgstr "ユーザーのクレデンシャルキャッシュの位置" - --#: src/config/SSSDConfig/sssdoptions.py:339 -+#: src/config/SSSDConfig/sssdoptions.py:341 - msgid "Location of the keytab to validate credentials" - msgstr "クレデンシャルを検証するキーテーブルの場所" - --#: src/config/SSSDConfig/sssdoptions.py:340 -+#: src/config/SSSDConfig/sssdoptions.py:342 - msgid "Enable credential validation" - msgstr "クレデンシャルの検証を有効にする" - --#: src/config/SSSDConfig/sssdoptions.py:341 -+#: src/config/SSSDConfig/sssdoptions.py:343 - msgid "Store password if offline for later online authentication" - msgstr "後からオンライン認証するためにオフラインの場合にパスワードを保存します" - --#: 
src/config/SSSDConfig/sssdoptions.py:342 -+#: src/config/SSSDConfig/sssdoptions.py:344 - msgid "Renewable lifetime of the TGT" - msgstr "更新可能な TGT の有効期間" - --#: src/config/SSSDConfig/sssdoptions.py:343 -+#: src/config/SSSDConfig/sssdoptions.py:345 - msgid "Lifetime of the TGT" - msgstr "TGT の有効期間" - --#: src/config/SSSDConfig/sssdoptions.py:344 -+#: src/config/SSSDConfig/sssdoptions.py:346 - msgid "Time between two checks for renewal" - msgstr "更新を確認する間隔" - --#: src/config/SSSDConfig/sssdoptions.py:345 -+#: src/config/SSSDConfig/sssdoptions.py:347 - msgid "Enables FAST" - msgstr "FAST を有効にする" - --#: src/config/SSSDConfig/sssdoptions.py:346 -+#: src/config/SSSDConfig/sssdoptions.py:348 - msgid "Selects the principal to use for FAST" - msgstr "FAST に使用するプリンシパルを選択する" - --#: src/config/SSSDConfig/sssdoptions.py:347 -+#: src/config/SSSDConfig/sssdoptions.py:349 - msgid "Enables principal canonicalization" - msgstr "プリンシパル正規化を有効にする" - --#: src/config/SSSDConfig/sssdoptions.py:348 -+#: src/config/SSSDConfig/sssdoptions.py:350 - msgid "Enables enterprise principals" - msgstr "エンタープライズ・プリンシパルの有効化" - --#: src/config/SSSDConfig/sssdoptions.py:349 -+#: src/config/SSSDConfig/sssdoptions.py:351 -+msgid "Enables using of subdomains realms for authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:352 - msgid "A mapping from user names to Kerberos principal names" - msgstr "ユーザー名から Kerberos プリンシパル名までのマッピング" - --#: src/config/SSSDConfig/sssdoptions.py:352 --#: src/config/SSSDConfig/sssdoptions.py:353 -+#: src/config/SSSDConfig/sssdoptions.py:355 -+#: src/config/SSSDConfig/sssdoptions.py:356 - msgid "Server where the change password service is running if not on the KDC" - msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー" - --#: src/config/SSSDConfig/sssdoptions.py:356 -+#: src/config/SSSDConfig/sssdoptions.py:359 - msgid "ldap_uri, The URI of the LDAP server" - msgstr "ldap_uri, LDAP サーバーの URI" - --#: src/config/SSSDConfig/sssdoptions.py:357 -+#: 
src/config/SSSDConfig/sssdoptions.py:360 - msgid "ldap_backup_uri, The URI of the LDAP server" - msgstr "ldap_backup_uri, LDAP サーバーの URI" - --#: src/config/SSSDConfig/sssdoptions.py:358 -+#: src/config/SSSDConfig/sssdoptions.py:361 - msgid "The default base DN" - msgstr "デフォルトのベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:359 -+#: src/config/SSSDConfig/sssdoptions.py:362 - msgid "The Schema Type in use on the LDAP server, rfc2307" - msgstr "LDAP サーバーにおいて使用中のスキーマ形式、rfc2307" - --#: src/config/SSSDConfig/sssdoptions.py:360 -+#: src/config/SSSDConfig/sssdoptions.py:363 - msgid "Mode used to change user password" - msgstr "ユーザーのパスワードの変更にモードを使用しました" - --#: src/config/SSSDConfig/sssdoptions.py:361 -+#: src/config/SSSDConfig/sssdoptions.py:364 - msgid "The default bind DN" - msgstr "デフォルトのバインド DN" - --#: src/config/SSSDConfig/sssdoptions.py:362 -+#: src/config/SSSDConfig/sssdoptions.py:365 - msgid "The type of the authentication token of the default bind DN" - msgstr "デフォルトのバインド DN の認証トークンの種類" - --#: src/config/SSSDConfig/sssdoptions.py:363 -+#: src/config/SSSDConfig/sssdoptions.py:366 - msgid "The authentication token of the default bind DN" - msgstr "デフォルトのバインド DN の認証トークン" - --#: src/config/SSSDConfig/sssdoptions.py:364 -+#: src/config/SSSDConfig/sssdoptions.py:367 - msgid "Length of time to attempt connection" - msgstr "接続を試行する時間" - --#: src/config/SSSDConfig/sssdoptions.py:365 -+#: src/config/SSSDConfig/sssdoptions.py:368 - msgid "Length of time to attempt synchronous LDAP operations" - msgstr "LDAP 同期操作を試行する時間" - --#: src/config/SSSDConfig/sssdoptions.py:366 -+#: src/config/SSSDConfig/sssdoptions.py:369 - msgid "Length of time between attempts to reconnect while offline" - msgstr "オフラインの間に再接続を試行する時間" - --#: src/config/SSSDConfig/sssdoptions.py:367 -+#: src/config/SSSDConfig/sssdoptions.py:370 - msgid "Use only the upper case for realm names" - msgstr "レルム名に対して大文字のみを使用する" - --#: src/config/SSSDConfig/sssdoptions.py:368 -+#: 
src/config/SSSDConfig/sssdoptions.py:371 - msgid "File that contains CA certificates" - msgstr "CA 証明書を含むファイル" - --#: src/config/SSSDConfig/sssdoptions.py:369 -+#: src/config/SSSDConfig/sssdoptions.py:372 - msgid "Path to CA certificate directory" - msgstr "CA 証明書のディレクトリーのパス" - --#: src/config/SSSDConfig/sssdoptions.py:370 -+#: src/config/SSSDConfig/sssdoptions.py:373 - msgid "File that contains the client certificate" - msgstr "クライアント証明書を含むファイル" - --#: src/config/SSSDConfig/sssdoptions.py:371 -+#: src/config/SSSDConfig/sssdoptions.py:374 - msgid "File that contains the client key" - msgstr "クライアントの鍵を含むファイル" - --#: src/config/SSSDConfig/sssdoptions.py:372 -+#: src/config/SSSDConfig/sssdoptions.py:375 - msgid "List of possible ciphers suites" - msgstr "利用可能な暗号の一覧" - --#: src/config/SSSDConfig/sssdoptions.py:373 -+#: src/config/SSSDConfig/sssdoptions.py:376 - msgid "Require TLS certificate verification" - msgstr "TLS 証明書の検証を要求する" - --#: src/config/SSSDConfig/sssdoptions.py:374 -+#: src/config/SSSDConfig/sssdoptions.py:377 - msgid "Specify the sasl mechanism to use" - msgstr "使用する SASL メカニズムを指定する" - --#: src/config/SSSDConfig/sssdoptions.py:375 -+#: src/config/SSSDConfig/sssdoptions.py:378 - msgid "Specify the sasl authorization id to use" - msgstr "使用する SASL 認可 ID を指定する" - --#: src/config/SSSDConfig/sssdoptions.py:376 -+#: src/config/SSSDConfig/sssdoptions.py:379 - msgid "Specify the sasl authorization realm to use" - msgstr "使用する SASL 認可レルムを指定する" - --#: src/config/SSSDConfig/sssdoptions.py:377 -+#: src/config/SSSDConfig/sssdoptions.py:380 - msgid "Specify the minimal SSF for LDAP sasl authorization" - msgstr "LDAP SASL 認可の最小 SSF を指定する" - --#: src/config/SSSDConfig/sssdoptions.py:378 -+#: src/config/SSSDConfig/sssdoptions.py:381 - msgid "Specify the maximal SSF for LDAP sasl authorization" - msgstr "LDAP SASL 認可の最大 SSF を指定する" - --#: src/config/SSSDConfig/sssdoptions.py:379 -+#: src/config/SSSDConfig/sssdoptions.py:382 - msgid "Kerberos service keytab" - msgstr 
"Kerberos サービスのキーテーブル" - --#: src/config/SSSDConfig/sssdoptions.py:380 -+#: src/config/SSSDConfig/sssdoptions.py:383 - msgid "Use Kerberos auth for LDAP connection" - msgstr "LDAP 接続に対して Kerberos 認証を使用する" - --#: src/config/SSSDConfig/sssdoptions.py:381 -+#: src/config/SSSDConfig/sssdoptions.py:384 - msgid "Follow LDAP referrals" - msgstr "LDAP リフェラルにしたがう" - --#: src/config/SSSDConfig/sssdoptions.py:382 -+#: src/config/SSSDConfig/sssdoptions.py:385 - msgid "Lifetime of TGT for LDAP connection" - msgstr "LDAP 接続の TGT の有効期間" - --#: src/config/SSSDConfig/sssdoptions.py:383 -+#: src/config/SSSDConfig/sssdoptions.py:386 - msgid "How to dereference aliases" - msgstr "エイリアスを参照解決する方法" - --#: src/config/SSSDConfig/sssdoptions.py:384 -+#: src/config/SSSDConfig/sssdoptions.py:387 - msgid "Service name for DNS service lookups" - msgstr "DNS サービス検索のサービス名" - --#: src/config/SSSDConfig/sssdoptions.py:385 -+#: src/config/SSSDConfig/sssdoptions.py:388 - msgid "The number of records to retrieve in a single LDAP query" - msgstr "単一の LDAP クエリーにおいて取得するレコード数" - --#: src/config/SSSDConfig/sssdoptions.py:386 -+#: src/config/SSSDConfig/sssdoptions.py:389 - msgid "The number of members that must be missing to trigger a full deref" - msgstr "完全な参照解決を引き起こすために欠けている必要があるメンバーの数" - --#: src/config/SSSDConfig/sssdoptions.py:387 -+#: src/config/SSSDConfig/sssdoptions.py:390 - msgid "" - "Whether the LDAP library should perform a reverse lookup to canonicalize the " - "host name during a SASL bind" -@@ -1313,7 +1325,7 @@ msgstr "" - "LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行す" - "るかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:389 -+#: src/config/SSSDConfig/sssdoptions.py:392 - msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." 
-@@ -1321,412 +1333,412 @@ msgstr "" - "RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカル" - "ユーザーを保持することができます。" - --#: src/config/SSSDConfig/sssdoptions.py:392 -+#: src/config/SSSDConfig/sssdoptions.py:395 - msgid "entryUSN attribute" - msgstr "entryUSN 属性" - --#: src/config/SSSDConfig/sssdoptions.py:393 -+#: src/config/SSSDConfig/sssdoptions.py:396 - msgid "lastUSN attribute" - msgstr "lastUSN 属性" - --#: src/config/SSSDConfig/sssdoptions.py:395 -+#: src/config/SSSDConfig/sssdoptions.py:398 - msgid "How long to retain a connection to the LDAP server before disconnecting" - msgstr "LDAP サーバーを切断する前に接続を保持する時間" - --#: src/config/SSSDConfig/sssdoptions.py:398 -+#: src/config/SSSDConfig/sssdoptions.py:401 - msgid "Disable the LDAP paging control" - msgstr "LDAP ページング制御を無効化する" - --#: src/config/SSSDConfig/sssdoptions.py:399 -+#: src/config/SSSDConfig/sssdoptions.py:402 - msgid "Disable Active Directory range retrieval" - msgstr "Active Directory 範囲の取得の無効化" - --#: src/config/SSSDConfig/sssdoptions.py:402 -+#: src/config/SSSDConfig/sssdoptions.py:405 - msgid "Length of time to wait for a search request" - msgstr "検索要求を待つ時間" - --#: src/config/SSSDConfig/sssdoptions.py:403 -+#: src/config/SSSDConfig/sssdoptions.py:406 - msgid "Length of time to wait for a enumeration request" - msgstr "列挙の要求を待つ時間" - --#: src/config/SSSDConfig/sssdoptions.py:404 -+#: src/config/SSSDConfig/sssdoptions.py:407 - msgid "Length of time between enumeration updates" - msgstr "列挙の更新間隔" - --#: src/config/SSSDConfig/sssdoptions.py:405 -+#: src/config/SSSDConfig/sssdoptions.py:408 - msgid "Length of time between cache cleanups" - msgstr "キャッシュをクリーンアップする間隔" - --#: src/config/SSSDConfig/sssdoptions.py:406 -+#: src/config/SSSDConfig/sssdoptions.py:409 - msgid "Require TLS for ID lookups" - msgstr "ID 検索に TLS を要求する" - --#: src/config/SSSDConfig/sssdoptions.py:407 -+#: src/config/SSSDConfig/sssdoptions.py:410 - msgid "Use ID-mapping of objectSID instead of pre-set IDs" - msgstr "事前設定済み ID の代わりに objectSID の ID 
マッピングを使用します" - --#: src/config/SSSDConfig/sssdoptions.py:408 -+#: src/config/SSSDConfig/sssdoptions.py:411 - msgid "Base DN for user lookups" - msgstr "ユーザー検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:409 -+#: src/config/SSSDConfig/sssdoptions.py:412 - msgid "Scope of user lookups" - msgstr "ユーザー検索の範囲" - --#: src/config/SSSDConfig/sssdoptions.py:410 -+#: src/config/SSSDConfig/sssdoptions.py:413 - msgid "Filter for user lookups" - msgstr "ユーザー検索のフィルター" - --#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:414 - msgid "Objectclass for users" - msgstr "ユーザーのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:412 -+#: src/config/SSSDConfig/sssdoptions.py:415 - msgid "Username attribute" - msgstr "ユーザー名の属性" - --#: src/config/SSSDConfig/sssdoptions.py:413 -+#: src/config/SSSDConfig/sssdoptions.py:416 - msgid "UID attribute" - msgstr "UID の属性" - --#: src/config/SSSDConfig/sssdoptions.py:414 -+#: src/config/SSSDConfig/sssdoptions.py:417 - msgid "Primary GID attribute" - msgstr "プライマリー GID の属性" - --#: src/config/SSSDConfig/sssdoptions.py:415 -+#: src/config/SSSDConfig/sssdoptions.py:418 - msgid "GECOS attribute" - msgstr "GECOS の属性" - --#: src/config/SSSDConfig/sssdoptions.py:416 -+#: src/config/SSSDConfig/sssdoptions.py:419 - msgid "Home directory attribute" - msgstr "ホームディレクトリーの属性" - --#: src/config/SSSDConfig/sssdoptions.py:417 -+#: src/config/SSSDConfig/sssdoptions.py:420 - msgid "Shell attribute" - msgstr "シェルの属性" - --#: src/config/SSSDConfig/sssdoptions.py:418 -+#: src/config/SSSDConfig/sssdoptions.py:421 - msgid "UUID attribute" - msgstr "UUID 属性" - --#: src/config/SSSDConfig/sssdoptions.py:419 --#: src/config/SSSDConfig/sssdoptions.py:457 -+#: src/config/SSSDConfig/sssdoptions.py:422 -+#: src/config/SSSDConfig/sssdoptions.py:460 - msgid "objectSID attribute" - msgstr "objectSID 属性" - --#: src/config/SSSDConfig/sssdoptions.py:420 -+#: src/config/SSSDConfig/sssdoptions.py:423 - msgid "Active Directory primary group 
attribute for ID-mapping" - msgstr "ID マッピングの Active Directory プライマリーグループ属性" - --#: src/config/SSSDConfig/sssdoptions.py:421 -+#: src/config/SSSDConfig/sssdoptions.py:424 - msgid "User principal attribute (for Kerberos)" - msgstr "ユーザープリンシパルの属性(Kerberos 用)" - --#: src/config/SSSDConfig/sssdoptions.py:422 -+#: src/config/SSSDConfig/sssdoptions.py:425 - msgid "Full Name" - msgstr "氏名" - --#: src/config/SSSDConfig/sssdoptions.py:423 -+#: src/config/SSSDConfig/sssdoptions.py:426 - msgid "memberOf attribute" - msgstr "memberOf 属性" - --#: src/config/SSSDConfig/sssdoptions.py:424 -+#: src/config/SSSDConfig/sssdoptions.py:427 - msgid "Modification time attribute" - msgstr "変更日時の属性" - --#: src/config/SSSDConfig/sssdoptions.py:425 -+#: src/config/SSSDConfig/sssdoptions.py:428 - msgid "shadowLastChange attribute" - msgstr "shadowLastChange 属性" - --#: src/config/SSSDConfig/sssdoptions.py:426 -+#: src/config/SSSDConfig/sssdoptions.py:429 - msgid "shadowMin attribute" - msgstr "shadowMin 属性" - --#: src/config/SSSDConfig/sssdoptions.py:427 -+#: src/config/SSSDConfig/sssdoptions.py:430 - msgid "shadowMax attribute" - msgstr "shadowMax 属性" - --#: src/config/SSSDConfig/sssdoptions.py:428 -+#: src/config/SSSDConfig/sssdoptions.py:431 - msgid "shadowWarning attribute" - msgstr "shadowWarning 属性" - --#: src/config/SSSDConfig/sssdoptions.py:429 -+#: src/config/SSSDConfig/sssdoptions.py:432 - msgid "shadowInactive attribute" - msgstr "shadowInactive 属性" - --#: src/config/SSSDConfig/sssdoptions.py:430 -+#: src/config/SSSDConfig/sssdoptions.py:433 - msgid "shadowExpire attribute" - msgstr "shadowExpire 属性" - --#: src/config/SSSDConfig/sssdoptions.py:431 -+#: src/config/SSSDConfig/sssdoptions.py:434 - msgid "shadowFlag attribute" - msgstr "shadowFlag 属性" - --#: src/config/SSSDConfig/sssdoptions.py:432 -+#: src/config/SSSDConfig/sssdoptions.py:435 - msgid "Attribute listing authorized PAM services" - msgstr "認可された PAM サービスを一覧化する属性" - --#: src/config/SSSDConfig/sssdoptions.py:433 -+#: 
src/config/SSSDConfig/sssdoptions.py:436 - msgid "Attribute listing authorized server hosts" - msgstr "認可されたサーバーホストを一覧化する属性" - --#: src/config/SSSDConfig/sssdoptions.py:434 -+#: src/config/SSSDConfig/sssdoptions.py:437 - msgid "Attribute listing authorized server rhosts" - msgstr "認可されたサーバー rhosts を一覧化する属性" - --#: src/config/SSSDConfig/sssdoptions.py:435 -+#: src/config/SSSDConfig/sssdoptions.py:438 - msgid "krbLastPwdChange attribute" - msgstr "krbLastPwdChange 属性" - --#: src/config/SSSDConfig/sssdoptions.py:436 -+#: src/config/SSSDConfig/sssdoptions.py:439 - msgid "krbPasswordExpiration attribute" - msgstr "krbPasswordExpiration 属性" - --#: src/config/SSSDConfig/sssdoptions.py:437 -+#: src/config/SSSDConfig/sssdoptions.py:440 - msgid "Attribute indicating that server side password policies are active" - msgstr "サーバー側パスワードポリシーが有効であることを意味する属性" - --#: src/config/SSSDConfig/sssdoptions.py:438 -+#: src/config/SSSDConfig/sssdoptions.py:441 - msgid "accountExpires attribute of AD" - msgstr "AD の accountExpires 属性" - --#: src/config/SSSDConfig/sssdoptions.py:439 -+#: src/config/SSSDConfig/sssdoptions.py:442 - msgid "userAccountControl attribute of AD" - msgstr "AD の userAccountControl 属性" - --#: src/config/SSSDConfig/sssdoptions.py:440 -+#: src/config/SSSDConfig/sssdoptions.py:443 - msgid "nsAccountLock attribute" - msgstr "nsAccountLock 属性" - --#: src/config/SSSDConfig/sssdoptions.py:441 -+#: src/config/SSSDConfig/sssdoptions.py:444 - msgid "loginDisabled attribute of NDS" - msgstr "NDS の loginDisabled 属性" - --#: src/config/SSSDConfig/sssdoptions.py:442 -+#: src/config/SSSDConfig/sssdoptions.py:445 - msgid "loginExpirationTime attribute of NDS" - msgstr "NDS の loginExpirationTime 属性" - --#: src/config/SSSDConfig/sssdoptions.py:443 -+#: src/config/SSSDConfig/sssdoptions.py:446 - msgid "loginAllowedTimeMap attribute of NDS" - msgstr "NDS の loginAllowedTimeMap 属性" - --#: src/config/SSSDConfig/sssdoptions.py:444 -+#: src/config/SSSDConfig/sssdoptions.py:447 - msgid "SSH 
public key attribute" - msgstr "SSH 公開鍵の属性" - --#: src/config/SSSDConfig/sssdoptions.py:445 -+#: src/config/SSSDConfig/sssdoptions.py:448 - msgid "attribute listing allowed authentication types for a user" - msgstr "ユーザー用に許可された認証タイプを一覧化する属性" - --#: src/config/SSSDConfig/sssdoptions.py:446 -+#: src/config/SSSDConfig/sssdoptions.py:449 - msgid "attribute containing the X509 certificate of the user" - msgstr "ユーザーの X509 証明書を含む属性" - --#: src/config/SSSDConfig/sssdoptions.py:447 -+#: src/config/SSSDConfig/sssdoptions.py:450 - msgid "attribute containing the email address of the user" - msgstr "ユーザーの電子メールアドレスを含む属性" - --#: src/config/SSSDConfig/sssdoptions.py:448 -+#: src/config/SSSDConfig/sssdoptions.py:451 - msgid "A list of extra attributes to download along with the user entry" - msgstr "ユーザーエントリーと共にダウンロードする追加的な属性の一覧" - --#: src/config/SSSDConfig/sssdoptions.py:450 -+#: src/config/SSSDConfig/sssdoptions.py:453 - msgid "Base DN for group lookups" - msgstr "グループ検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:451 -+#: src/config/SSSDConfig/sssdoptions.py:454 - msgid "Objectclass for groups" - msgstr "グループのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:452 -+#: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Group name" - msgstr "グループ名" - --#: src/config/SSSDConfig/sssdoptions.py:453 -+#: src/config/SSSDConfig/sssdoptions.py:456 - msgid "Group password" - msgstr "グループのパスワード" - --#: src/config/SSSDConfig/sssdoptions.py:454 -+#: src/config/SSSDConfig/sssdoptions.py:457 - msgid "GID attribute" - msgstr "GID 属性" - --#: src/config/SSSDConfig/sssdoptions.py:455 -+#: src/config/SSSDConfig/sssdoptions.py:458 - msgid "Group member attribute" - msgstr "グループメンバー属性" - --#: src/config/SSSDConfig/sssdoptions.py:456 -+#: src/config/SSSDConfig/sssdoptions.py:459 - msgid "Group UUID attribute" - msgstr "グループ UUID 属性" - --#: src/config/SSSDConfig/sssdoptions.py:458 -+#: src/config/SSSDConfig/sssdoptions.py:461 - msgid "Modification time attribute for groups" - msgstr 
"グループの変更日時の属性" - --#: src/config/SSSDConfig/sssdoptions.py:459 -+#: src/config/SSSDConfig/sssdoptions.py:462 - msgid "Type of the group and other flags" - msgstr "グループおよび他のフラグのタイプ" - --#: src/config/SSSDConfig/sssdoptions.py:460 -+#: src/config/SSSDConfig/sssdoptions.py:463 - msgid "The LDAP group external member attribute" - msgstr "LDAP グループの外部メンバーの属性" - --#: src/config/SSSDConfig/sssdoptions.py:461 -+#: src/config/SSSDConfig/sssdoptions.py:464 - msgid "Maximum nesting level SSSD will follow" - msgstr "SSSD が従う最大ネストレベル" - --#: src/config/SSSDConfig/sssdoptions.py:462 -+#: src/config/SSSDConfig/sssdoptions.py:465 - msgid "Filter for group lookups" - msgstr "グループ検索のフィルター" - --#: src/config/SSSDConfig/sssdoptions.py:463 -+#: src/config/SSSDConfig/sssdoptions.py:466 - msgid "Scope of group lookups" - msgstr "グループ検索の範囲" - --#: src/config/SSSDConfig/sssdoptions.py:465 -+#: src/config/SSSDConfig/sssdoptions.py:468 - msgid "Base DN for netgroup lookups" - msgstr "ネットグループ検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:466 -+#: src/config/SSSDConfig/sssdoptions.py:469 - msgid "Objectclass for netgroups" - msgstr "ネットグループのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:467 -+#: src/config/SSSDConfig/sssdoptions.py:470 - msgid "Netgroup name" - msgstr "ネットグループ名" - --#: src/config/SSSDConfig/sssdoptions.py:468 -+#: src/config/SSSDConfig/sssdoptions.py:471 - msgid "Netgroups members attribute" - msgstr "ネットグループメンバーの属性" - --#: src/config/SSSDConfig/sssdoptions.py:469 -+#: src/config/SSSDConfig/sssdoptions.py:472 - msgid "Netgroup triple attribute" - msgstr "ネットグループの三つ組の属性" - --#: src/config/SSSDConfig/sssdoptions.py:470 -+#: src/config/SSSDConfig/sssdoptions.py:473 - msgid "Modification time attribute for netgroups" - msgstr "ネットグループの変更日時の属性" - --#: src/config/SSSDConfig/sssdoptions.py:472 -+#: src/config/SSSDConfig/sssdoptions.py:475 - msgid "Base DN for service lookups" - msgstr "サービス検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:473 -+#: 
src/config/SSSDConfig/sssdoptions.py:476 - msgid "Objectclass for services" - msgstr "サービスのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:474 -+#: src/config/SSSDConfig/sssdoptions.py:477 - msgid "Service name attribute" - msgstr "サービス名の属性" - --#: src/config/SSSDConfig/sssdoptions.py:475 -+#: src/config/SSSDConfig/sssdoptions.py:478 - msgid "Service port attribute" - msgstr "サービスポートの属性" - --#: src/config/SSSDConfig/sssdoptions.py:476 -+#: src/config/SSSDConfig/sssdoptions.py:479 - msgid "Service protocol attribute" - msgstr "サービスプロトコルの属性" - --#: src/config/SSSDConfig/sssdoptions.py:478 -+#: src/config/SSSDConfig/sssdoptions.py:481 - msgid "Lower bound for ID-mapping" - msgstr "ID マッピングの下限" - --#: src/config/SSSDConfig/sssdoptions.py:479 -+#: src/config/SSSDConfig/sssdoptions.py:482 - msgid "Upper bound for ID-mapping" - msgstr "ID マッピングの上限" - --#: src/config/SSSDConfig/sssdoptions.py:480 -+#: src/config/SSSDConfig/sssdoptions.py:483 - msgid "Number of IDs for each slice when ID-mapping" - msgstr "ID マッピングするとき、各スライスに対する ID の数" - --#: src/config/SSSDConfig/sssdoptions.py:481 -+#: src/config/SSSDConfig/sssdoptions.py:484 - msgid "Use autorid-compatible algorithm for ID-mapping" - msgstr "ID マッピングに対する autorid 互換アルゴリズムを使用します" - --#: src/config/SSSDConfig/sssdoptions.py:482 -+#: src/config/SSSDConfig/sssdoptions.py:485 - msgid "Name of the default domain for ID-mapping" - msgstr "ID マッピングに対するデフォルトドメインの名前" - --#: src/config/SSSDConfig/sssdoptions.py:483 -+#: src/config/SSSDConfig/sssdoptions.py:486 - msgid "SID of the default domain for ID-mapping" - msgstr "ID マッピングに対するデフォルトドメインの SID" - --#: src/config/SSSDConfig/sssdoptions.py:484 -+#: src/config/SSSDConfig/sssdoptions.py:487 - msgid "Number of secondary slices" - msgstr "セカンダリースライスの数" - --#: src/config/SSSDConfig/sssdoptions.py:486 -+#: src/config/SSSDConfig/sssdoptions.py:489 - msgid "Whether to use Token-Groups" - msgstr "Token-Group を使うかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:487 -+#: 
src/config/SSSDConfig/sssdoptions.py:490 - msgid "Set lower boundary for allowed IDs from the LDAP server" - msgstr "LDAP サーバーから許可される ID の下限の設定" - --#: src/config/SSSDConfig/sssdoptions.py:488 -+#: src/config/SSSDConfig/sssdoptions.py:491 - msgid "Set upper boundary for allowed IDs from the LDAP server" - msgstr "LDAP サーバーから許可される ID の上限の設定" - --#: src/config/SSSDConfig/sssdoptions.py:489 -+#: src/config/SSSDConfig/sssdoptions.py:492 - msgid "DN for ppolicy queries" - msgstr "ppolicy クエリーの DN" - --#: src/config/SSSDConfig/sssdoptions.py:490 -+#: src/config/SSSDConfig/sssdoptions.py:493 - msgid "How many maximum entries to fetch during a wildcard request" - msgstr "ワイルドカードの要求の間に取得する最大エントリーの数" - --#: src/config/SSSDConfig/sssdoptions.py:491 -+#: src/config/SSSDConfig/sssdoptions.py:494 - msgid "Set libldap debug level" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:494 -+#: src/config/SSSDConfig/sssdoptions.py:497 - msgid "Policy to evaluate the password expiration" - msgstr "パスワード失効の評価のポリシー" - --#: src/config/SSSDConfig/sssdoptions.py:498 -+#: src/config/SSSDConfig/sssdoptions.py:501 - msgid "Which attributes shall be used to evaluate if an account is expired" - msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか" - --#: src/config/SSSDConfig/sssdoptions.py:499 -+#: src/config/SSSDConfig/sssdoptions.py:502 - msgid "Which rules should be used to evaluate access control" - msgstr "どのルールがアクセス制御を評価するために使用されるか" - --#: src/config/SSSDConfig/sssdoptions.py:502 -+#: src/config/SSSDConfig/sssdoptions.py:505 - msgid "URI of an LDAP server where password changes are allowed" - msgstr "パスワードの変更が許可される LDAP サーバーの URI" - --#: src/config/SSSDConfig/sssdoptions.py:503 -+#: src/config/SSSDConfig/sssdoptions.py:506 - msgid "URI of a backup LDAP server where password changes are allowed" - msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI" - --#: src/config/SSSDConfig/sssdoptions.py:504 -+#: src/config/SSSDConfig/sssdoptions.py:507 - msgid "DNS service name for LDAP password change server" - 
msgstr "LDAP パスワードの変更サーバーの DNS サービス名" - --#: src/config/SSSDConfig/sssdoptions.py:505 -+#: src/config/SSSDConfig/sssdoptions.py:508 - msgid "" - "Whether to update the ldap_user_shadow_last_change attribute after a " - "password change" - msgstr "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:509 -+#: src/config/SSSDConfig/sssdoptions.py:512 - msgid "Base DN for sudo rules lookups" - msgstr "sudo ルール検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:510 -+#: src/config/SSSDConfig/sssdoptions.py:513 - msgid "Automatic full refresh period" - msgstr "自動的な完全更新間隔" - --#: src/config/SSSDConfig/sssdoptions.py:511 -+#: src/config/SSSDConfig/sssdoptions.py:514 - msgid "Automatic smart refresh period" - msgstr "自動的なスマート更新間隔" - --#: src/config/SSSDConfig/sssdoptions.py:512 -+#: src/config/SSSDConfig/sssdoptions.py:515 - msgid "Whether to filter rules by hostname, IP addresses and network" - msgstr "" - "ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどう" - "か" - --#: src/config/SSSDConfig/sssdoptions.py:513 -+#: src/config/SSSDConfig/sssdoptions.py:516 - msgid "" - "Hostnames and/or fully qualified domain names of this machine to filter sudo " - "rules" -@@ -1734,150 +1746,150 @@ msgstr "" - "sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン" - "名" - --#: src/config/SSSDConfig/sssdoptions.py:514 -+#: src/config/SSSDConfig/sssdoptions.py:517 - msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" - msgstr "" - "sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネット" - "ワーク" - --#: src/config/SSSDConfig/sssdoptions.py:515 -+#: src/config/SSSDConfig/sssdoptions.py:518 - msgid "Whether to include rules that contains netgroup in host attribute" - msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:516 -+#: src/config/SSSDConfig/sssdoptions.py:519 - msgid "" - "Whether to include rules that contains regular expression in host attribute" - msgstr "ホスト属性に正規表現を含むルールを含めるかどうか" - --#: 
src/config/SSSDConfig/sssdoptions.py:517 -+#: src/config/SSSDConfig/sssdoptions.py:520 - msgid "Object class for sudo rules" - msgstr "sudo ルールのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:518 -+#: src/config/SSSDConfig/sssdoptions.py:521 - msgid "Name of attribute that is used as object class for sudo rules" - msgstr "sudo ルールのオブジェクトクラスとして使用される属性の名前" - --#: src/config/SSSDConfig/sssdoptions.py:519 -+#: src/config/SSSDConfig/sssdoptions.py:522 - msgid "Sudo rule name" - msgstr "sudo ルール名" - --#: src/config/SSSDConfig/sssdoptions.py:520 -+#: src/config/SSSDConfig/sssdoptions.py:523 - msgid "Sudo rule command attribute" - msgstr "sudo ルールのコマンドの属性" - --#: src/config/SSSDConfig/sssdoptions.py:521 -+#: src/config/SSSDConfig/sssdoptions.py:524 - msgid "Sudo rule host attribute" - msgstr "sudo ルールのホストの属性" - --#: src/config/SSSDConfig/sssdoptions.py:522 -+#: src/config/SSSDConfig/sssdoptions.py:525 - msgid "Sudo rule user attribute" - msgstr "sudo ルールのユーザーの属性" - --#: src/config/SSSDConfig/sssdoptions.py:523 -+#: src/config/SSSDConfig/sssdoptions.py:526 - msgid "Sudo rule option attribute" - msgstr "sudo ルールのオプションの属性" - --#: src/config/SSSDConfig/sssdoptions.py:524 -+#: src/config/SSSDConfig/sssdoptions.py:527 - msgid "Sudo rule runas attribute" - msgstr "sudo ルールの runas の属性" - --#: src/config/SSSDConfig/sssdoptions.py:525 -+#: src/config/SSSDConfig/sssdoptions.py:528 - msgid "Sudo rule runasuser attribute" - msgstr "sudo ルールの runasuser の属性" - --#: src/config/SSSDConfig/sssdoptions.py:526 -+#: src/config/SSSDConfig/sssdoptions.py:529 - msgid "Sudo rule runasgroup attribute" - msgstr "sudo ルールの runasgroup の属性" - --#: src/config/SSSDConfig/sssdoptions.py:527 -+#: src/config/SSSDConfig/sssdoptions.py:530 - msgid "Sudo rule notbefore attribute" - msgstr "sudo ルールの notbefore の属性" - --#: src/config/SSSDConfig/sssdoptions.py:528 -+#: src/config/SSSDConfig/sssdoptions.py:531 - msgid "Sudo rule notafter attribute" - msgstr "sudo ルールの notafter の属性" - --#: 
src/config/SSSDConfig/sssdoptions.py:529 -+#: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Sudo rule order attribute" - msgstr "sudo ルールの order の属性" - --#: src/config/SSSDConfig/sssdoptions.py:532 -+#: src/config/SSSDConfig/sssdoptions.py:535 - msgid "Object class for automounter maps" - msgstr "automounter マップのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:533 -+#: src/config/SSSDConfig/sssdoptions.py:536 - msgid "Automounter map name attribute" - msgstr "オートマウントのマップ名の属性" - --#: src/config/SSSDConfig/sssdoptions.py:534 -+#: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Object class for automounter map entries" - msgstr "automounter マップエントリーのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:535 -+#: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Automounter map entry key attribute" - msgstr "automounter マップエントリーの鍵属性" - --#: src/config/SSSDConfig/sssdoptions.py:536 -+#: src/config/SSSDConfig/sssdoptions.py:539 - msgid "Automounter map entry value attribute" - msgstr "automounter マップエントリーの値属性" - --#: src/config/SSSDConfig/sssdoptions.py:537 -+#: src/config/SSSDConfig/sssdoptions.py:540 - msgid "Base DN for automounter map lookups" - msgstr "automonter のマップ検索のベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:538 -+#: src/config/SSSDConfig/sssdoptions.py:541 - msgid "The name of the automount master map in LDAP." 
- msgstr "LDAP のオートマウントマスターマップの名前。" - --#: src/config/SSSDConfig/sssdoptions.py:541 -+#: src/config/SSSDConfig/sssdoptions.py:544 - msgid "Base DN for IP hosts lookups" - msgstr "IP ホストのルックアップのためのベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:542 -+#: src/config/SSSDConfig/sssdoptions.py:545 - msgid "Object class for IP hosts" - msgstr "IP ホストのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:543 -+#: src/config/SSSDConfig/sssdoptions.py:546 - msgid "IP host name attribute" - msgstr "IP ホスト名属性" - --#: src/config/SSSDConfig/sssdoptions.py:544 -+#: src/config/SSSDConfig/sssdoptions.py:547 - msgid "IP host number (address) attribute" - msgstr "IP ホスト番号 (アドレス) 属性" - --#: src/config/SSSDConfig/sssdoptions.py:545 -+#: src/config/SSSDConfig/sssdoptions.py:548 - msgid "IP host entryUSN attribute" - msgstr "IP ホストエントリー USN 属性" - --#: src/config/SSSDConfig/sssdoptions.py:546 -+#: src/config/SSSDConfig/sssdoptions.py:549 - msgid "Base DN for IP networks lookups" - msgstr "IP ネットワーク検索のためのベース DN" - --#: src/config/SSSDConfig/sssdoptions.py:547 -+#: src/config/SSSDConfig/sssdoptions.py:550 - msgid "Object class for IP networks" - msgstr "IP ネットワークのオブジェクトクラス" - --#: src/config/SSSDConfig/sssdoptions.py:548 -+#: src/config/SSSDConfig/sssdoptions.py:551 - msgid "IP network name attribute" - msgstr "IP ネットワーク名属性" - --#: src/config/SSSDConfig/sssdoptions.py:549 -+#: src/config/SSSDConfig/sssdoptions.py:552 - msgid "IP network number (address) attribute" - msgstr "IP ネットワーク番号 (アドレス) 属性" - --#: src/config/SSSDConfig/sssdoptions.py:550 -+#: src/config/SSSDConfig/sssdoptions.py:553 - msgid "IP network entryUSN attribute" - msgstr "IP ネットワークエントリー USN 属性" - --#: src/config/SSSDConfig/sssdoptions.py:553 -+#: src/config/SSSDConfig/sssdoptions.py:556 - msgid "Comma separated list of allowed users" - msgstr "許可ユーザーのカンマ区切り一覧" - --#: src/config/SSSDConfig/sssdoptions.py:554 -+#: src/config/SSSDConfig/sssdoptions.py:557 - msgid "Comma separated list of prohibited users" - msgstr 
"禁止ユーザーのカンマ区切り一覧" - --#: src/config/SSSDConfig/sssdoptions.py:555 -+#: src/config/SSSDConfig/sssdoptions.py:558 - msgid "" - "Comma separated list of groups that are allowed to log in. This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." -@@ -1885,7 +1897,7 @@ msgstr "" - "Comma separated list of groups that are allowed to log in. This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." - --#: src/config/SSSDConfig/sssdoptions.py:557 -+#: src/config/SSSDConfig/sssdoptions.py:560 - msgid "" - "Comma separated list of groups that are explicitly denied access. This " - "applies only to groups within this SSSD domain. Local groups are not " -@@ -1895,186 +1907,186 @@ msgstr "" - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." - --#: src/config/SSSDConfig/sssdoptions.py:561 -+#: src/config/SSSDConfig/sssdoptions.py:564 - msgid "Base for home directories" - msgstr "ホームディレクトリーのベース" - --#: src/config/SSSDConfig/sssdoptions.py:562 -+#: src/config/SSSDConfig/sssdoptions.py:565 - msgid "Indicate if a home directory should be created for new users." - msgstr "" - "新しいユーザーのためにホームディレクトリーを作成するかどうかを示します。" - --#: src/config/SSSDConfig/sssdoptions.py:563 -+#: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Indicate if a home directory should be removed for deleted users." - msgstr "削除されたユーザーのホームディレクトリーを削除するかどうかを示します。" - --#: src/config/SSSDConfig/sssdoptions.py:564 -+#: src/config/SSSDConfig/sssdoptions.py:567 - msgid "Specify the default permissions on a newly created home directory." - msgstr "" - "新しく作成したホームディレクトリーのデフォルトのパーミッションを指定します。" - --#: src/config/SSSDConfig/sssdoptions.py:565 -+#: src/config/SSSDConfig/sssdoptions.py:568 - msgid "The skeleton directory." - msgstr "スケルトンディレクトリー。" - --#: src/config/SSSDConfig/sssdoptions.py:566 -+#: src/config/SSSDConfig/sssdoptions.py:569 - msgid "The mail spool directory." 
- msgstr "メールスプールディレクトリー。" - --#: src/config/SSSDConfig/sssdoptions.py:567 -+#: src/config/SSSDConfig/sssdoptions.py:570 - msgid "The command that is run after a user is removed." - msgstr "ユーザーが削除された後に実行されるコマンド。" - --#: src/config/SSSDConfig/sssdoptions.py:570 -+#: src/config/SSSDConfig/sssdoptions.py:573 - msgid "The number of preforked proxy children." - msgstr "事前にフォークされた子プロキシーの数。" - --#: src/config/SSSDConfig/sssdoptions.py:573 -+#: src/config/SSSDConfig/sssdoptions.py:576 - msgid "The name of the NSS library to use" - msgstr "使用する NSS ライブラリーの名前" - --#: src/config/SSSDConfig/sssdoptions.py:574 -+#: src/config/SSSDConfig/sssdoptions.py:577 - msgid "The name of the NSS library to use for hosts and networks lookups" - msgstr "ホストやネットワークの検索に使用する NSS ライブラリの名前" - --#: src/config/SSSDConfig/sssdoptions.py:575 -+#: src/config/SSSDConfig/sssdoptions.py:578 - msgid "Whether to look up canonical group name from cache if possible" - msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか" - --#: src/config/SSSDConfig/sssdoptions.py:578 -+#: src/config/SSSDConfig/sssdoptions.py:581 - msgid "PAM stack to use" - msgstr "使用する PAM スタック" - --#: src/config/SSSDConfig/sssdoptions.py:581 -+#: src/config/SSSDConfig/sssdoptions.py:584 - msgid "Path of passwd file sources." - msgstr "passwd ファイルソースへのパス" - --#: src/config/SSSDConfig/sssdoptions.py:582 -+#: src/config/SSSDConfig/sssdoptions.py:585 - msgid "Path of group file sources." 
- msgstr "グループファイルソースへのパス" - --#: src/monitor/monitor.c:2376 -+#: src/monitor/monitor.c:2381 - msgid "Become a daemon (default)" - msgstr "デーモンとして実行(デフォルト)" - --#: src/monitor/monitor.c:2378 -+#: src/monitor/monitor.c:2383 - msgid "Run interactive (not a daemon)" - msgstr "対話的に実行(デーモンではない)" - --#: src/monitor/monitor.c:2381 -+#: src/monitor/monitor.c:2386 - msgid "Disable netlink interface" - msgstr "netlink インターフェースを無効にする" - --#: src/monitor/monitor.c:2383 src/tools/sssctl/sssctl_config.c:77 -+#: src/monitor/monitor.c:2388 src/tools/sssctl/sssctl_config.c:77 - #: src/tools/sssctl/sssctl_logs.c:310 - msgid "Specify a non-default config file" - msgstr "非標準の設定ファイルの指定" - --#: src/monitor/monitor.c:2385 -+#: src/monitor/monitor.c:2390 - msgid "Refresh the configuration database, then exit" - msgstr "設定データベースをリフレッシュし、その後終了します" - --#: src/monitor/monitor.c:2388 -+#: src/monitor/monitor.c:2393 - msgid "Similar to --genconf, but only refreshes the given section" - msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします" - --#: src/monitor/monitor.c:2391 -+#: src/monitor/monitor.c:2396 - msgid "Print version number and exit" - msgstr "バージョン番号を表示して終了する" - --#: src/monitor/monitor.c:2537 -+#: src/monitor/monitor.c:2542 - msgid "SSSD is already running\n" - msgstr "SSSD はすでに実行中です\n" - --#: src/providers/krb5/krb5_child.c:3260 src/providers/ldap/ldap_child.c:638 -+#: src/providers/krb5/krb5_child.c:3274 src/providers/ldap/ldap_child.c:638 - msgid "Debug level" - msgstr "デバッグレベル" - --#: src/providers/krb5/krb5_child.c:3262 src/providers/ldap/ldap_child.c:640 -+#: src/providers/krb5/krb5_child.c:3276 src/providers/ldap/ldap_child.c:640 - msgid "Add debug timestamps" - msgstr "デバッグのタイムスタンプを追加する" - --#: src/providers/krb5/krb5_child.c:3264 src/providers/ldap/ldap_child.c:642 -+#: src/providers/krb5/krb5_child.c:3278 src/providers/ldap/ldap_child.c:642 - msgid "Show timestamps with microseconds" - msgstr "タイムスタンプをミリ秒単位で表示する" - --#: src/providers/krb5/krb5_child.c:3266 
src/providers/ldap/ldap_child.c:644 -+#: src/providers/krb5/krb5_child.c:3280 src/providers/ldap/ldap_child.c:644 - msgid "An open file descriptor for the debug logs" - msgstr "デバッグログのオープンファイルディスクリプター" - --#: src/providers/krb5/krb5_child.c:3269 src/providers/ldap/ldap_child.c:646 -+#: src/providers/krb5/krb5_child.c:3283 src/providers/ldap/ldap_child.c:646 - msgid "Send the debug output to stderr directly." - msgstr "デバッグ出力を stderr に直接送信します。" - --#: src/providers/krb5/krb5_child.c:3272 -+#: src/providers/krb5/krb5_child.c:3286 - msgid "The user to create FAST ccache as" - msgstr "次のように FAST ccache を作成するユーザー" - --#: src/providers/krb5/krb5_child.c:3274 -+#: src/providers/krb5/krb5_child.c:3288 - msgid "The group to create FAST ccache as" - msgstr "次のように FAST ccache を作成するグループ" - --#: src/providers/krb5/krb5_child.c:3276 -+#: src/providers/krb5/krb5_child.c:3290 - msgid "Kerberos realm to use" - msgstr "使用する Kerberos レルム" - --#: src/providers/krb5/krb5_child.c:3278 -+#: src/providers/krb5/krb5_child.c:3292 - msgid "Requested lifetime of the ticket" - msgstr "チケットの要求された有効期間" - --#: src/providers/krb5/krb5_child.c:3280 -+#: src/providers/krb5/krb5_child.c:3294 - msgid "Requested renewable lifetime of the ticket" - msgstr "チケットの要求された更新可能な有効期間" - --#: src/providers/krb5/krb5_child.c:3282 -+#: src/providers/krb5/krb5_child.c:3296 - msgid "FAST options ('never', 'try', 'demand')" - msgstr "FAST のオプション ('never'、'try'、'demand')" - --#: src/providers/krb5/krb5_child.c:3285 -+#: src/providers/krb5/krb5_child.c:3299 - msgid "Specifies the server principal to use for FAST" - msgstr "FAST で使用するサーバープリンシパルを指定します" - --#: src/providers/krb5/krb5_child.c:3287 -+#: src/providers/krb5/krb5_child.c:3301 - msgid "Requests canonicalization of the principal name" - msgstr "プリンシパル名の正規化を要求します" - --#: src/providers/krb5/krb5_child.c:3289 -+#: src/providers/krb5/krb5_child.c:3303 - msgid "Use custom version of krb5_get_init_creds_password" - msgstr "krb5_get_init_creds_password 
のカスタムバージョンを使用します" - --#: src/providers/data_provider_be.c:699 -+#: src/providers/data_provider_be.c:711 - msgid "Domain of the information provider (mandatory)" - msgstr "情報プロバイダーのドメイン (必須)" - --#: src/sss_client/common.c:1079 -+#: src/sss_client/common.c:1088 - msgid "Privileged socket has wrong ownership or permissions." - msgstr "特権ソケットの所有者またはパーミッションが誤っています。" - --#: src/sss_client/common.c:1082 -+#: src/sss_client/common.c:1091 - msgid "Public socket has wrong ownership or permissions." - msgstr "公開ソケットの所有者またはパーミッションが誤っています。" - --#: src/sss_client/common.c:1085 -+#: src/sss_client/common.c:1094 - msgid "Unexpected format of the server credential message." - msgstr "サーバーのクレデンシャルメッセージの予期しない形式です。" - --#: src/sss_client/common.c:1088 -+#: src/sss_client/common.c:1097 - msgid "SSSD is not run by root." - msgstr "SSSD は root により実行されません。" - --#: src/sss_client/common.c:1091 -+#: src/sss_client/common.c:1100 - msgid "SSSD socket does not exist." - msgstr "SSSD ソケットは存在しません。" - --#: src/sss_client/common.c:1094 -+#: src/sss_client/common.c:1103 - msgid "Cannot get stat of SSSD socket." - msgstr "SSSD ソケットの統計を取得できません。" - --#: src/sss_client/common.c:1099 -+#: src/sss_client/common.c:1108 - msgid "An error occurred, but no description can be found." - msgstr "エラーが発生しましたが、説明がありませんでした。" - --#: src/sss_client/common.c:1105 -+#: src/sss_client/common.c:1114 - msgid "Unexpected error while looking for an error description" - msgstr "エラーの説明を検索中に予期しないエラーが発生しました" - -@@ -2082,46 +2094,46 @@ msgstr "エラーの説明を検索中に予期しないエラーが発生しま - msgid "Permission denied. 
" - msgstr "パーミッションが拒否されました。" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 --#: src/sss_client/pam_sss.c:792 -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 -+#: src/sss_client/pam_sss.c:796 - msgid "Server message: " - msgstr "サーバーのメッセージ: " - --#: src/sss_client/pam_sss.c:299 -+#: src/sss_client/pam_sss.c:303 - msgid "Passwords do not match" - msgstr "パスワードが一致しません" - --#: src/sss_client/pam_sss.c:487 -+#: src/sss_client/pam_sss.c:491 - msgid "Password reset by root is not supported." - msgstr "root によるパスワードのリセットはサポートされません。" - --#: src/sss_client/pam_sss.c:528 -+#: src/sss_client/pam_sss.c:532 - msgid "Authenticated with cached credentials" - msgstr "キャッシュされているクレデンシャルを用いて認証されました" - --#: src/sss_client/pam_sss.c:529 -+#: src/sss_client/pam_sss.c:533 - msgid ", your cached password will expire at: " - msgstr "、キャッシュされたパスワードが失効します: " - --#: src/sss_client/pam_sss.c:559 -+#: src/sss_client/pam_sss.c:563 - #, c-format - msgid "Your password has expired. You have %1$d grace login(s) remaining." - msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。" - --#: src/sss_client/pam_sss.c:605 -+#: src/sss_client/pam_sss.c:609 - #, c-format - msgid "Your password will expire in %1$d %2$s." 
- msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" - --#: src/sss_client/pam_sss.c:654 -+#: src/sss_client/pam_sss.c:658 - msgid "Authentication is denied until: " - msgstr "次まで認証が拒否されます: " - --#: src/sss_client/pam_sss.c:675 -+#: src/sss_client/pam_sss.c:679 - msgid "System is offline, password change not possible" - msgstr "システムがオフラインです、パスワード変更ができません" - --#: src/sss_client/pam_sss.c:690 -+#: src/sss_client/pam_sss.c:694 - msgid "" - "After changing the OTP password, you need to log out and back in order to " - "acquire a ticket" -@@ -2129,43 +2141,43 @@ msgstr "" - "OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインす" - "る必要があります" - --#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 -+#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 - msgid "Password change failed. " - msgstr "パスワードの変更に失敗しました。" - --#: src/sss_client/pam_sss.c:2015 -+#: src/sss_client/pam_sss.c:2044 - msgid "New Password: " - msgstr "新しいパスワード: " - --#: src/sss_client/pam_sss.c:2016 -+#: src/sss_client/pam_sss.c:2045 - msgid "Reenter new Password: " - msgstr "新しいパスワードの再入力: " - --#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 -+#: src/sss_client/pam_sss.c:2207 src/sss_client/pam_sss.c:2210 - msgid "First Factor: " - msgstr "1 番目の要素: " - --#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 -+#: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2382 - msgid "Second Factor (optional): " - msgstr "2 番目の要素 (オプション): " - --#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 -+#: src/sss_client/pam_sss.c:2211 src/sss_client/pam_sss.c:2385 - msgid "Second Factor: " - msgstr "2 番目の要素: " - --#: src/sss_client/pam_sss.c:2200 -+#: src/sss_client/pam_sss.c:2229 - msgid "Password: " - msgstr "パスワード: " - --#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 -+#: src/sss_client/pam_sss.c:2381 src/sss_client/pam_sss.c:2384 - msgid "First Factor (Current Password): " - msgstr "1 番目の要素 (現在のパスワード): " - --#: src/sss_client/pam_sss.c:2359 -+#: 
src/sss_client/pam_sss.c:2388 - msgid "Current Password: " - msgstr "現在のパスワード: " - --#: src/sss_client/pam_sss.c:2716 -+#: src/sss_client/pam_sss.c:2745 - msgid "Password expired. Change your password now." - msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。" - -@@ -3356,18 +3368,18 @@ msgstr "PAM 環境:\n" - msgid " - no env -\n" - msgstr " - no env -\n" - --#: src/util/util.h:82 -+#: src/util/util.h:86 - msgid "The user ID to run the server as" - msgstr "次のようにサーバーを実行するユーザー ID" - --#: src/util/util.h:84 -+#: src/util/util.h:88 - msgid "The group ID to run the server as" - msgstr "次のようにサーバーを実行するグループ ID" - --#: src/util/util.h:92 -+#: src/util/util.h:96 - msgid "Informs that the responder has been socket-activated" - msgstr "レスポンダーがソケットでアクティベートされたと知らせます" - --#: src/util/util.h:94 -+#: src/util/util.h:98 - msgid "Informs that the responder has been dbus-activated" - msgstr "レスポンダーが dbus でアクティベートされたと知らせます" -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 1d195436a..ee38f25e3 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -11,7 +11,7 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-10-12 12:21+0200\n" -+"POT-Creation-Date: 2021-02-05 11:58+0100\n" - "PO-Revision-Date: 2020-08-20 14:29+0000\n" - "Last-Translator: Charles Lee \n" - "Language-Team: Chinese (Simplified) -Date: Fri, 19 Feb 2021 16:57:31 +0100 -Subject: [PATCH] pot: update pot files - ---- - po/sssd.pot | 744 ++++++++++++++++++++++++++-------------------------- - 1 file changed, 375 insertions(+), 369 deletions(-) - -diff --git a/po/sssd.pot b/po/sssd.pot -index 19f6994ff..075f908a8 100644 ---- a/po/sssd.pot -+++ b/po/sssd.pot -@@ -8,7 +8,7 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2021-02-05 11:58+0100\n" -+"POT-Creation-Date: 2021-02-19 16:47+0100\n" - "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" - 
"Last-Translator: FULL NAME \n" - "Language-Team: LANGUAGE \n" -@@ -153,7 +153,7 @@ msgid "Entry cache background update timeout length (seconds)" - msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:61 --#: src/config/SSSDConfig/sssdoptions.py:117 -+#: src/config/SSSDConfig/sssdoptions.py:119 - msgid "Negative cache timeout length (seconds)" - msgstr "" - -@@ -337,1532 +337,1538 @@ msgstr "" - msgid "Whether to match authenticated UPN with target user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:111 -+#: src/config/SSSDConfig/sssdoptions.py:109 -+msgid "" -+"List of pairs : that must be enforced " -+"for PAM access with GSSAPI authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:113 - msgid "Whether to evaluate the time-based attributes in sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:112 -+#: src/config/SSSDConfig/sssdoptions.py:114 - msgid "If true, SSSD will switch back to lower-wins ordering logic" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:113 -+#: src/config/SSSDConfig/sssdoptions.py:115 - msgid "" - "Maximum number of rules that can be refreshed at once. If this is exceeded, " - "full refresh is performed." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:120 -+#: src/config/SSSDConfig/sssdoptions.py:122 - msgid "Whether to hash host names and addresses in the known_hosts file" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:121 -+#: src/config/SSSDConfig/sssdoptions.py:123 - msgid "" - "How many seconds to keep a host in the known_hosts file after its host keys " - "were requested" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:123 -+#: src/config/SSSDConfig/sssdoptions.py:125 - msgid "Path to storage of trusted CA certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:124 -+#: src/config/SSSDConfig/sssdoptions.py:126 - msgid "Allow to generate ssh-keys from certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:125 -+#: src/config/SSSDConfig/sssdoptions.py:127 - msgid "" - "Use the following matching rules to filter the certificates for ssh-key " - "generation" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:129 -+#: src/config/SSSDConfig/sssdoptions.py:131 - msgid "List of UIDs or user names allowed to access the PAC responder" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:130 -+#: src/config/SSSDConfig/sssdoptions.py:132 - msgid "How long the PAC data is considered valid" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:133 -+#: src/config/SSSDConfig/sssdoptions.py:135 - msgid "List of user attributes the InfoPipe is allowed to publish" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:136 -+#: src/config/SSSDConfig/sssdoptions.py:138 - msgid "The provider where the secrets will be stored in" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:137 -+#: src/config/SSSDConfig/sssdoptions.py:139 - msgid "The maximum allowed number of nested containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:138 -+#: src/config/SSSDConfig/sssdoptions.py:140 - msgid "The maximum number of secrets that can be stored" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:139 -+#: 
src/config/SSSDConfig/sssdoptions.py:141 - msgid "The maximum number of secrets that can be stored per UID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:140 -+#: src/config/SSSDConfig/sssdoptions.py:142 - msgid "The maximum payload size of a secret in kilobytes" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:142 -+#: src/config/SSSDConfig/sssdoptions.py:144 - msgid "The URL Custodia server is listening on" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:143 -+#: src/config/SSSDConfig/sssdoptions.py:145 - msgid "The method to use when authenticating to a Custodia server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:144 -+#: src/config/SSSDConfig/sssdoptions.py:146 - msgid "" - "The name of the headers that will be added into a HTTP request with the " - "value defined in auth_header_value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:146 -+#: src/config/SSSDConfig/sssdoptions.py:148 - msgid "The value sssd-secrets would use for auth_header_name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:147 -+#: src/config/SSSDConfig/sssdoptions.py:149 - msgid "" - "The list of the headers to forward to the Custodia server together with the " - "request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:148 -+#: src/config/SSSDConfig/sssdoptions.py:150 - msgid "" - "The username to use when authenticating to a Custodia server using basic_auth" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:149 -+#: src/config/SSSDConfig/sssdoptions.py:151 - msgid "" - "The password to use when authenticating to a Custodia server using basic_auth" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:150 -+#: src/config/SSSDConfig/sssdoptions.py:152 - msgid "If true peer's certificate is verified if proxy_url uses https protocol" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:151 -+#: src/config/SSSDConfig/sssdoptions.py:153 - msgid "" - "If false peer's certificate may contain different hostname than proxy_url " 
- "when https protocol is used" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:153 -+#: src/config/SSSDConfig/sssdoptions.py:155 - msgid "Path to directory where certificate authority certificates are stored" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:154 -+#: src/config/SSSDConfig/sssdoptions.py:156 - msgid "Path to file containing server's CA certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:155 -+#: src/config/SSSDConfig/sssdoptions.py:157 - msgid "Path to file containing client's certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:156 -+#: src/config/SSSDConfig/sssdoptions.py:158 - msgid "Path to file containing client's private key" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:159 -+#: src/config/SSSDConfig/sssdoptions.py:161 - msgid "" - "One of the following strings specifying the scope of session recording: none " - "- No users are recorded. some - Users/groups specified by users and groups " - "options are recorded. all - All users are recorded." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:162 -+#: src/config/SSSDConfig/sssdoptions.py:164 - msgid "" - "A comma-separated list of users which should have session recording enabled. " - "Matches user names as returned by NSS. I.e. after the possible space " - "replacement, case changes, etc." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:164 -+#: src/config/SSSDConfig/sssdoptions.py:166 - msgid "" - "A comma-separated list of groups, members of which should have session " - "recording enabled. Matches group names as returned by NSS. I.e. after the " - "possible space replacement, case changes, etc." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:167 -+#: src/config/SSSDConfig/sssdoptions.py:169 - msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:168 -+#: src/config/SSSDConfig/sssdoptions.py:170 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. " - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:172 -+#: src/config/SSSDConfig/sssdoptions.py:174 - msgid "Identity provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:173 -+#: src/config/SSSDConfig/sssdoptions.py:175 - msgid "Authentication provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:174 -+#: src/config/SSSDConfig/sssdoptions.py:176 - msgid "Access control provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:175 -+#: src/config/SSSDConfig/sssdoptions.py:177 - msgid "Password change provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:176 -+#: src/config/SSSDConfig/sssdoptions.py:178 - msgid "SUDO provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:177 -+#: src/config/SSSDConfig/sssdoptions.py:179 - msgid "Autofs provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:178 -+#: src/config/SSSDConfig/sssdoptions.py:180 - msgid "Host identity provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:179 -+#: src/config/SSSDConfig/sssdoptions.py:181 - msgid "SELinux provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:180 -+#: src/config/SSSDConfig/sssdoptions.py:182 - msgid "Session management provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:181 -+#: src/config/SSSDConfig/sssdoptions.py:183 - msgid "Resolver provider" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:184 -+#: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Whether the domain is usable by the OS or by applications" - msgstr "" - 
--#: src/config/SSSDConfig/sssdoptions.py:185 -+#: src/config/SSSDConfig/sssdoptions.py:187 - msgid "Enable or disable the domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:186 -+#: src/config/SSSDConfig/sssdoptions.py:188 - msgid "Minimum user ID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:187 -+#: src/config/SSSDConfig/sssdoptions.py:189 - msgid "Maximum user ID" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:188 -+#: src/config/SSSDConfig/sssdoptions.py:190 - msgid "Enable enumerating all users/groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:189 -+#: src/config/SSSDConfig/sssdoptions.py:191 - msgid "Cache credentials for offline login" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:190 -+#: src/config/SSSDConfig/sssdoptions.py:192 - msgid "Display users/groups in fully-qualified form" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:191 -+#: src/config/SSSDConfig/sssdoptions.py:193 - msgid "Don't include group members in group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:192 --#: src/config/SSSDConfig/sssdoptions.py:202 --#: src/config/SSSDConfig/sssdoptions.py:203 -+#: src/config/SSSDConfig/sssdoptions.py:194 - #: src/config/SSSDConfig/sssdoptions.py:204 - #: src/config/SSSDConfig/sssdoptions.py:205 - #: src/config/SSSDConfig/sssdoptions.py:206 - #: src/config/SSSDConfig/sssdoptions.py:207 - #: src/config/SSSDConfig/sssdoptions.py:208 -+#: src/config/SSSDConfig/sssdoptions.py:209 -+#: src/config/SSSDConfig/sssdoptions.py:210 - msgid "Entry cache timeout length (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:195 - msgid "" - "Restrict or prefer a specific address family when performing DNS lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:194 -+#: src/config/SSSDConfig/sssdoptions.py:196 - msgid "How long to keep cached entries after last successful login (days)" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:197 - msgid "" - "How long should SSSD talk to single DNS server before trying next server " - "(miliseconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:199 - msgid "How long should keep trying to resolve single DNS query (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:200 - msgid "How long to wait for replies from DNS when resolving servers (seconds)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:199 -+#: src/config/SSSDConfig/sssdoptions.py:201 - msgid "The domain part of service discovery DNS query" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:200 -+#: src/config/SSSDConfig/sssdoptions.py:202 - msgid "Override GID value from the identity provider with this value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:201 -+#: src/config/SSSDConfig/sssdoptions.py:203 - msgid "Treat usernames as case sensitive" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:209 -+#: src/config/SSSDConfig/sssdoptions.py:211 - msgid "How often should expired entries be refreshed in background" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:210 -+#: src/config/SSSDConfig/sssdoptions.py:212 - msgid "Whether to automatically update the client's DNS entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:211 --#: src/config/SSSDConfig/sssdoptions.py:241 -+#: src/config/SSSDConfig/sssdoptions.py:213 -+#: src/config/SSSDConfig/sssdoptions.py:243 - msgid "The TTL to apply to the client's DNS entry after updating it" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:212 --#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:214 -+#: src/config/SSSDConfig/sssdoptions.py:244 - msgid "The interface whose IP should be used for dynamic DNS updates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:213 
-+#: src/config/SSSDConfig/sssdoptions.py:215 - msgid "How often to periodically update the client's DNS entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:214 -+#: src/config/SSSDConfig/sssdoptions.py:216 - msgid "Whether the provider should explicitly update the PTR record as well" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:215 -+#: src/config/SSSDConfig/sssdoptions.py:217 - msgid "Whether the nsupdate utility should default to using TCP" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:216 -+#: src/config/SSSDConfig/sssdoptions.py:218 - msgid "What kind of authentication should be used to perform the DNS update" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:217 -+#: src/config/SSSDConfig/sssdoptions.py:219 - msgid "Override the DNS server used to perform the DNS update" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:218 -+#: src/config/SSSDConfig/sssdoptions.py:220 - msgid "Control enumeration of trusted domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:219 -+#: src/config/SSSDConfig/sssdoptions.py:221 - msgid "How often should subdomains list be refreshed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:220 -+#: src/config/SSSDConfig/sssdoptions.py:222 - msgid "List of options that should be inherited into a subdomain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:221 -+#: src/config/SSSDConfig/sssdoptions.py:223 - msgid "Default subdomain homedir value" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:222 -+#: src/config/SSSDConfig/sssdoptions.py:224 - msgid "How long can cached credentials be used for cached authentication" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:223 -+#: src/config/SSSDConfig/sssdoptions.py:225 - msgid "Whether to automatically create private groups for users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:224 -+#: src/config/SSSDConfig/sssdoptions.py:226 - msgid "Display a warning N days before the password expires." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:225 -+#: src/config/SSSDConfig/sssdoptions.py:227 - msgid "" - "Various tags stored by the realmd configuration service for this domain." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:226 -+#: src/config/SSSDConfig/sssdoptions.py:228 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:228 -+#: src/config/SSSDConfig/sssdoptions.py:230 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:230 -+#: src/config/SSSDConfig/sssdoptions.py:232 - msgid "" - "If 2-Factor-Authentication (2FA) is used and credentials should be saved " - "this value determines the minimal length the first authentication factor " - "(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:236 -+#: src/config/SSSDConfig/sssdoptions.py:238 - msgid "IPA domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:237 -+#: src/config/SSSDConfig/sssdoptions.py:239 - msgid "IPA server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:238 -+#: src/config/SSSDConfig/sssdoptions.py:240 - msgid "Address of backup IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:239 -+#: src/config/SSSDConfig/sssdoptions.py:241 - msgid "IPA client hostname" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:240 -+#: src/config/SSSDConfig/sssdoptions.py:242 - msgid "Whether to automatically update the client's DNS entry in FreeIPA" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:243 -+#: src/config/SSSDConfig/sssdoptions.py:245 - msgid "Search base for HBAC related objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:244 -+#: src/config/SSSDConfig/sssdoptions.py:246 - msgid "" - 
"The amount of time between lookups of the HBAC rules against the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:245 -+#: src/config/SSSDConfig/sssdoptions.py:247 - msgid "" - "The amount of time in seconds between lookups of the SELinux maps against " - "the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:247 -+#: src/config/SSSDConfig/sssdoptions.py:249 - msgid "If set to false, host argument given by PAM will be ignored" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:248 -+#: src/config/SSSDConfig/sssdoptions.py:250 - msgid "The automounter location this IPA client is using" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:249 -+#: src/config/SSSDConfig/sssdoptions.py:251 - msgid "Search base for object containing info about IPA domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:250 -+#: src/config/SSSDConfig/sssdoptions.py:252 - msgid "Search base for objects containing info about ID ranges" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:251 --#: src/config/SSSDConfig/sssdoptions.py:305 -+#: src/config/SSSDConfig/sssdoptions.py:253 -+#: src/config/SSSDConfig/sssdoptions.py:307 - msgid "Enable DNS sites - location based service discovery" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:252 -+#: src/config/SSSDConfig/sssdoptions.py:254 - msgid "Search base for view containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:253 -+#: src/config/SSSDConfig/sssdoptions.py:255 - msgid "Objectclass for view containers" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:254 -+#: src/config/SSSDConfig/sssdoptions.py:256 - msgid "Attribute with the name of the view" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:255 -+#: src/config/SSSDConfig/sssdoptions.py:257 - msgid "Objectclass for override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:256 -+#: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Attribute with the reference to the original 
object" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:259 - msgid "Objectclass for user override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:258 -+#: src/config/SSSDConfig/sssdoptions.py:260 - msgid "Objectclass for group override objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:259 -+#: src/config/SSSDConfig/sssdoptions.py:261 - msgid "Search base for Desktop Profile related objects" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:260 -+#: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" - "The amount of time in seconds between lookups of the Desktop Profile rules " - "against the IPA server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:262 -+#: src/config/SSSDConfig/sssdoptions.py:264 - msgid "" - "The amount of time in minutes between lookups of Desktop Profiles rules " - "against the IPA server when the last request did not find any rule" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:265 -+#: src/config/SSSDConfig/sssdoptions.py:267 - msgid "The LDAP attribute that contains FQDN of the host." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:266 --#: src/config/SSSDConfig/sssdoptions.py:289 -+#: src/config/SSSDConfig/sssdoptions.py:268 -+#: src/config/SSSDConfig/sssdoptions.py:291 - msgid "The object class of a host entry in LDAP." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:267 -+#: src/config/SSSDConfig/sssdoptions.py:269 - msgid "Use the given string as search base for host objects." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:268 -+#: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The LDAP attribute that contains the host's SSH public keys." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:269 -+#: src/config/SSSDConfig/sssdoptions.py:271 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:270 -+#: src/config/SSSDConfig/sssdoptions.py:272 - msgid "The LDAP attribute that contains the names of the netgroup's members." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:271 -+#: src/config/SSSDConfig/sssdoptions.py:273 - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:273 -+#: src/config/SSSDConfig/sssdoptions.py:275 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:275 -+#: src/config/SSSDConfig/sssdoptions.py:277 - msgid "The LDAP attribute that lists netgroup's memberships." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:276 -+#: src/config/SSSDConfig/sssdoptions.py:278 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:278 -+#: src/config/SSSDConfig/sssdoptions.py:280 - msgid "The LDAP attribute that corresponds to the netgroup name." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:279 -+#: src/config/SSSDConfig/sssdoptions.py:281 - msgid "The object class of a netgroup entry in LDAP." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:280 -+#: src/config/SSSDConfig/sssdoptions.py:282 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:281 -+#: src/config/SSSDConfig/sssdoptions.py:283 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:283 -+#: src/config/SSSDConfig/sssdoptions.py:285 - msgid "The LDAP attribute that contains host category such as 'all'." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:284 -+#: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:286 -+#: src/config/SSSDConfig/sssdoptions.py:288 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:288 -+#: src/config/SSSDConfig/sssdoptions.py:290 - msgid "The LDAP attribute that contains the name of SELinux usermap." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:290 -+#: src/config/SSSDConfig/sssdoptions.py:292 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:292 -+#: src/config/SSSDConfig/sssdoptions.py:294 - msgid "The LDAP attribute that contains SELinux user string itself." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:293 -+#: src/config/SSSDConfig/sssdoptions.py:295 - msgid "The LDAP attribute that contains user category such as 'all'." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:294 -+#: src/config/SSSDConfig/sssdoptions.py:296 - msgid "The LDAP attribute that contains unique ID of the user map." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:295 -+#: src/config/SSSDConfig/sssdoptions.py:297 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:297 -+#: src/config/SSSDConfig/sssdoptions.py:299 - msgid "Use the given string as search base for trusted domains." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:300 -+#: src/config/SSSDConfig/sssdoptions.py:302 - msgid "Active Directory domain" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:301 -+#: src/config/SSSDConfig/sssdoptions.py:303 - msgid "Enabled Active Directory domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:302 -+#: src/config/SSSDConfig/sssdoptions.py:304 - msgid "Active Directory server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:303 -+#: src/config/SSSDConfig/sssdoptions.py:305 - msgid "Active Directory backup server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:304 -+#: src/config/SSSDConfig/sssdoptions.py:306 - msgid "Active Directory client hostname" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:306 --#: src/config/SSSDConfig/sssdoptions.py:500 -+#: src/config/SSSDConfig/sssdoptions.py:308 -+#: src/config/SSSDConfig/sssdoptions.py:502 - msgid "LDAP filter to determine access privileges" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:307 -+#: src/config/SSSDConfig/sssdoptions.py:309 - msgid "Whether to use the Global Catalog for lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:308 -+#: src/config/SSSDConfig/sssdoptions.py:310 - msgid "Operation mode for GPO-based access control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:309 -+#: src/config/SSSDConfig/sssdoptions.py:311 - msgid "" - "The amount of time between lookups of the GPO policy files against the AD " - "server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:310 -+#: src/config/SSSDConfig/sssdoptions.py:312 - msgid "" - "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " - "settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:312 -+#: src/config/SSSDConfig/sssdoptions.py:314 - msgid "" - "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " - "policy settings" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:314 -+#: src/config/SSSDConfig/sssdoptions.py:316 - msgid "" - "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:315 -+#: src/config/SSSDConfig/sssdoptions.py:317 - msgid "" - "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:316 -+#: src/config/SSSDConfig/sssdoptions.py:318 - msgid "" - "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:317 -+#: src/config/SSSDConfig/sssdoptions.py:319 - msgid "PAM service names for which GPO-based access is always granted" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:318 -+#: src/config/SSSDConfig/sssdoptions.py:320 - msgid "PAM service names for which GPO-based access is always denied" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:319 -+#: src/config/SSSDConfig/sssdoptions.py:321 - msgid "" - "Default logon right (or permit/deny) to use for unmapped PAM service names" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:320 -+#: src/config/SSSDConfig/sssdoptions.py:322 - msgid "a particular site to be used by the client" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:321 -+#: src/config/SSSDConfig/sssdoptions.py:323 - msgid "" - "Maximum age in days before the machine account password should be renewed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:323 -+#: src/config/SSSDConfig/sssdoptions.py:325 - msgid "Option for tuning the machine account renewal task" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:324 -+#: src/config/SSSDConfig/sssdoptions.py:326 - msgid "Whether to update the machine account password in the Samba database" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:326 -+#: src/config/SSSDConfig/sssdoptions.py:328 - msgid "Use LDAPS port for LDAP and Global Catalog 
requests" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:327 -+#: src/config/SSSDConfig/sssdoptions.py:329 - msgid "Do not filter domain local groups from other domains" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:330 --#: src/config/SSSDConfig/sssdoptions.py:331 -+#: src/config/SSSDConfig/sssdoptions.py:332 -+#: src/config/SSSDConfig/sssdoptions.py:333 - msgid "Kerberos server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:332 -+#: src/config/SSSDConfig/sssdoptions.py:334 - msgid "Kerberos backup server address" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:333 -+#: src/config/SSSDConfig/sssdoptions.py:335 - msgid "Kerberos realm" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:334 -+#: src/config/SSSDConfig/sssdoptions.py:336 - msgid "Authentication timeout" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:335 -+#: src/config/SSSDConfig/sssdoptions.py:337 - msgid "Whether to create kdcinfo files" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:336 -+#: src/config/SSSDConfig/sssdoptions.py:338 - msgid "Where to drop krb5 config snippets" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:339 -+#: src/config/SSSDConfig/sssdoptions.py:341 - msgid "Directory to store credential caches" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:340 -+#: src/config/SSSDConfig/sssdoptions.py:342 - msgid "Location of the user's credential cache" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:341 -+#: src/config/SSSDConfig/sssdoptions.py:343 - msgid "Location of the keytab to validate credentials" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:342 -+#: src/config/SSSDConfig/sssdoptions.py:344 - msgid "Enable credential validation" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:343 -+#: src/config/SSSDConfig/sssdoptions.py:345 - msgid "Store password if offline for later online authentication" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:344 -+#: 
src/config/SSSDConfig/sssdoptions.py:346 - msgid "Renewable lifetime of the TGT" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:345 -+#: src/config/SSSDConfig/sssdoptions.py:347 - msgid "Lifetime of the TGT" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:346 -+#: src/config/SSSDConfig/sssdoptions.py:348 - msgid "Time between two checks for renewal" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:347 -+#: src/config/SSSDConfig/sssdoptions.py:349 - msgid "Enables FAST" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:348 -+#: src/config/SSSDConfig/sssdoptions.py:350 - msgid "Selects the principal to use for FAST" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:349 -+#: src/config/SSSDConfig/sssdoptions.py:351 - msgid "Enables principal canonicalization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:350 -+#: src/config/SSSDConfig/sssdoptions.py:352 - msgid "Enables enterprise principals" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:351 -+#: src/config/SSSDConfig/sssdoptions.py:353 - msgid "Enables using of subdomains realms for authentication" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:352 -+#: src/config/SSSDConfig/sssdoptions.py:354 - msgid "A mapping from user names to Kerberos principal names" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:355 --#: src/config/SSSDConfig/sssdoptions.py:356 -+#: src/config/SSSDConfig/sssdoptions.py:357 -+#: src/config/SSSDConfig/sssdoptions.py:358 - msgid "Server where the change password service is running if not on the KDC" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:359 -+#: src/config/SSSDConfig/sssdoptions.py:361 - msgid "ldap_uri, The URI of the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:360 -+#: src/config/SSSDConfig/sssdoptions.py:362 - msgid "ldap_backup_uri, The URI of the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:361 -+#: src/config/SSSDConfig/sssdoptions.py:363 - msgid "The 
default base DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:362 -+#: src/config/SSSDConfig/sssdoptions.py:364 - msgid "The Schema Type in use on the LDAP server, rfc2307" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:363 -+#: src/config/SSSDConfig/sssdoptions.py:365 - msgid "Mode used to change user password" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:364 -+#: src/config/SSSDConfig/sssdoptions.py:366 - msgid "The default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:365 -+#: src/config/SSSDConfig/sssdoptions.py:367 - msgid "The type of the authentication token of the default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:366 -+#: src/config/SSSDConfig/sssdoptions.py:368 - msgid "The authentication token of the default bind DN" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:367 -+#: src/config/SSSDConfig/sssdoptions.py:369 - msgid "Length of time to attempt connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:368 -+#: src/config/SSSDConfig/sssdoptions.py:370 - msgid "Length of time to attempt synchronous LDAP operations" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:369 -+#: src/config/SSSDConfig/sssdoptions.py:371 - msgid "Length of time between attempts to reconnect while offline" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:370 -+#: src/config/SSSDConfig/sssdoptions.py:372 - msgid "Use only the upper case for realm names" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:371 -+#: src/config/SSSDConfig/sssdoptions.py:373 - msgid "File that contains CA certificates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:372 -+#: src/config/SSSDConfig/sssdoptions.py:374 - msgid "Path to CA certificate directory" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:373 -+#: src/config/SSSDConfig/sssdoptions.py:375 - msgid "File that contains the client certificate" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:374 -+#: 
src/config/SSSDConfig/sssdoptions.py:376 - msgid "File that contains the client key" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:375 -+#: src/config/SSSDConfig/sssdoptions.py:377 - msgid "List of possible ciphers suites" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:376 -+#: src/config/SSSDConfig/sssdoptions.py:378 - msgid "Require TLS certificate verification" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:377 -+#: src/config/SSSDConfig/sssdoptions.py:379 - msgid "Specify the sasl mechanism to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:378 -+#: src/config/SSSDConfig/sssdoptions.py:380 - msgid "Specify the sasl authorization id to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:379 -+#: src/config/SSSDConfig/sssdoptions.py:381 - msgid "Specify the sasl authorization realm to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:380 -+#: src/config/SSSDConfig/sssdoptions.py:382 - msgid "Specify the minimal SSF for LDAP sasl authorization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:381 -+#: src/config/SSSDConfig/sssdoptions.py:383 - msgid "Specify the maximal SSF for LDAP sasl authorization" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:382 -+#: src/config/SSSDConfig/sssdoptions.py:384 - msgid "Kerberos service keytab" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:383 -+#: src/config/SSSDConfig/sssdoptions.py:385 - msgid "Use Kerberos auth for LDAP connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:384 -+#: src/config/SSSDConfig/sssdoptions.py:386 - msgid "Follow LDAP referrals" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:385 -+#: src/config/SSSDConfig/sssdoptions.py:387 - msgid "Lifetime of TGT for LDAP connection" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:386 -+#: src/config/SSSDConfig/sssdoptions.py:388 - msgid "How to dereference aliases" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:387 -+#: 
src/config/SSSDConfig/sssdoptions.py:389 - msgid "Service name for DNS service lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:388 -+#: src/config/SSSDConfig/sssdoptions.py:390 - msgid "The number of records to retrieve in a single LDAP query" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:389 -+#: src/config/SSSDConfig/sssdoptions.py:391 - msgid "The number of members that must be missing to trigger a full deref" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:390 -+#: src/config/SSSDConfig/sssdoptions.py:392 - msgid "" - "Whether the LDAP library should perform a reverse lookup to canonicalize the " - "host name during a SASL bind" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:392 -+#: src/config/SSSDConfig/sssdoptions.py:394 - msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:395 -+#: src/config/SSSDConfig/sssdoptions.py:397 - msgid "entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:396 -+#: src/config/SSSDConfig/sssdoptions.py:398 - msgid "lastUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:398 -+#: src/config/SSSDConfig/sssdoptions.py:400 - msgid "How long to retain a connection to the LDAP server before disconnecting" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:401 -+#: src/config/SSSDConfig/sssdoptions.py:403 - msgid "Disable the LDAP paging control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:402 -+#: src/config/SSSDConfig/sssdoptions.py:404 - msgid "Disable Active Directory range retrieval" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:405 -+#: src/config/SSSDConfig/sssdoptions.py:407 - msgid "Length of time to wait for a search request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:406 -+#: src/config/SSSDConfig/sssdoptions.py:408 - msgid "Length of time to wait for a enumeration request" - msgstr "" 
- --#: src/config/SSSDConfig/sssdoptions.py:407 -+#: src/config/SSSDConfig/sssdoptions.py:409 - msgid "Length of time between enumeration updates" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:408 -+#: src/config/SSSDConfig/sssdoptions.py:410 - msgid "Length of time between cache cleanups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:409 -+#: src/config/SSSDConfig/sssdoptions.py:411 - msgid "Require TLS for ID lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:410 -+#: src/config/SSSDConfig/sssdoptions.py:412 - msgid "Use ID-mapping of objectSID instead of pre-set IDs" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:413 - msgid "Base DN for user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:412 -+#: src/config/SSSDConfig/sssdoptions.py:414 - msgid "Scope of user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:413 -+#: src/config/SSSDConfig/sssdoptions.py:415 - msgid "Filter for user lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:414 -+#: src/config/SSSDConfig/sssdoptions.py:416 - msgid "Objectclass for users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:415 -+#: src/config/SSSDConfig/sssdoptions.py:417 - msgid "Username attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:416 -+#: src/config/SSSDConfig/sssdoptions.py:418 - msgid "UID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:417 -+#: src/config/SSSDConfig/sssdoptions.py:419 - msgid "Primary GID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:418 -+#: src/config/SSSDConfig/sssdoptions.py:420 - msgid "GECOS attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:419 -+#: src/config/SSSDConfig/sssdoptions.py:421 - msgid "Home directory attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:420 -+#: src/config/SSSDConfig/sssdoptions.py:422 - msgid "Shell attribute" - msgstr "" - --#: 
src/config/SSSDConfig/sssdoptions.py:421 -+#: src/config/SSSDConfig/sssdoptions.py:423 - msgid "UUID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:422 --#: src/config/SSSDConfig/sssdoptions.py:460 -+#: src/config/SSSDConfig/sssdoptions.py:424 -+#: src/config/SSSDConfig/sssdoptions.py:462 - msgid "objectSID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:423 -+#: src/config/SSSDConfig/sssdoptions.py:425 - msgid "Active Directory primary group attribute for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:424 -+#: src/config/SSSDConfig/sssdoptions.py:426 - msgid "User principal attribute (for Kerberos)" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:425 -+#: src/config/SSSDConfig/sssdoptions.py:427 - msgid "Full Name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:426 -+#: src/config/SSSDConfig/sssdoptions.py:428 - msgid "memberOf attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:427 -+#: src/config/SSSDConfig/sssdoptions.py:429 - msgid "Modification time attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:428 -+#: src/config/SSSDConfig/sssdoptions.py:430 - msgid "shadowLastChange attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:429 -+#: src/config/SSSDConfig/sssdoptions.py:431 - msgid "shadowMin attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:430 -+#: src/config/SSSDConfig/sssdoptions.py:432 - msgid "shadowMax attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:431 -+#: src/config/SSSDConfig/sssdoptions.py:433 - msgid "shadowWarning attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:432 -+#: src/config/SSSDConfig/sssdoptions.py:434 - msgid "shadowInactive attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:433 -+#: src/config/SSSDConfig/sssdoptions.py:435 - msgid "shadowExpire attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:434 -+#: 
src/config/SSSDConfig/sssdoptions.py:436 - msgid "shadowFlag attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:435 -+#: src/config/SSSDConfig/sssdoptions.py:437 - msgid "Attribute listing authorized PAM services" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:436 -+#: src/config/SSSDConfig/sssdoptions.py:438 - msgid "Attribute listing authorized server hosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:437 -+#: src/config/SSSDConfig/sssdoptions.py:439 - msgid "Attribute listing authorized server rhosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:438 -+#: src/config/SSSDConfig/sssdoptions.py:440 - msgid "krbLastPwdChange attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:439 -+#: src/config/SSSDConfig/sssdoptions.py:441 - msgid "krbPasswordExpiration attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:440 -+#: src/config/SSSDConfig/sssdoptions.py:442 - msgid "Attribute indicating that server side password policies are active" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:441 -+#: src/config/SSSDConfig/sssdoptions.py:443 - msgid "accountExpires attribute of AD" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:442 -+#: src/config/SSSDConfig/sssdoptions.py:444 - msgid "userAccountControl attribute of AD" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:443 -+#: src/config/SSSDConfig/sssdoptions.py:445 - msgid "nsAccountLock attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:444 -+#: src/config/SSSDConfig/sssdoptions.py:446 - msgid "loginDisabled attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:445 -+#: src/config/SSSDConfig/sssdoptions.py:447 - msgid "loginExpirationTime attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:446 -+#: src/config/SSSDConfig/sssdoptions.py:448 - msgid "loginAllowedTimeMap attribute of NDS" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:447 -+#: 
src/config/SSSDConfig/sssdoptions.py:449 - msgid "SSH public key attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:448 -+#: src/config/SSSDConfig/sssdoptions.py:450 - msgid "attribute listing allowed authentication types for a user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:449 -+#: src/config/SSSDConfig/sssdoptions.py:451 - msgid "attribute containing the X509 certificate of the user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:450 -+#: src/config/SSSDConfig/sssdoptions.py:452 - msgid "attribute containing the email address of the user" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:451 -+#: src/config/SSSDConfig/sssdoptions.py:453 - msgid "A list of extra attributes to download along with the user entry" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:453 -+#: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Base DN for group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:454 -+#: src/config/SSSDConfig/sssdoptions.py:456 - msgid "Objectclass for groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:455 -+#: src/config/SSSDConfig/sssdoptions.py:457 - msgid "Group name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:456 -+#: src/config/SSSDConfig/sssdoptions.py:458 - msgid "Group password" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:457 -+#: src/config/SSSDConfig/sssdoptions.py:459 - msgid "GID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:458 -+#: src/config/SSSDConfig/sssdoptions.py:460 - msgid "Group member attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:459 -+#: src/config/SSSDConfig/sssdoptions.py:461 - msgid "Group UUID attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:461 -+#: src/config/SSSDConfig/sssdoptions.py:463 - msgid "Modification time attribute for groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:462 -+#: src/config/SSSDConfig/sssdoptions.py:464 - msgid "Type of the 
group and other flags" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:463 -+#: src/config/SSSDConfig/sssdoptions.py:465 - msgid "The LDAP group external member attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:464 -+#: src/config/SSSDConfig/sssdoptions.py:466 - msgid "Maximum nesting level SSSD will follow" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:465 -+#: src/config/SSSDConfig/sssdoptions.py:467 - msgid "Filter for group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:466 -+#: src/config/SSSDConfig/sssdoptions.py:468 - msgid "Scope of group lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:468 -+#: src/config/SSSDConfig/sssdoptions.py:470 - msgid "Base DN for netgroup lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:469 -+#: src/config/SSSDConfig/sssdoptions.py:471 - msgid "Objectclass for netgroups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:470 -+#: src/config/SSSDConfig/sssdoptions.py:472 - msgid "Netgroup name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:471 -+#: src/config/SSSDConfig/sssdoptions.py:473 - msgid "Netgroups members attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:472 -+#: src/config/SSSDConfig/sssdoptions.py:474 - msgid "Netgroup triple attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:473 -+#: src/config/SSSDConfig/sssdoptions.py:475 - msgid "Modification time attribute for netgroups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:475 -+#: src/config/SSSDConfig/sssdoptions.py:477 - msgid "Base DN for service lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:476 -+#: src/config/SSSDConfig/sssdoptions.py:478 - msgid "Objectclass for services" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:477 -+#: src/config/SSSDConfig/sssdoptions.py:479 - msgid "Service name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:478 -+#: 
src/config/SSSDConfig/sssdoptions.py:480 - msgid "Service port attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:479 -+#: src/config/SSSDConfig/sssdoptions.py:481 - msgid "Service protocol attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:481 -+#: src/config/SSSDConfig/sssdoptions.py:483 - msgid "Lower bound for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:482 -+#: src/config/SSSDConfig/sssdoptions.py:484 - msgid "Upper bound for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:483 -+#: src/config/SSSDConfig/sssdoptions.py:485 - msgid "Number of IDs for each slice when ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:484 -+#: src/config/SSSDConfig/sssdoptions.py:486 - msgid "Use autorid-compatible algorithm for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:485 -+#: src/config/SSSDConfig/sssdoptions.py:487 - msgid "Name of the default domain for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:486 -+#: src/config/SSSDConfig/sssdoptions.py:488 - msgid "SID of the default domain for ID-mapping" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:487 -+#: src/config/SSSDConfig/sssdoptions.py:489 - msgid "Number of secondary slices" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:489 -+#: src/config/SSSDConfig/sssdoptions.py:491 - msgid "Whether to use Token-Groups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:490 -+#: src/config/SSSDConfig/sssdoptions.py:492 - msgid "Set lower boundary for allowed IDs from the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:491 -+#: src/config/SSSDConfig/sssdoptions.py:493 - msgid "Set upper boundary for allowed IDs from the LDAP server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:492 -+#: src/config/SSSDConfig/sssdoptions.py:494 - msgid "DN for ppolicy queries" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:493 -+#: 
src/config/SSSDConfig/sssdoptions.py:495 - msgid "How many maximum entries to fetch during a wildcard request" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:494 -+#: src/config/SSSDConfig/sssdoptions.py:496 - msgid "Set libldap debug level" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:497 -+#: src/config/SSSDConfig/sssdoptions.py:499 - msgid "Policy to evaluate the password expiration" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:501 -+#: src/config/SSSDConfig/sssdoptions.py:503 - msgid "Which attributes shall be used to evaluate if an account is expired" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:502 -+#: src/config/SSSDConfig/sssdoptions.py:504 - msgid "Which rules should be used to evaluate access control" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:505 -+#: src/config/SSSDConfig/sssdoptions.py:507 - msgid "URI of an LDAP server where password changes are allowed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:506 -+#: src/config/SSSDConfig/sssdoptions.py:508 - msgid "URI of a backup LDAP server where password changes are allowed" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:507 -+#: src/config/SSSDConfig/sssdoptions.py:509 - msgid "DNS service name for LDAP password change server" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:508 -+#: src/config/SSSDConfig/sssdoptions.py:510 - msgid "" - "Whether to update the ldap_user_shadow_last_change attribute after a " - "password change" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:512 -+#: src/config/SSSDConfig/sssdoptions.py:514 - msgid "Base DN for sudo rules lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:513 -+#: src/config/SSSDConfig/sssdoptions.py:515 - msgid "Automatic full refresh period" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:514 -+#: src/config/SSSDConfig/sssdoptions.py:516 - msgid "Automatic smart refresh period" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:515 -+#: 
src/config/SSSDConfig/sssdoptions.py:517 - msgid "Whether to filter rules by hostname, IP addresses and network" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:516 -+#: src/config/SSSDConfig/sssdoptions.py:518 - msgid "" - "Hostnames and/or fully qualified domain names of this machine to filter sudo " - "rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:517 -+#: src/config/SSSDConfig/sssdoptions.py:519 - msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:518 -+#: src/config/SSSDConfig/sssdoptions.py:520 - msgid "Whether to include rules that contains netgroup in host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:519 -+#: src/config/SSSDConfig/sssdoptions.py:521 - msgid "" - "Whether to include rules that contains regular expression in host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:520 -+#: src/config/SSSDConfig/sssdoptions.py:522 - msgid "Object class for sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:521 -+#: src/config/SSSDConfig/sssdoptions.py:523 - msgid "Name of attribute that is used as object class for sudo rules" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:522 -+#: src/config/SSSDConfig/sssdoptions.py:524 - msgid "Sudo rule name" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:523 -+#: src/config/SSSDConfig/sssdoptions.py:525 - msgid "Sudo rule command attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:524 -+#: src/config/SSSDConfig/sssdoptions.py:526 - msgid "Sudo rule host attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:525 -+#: src/config/SSSDConfig/sssdoptions.py:527 - msgid "Sudo rule user attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:526 -+#: src/config/SSSDConfig/sssdoptions.py:528 - msgid "Sudo rule option attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:527 -+#: 
src/config/SSSDConfig/sssdoptions.py:529 - msgid "Sudo rule runas attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:528 -+#: src/config/SSSDConfig/sssdoptions.py:530 - msgid "Sudo rule runasuser attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:529 -+#: src/config/SSSDConfig/sssdoptions.py:531 - msgid "Sudo rule runasgroup attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:530 -+#: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Sudo rule notbefore attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:531 -+#: src/config/SSSDConfig/sssdoptions.py:533 - msgid "Sudo rule notafter attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:532 -+#: src/config/SSSDConfig/sssdoptions.py:534 - msgid "Sudo rule order attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:535 -+#: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Object class for automounter maps" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:536 -+#: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Automounter map name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:537 -+#: src/config/SSSDConfig/sssdoptions.py:539 - msgid "Object class for automounter map entries" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:538 -+#: src/config/SSSDConfig/sssdoptions.py:540 - msgid "Automounter map entry key attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:539 -+#: src/config/SSSDConfig/sssdoptions.py:541 - msgid "Automounter map entry value attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:540 -+#: src/config/SSSDConfig/sssdoptions.py:542 - msgid "Base DN for automounter map lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:541 -+#: src/config/SSSDConfig/sssdoptions.py:543 - msgid "The name of the automount master map in LDAP." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:544 -+#: src/config/SSSDConfig/sssdoptions.py:546 - msgid "Base DN for IP hosts lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:545 -+#: src/config/SSSDConfig/sssdoptions.py:547 - msgid "Object class for IP hosts" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:546 -+#: src/config/SSSDConfig/sssdoptions.py:548 - msgid "IP host name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:547 -+#: src/config/SSSDConfig/sssdoptions.py:549 - msgid "IP host number (address) attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:548 -+#: src/config/SSSDConfig/sssdoptions.py:550 - msgid "IP host entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:549 -+#: src/config/SSSDConfig/sssdoptions.py:551 - msgid "Base DN for IP networks lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:550 -+#: src/config/SSSDConfig/sssdoptions.py:552 - msgid "Object class for IP networks" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:551 -+#: src/config/SSSDConfig/sssdoptions.py:553 - msgid "IP network name attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:552 -+#: src/config/SSSDConfig/sssdoptions.py:554 - msgid "IP network number (address) attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:553 -+#: src/config/SSSDConfig/sssdoptions.py:555 - msgid "IP network entryUSN attribute" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:556 -+#: src/config/SSSDConfig/sssdoptions.py:558 - msgid "Comma separated list of allowed users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:557 -+#: src/config/SSSDConfig/sssdoptions.py:559 - msgid "Comma separated list of prohibited users" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:558 -+#: src/config/SSSDConfig/sssdoptions.py:560 - msgid "" - "Comma separated list of groups that are allowed to log in. 
This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:560 -+#: src/config/SSSDConfig/sssdoptions.py:562 - msgid "" - "Comma separated list of groups that are explicitly denied access. This " - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:564 -+#: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Base for home directories" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:565 -+#: src/config/SSSDConfig/sssdoptions.py:567 - msgid "Indicate if a home directory should be created for new users." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:566 -+#: src/config/SSSDConfig/sssdoptions.py:568 - msgid "Indicate if a home directory should be removed for deleted users." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:567 -+#: src/config/SSSDConfig/sssdoptions.py:569 - msgid "Specify the default permissions on a newly created home directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:568 -+#: src/config/SSSDConfig/sssdoptions.py:570 - msgid "The skeleton directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:569 -+#: src/config/SSSDConfig/sssdoptions.py:571 - msgid "The mail spool directory." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:570 -+#: src/config/SSSDConfig/sssdoptions.py:572 - msgid "The command that is run after a user is removed." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:573 -+#: src/config/SSSDConfig/sssdoptions.py:575 - msgid "The number of preforked proxy children." 
- msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:576 -+#: src/config/SSSDConfig/sssdoptions.py:578 - msgid "The name of the NSS library to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:577 -+#: src/config/SSSDConfig/sssdoptions.py:579 - msgid "The name of the NSS library to use for hosts and networks lookups" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:578 -+#: src/config/SSSDConfig/sssdoptions.py:580 - msgid "Whether to look up canonical group name from cache if possible" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:581 -+#: src/config/SSSDConfig/sssdoptions.py:583 - msgid "PAM stack to use" - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:584 -+#: src/config/SSSDConfig/sssdoptions.py:586 - msgid "Path of passwd file sources." - msgstr "" - --#: src/config/SSSDConfig/sssdoptions.py:585 -+#: src/config/SSSDConfig/sssdoptions.py:587 - msgid "Path of group file sources." - msgstr "" - --- -2.21.3 - diff --git a/SOURCES/0051-po-update-translations.patch b/SOURCES/0051-po-update-translations.patch deleted file mode 100644 index b9a1f3f..0000000 --- a/SOURCES/0051-po-update-translations.patch +++ /dev/null 
@@ -1,729 +0,0 @@ -From 341c5e358180d8297276a38f3cf6eb9dbbbc6c62 Mon Sep 17 00:00:00 2001 -From: Weblate -Date: Thu, 18 Mar 2021 11:39:24 +0100 -Subject: [PATCH] po: update translations - -Currently translated at 2.8% (21 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ - -Translated using Weblate (Finnish) - -Currently translated at 2.5% (68 of 2643 strings) - -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/ - -Translated using Weblate (Chinese (Simplified) (zh_CN)) - -Currently translated at 100.0% (726 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -Translated using Weblate (Japanese) - -Currently translated at 100.0% (726 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -Translated using Weblate (French) - -Currently translated at 100.0% (726 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -Translated using Weblate (Ukrainian) - -Currently translated at 100.0% (726 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -Translated using Weblate (Polish) - -Currently translated at 100.0% (726 of 726 strings) - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ ---- - po/fr.po | 45 ++++++++++++++------- - po/ja.po | 111 ++++++++++++++++++++++++---------------------------- - po/zh_CN.po | 38 +++++++++--------- - 3 files changed, 102 insertions(+), 92 deletions(-) - -diff --git a/po/fr.po b/po/fr.po -index e2e906d35..5edfcfd16 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -11,21 +11,22 @@ - # Ludek Janda , 2020. #zanata - # Pavel Brezina , 2020. 
#zanata - # Jean-Baptiste Holcroft , 2020. -+# Sundeep Anand , 2021. - msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-02-05 11:58+0100\n" --"PO-Revision-Date: 2020-08-04 05:55+0000\n" --"Last-Translator: Jean-Baptiste Holcroft \n" -+"PO-Revision-Date: 2021-03-18 10:39+0000\n" -+"Last-Translator: Sundeep Anand \n" - "Language-Team: French \n" -+"sssd-master/fr/>\n" - "Language: fr\n" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n > 1;\n" --"X-Generator: Weblate 4.1.1\n" -+"X-Generator: Weblate 4.5.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -259,18 +260,24 @@ msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for passwd requests" - msgstr "" -+"Taille (en mégaoctets) de la table de données allouée dans le cache en " -+"mémoire rapide pour les demandes de mots de passe" - - #: src/config/SSSDConfig/sssdoptions.py:76 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for group requests" - msgstr "" -+"Taille (en mégaoctets) de la table de données allouée dans le cache en " -+"mémoire rapide pour les requêtes de groupe" - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for initgroups requests" - msgstr "" -+"Taille (en mégaoctets) de la table de données allouée dans le cache en " -+"mémoire rapide pour les demandes d'initgroups" - - #: src/config/SSSDConfig/sssdoptions.py:78 - msgid "" -@@ -395,11 +402,11 @@ msgstr "Quand le répondeur de PAM doit-il forcer une demande d'initgroupes" - - #: src/config/SSSDConfig/sssdoptions.py:107 - msgid "List of PAM services that are allowed to authenticate with GSSAPI." 
--msgstr "" -+msgstr "Liste des services PAM qui sont autorisés à s'authentifier avec GSSAPI." - - #: src/config/SSSDConfig/sssdoptions.py:108 - msgid "Whether to match authenticated UPN with target user" --msgstr "" -+msgstr "S'il faut faire correspondre l'UPN authentifié avec l'utilisateur cible" - - #: src/config/SSSDConfig/sssdoptions.py:111 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -588,12 +595,16 @@ msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" - msgstr "" -+"Une liste d'utilisateurs à exclure de l'enregistrement, séparés par des " -+"virgules, uniquement lorsque scope=all" - - #: src/config/SSSDConfig/sssdoptions.py:168 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. " - msgstr "" -+"Une liste de groupes séparés par des virgules, dont les membres doivent être " -+"exclus de l'enregistrement, uniquement lorsque scope=all. 
" - - #: src/config/SSSDConfig/sssdoptions.py:172 - msgid "Identity provider" -@@ -640,9 +651,8 @@ msgid "Whether the domain is usable by the OS or by applications" - msgstr "Si le domaine est utilisable par l'OS ou par des applications" - - #: src/config/SSSDConfig/sssdoptions.py:185 --#, fuzzy - msgid "Enable or disable the domain" --msgstr "Activer ou désactiver le domaine des fichiers implicites" -+msgstr "Activer ou désactiver le domaine" - - #: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Minimum user ID" -@@ -1202,6 +1212,7 @@ msgstr "Utiliser le port LDAPS pour les requêtes LDAP et Catalogue global" - #: src/config/SSSDConfig/sssdoptions.py:327 - msgid "Do not filter domain local groups from other domains" - msgstr "" -+"Ne pas filtrer les groupes locaux d'un domaine à partir d'autres domaines" - - #: src/config/SSSDConfig/sssdoptions.py:330 - #: src/config/SSSDConfig/sssdoptions.py:331 -@@ -1280,7 +1291,7 @@ msgstr "Active les principals d'entreprise" - - #: src/config/SSSDConfig/sssdoptions.py:351 - msgid "Enables using of subdomains realms for authentication" --msgstr "" -+msgstr "Permet d'utiliser les domaines de sous-domaines pour l'authentification" - - #: src/config/SSSDConfig/sssdoptions.py:352 - msgid "A mapping from user names to Kerberos principal names" -@@ -1802,7 +1813,7 @@ msgstr "Combien d'entrées maximum à récupérer lors d'une demande de wildcard - - #: src/config/SSSDConfig/sssdoptions.py:494 - msgid "Set libldap debug level" --msgstr "" -+msgstr "Définir le niveau de débogage de libldap" - - #: src/config/SSSDConfig/sssdoptions.py:497 - msgid "Policy to evaluate the password expiration" -@@ -2368,14 +2379,16 @@ msgid "The path to the proxy command must be absolute\n" - msgstr "Le chemin vers la commande de proxy doit être absolue\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 --#, fuzzy, c-format -+#, c-format - msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" --msgstr "sss_ssh_knownhostsproxy : Impossible de 
résoudre le nom d'hôte %s\n" -+msgstr "" -+"sss_ssh_knownhostsproxy : impossible de transmettre des données par proxy : %" -+"s\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 --#, fuzzy, c-format -+#, c-format - msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n" --msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n" -+msgstr "sss_ssh_knownhostsproxy : se connecter à l'hôte %s port %d: %s\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334 - #, c-format -@@ -3052,6 +3065,10 @@ msgid "" - "where the main config file is located. For example if the config is set to " - "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" - msgstr "" -+"Spécifiez un répertoire (dir) de snippet non par défaut (par défaut, il doit " -+"se trouver au même endroit que le fichier de configuration principal. Par " -+"exemple, si la configuration est définie sur \"/my/path/sssd.conf\", le " -+"répertoire d'extrait \"/my/path/conf.d\" sera utilisé)" - - #: src/tools/sssctl/sssctl_config.c:118 - #, c-format -diff --git a/po/ja.po b/po/ja.po -index 25b456e8d..1a5341757 100644 ---- a/po/ja.po -+++ b/po/ja.po -@@ -8,21 +8,22 @@ - # Keiko Moriguchi , 2019. #zanata - # Ludek Janda , 2020. #zanata - # Pavel Brezina , 2020. #zanata -+# Sundeep Anand , 2021. 
- msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-02-05 11:58+0100\n" --"PO-Revision-Date: 2020-07-22 07:46-0400\n" --"Last-Translator: Copied by Zanata \n" --"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" --"ja/)\n" -+"PO-Revision-Date: 2021-03-18 10:39+0000\n" -+"Last-Translator: Sundeep Anand \n" -+"Language-Team: Japanese \n" - "Language: ja\n" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Zanata 4.6.2\n" -+"X-Generator: Weblate 4.5.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -85,9 +86,7 @@ msgstr "" - msgid "" - "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " - "version 2." --msgstr "" --"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " --"version 2." -+msgstr "設定ファイルの構文を示します。SSSD 0.6.0 以降はバージョン 2 を使用します。" - - #: src/config/SSSDConfig/sssdoptions.py:39 - msgid "SSSD Services to start" -@@ -161,27 +160,25 @@ msgid "" - "this, and will fall back to polling resolv.conf every five seconds if " - "inotify cannot be used." - msgstr "" --"SSSD monitors the state of resolv.conf to identify when it needs to update " --"its internal DNS resolver. By default, we will attempt to use inotify for " --"this, and will fall back to polling resolv.conf every five seconds if " --"inotify cannot be used." 
-+"SSSD は、内部 DNSリゾルバーを更新する必要があるときを識別するために resolv.conf の状態を監視します。デフォルトでは、inotify " -+"の使用を試行します。また、inotify が使用できない場合は、5 秒ごとに resolv.conf のポーリングにフォールバックします。" - - #: src/config/SSSDConfig/sssdoptions.py:59 - msgid "Enumeration cache timeout length (seconds)" --msgstr "列挙キャッシュのタイムアウト(秒)" -+msgstr "列挙キャッシュのタイムアウト (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:60 - msgid "Entry cache background update timeout length (seconds)" --msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" -+msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間 (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:61 - #: src/config/SSSDConfig/sssdoptions.py:117 - msgid "Negative cache timeout length (seconds)" --msgstr "ネガティブキャッシュのタイムアウト(秒)" -+msgstr "ネガティブキャッシュのタイムアウト (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:62 - msgid "Files negative cache timeout length (seconds)" --msgstr "ファイルネガティブキャッシュのタイムアウト時間(秒)" -+msgstr "ファイルネガティブキャッシュのタイムアウト時間 (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:63 - msgid "Users that SSSD should explicitly ignore" -@@ -243,19 +240,19 @@ msgstr "メモリー内のキャッシュレコードが有効な期間" - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for passwd requests" --msgstr "" -+msgstr "パスワード要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" - - #: src/config/SSSDConfig/sssdoptions.py:76 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for group requests" --msgstr "" -+msgstr "グループ要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for initgroups requests" --msgstr "" -+msgstr "initgroups 要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" - - #: src/config/SSSDConfig/sssdoptions.py:78 - msgid "" -@@ -277,13 +274,12 @@ msgid "" - "if they are requested beyond a percentage of the entry_cache_timeout value " - "for the domain." 
- msgstr "" --"The entry cache can be set to automatically update entries in the background " --"if they are requested beyond a percentage of the entry_cache_timeout value " --"for the domain." -+"エントリーキャッシュは、ドメインの entry_cache_timeout " -+"値のパーセントを超えるリクエストが行われた場合に、バックグラウンドでエントリーを自動的に更新するように設定できます。" - - #: src/config/SSSDConfig/sssdoptions.py:87 - msgid "How long to allow cached logins between online logins (days)" --msgstr "オンラインログイン中にキャッシュによるログインが許容される期間(日数)" -+msgstr "オンラインログイン中にキャッシュによるログインが許容される期間 (日数)" - - #: src/config/SSSDConfig/sssdoptions.py:88 - msgid "How many failed logins attempts are allowed when offline" -@@ -293,7 +289,7 @@ msgstr "オフラインの時に許容されるログイン試行失敗回数" - msgid "" - "How long (minutes) to deny login after offline_failed_login_attempts has " - "been reached" --msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間(分)" -+msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間 (分)" - - #: src/config/SSSDConfig/sssdoptions.py:91 - msgid "What kind of messages are displayed to the user during authentication" -@@ -362,11 +358,11 @@ msgstr "PAM レスポンダーが initgroups リクエストを強制すると - - #: src/config/SSSDConfig/sssdoptions.py:107 - msgid "List of PAM services that are allowed to authenticate with GSSAPI." --msgstr "" -+msgstr "GSSAPI での認証が許可される PAM サービスの一覧。" - - #: src/config/SSSDConfig/sssdoptions.py:108 - msgid "Whether to match authenticated UPN with target user" --msgstr "" -+msgstr "ターゲットユーザーと認証された UPN に一致するかどうか" - - #: src/config/SSSDConfig/sssdoptions.py:111 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -540,13 +536,13 @@ msgstr "" - msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" --msgstr "" -+msgstr "録画から除外されるユーザーのコンマ区切りリスト。scope=all の場合のみ" - - #: src/config/SSSDConfig/sssdoptions.py:168 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. 
" --msgstr "" -+msgstr "scope=all の場合にのみ記録から除外されるべきメンバーから成るグループのコンマ区切りリスト。 " - - #: src/config/SSSDConfig/sssdoptions.py:172 - msgid "Identity provider" -@@ -593,9 +589,8 @@ msgid "Whether the domain is usable by the OS or by applications" - msgstr "OS またはアプリケーションがドメインを使用できるかどうか" - - #: src/config/SSSDConfig/sssdoptions.py:185 --#, fuzzy - msgid "Enable or disable the domain" --msgstr "暗黙のファイルドメインを有効化または無効化する" -+msgstr "ドメインを有効または無効にする" - - #: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Minimum user ID" -@@ -630,7 +625,7 @@ msgstr "グループ検索にグループメンバーを含めない" - #: src/config/SSSDConfig/sssdoptions.py:207 - #: src/config/SSSDConfig/sssdoptions.py:208 - msgid "Entry cache timeout length (seconds)" --msgstr "エントリーキャッシュのタイムアウト長(秒)" -+msgstr "エントリーキャッシュのタイムアウト長 (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:193 - msgid "" -@@ -655,7 +650,7 @@ msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:198 - msgid "How long to wait for replies from DNS when resolving servers (seconds)" --msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" -+msgstr "サーバーを名前解決する時に DNS から応答を待つ時間 (秒)" - - #: src/config/SSSDConfig/sssdoptions.py:199 - msgid "The domain part of service discovery DNS query" -@@ -734,7 +729,7 @@ msgstr "ユーザーにプライベートグループを自動的に作成する - - #: src/config/SSSDConfig/sssdoptions.py:224 - msgid "Display a warning N days before the password expires." --msgstr "Display a warning N days before the password expires." -+msgstr "パスワードの期限が切れる N 日前の警告を表示します。" - - #: src/config/SSSDConfig/sssdoptions.py:225 - msgid "" -@@ -894,7 +889,7 @@ msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The LDAP attribute that contains the names of the netgroup's members." --msgstr "The LDAP attribute that contains the names of the netgroup's members." 
-+msgstr "ネットグループのメンバーの名前を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" -@@ -1105,7 +1100,7 @@ msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポ - - #: src/config/SSSDConfig/sssdoptions.py:327 - msgid "Do not filter domain local groups from other domains" --msgstr "" -+msgstr "他のドメインからのドメインローカルグループをフィルターしない" - - #: src/config/SSSDConfig/sssdoptions.py:330 - #: src/config/SSSDConfig/sssdoptions.py:331 -@@ -1182,7 +1177,7 @@ msgstr "エンタープライズ・プリンシパルの有効化" - - #: src/config/SSSDConfig/sssdoptions.py:351 - msgid "Enables using of subdomains realms for authentication" --msgstr "" -+msgstr "認証にサブドメインレルムの使用を有効化" - - #: src/config/SSSDConfig/sssdoptions.py:352 - msgid "A mapping from user names to Kerberos principal names" -@@ -1432,7 +1427,7 @@ msgstr "ID マッピングの Active Directory プライマリーグループ属 - - #: src/config/SSSDConfig/sssdoptions.py:424 - msgid "User principal attribute (for Kerberos)" --msgstr "ユーザープリンシパルの属性(Kerberos 用)" -+msgstr "ユーザープリンシパルの属性 (Kerberos 用)" - - #: src/config/SSSDConfig/sssdoptions.py:425 - msgid "Full Name" -@@ -1688,7 +1683,7 @@ msgstr "ワイルドカードの要求の間に取得する最大エントリー - - #: src/config/SSSDConfig/sssdoptions.py:494 - msgid "Set libldap debug level" --msgstr "" -+msgstr "libldap デバッグレベルの設定" - - #: src/config/SSSDConfig/sssdoptions.py:497 - msgid "Policy to evaluate the password expiration" -@@ -1893,9 +1888,7 @@ msgstr "禁止ユーザーのカンマ区切り一覧" - msgid "" - "Comma separated list of groups that are allowed to log in. This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." --msgstr "" --"Comma separated list of groups that are allowed to log in. This applies only " --"to groups within this SSSD domain. Local groups are not evaluated." -+msgstr "ログインが許可されるグループのカンマ区切りの一覧。これは、SSSDドメイン内のグループにのみ適用されます。ローカルグループは評価されません。" - - #: src/config/SSSDConfig/sssdoptions.py:560 - msgid "" -@@ -1903,9 +1896,8 @@ msgid "" - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." 
- msgstr "" --"Comma separated list of groups that are explicitly denied access. This " --"applies only to groups within this SSSD domain. Local groups are not " --"evaluated." -+"排他的にアクセスが拒否されたグループのカンマ区切りの一覧。これは、この SSSD " -+"ドメイン内のグループにのみ適用されます。ローカルグループは評価されません。" - - #: src/config/SSSDConfig/sssdoptions.py:564 - msgid "Base for home directories" -@@ -1959,19 +1951,19 @@ msgstr "使用する PAM スタック" - - #: src/config/SSSDConfig/sssdoptions.py:584 - msgid "Path of passwd file sources." --msgstr "passwd ファイルソースへのパス" -+msgstr "passwd ファイルソースへのパス。" - - #: src/config/SSSDConfig/sssdoptions.py:585 - msgid "Path of group file sources." --msgstr "グループファイルソースへのパス" -+msgstr "グループファイルソースへのパス。" - - #: src/monitor/monitor.c:2381 - msgid "Become a daemon (default)" --msgstr "デーモンとして実行(デフォルト)" -+msgstr "デーモンとして実行 (デフォルト)" - - #: src/monitor/monitor.c:2383 - msgid "Run interactive (not a daemon)" --msgstr "対話的に実行(デーモンではない)" -+msgstr "対話的に実行 (デーモンではない)" - - #: src/monitor/monitor.c:2386 - msgid "Disable netlink interface" -@@ -2092,7 +2084,7 @@ msgstr "エラーの説明を検索中に予期しないエラーが発生しま - - #: src/sss_client/pam_sss.c:68 - msgid "Permission denied. " --msgstr "パーミッションが拒否されました。" -+msgstr "パーミッションが拒否されました。 " - - #: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 - #: src/sss_client/pam_sss.c:796 -@@ -2143,7 +2135,7 @@ msgstr "" - - #: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 - msgid "Password change failed. 
" --msgstr "パスワードの変更に失敗しました。" -+msgstr "パスワードの変更に失敗しました。 " - - #: src/sss_client/pam_sss.c:2044 - msgid "New Password: " -@@ -2236,14 +2228,14 @@ msgid "The path to the proxy command must be absolute\n" - msgstr "プロキシコマンドへのパスは絶対パスにする必要があります\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 --#, fuzzy, c-format -+#, c-format - msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" --msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" -+msgstr "sss_ssh_knownhostsproxy: データをプロキシーできません: %s\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 --#, fuzzy, c-format -+#, c-format - msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n" --msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" -+msgstr "sss_ssh_knownhostsproxy: ホスト %s ポート %d に接続: %s\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334 - #, c-format -@@ -2644,8 +2636,7 @@ msgid "" - "Set an attribute to a name/value pair. The format is attrname=value. For " - "multi-valued attributes, the command replaces the values already present" - msgstr "" --"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属" --"性の場合、コマンドがすでに存在する値に置き換えられます。" -+"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます" - - #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 - #: src/tools/sss_usermod.c:135 -@@ -2660,9 +2651,7 @@ msgstr "変更するユーザーを指定してください\n" - msgid "" - "Cannot find user in local domain, modifying users is allowed only in local " - "domain\n" --msgstr "" --"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ" --"ンにおいてのみ許可されます。\n" -+msgstr "ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメインにおいてのみ許可されます\n" - - #: src/tools/sss_usermod.c:322 - msgid "Could not modify user - check if group names are correct\n" -@@ -2841,7 +2830,7 @@ msgstr "SSSD は再起動が必要です。SSSD を今、再起動しますか?" 
- #: src/tools/sssctl/sssctl_cache.c:31 - #, c-format - msgid " %s is not present in cache.\n" --msgstr " %s はキャッシュにありません\n" -+msgstr " %s はキャッシュにありません。\n" - - #: src/tools/sssctl/sssctl_cache.c:33 - msgid "Name" -@@ -2904,6 +2893,8 @@ msgid "" - "where the main config file is located. For example if the config is set to " - "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" - msgstr "" -+"デフォルト以外のスニペットディレクトリーを指定します (デフォルトでは、メインの設定ファイルが存在する場所と同じ場所を検索します)。たとえば、設定が \"" -+"/my/path/sssd.conf\" に設定されている場合は、スニペット dir \"/my/path/conf.d\" が使用されます" - - #: src/tools/sssctl/sssctl_config.c:118 - #, c-format -diff --git a/po/zh_CN.po b/po/zh_CN.po -index ee38f25e3..e3f018d97 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -7,13 +7,14 @@ - # Ludek Janda , 2020. #zanata - # Pavel Brezina , 2020. #zanata - # Charles Lee , 2020. -+# Sundeep Anand , 2021. - msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-02-05 11:58+0100\n" --"PO-Revision-Date: 2020-08-20 14:29+0000\n" --"Last-Translator: Charles Lee \n" -+"PO-Revision-Date: 2021-03-18 10:39+0000\n" -+"Last-Translator: Sundeep Anand \n" - "Language-Team: Chinese (Simplified) \n" - "Language: zh_CN\n" -@@ -21,7 +22,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.1.1\n" -+"X-Generator: Weblate 4.5.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -230,19 +231,19 @@ msgstr "内存缓存记录有效期的长度" - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for passwd requests" --msgstr "" -+msgstr "为 passwd 请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" - - #: src/config/SSSDConfig/sssdoptions.py:76 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for group requests" 
--msgstr "" -+msgstr "为组请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Size (in megabytes) of the data table allocated inside fast in-memory cache " - "for initgroups requests" --msgstr "" -+msgstr "为 initgroups 请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" - - #: src/config/SSSDConfig/sssdoptions.py:78 - msgid "" -@@ -349,11 +350,11 @@ msgstr "什么时候 PAM 响应者要强制发起 initgroups 请求?" - - #: src/config/SSSDConfig/sssdoptions.py:107 - msgid "List of PAM services that are allowed to authenticate with GSSAPI." --msgstr "" -+msgstr "允许使用 GSSAPI 验证的 PAM 服务列表。" - - #: src/config/SSSDConfig/sssdoptions.py:108 - msgid "Whether to match authenticated UPN with target user" --msgstr "" -+msgstr "是否与目标用户匹配认证的 UPN" - - #: src/config/SSSDConfig/sssdoptions.py:111 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -517,13 +518,13 @@ msgstr "" - msgid "" - "A comma-separated list of users to be excluded from recording, only when " - "scope=all" --msgstr "" -+msgstr "要从记录中排除的用逗号分开的用户列表,仅当 scope=all 时" - - #: src/config/SSSDConfig/sssdoptions.py:168 - msgid "" - "A comma-separated list of groups, members of which should be excluded from " - "recording, only when scope=all. 
" --msgstr "" -+msgstr "用逗号分隔的组列表,其中的成员应不记录中排除,仅在 scope=all 时。 " - - #: src/config/SSSDConfig/sssdoptions.py:172 - msgid "Identity provider" -@@ -570,9 +571,8 @@ msgid "Whether the domain is usable by the OS or by applications" - msgstr "域是否可以被 OS 或应用程序使用" - - #: src/config/SSSDConfig/sssdoptions.py:185 --#, fuzzy - msgid "Enable or disable the domain" --msgstr "启用或禁用隐式文件域" -+msgstr "启用或禁用域" - - #: src/config/SSSDConfig/sssdoptions.py:186 - msgid "Minimum user ID" -@@ -1057,7 +1057,7 @@ msgstr "将 LDAPS 端口用于 LDAP 和 Global Catalog 请求" - - #: src/config/SSSDConfig/sssdoptions.py:327 - msgid "Do not filter domain local groups from other domains" --msgstr "" -+msgstr "不要从其它域过滤域本地组" - - #: src/config/SSSDConfig/sssdoptions.py:330 - #: src/config/SSSDConfig/sssdoptions.py:331 -@@ -1134,7 +1134,7 @@ msgstr "启用企业主体" - - #: src/config/SSSDConfig/sssdoptions.py:351 - msgid "Enables using of subdomains realms for authentication" --msgstr "" -+msgstr "启用使用子域域进行验证" - - #: src/config/SSSDConfig/sssdoptions.py:352 - msgid "A mapping from user names to Kerberos principal names" -@@ -1636,7 +1636,7 @@ msgstr "在通配符请求期间要提取多少个最大条目" - - #: src/config/SSSDConfig/sssdoptions.py:494 - msgid "Set libldap debug level" --msgstr "" -+msgstr "设置 libldap debug 级别" - - #: src/config/SSSDConfig/sssdoptions.py:497 - msgid "Policy to evaluate the password expiration" -@@ -2172,9 +2172,9 @@ msgid "The path to the proxy command must be absolute\n" - msgstr "到 proxy 命令的路径必须是绝对路径\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 --#, fuzzy, c-format -+#, c-format - msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" --msgstr "sss_ssh_knownhostsproxy:无法解析主机名 %s\n" -+msgstr "sss_ssh_knownhostsproxy:无法到代理数据:%s\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 - #, c-format -@@ -2812,6 +2812,8 @@ msgid "" - "where the main config file is located. 
For example if the config is set to " - "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" - msgstr "" -+"指定非默认 snippet dir(默认为在主配置文件所在的相同位置查找)。例如,如果配置被设置为 \"/my/path/sssd.conf\", " -+"snippet dir 为 \"/my/path/conf.d\" )" - - #: src/tools/sssctl/sssctl_config.c:118 - #, c-format -@@ -3009,7 +3011,7 @@ msgstr "无法获取服务器列表\n" - - #: src/tools/sssctl/sssctl_logs.c:46 - msgid "\n" --msgstr "" -+msgstr "\n" - - #: src/tools/sssctl/sssctl_logs.c:236 - msgid "Delete log files instead of truncating" --- -2.21.3 - diff --git a/SOURCES/0052-handle-large-service-tickets.patch b/SOURCES/0052-handle-large-service-tickets.patch deleted file mode 100644 index 3847a09..0000000 --- a/SOURCES/0052-handle-large-service-tickets.patch +++ /dev/null 
@@ -1,233 +0,0 @@ -From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Tue, 6 Apr 2021 18:42:19 +0100 -Subject: [PATCH 1/6] responder/common/responder_packet: handle large service - tickets - -Resolves: https://github.com/SSSD/sssd/issues/5568 - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/responder_packet.c | 11 +++++++++++ - src/responder/common/responder_packet.h | 1 + - 2 files changed, 12 insertions(+) - -diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c -index f56d92276..d091332b0 100644 ---- a/src/responder/common/responder_packet.c -+++ b/src/responder/common/responder_packet.c -@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd) - if (ret != EOK) { - return ret; - } -+ /* Kerberos tickets can get pretty big; since Windows Server 2012, the -+ * limit is 48 KiB! -+ */ -+ } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX) -+ && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE -+ && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) { -+ sss_packet_set_len(packet, 0); -+ ret = sss_packet_grow(packet, new_len); -+ if (ret != EOK) { -+ return ret; -+ } - } else { - return EINVAL; - } -diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h -index 509a22a9a..70bf1e8d3 100644 ---- a/src/responder/common/responder_packet.h -+++ b/src/responder/common/responder_packet.h -@@ -26,6 +26,7 @@ - - #define SSS_PACKET_MAX_RECV_SIZE 1024 - #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE ) -+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 ) - - struct sss_packet; - --- -2.26.3 - - -From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Wed, 7 Apr 2021 14:21:34 +0100 -Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of - code that handles larger-than-normal packets - -Reviewed-by: Alexey 
Tikhonov ---- - src/responder/common/responder_packet.c | 40 +++++++++++++------------ - 1 file changed, 21 insertions(+), 19 deletions(-) - -diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c -index d091332b0..523c9ddd4 100644 ---- a/src/responder/common/responder_packet.c -+++ b/src/responder/common/responder_packet.c -@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd) - - new_len = sss_packet_get_len(packet); - if (new_len > packet->memsize) { -- /* Allow certificate based requests to use larger buffer but not -- * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way -- * sss_packet_grow() works the packet len must be set to '0' first and -- * then grow to the expected size. */ -- if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT -- || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT) -- && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE -- && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) { -- sss_packet_set_len(packet, 0); -- ret = sss_packet_grow(packet, new_len); -- if (ret != EOK) { -- return ret; -- } -- /* Kerberos tickets can get pretty big; since Windows Server 2012, the -- * limit is 48 KiB! -- */ -- } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX) -- && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE -- && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) { -+ enum sss_cli_command cmd = sss_packet_get_cmd(packet); -+ size_t max_recv_size; -+ -+ /* Allow certain packet types to use a larger buffer. */ -+ switch (cmd) { -+ case SSS_NSS_GETNAMEBYCERT: -+ case SSS_NSS_GETLISTBYCERT: -+ max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE; -+ break; -+ -+ case SSS_GSSAPI_SEC_CTX: -+ max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE; -+ break; -+ -+ default: -+ max_recv_size = 0; -+ } -+ -+ /* Due to the way sss_packet_grow() works, the packet len must be set -+ * to 0 first, and then grown to the expected size. 
*/ -+ if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) { - sss_packet_set_len(packet, 0); - ret = sss_packet_grow(packet, new_len); - if (ret != EOK) { --- -2.26.3 - - -From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Wed, 7 Apr 2021 14:22:25 +0100 -Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to - assist with errors caused by overlarge packets - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/responder_packet.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c -index 523c9ddd4..01a4e640e 100644 ---- a/src/responder/common/responder_packet.c -+++ b/src/responder/common/responder_packet.c -@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd) - return ret; - } - } else { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)", -+ fd, new_len, cmd); - return EINVAL; - } - } --- -2.26.3 - - -From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Wed, 7 Apr 2021 14:23:03 +0100 -Subject: [PATCH 4/6] responder/common/responder_packet: further increase - packet size for SSS_GSSAPI_SEC_CTX - -Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB -provides extra overhead should that increase in the future. 
- -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/responder_packet.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h -index 70bf1e8d3..fd991969b 100644 ---- a/src/responder/common/responder_packet.h -+++ b/src/responder/common/responder_packet.h -@@ -26,7 +26,7 @@ - - #define SSS_PACKET_MAX_RECV_SIZE 1024 - #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE ) --#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 ) -+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 ) - - struct sss_packet; - --- -2.26.3 - - -From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Wed, 7 Apr 2021 19:59:45 +0100 -Subject: [PATCH 5/6] responder/common/responder_packet: remove some - unnecessary checks before growing packet - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/responder_packet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c -index 01a4e640e..c4b38f71b 100644 ---- a/src/responder/common/responder_packet.c -+++ b/src/responder/common/responder_packet.c -@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd) - - /* Due to the way sss_packet_grow() works, the packet len must be set - * to 0 first, and then grown to the expected size. 
*/ -- if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) { -+ if (new_len < max_recv_size) { - sss_packet_set_len(packet, 0); - ret = sss_packet_grow(packet, new_len); - if (ret != EOK) { --- -2.26.3 - - -From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Thu, 8 Apr 2021 19:09:33 +0100 -Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max - size - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/responder_packet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c -index c4b38f71b..f2223c665 100644 ---- a/src/responder/common/responder_packet.c -+++ b/src/responder/common/responder_packet.c -@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd) - - /* Due to the way sss_packet_grow() works, the packet len must be set - * to 0 first, and then grown to the expected size. */ -- if (new_len < max_recv_size) { -+ if (new_len <= max_recv_size) { - sss_packet_set_len(packet, 0); - ret = sss_packet_grow(packet, new_len); - if (ret != EOK) { --- -2.26.3 - diff --git a/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch b/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch deleted file mode 100644 index 71f3a00..0000000 --- a/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From e865b008aa8947efca0116deb95e29cc2309256f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 30 Mar 2021 15:31:17 +0200 -Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at -all for the given client. With this patch this case is handled as -expected as well. - -Resolves: https://github.com/SSSD/sssd/issues/5561 - -:fixes: `ad_gpo_implicit_deny` is now respected even if there are no - applicable GPOs present - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index b15e0f345..4ef6a7219 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) - } - } - -- ret = EOK; -+ if (state->gpo_implicit_deny == true) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "No applicable GPOs have been found and ad_gpo_implicit_deny" -+ " is set to 'true'. The user will be denied access.\n"); -+ ret = ERR_ACCESS_DENIED; -+ } else { -+ ret = EOK; -+ } -+ - goto done; - } - --- -2.26.3 - diff --git a/SOURCES/0054-sss_domain_info-add-not_found_counter.patch b/SOURCES/0054-sss_domain_info-add-not_found_counter.patch deleted file mode 100644 index 73653fb..0000000 --- a/SOURCES/0054-sss_domain_info-add-not_found_counter.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 5d65411f1aa16af929ae2271ee4d3d9101728a67 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 14 Apr 2021 17:22:06 +0200 -Subject: [PATCH 54/55] sss_domain_info: add not_found_counter -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This new counter should be used to track how often a domain could not be -found while discovering the environment so that it can be deleted after -a number of failed attempts. - -Resolves: https://github.com/SSSD/sssd/issues/5528 - -Reviewed-by: Pavel Březina ---- - src/confdb/confdb.c | 1 + - src/confdb/confdb.h | 4 ++++ - src/db/sysdb_subdomains.c | 2 ++ - 3 files changed, 7 insertions(+) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index cca76159b..c554edda0 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -1620,6 +1620,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - domain->view_name = NULL; - - domain->state = DOM_ACTIVE; -+ domain->not_found_counter = 0; - - *_domain = domain; - ret = EOK; -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 81b68a0f1..c6c2514f8 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -441,6 +441,10 @@ struct sss_domain_info { - char *gssapi_check_upn; /* true | false | NULL */ - /* List of indicators associated with the specific PAM service */ - char **gssapi_indicators_map; -+ -+ /* Counts how often the domain was not found during a refresh of the -+ * domain list */ -+ size_t not_found_counter; - }; - - /** -diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c -index e2381c8af..348f242d0 100644 ---- a/src/db/sysdb_subdomains.c -+++ b/src/db/sysdb_subdomains.c -@@ -193,6 +193,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, - dom->gssapi_services = parent->gssapi_services; - dom->gssapi_indicators_map = parent->gssapi_indicators_map; - -+ dom->not_found_counter = 0; -+ - if (parent->sysdb == NULL) { - DEBUG(SSSDBG_OP_FAILURE, 
"Missing sysdb context in parent domain.\n"); - goto fail; --- -2.26.3 - diff --git a/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch b/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch deleted file mode 100644 index c56e782..0000000 --- a/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch +++ /dev/null 
@@ -1,241 +0,0 @@ -From 95adf488f94f5968f6cfba9e3bef74c07c02ccff Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 16 Feb 2021 14:30:55 +0100 -Subject: [PATCH 55/55] AD: read trusted domains from local domain as well -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently SSSD only uses information stored in a domain controller of -the forest root domain to get the names of other trusted domains in the -forest. Depending on how the forest was created the forest root might -not have LDAP objects for all domains in the forest. It looks like a -typical case are child domains of other domains in the forest. - -As a start SSSD can now include trusted domains stored in the LDAP tree -of a local domain controller as well. In a long run it would make sense -to allow SSSD to explicitly search for domain by looking up DNS entries -and checking a potential domain controller with a CLDAP ping. - -Resolves: https://github.com/SSSD/sssd/issues/5528 - -:feature: Besides trusted domains known by the forest root, trusted - domains known by the local domain are used as well. - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------ - 1 file changed, 86 insertions(+), 19 deletions(-) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index f5b0be6c2..3eb49c93f 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -45,6 +45,7 @@ - #define AD_AT_TRUST_TYPE "trustType" - #define AD_AT_TRUST_PARTNER "trustPartner" - #define AD_AT_TRUST_ATTRS "trustAttributes" -+#define AD_AT_DOMAIN_NAME "cn" - - /* trustType=2 denotes uplevel (NT5 and later) trusted domains. 
See
- * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
-@@ -56,7 +57,6 @@
- */
- #define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
- #define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")"
--#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
-
- /* Attributes of schema objects. See e.g.
- * https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
-@@ -646,6 +646,10 @@ done:
- return ret;
- }
-
-+/* How many times we keep a domain not found during searches before it will be
-+ * removed. */
-+#define MAX_NOT_FOUND 6
-+
- static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
- struct sdap_idmap_ctx *idmap_ctx,
- struct sdap_options *opts,
-@@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
- }
-
- if (c >= num_subdomains) {
-+ DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n",
-+ dom->name);
-+ /* Since the forest root might not have trustedDomain objects for
-+ * each domain in the forest, especially e.g. for child-domains of
-+ * child-domains, we cannot reliable say if a domain is still
-+ * present or not.
-+ * Maybe it would work to check the crossRef objects in
-+ * CN=Partitions,CN=Configuration as well to understand if a
-+ * domain is still known in the forest or not.
-+ * For the time being we use a counter, if a domain was not found
-+ * after multiple attempts it will be deleted.
*/
-+
-+ if (dom->not_found_counter++ < MAX_NOT_FOUND) {
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Domain [%s] was not found [%zu] times.\n", dom->name,
-+ dom->not_found_counter);
-+ continue;
-+ }
-+
- /* ok this subdomain does not exist anymore, let's clean up */
- sss_domain_set_state(dom, DOM_DISABLED);
-
-@@ -740,6 +763,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
- /* terminate all requests for this subdomain so we can free it */
- dp_terminate_domain_requests(be_ctx->provider, dom->name);
- talloc_zfree(sdom);
-+
- } else {
- /* ok let's try to update it */
- ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate);
-@@ -747,6 +771,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
- goto done;
- }
-
-+ dom->not_found_counter = 0;
- ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain,
- subdomains[c], enumerate);
- if (ret) {
-@@ -1307,10 +1332,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
- struct tevent_req *req;
- struct sdap_options *opts;
- errno_t ret;
-- const char *filter;
- const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
- AD_AT_SID, AD_AT_TRUST_TYPE,
-- AD_AT_TRUST_ATTRS, NULL };
-+ AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
-
- req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
- if (req == NULL) {
-@@ -1335,15 +1359,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
- state->domain = domain;
- state->forest = forest;
-
-- filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
-- if (filter == NULL) {
-- ret = ENOMEM;
-- goto immediately;
-- }
--
- subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
- opts->sdom->search_bases,
-- NULL, false, 0, filter, attrs,
-+ NULL, false, 0,
-+ SLAVE_DOMAIN_FILTER, attrs,
- NULL);
- if (subreq == NULL) {
- ret = ENOMEM;
-@@ -1365,11 +1384,33 @@ immediately:
- return req;
- }
-
-+static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply,
-+ const char *dom_name)
-+{
-+ size_t c;
-+ const char
*name;
-+ int ret;
-+
-+ for (c = 0; c < count; c++) {
-+ ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping");
-+ continue;
-+ }
-+ if (strcasecmp(name, dom_name) == 0) {
-+ return reply[c];
-+ }
-+ }
-+
-+ return NULL;
-+}
-+
- static void ad_get_root_domain_done(struct tevent_req *subreq)
- {
- struct tevent_req *req;
- struct ad_get_root_domain_state *state;
- errno_t ret;
-+ bool has_changes = false;
-
- req = tevent_req_callback_data(subreq, struct tevent_req);
- state = tevent_req_data(req, struct ad_get_root_domain_state);
-@@ -1384,7 +1425,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- goto done;
- }
-
-- if (state->reply_count == 0) {
-+ find_domain(state->reply_count, state->reply, state->forest);
-+
-+ if (state->reply_count == 0
-+ || find_domain(state->reply_count, state->reply,
-+ state->forest) == NULL) {
-+
-+ if (state->reply_count > 0) {
-+ /* refresh the other domains we have found before checking forest
-+ * root */
-+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx,
-+ state->opts,
-+ state->reply, state->reply_count, false,
-+ &state->sd_ctx->last_refreshed,
-+ &has_changes);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "ad_subdomains_refresh failed [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ if (has_changes) {
-+ ret = ad_subdom_reinit(state->sd_ctx);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not reinitialize subdomains\n");
-+ goto done;
-+ }
-+ }
-+ }
-+
- DEBUG(SSSDBG_OP_FAILURE,
- "No information provided for root domain, trying directly.\n");
- subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
-@@ -1397,11 +1468,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- }
- tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
- return;
-- } else if (state->reply_count > 1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Multiple
results for root domain search, "
-- "domain list might be incomplete!\n");
-- ret = ERR_MALFORMED_ENTRY;
-- goto done;
- }
-
- ret = ad_get_root_domain_refresh(state);
-@@ -1519,7 +1585,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
- errno_t ret;
-
- ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
-- state->reply, state->reply_count, true,
-+ state->reply, state->reply_count, false,
- &state->sd_ctx->last_refreshed,
- &has_changes);
- if (ret != EOK) {
-@@ -1536,8 +1602,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
- }
- }
-
-- state->root_domain_attrs = state->reply[0];
-- root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
-+ state->root_domain_attrs = find_domain(state->reply_count, state->reply,
-+ state->forest);
-+ root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs);
- if (root_domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
- ret = EFAULT;
---
-2.26.3
-
diff --git a/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch b/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
deleted file mode 100644
index 91227f1..0000000
--- a/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 12 Mar 2021 14:38:54 +0100 -Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When checking if a group returned by an initgroups request is filtered -in the negative cache the domain of the user was used. This does not -work reliable if the user can be a member of groups from multiple -domains. - -With this patch th domain the group belongs to is determined and used -while checking the negative cache. - -Resolves: https://github.com/SSSD/sssd/issues/5534 - -Reviewed-by: Pavel Březina ---- - src/db/sysdb.c | 22 ++++++++++++++++++++++ - src/db/sysdb.h | 7 +++++++ - src/responder/nss/nss_protocol_grent.c | 8 +++++--- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/src/db/sysdb.c b/src/db/sysdb.c -index 693f687be..6001c49cb 100644 ---- a/src/db/sysdb.c -+++ b/src/db/sysdb.c -@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level, - fmt, ap); - } - } -+ -+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom, -+ struct ldb_message *msg) -+{ -+ const char *name; -+ struct sss_domain_info *obj_dom = NULL; -+ -+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -+ if (name == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Object does not have a name attribute.\n"); -+ return dom; -+ } -+ -+ obj_dom = find_domain_by_object_name(get_domains_head(dom), name); -+ if (obj_dom == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name); -+ return dom; -+ } -+ -+ return obj_dom; -+} -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index a00efa55f..37a2c4124 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, - void ldb_debug_messages(void *context, enum ldb_debug_level level, 
- const char *fmt, va_list ap);
-
-+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
-+ * return the matching sss_domain_info. This should work reliable with user
-+ * and group objects since fully-qualified names are used here. If the proper
-+ * domain cannot be detected the given domain is returned. */
-+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
-+ struct ldb_message *msg);
-+
- #endif /* __SYS_DB_H__ */
-diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
-index 135b392f7..f6e00eb10 100644
---- a/src/responder/nss/nss_protocol_grent.c
-+++ b/src/responder/nss/nss_protocol_grent.c
-@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- struct cache_req_result *result)
- {
- struct sss_domain_info *domain;
-+ struct sss_domain_info *grp_dom;
- struct ldb_message *user;
- struct ldb_message *msg;
- struct ldb_message *primary_group_msg;
-@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- num_results = 0;
- for (i = 1; i < result->count; i++) {
- msg = result->msgs[i];
-- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
-+ grp_dom = find_domain_by_msg(domain, msg);
-+ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
- 0);
- posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
-- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
-+ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
- NULL);
-
- if (gid == 0) {
-@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
- }
- }
-
-- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
-+ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
- continue;
- }
-
---
-2.26.3
-
diff --git a/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch b/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
deleted file mode 100644
index 4227dc5..0000000
--- a/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
+++ /dev/null
@@ -1,198 +0,0 @@ -From 0cddb67128edc86be4163489e29eaa3c4e123b7b Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 12 Mar 2021 19:27:12 +0100 -Subject: [PATCH] DEBUG: introduce SSSDBG_TOOLS_DEFAULT -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/5488 - -Reviewed-by: Tomáš Halman ---- - src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +- - src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +- - src/tools/common/sss_tools.c | 2 +- - src/tools/sss_cache.c | 2 +- - src/tools/sss_groupadd.c | 2 +- - src/tools/sss_groupdel.c | 2 +- - src/tools/sss_groupmod.c | 2 +- - src/tools/sss_groupshow.c | 2 +- - src/tools/sss_seed.c | 2 +- - src/tools/sss_useradd.c | 2 +- - src/tools/sss_userdel.c | 2 +- - src/tools/sss_usermod.c | 2 +- - src/util/debug.h | 1 + - 13 files changed, 13 insertions(+), 12 deletions(-) - -diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c -index e356f28c3..324e5e3a3 100644 ---- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c -+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c -@@ -32,7 +32,7 @@ - int main(int argc, const char **argv) - { - TALLOC_CTX *mem_ctx = NULL; -- int pc_debug = SSSDBG_FATAL_FAILURE; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - const char *pc_domain = NULL; - const char *pc_user = NULL; - struct poptOption long_options[] = { -diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -index 3cd12b480..170ba30a3 100644 ---- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -@@ -174,7 +174,7 @@ connect_proxy_command(char **args) - int main(int argc, const char **argv) - { - TALLOC_CTX *mem_ctx = NULL; -- int pc_debug = SSSDBG_FATAL_FAILURE; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - int pc_port = 22; - const char *pc_domain = NULL; - const char *pc_host = NULL; -diff --git 
a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 368d09ae2..637e251f6 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -56,7 +56,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, - int *argc, const char **argv) - { - poptContext pc; -- int debug = SSSDBG_DEFAULT; -+ int debug = SSSDBG_TOOLS_DEFAULT; - int orig_argc = *argc; - int help = 0; - -diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c -index cea900bf1..b5391b16d 100644 ---- a/src/tools/sss_cache.c -+++ b/src/tools/sss_cache.c -@@ -709,7 +709,7 @@ static errno_t init_context(int argc, const char *argv[], - struct cache_tool_ctx *ctx = NULL; - int idb = INVALIDATE_NONE; - struct input_values values = { 0 }; -- int debug = SSSDBG_DEFAULT; -+ int debug = SSSDBG_TOOLS_DEFAULT; - errno_t ret = EOK; - - poptContext pc = NULL; -diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c -index f71d6dde7..91559116d 100644 ---- a/src/tools/sss_groupadd.c -+++ b/src/tools/sss_groupadd.c -@@ -34,7 +34,7 @@ - int main(int argc, const char **argv) - { - gid_t pc_gid = 0; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - struct poptOption long_options[] = { - POPT_AUTOHELP - { "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, -diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c -index 5dcc2056d..e64441758 100644 ---- a/src/tools/sss_groupdel.c -+++ b/src/tools/sss_groupdel.c -@@ -33,7 +33,7 @@ - int main(int argc, const char **argv) - { - int ret = EXIT_SUCCESS; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - const char *pc_groupname = NULL; - struct tools_ctx *tctx = NULL; - -diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c -index eddc7034a..8770b6684 100644 ---- a/src/tools/sss_groupmod.c -+++ b/src/tools/sss_groupmod.c -@@ -35,7 +35,7 @@ - int main(int argc, const char **argv) - { - gid_t pc_gid = 0; -- int pc_debug = SSSDBG_DEFAULT; -+ 
int pc_debug = SSSDBG_TOOLS_DEFAULT; - struct poptOption long_options[] = { - POPT_AUTOHELP - { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, -diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c -index 7b0fbe117..aa618eecb 100644 ---- a/src/tools/sss_groupshow.c -+++ b/src/tools/sss_groupshow.c -@@ -654,7 +654,7 @@ static void print_recursive(struct group_info **group_members, unsigned level) - int main(int argc, const char **argv) - { - int ret = EXIT_SUCCESS; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - bool pc_recursive = false; - const char *pc_groupname = NULL; - struct tools_ctx *tctx = NULL; -diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c -index 1189604a3..17ba81956 100644 ---- a/src/tools/sss_seed.c -+++ b/src/tools/sss_seed.c -@@ -460,7 +460,7 @@ static int seed_init(TALLOC_CTX *mem_ctx, - struct seed_ctx **_sctx) - { - TALLOC_CTX *tmp_ctx = NULL; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - const char *pc_domain = NULL; - const char *pc_name = NULL; - uid_t pc_uid = 0; -diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c -index ca2cbd6c1..fa1091ec8 100644 ---- a/src/tools/sss_useradd.c -+++ b/src/tools/sss_useradd.c -@@ -38,7 +38,7 @@ int main(int argc, const char **argv) - const char *pc_gecos = NULL; - const char *pc_home = NULL; - char *pc_shell = NULL; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - int pc_create_home = 0; - const char *pc_username = NULL; - const char *pc_skeldir = NULL; -diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c -index bd703fd2e..60bb0f835 100644 ---- a/src/tools/sss_userdel.c -+++ b/src/tools/sss_userdel.c -@@ -125,7 +125,7 @@ int main(int argc, const char **argv) - struct tools_ctx *tctx = NULL; - const char *pc_username = NULL; - -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - int pc_remove = 0; - int pc_force = 0; - int pc_kick = 0; 
-diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c -index 6a818f13a..0f3230d27 100644 ---- a/src/tools/sss_usermod.c -+++ b/src/tools/sss_usermod.c -@@ -40,7 +40,7 @@ int main(int argc, const char **argv) - char *pc_gecos = NULL; - char *pc_home = NULL; - char *pc_shell = NULL; -- int pc_debug = SSSDBG_DEFAULT; -+ int pc_debug = SSSDBG_TOOLS_DEFAULT; - const char *pc_selinux_user = NULL; - struct poptOption long_options[] = { - POPT_AUTOHELP -diff --git a/src/util/debug.h b/src/util/debug.h -index a3adfe576..54a7e3934 100644 ---- a/src/util/debug.h -+++ b/src/util/debug.h -@@ -108,6 +108,7 @@ int rotate_debug_files(void); - #define SSSDBG_INVALID -1 - #define SSSDBG_UNRESOLVED 0 - #define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE) -+#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE) - - - /** \def DEBUG(level, format, ...) --- -2.26.3 - diff --git a/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch b/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch deleted file mode 100644 index 36eb7d8..0000000 --- a/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From fbf33babe3fb52323f098aa300b51bf8fc5ee363 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 19 May 2021 17:20:52 +0200 -Subject: [PATCH] TOOLS: removed unneeded debug message -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This message was logged before `sss_tool_init()` that sets debug level, -thus ignoring configured debug level. - -Since the same message is printed via `ERROR` on a next line, this log -message doesn't add any information and can be simply removed. - -Reviewed-by: Tomáš Halman ---- - src/tools/common/sss_tools.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 637e251f6..806667f46 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -512,7 +512,6 @@ int sss_tool_main(int argc, const char **argv, - - uid = getuid(); - if (uid != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid); - ERROR("%1$s must be run as root\n", argv[0]); - return EXIT_FAILURE; - } --- -2.26.3 - diff --git a/SOURCES/0059-TOOLS-replace-system-with-execvp.patch b/SOURCES/0059-TOOLS-replace-system-with-execvp.patch deleted file mode 100644 index 5717cee..0000000 --- a/SOURCES/0059-TOOLS-replace-system-with-execvp.patch +++ /dev/null 
@@ -1,277 +0,0 @@ -From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 18 Jun 2021 13:17:19 +0200 -Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of - user supplied command - -A flaw was found in SSSD, where the sssctl command was vulnerable -to shell command injection via the logs-fetch and cache-expire -subcommands. This flaw allows an attacker to trick the root user -into running a specially crafted sssctl command, such as via sudo, -to gain root access. The highest threat from this vulnerability is -to confidentiality, integrity, as well as system availability. - -:fixes: CVE-2021-3621 ---- - src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- - src/tools/sssctl/sssctl.h | 2 +- - src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- - src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- - 4 files changed, 73 insertions(+), 57 deletions(-) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index 2997dbf96..8adaf3091 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, - return SSSCTL_PROMPT_ERROR; - } - --errno_t sssctl_run_command(const char *command) -+errno_t sssctl_run_command(const char *const argv[]) - { - int ret; -+ int wstatus; - -- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); -+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); - -- ret = system(command); -+ ret = fork(); - if (ret == -1) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); - ERROR("Error while executing external command\n"); - return EFAULT; -- } else if (WEXITSTATUS(ret) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", -- command, WEXITSTATUS(ret)); -+ } -+ -+ if (ret == 0) { -+ /* cast is safe - see -+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html -+ "The statement about argv[] and envp[] being constants ... 
" -+ */ -+ execvp(argv[0], discard_const_p(char * const, argv)); - ERROR("Error while executing external command\n"); -- return EIO; -+ _exit(1); -+ } else { -+ if (waitpid(ret, &wstatus, 0) == -1) { -+ ERROR("Error while executing external command '%s'\n", argv[0]); -+ return EFAULT; -+ } else if (WEXITSTATUS(wstatus) != 0) { -+ ERROR("Command '%s' failed with [%d]\n", -+ argv[0], WEXITSTATUS(wstatus)); -+ return EIO; -+ } - } - - return EOK; -@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) - #elif defined(HAVE_SERVICE) - switch (action) { - case SSSCTL_SVC_START: -- return sssctl_run_command(SERVICE_PATH" sssd start"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); - case SSSCTL_SVC_STOP: -- return sssctl_run_command(SERVICE_PATH" sssd stop"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); - case SSSCTL_SVC_RESTART: -- return sssctl_run_command(SERVICE_PATH" sssd restart"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); - } - #endif - -diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h -index 0115b2457..599ef6519 100644 ---- a/src/tools/sssctl/sssctl.h -+++ b/src/tools/sssctl/sssctl.h -@@ -47,7 +47,7 @@ enum sssctl_prompt_result - sssctl_prompt(const char *message, - enum sssctl_prompt_result defval); - --errno_t sssctl_run_command(const char *command); -+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ - bool sssctl_start_sssd(bool force); - bool sssctl_stop_sssd(bool force); - bool sssctl_restart_sssd(bool force); -diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c -index 8d79b977f..bf2291341 100644 ---- a/src/tools/sssctl/sssctl_data.c -+++ b/src/tools/sssctl/sssctl_data.c -@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) - } - } - -- ret = sssctl_run_command("sss_override user-export " -- 
SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export user overrides\n"); - return ret; - } - -- ret = sssctl_run_command("sss_override group-export " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export group overrides\n"); - return ret; -@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override user-import " -- SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import user overrides\n"); - return ret; -@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override group-import " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import group overrides\n"); - return ret; -@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, - void *pvt) - { - errno_t ret; -- char *cmd_args = NULL; -- const char *cachecmd = SSS_CACHE; -- char *cmd = NULL; -- int i; -- -- if (cmdline->argc == 0) { -- ret = sssctl_run_command(cachecmd); -- goto done; -- } - -- cmd_args = talloc_strdup(tool_ctx, ""); -- if (cmd_args == NULL) { -- ret = ENOMEM; -- goto done; -+ const char **args = talloc_array_size(tool_ctx, -+ sizeof(char *), -+ cmdline->argc + 2); -+ if (!args) { -+ return ENOMEM; - } -+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); -+ 
args[0] = SSS_CACHE; -+ args[cmdline->argc + 1] = NULL; - -- for (i = 0; i < cmdline->argc; i++) { -- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); -- if (i != cmdline->argc - 1) { -- cmd_args = talloc_strdup_append(cmd_args, " "); -- } -- } -- -- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); -- if (cmd == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = sssctl_run_command(cmd); -- --done: -- talloc_free(cmd_args); -- talloc_free(cmd); -+ ret = sssctl_run_command(args); - -+ talloc_free(args); - return ret; - } -diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c -index 9ff2be05b..ebb2c4571 100644 ---- a/src/tools/sssctl/sssctl_logs.c -+++ b/src/tools/sssctl/sssctl_logs.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #include "util/util.h" - #include "tools/common/sss_process.h" -@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - { - struct sssctl_logs_opts opts = {0}; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. 
*/ - struct poptOption options[] = { -@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - - sss_signal(SIGHUP); - } else { -+ globbuf.gl_offs = 4; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; -+ } -+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); -+ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); -+ globbuf.gl_pathv[3] = discard_const_p(char, "0"); -+ - PRINT("Truncating log files...\n"); -- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to truncate log files\n"); - return ret; -@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - void *pvt) - { - const char *file; -- const char *cmd; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. */ - ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, -@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - return ret; - } - -- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); -- if (cmd == NULL) { -- ERROR("Out of memory!"); -+ globbuf.gl_offs = 3; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; - } -+ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); -+ globbuf.gl_pathv[2] = discard_const_p(char, file); - - PRINT("Archiving log files into %s...\n", file); -- ret = sssctl_run_command(cmd); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to archive log files\n"); - return ret; --- -2.26.3 - 
diff --git a/SOURCES/0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec b/SOURCES/0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec deleted file mode 100644 index f24afe3..0000000 --- a/SOURCES/0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec +++ /dev/null @@ -1,26 +0,0 @@ -From 8d38a4b28ab7af15406b244910f369ba1aff02db Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Thu, 30 Oct 2014 15:59:17 +0100 -Subject: [PATCH 93/93] NOUPSTREAM: Default to root if sssd user is not - specified - ---- - src/monitor/monitor.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index 0dea327213a1ad04b6f69c0ffb0fb87254420796..20b4aef4ee94fd42de1585d7d7c2e01ea01845ac 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -925,7 +925,7 @@ static int get_service_user(struct mt_ctx *ctx) - - ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY, - CONFDB_MONITOR_USER_RUNAS, -- SSSD_USER, &user_str); -+ "root", &user_str); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n"); - return ret; --- -1.9.3 - diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 95c25f5..fed7aa1 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -1,5 +1,5 @@ # we don't want to provide private python extension libs -%define __provides_exclude_from %{python3_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$ +%define __provides_exclude_from %{python3_sitearch}/.*\.so$ # SSSD fails to build with -Wl,-z,defs %undefine _strict_symbol_defs_build 
@@ -17,88 +17,21 @@ %global enable_systemtap 1 %global enable_systemtap_opt --enable-systemtap -%global libwbc_alternatives_version 0.14 -%global libwbc_lib_version %{libwbc_alternatives_version}.0 -%global libwbc_alternatives_suffix %nil -%if 0%{?__isa_bits} == 64 -%global libwbc_alternatives_suffix -64 -%endif - Name: sssd -Version: 2.4.0 -Release: 9%{?dist}.2 +Version: 2.5.2 +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ -URL: https://pagure.io/SSSD/sssd/ -Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz +URL: https://github.com/SSSD/sssd +Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch -Patch0002: 0002-KCM-perf-improvements.patch -Patch0003: 0003-DEBUG-journal_send-was-made-static.patch -Patch0004: 0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch -Patch0005: 0005-negcache-make-sure-domain-config-does-not-leak-into-.patch -Patch0006: 0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch -Patch0007: 0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch -Patch0008: 0008-negcache-do-not-use-default_domain_suffix.patch -Patch0009: 0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch -Patch0010: 0010-nss-check-if-groups-are-filtered-during-initgroups.patch -Patch0011: 0011-ifp-fix-use-after-free.patch -Patch0012: 0012-ifp-fix-original-fix-use-after-free.patch -Patch0013: 0013-pam_sss-use-unique-id-for-gdm-choice-list.patch -Patch0014: 0014-authtok-add-label-to-Smartcard-token.patch -Patch0015: 0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch -Patch0016: 0016-add-tests-multiple-certs-same-id.patch -Patch0017: 0017-data_provider_be-Add-random-offset-default.patch -Patch0018: 0018-data_provider_be-MAN-page-update.patch -Patch0019: 0019-logs-review.patch -Patch0020: 0020-sss_format.h-include-config.h.patch 
-Patch0021: 0021-packet-add-sss_packet_set_body.patch -Patch0022: 0022-domain-store-hostname-and-keytab-path.patch -Patch0023: 0023-cache_req-add-helper-to-call-user-by-upn-search.patch -Patch0024: 0024-pam-fix-typo-in-debug-message.patch -Patch0025: 0025-pam-add-pam_gssapi_services-option.patch -Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch -Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch -Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch -Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch -Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch -Patch0031: 0031-autofs-disable-fast-reply.patch -Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch -Patch0033: 0033-configure-check-for-stdatomic.h.patch -Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch -Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch -Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch -Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch -Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch -Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch -Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch -Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch -Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch -Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch -Patch0044: 0044-pam_sss_gss-support-authentication-indicators.patch -Patch0045: 0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch -Patch0046: 0046-ldap-fix-modifytimestamp-debugging-leftovers.patch -Patch0047: 0047-ssh-restore-default-debug-level.patch -Patch0048: 0048-pot-update-pot-files.patch -Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch -Patch0050: 0050-pot-update-pot-files.patch -Patch0051: 0051-po-update-translations.patch 
-Patch0052: 0052-handle-large-service-tickets.patch -Patch0053: 0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch -Patch0054: 0054-sss_domain_info-add-not_found_counter.patch -Patch0055: 0055-AD-read-trusted-domains-from-local-domain-as-well.patch -Patch0056: 0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch -Patch0057: 0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch -Patch0058: 0058-TOOLS-removed-unneeded-debug-message.patch -Patch0059: 0059-TOOLS-replace-system-with-execvp.patch +Patch0001: 0001-TOOLS-replace-system-with-execvp.patch +Patch0002: 0002-po-update-translations.patch ### Downstream Patches ### -#This patch should not be removed in RHEL-8 -Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec - ### Dependencies ### Requires: sssd-common = %{version}-%{release} @@ -184,7 +117,6 @@ BuildRequires: systemtap-sdt-devel BuildRequires: libuuid-devel BuildRequires: jansson-devel BuildRequires: gdm-pam-extensions-devel -BuildRequires: po4a %description Provides a set of daemons to manage access to remote directories and @@ -203,6 +135,8 @@ License: GPLv3+ # Conflicts Conflicts: selinux-policy < 3.10.0-46 Conflicts: sssd < 1.10.0-8%{?dist}.beta2 +# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5 +Obsoletes: sssd-libwbclient < 2.5.0 # Requires # Explicitly require RHEL-8.0 versions of the Samba libraries # in order to prevent untested combinations of a new SSSD and @@ -404,7 +338,6 @@ Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Recommends: adcli -Suggests: sssd-libwbclient = %{version}-%{release} Suggests: sssd-winbind-idmap = %{version}-%{release} %description ad 
@@ -547,27 +480,6 @@ Requires: libsss_simpleifp = %{version}-%{release} %description -n libsss_simpleifp-devel Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. -%package libwbclient -Summary: The SSSD libwbclient implementation -Group: Applications/System -License: GPLv3+ and LGPLv3+ -Requires: libsss_nss_idmap = %{version}-%{release} -Conflicts: libwbclient < 4.2.0-0.2.rc2 -Conflicts: sssd-common < %{version}-%{release} - -%description libwbclient -The SSSD libwbclient implementation. - -%package libwbclient-devel -Summary: Development libraries for the SSSD libwbclient implementation -Group: Development/Libraries -License: GPLv3+ and LGPLv3+ -Requires: sssd-libwbclient = %{version}-%{release} -Conflicts: libwbclient-devel < 4.2.0-0.2.rc2 - -%description libwbclient-devel -Development libraries for the SSSD libwbclient implementation. - %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind Group: Applications/System @@ -662,7 +574,6 @@ autoreconf -ivf --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ --disable-static \ --with-crypto=libcrypto \ - --with-libwbclient \ --disable-rpath \ --with-initscript=systemd \ --with-syslog=journald \ @@ -677,7 +588,7 @@ autoreconf -ivf make %{?_smp_mflags} all docs make -C po ja.gmo make -C po fr.gmo -make -C po zh_CN.gmo +make -C po zh_CN.po %check export CK_TIMEOUT_MULTIPLIER=10 @@ -690,12 +601,6 @@ sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate make install DESTDIR=$RPM_BUILD_ROOT -if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ] -then - echo "Expected libwbclient version not found, please check if version has changed." - exit -1 -fi - # Prepare language files /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd 
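Review bot: In the `@@ -677,7 +588,7 @@` hunk, `make -C po zh_CN.po` no longer matches the `ja.gmo` and `fr.gmo` targets on the two lines before it. The build step therefore stops compiling the Simplified Chinese catalogue explicitly and runs the rule for the `.po` source instead. If that is deliberate, presumably to refresh the catalogue against the updated template, a one-line comment above the three `make -C po` lines should say so, for example `# zh_CN: regenerate the .po only; the .gmo is built by <step>`. If it is not deliberate, the target should stay `zh_CN.gmo`. The build section starts outside the hunk.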
@@ -894,7 +799,7 @@ done %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd -%{_sysconfdir}/pam.d/sssd-shadowutils +%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf @@ -1098,18 +1003,6 @@ done %defattr(-,root,root,-) %{python3_sitearch}/pyhbac.so -%files libwbclient -%defattr(-,root,root,-) -%dir %{_libdir}/%{name} -%dir %{_libdir}/%{name}/modules -%{_libdir}/%{name}/modules/libwbclient.so.* - -%files libwbclient-devel -%defattr(-,root,root,-) -%{_includedir}/wbclient_sssd.h -%{_libdir}/%{name}/modules/libwbclient.so -%{_libdir}/pkgconfig/wbclient_sssd.pc - %files winbind-idmap -f sssd_winbind_idmap.lang %dir %{_libdir}/samba/idmap %{_libdir}/samba/idmap/sss.so 
@@ -1250,42 +1143,68 @@ fi %posttrans common %systemd_postun_with_restart sssd.service -%posttrans libwbclient -%{_sbindir}/update-alternatives \ - --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5 -/sbin/ldconfig - -%preun libwbclient -%{_sbindir}/update-alternatives \ - --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} -/sbin/ldconfig - -%posttrans libwbclient-devel -%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \ - libwbclient.so%{libwbc_alternatives_suffix} \ - %{_libdir}/%{name}/modules/libwbclient.so 5 - -%preun libwbclient-devel -%{_sbindir}/update-alternatives --remove \ - libwbclient.so%{libwbc_alternatives_suffix} \ - %{_libdir}/%{name}/modules/libwbclient.so - %changelog -* Tue Jul 27 2021 Alexey Tikhonov - 2.4.0-9.2 -- Resolves: rhbz#1985456 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8.4.0.z] - -* Mon May 24 2021 Alexey Tikhonov - 2.4.0-9.1 -- Resolves: rhbz#1949170 - pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z] -- Resolves: rhbz#1945656 - No gpo found and ad_gpo_implicit_deny set to True still permits user login [rhel-8.4.0.z] -- Resolves: rhbz#1945655 - SSSD not detecting subdomain from AD forest (RHEL 8.3) [rhel-8.4.0.z] -- Resolves: rhbz#1945654 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-8.4.0.z] -- Resolves: rhbz#1942438 - Wrong default debug level of sssd tools [rhel-8.4.0.z] - -* Fri Mar 19 2021 Alexey Tikhonov - 2.4.0-9 -- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization +* Mon Aug 02 2021 Alexey Tikhonov - 2.5.2-2 +- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] +- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 
Tier 0 Localization + +* Mon Jul 12 2021 Alexey Tikhonov - 2.5.2-1 +- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 +- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU +- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` +- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling +- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address +- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group +- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade + +* Mon Jun 21 2021 Alexey Tikhonov - 2.5.1-2 +- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken +- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument +- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) + +* Tue Jun 08 2021 Alexey Tikhonov - 2.5.1-1 +- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 +- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools +- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory +- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file +- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout +- Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests +- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust +- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection +- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found +- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group +- Resolves: rhbz#1879869 - sudo 
commands incorrectly exports the KRB5CCNAME environment variable +- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. +- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf + +* Mon May 10 2021 Alexey Tikhonov - 2.5.0-1 +- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 +- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 +- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools +- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging +- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets +- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace +- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR +- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. +- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs +- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path +- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm +- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries +- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection +- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries +- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries +- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. 
+- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable +- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used +- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() +- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen +- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page +- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page +- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp +- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) +- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 +- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login +- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive * Fri Feb 12 2021 Alexey Tikhonov - 2.4.0-8 - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss @@ -1445,10 +1364,10 @@ fi * Thu Dec 19 2019 Michal Židek - 2.2.3-8 -* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect +* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect * Thu Dec 19 2019 Michal Židek - 2.2.3-7 -* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect +* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect * Sun Dec 15 2019 Michal Židek - 2.2.3-6 * Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized 
@@ -1504,7 +1423,7 @@ fi * Sun Aug 18 2019 Michal Židek - 2.2.0-13 - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the - systemd-user service in the account phase in RHEL-8 + systemd-user service in the account phase in RHEL-8 * Sun Aug 18 2019 Michal Židek - 2.2.0-12 - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets @@ -1552,11 +1471,11 @@ fi * Fri Jun 14 2019 Michal Židek - 2.2.0-1 - Resolves: rhbz#1687281 - Rebase sssd in RHEL-8.1 to the latest upstream release + Rebase sssd in RHEL-8.1 to the latest upstream release * Wed Jun 12 2019 Michal Židek - 2.1.0-1 - Resolves: rhbz#1687281 - Rebase sssd in RHEL-8.1 to the latest upstream release + Rebase sssd in RHEL-8.1 to the latest upstream release * Thu May 30 2019 Michal Židek - 2.0.0-45 - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is @@ -1607,14 +1526,14 @@ fi * Mon Dec 17 2018 Michal Židek - 2.0.0-32 - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc - and libtevent to avoid an issue in GPO processing + and libtevent to avoid an issue in GPO processing * Sun Dec 16 2018 Michal Židek - 2.0.0-31 - Resolves: 1658813 - PKINIT with KCM does not work * Sun Dec 16 2018 Michal Židek - 2.0.0-30 - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to - retrieve AD users through IPA Trust + retrieve AD users through IPA Trust * Sun Dec 16 2018 Michal Židek - 2.0.0-29 - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise():