.copr/Makefile

+srpm:
+	dnf -y install git rpm-build dnf-plugins-core libldb-devel
+	./contrib/fedora/make_srpm.sh --output $(outdir)

.travis.yml

+language: c
+compiler: gcc
+sudo: required
+dist: trusty
+
+services:
+  - docker
+
+addons:
+  apt:
+    packages:
+    - bash
+    - tar
+    - bzip2
+
+env:
+  global:
+    # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
+    # via the "travis encrypt" command using the project repo's public key
+      - secure: "gD4XB/tAquGTUFGvQ4+a+K9EbemQtyZs0Py+r7+HAEQ7h/B+fwwRX1h5bGzMUjyCUJ88u28wdRZ0TNxIiEVXuSi/0Ia9BOvdS9YurXdpZc7ha1OpYnJd1tYwxGrgozKW9qXB3R6XZmlcxVGzIHF3fwK9a1p+rNDUihWhasqeAPFFI3IhQhwDIIxO3paRGvHHO0UNlw0+lpgsiQLYIYFWYjHqq2voZ1UlV4Ga7LSP1Yh8F38hDSMk7ykSLedsV1kqxh3zky8p5fLSbDRI1y7PLNBYD63LagUCEk1o3nF+hF0l3nRfEApFJKUhBfccgNc2mdXbBdDxDCnwiArbTXQNxI2Iml85UJ/I5/CS3uE437A3H7ZdvL51w2592JGNMEwq9pxGK3vxcN8g/Yn2Xoo1F2KTVHBexT44LEnS0ADRj5K8AfDsyIUz/rB9+N05k5WXtqcDWblpC5gfD0nk3WQnpmc8hjeI2B9RTFTa3ydA4I5wfABkGfNARH39RxK10d+b176U8x3z05p/PgyraAYKi2kFpA3ha5fw9o1CIqcd5OpUcIWrIo5+FG8hYgtcIG+65PSOHz6gGVZkpZyR4vqIuHIfw4jdi68d6LfoophdhjuFSDTuwgXXGQNjdaYQSpeoZ5Gm9hvHbasabqIBpOfDo/Yjq6up20byvmDaGtoeojI="
+
+before_install:
+  - ./.travis/travis-docker-build.sh
+
+script:
+  - docker run -e COVERITY_SCAN_TOKEN=$COVERITY_SCAN_TOKEN --rm sssd/sssd

.travis/travis-docker-build.sh

+#!/bin/bash
+
+set -e
+
+# Create an archive of the current checkout
+TARBALL=`mktemp -p . tarball-XXXXXX.tar.bz2`
+git ls-files |xargs tar cfj $TARBALL .git
+
+sudo docker build -f Dockerfile.deps -t sssd/sssd-deps .
+
+sudo docker build -t sssd/sssd --build-arg TARBALL=$TARBALL .
+
+rm -f $TARBALL
+
+exit 0

.travis/travis-tasks.sh

+#!/bin/bash
+
+#Exit on failures
+set -e
+
+pushd /builddir/
+
+# We have to define the _Float* types as those are not defined by coverity and as result
+# the codes linking agains those (pretty much anything linking against stdlib.h and math.h)
+# won't be covered.
+echo "#define _Float128 long double" > /tmp/coverity.h
+echo "#define _Float64x long double" >> /tmp/coverity.h
+echo "#define _Float64 double" >> /tmp/coverity.h
+echo "#define _Float32x double" >> /tmp/coverity.h
+echo "#define _Float32 float" >> /tmp/coverity.h
+
+# The coverity scan script returns an error despite succeeding...
+ CFLAGS="${CFLAGS:- -include /tmp/coverity.h}" \
+ TRAVIS_BRANCH="${TRAVIS_BRANCH:-master}" \
+ COVERITY_SCAN_PROJECT_NAME="${COVERITY_SCAN_PROJECT_NAME:-SSSD/sssd}" \
+ COVERITY_SCAN_NOTIFICATION_EMAIL="${COVERITY_SCAN_NOTIFICATION_EMAIL:-sssd-maint@redhat.com}" \
+ COVERITY_SCAN_BUILD_COMMAND_PREPEND="${COVERITY_SCAN_BUILD_COMMAND_PREPEND:-source contrib/fedora/bashrc_sssd && reconfig}" \
+ COVERITY_SCAN_BUILD_COMMAND="${COVERITY_SCAN_BUILD_COMMAND:-make all check TESTS= }" \
+ COVERITY_SCAN_BRANCH_PATTERN=${COVERITY_SCAN_BRANCH_PATTERN:-master} \
+ /usr/bin/travisci_build_coverity_scan.sh ||:
+
+popd #builddir

Dockerfile

+FROM sssd/sssd-deps
+
+MAINTAINER SSSD Maintainers <sssd-maint@redhat.com>
+
+ARG TARBALL
+
+RUN  echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca- && curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh -o /usr/bin/travisci_build_coverity_scan.sh && chmod a+x /usr/bin/travisci_build_coverity_scan.sh
+
+ADD $TARBALL /builddir/
+
+ENTRYPOINT /builddir/.travis/travis-tasks.sh

Dockerfile.deps

+FROM fedora:latest
+
+MAINTAINER SSSD Maintainers <sssd-maint@redhat.com>
+
+ARG TARBALL
+
+RUN dnf -y install git openssl sudo curl wget ruby rubygems "rubygem(json)" wget rpm-build dnf-plugins-core libldb-devel && \
+    git clone --depth=50 --branch=master https://github.com/SSSD/sssd.git /tmp/sssd && \
+    cd /tmp/sssd && \
+    ./contrib/fedora/make_srpm.sh && \
+    dnf builddep -y rpmbuild/SRPMS/sssd-*.src.rpm && \
+    dnf -y clean all

Makefile.am

@@ -21,7 +21,7 @@ if HAVE_MANPAGES
 SUBDIRS += src/man
 endif
 
-SUBDIRS += . src/tests/cwrap src/tests/intg
+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
 
 # Some old versions of automake don't define builddir
 builddir ?= .
@@ -175,7 +175,6 @@ endif
 if BUILD_SEMANAGE
 sssdlibexec_PROGRAMS += selinux_child
 endif
-if HAVE_NSS
 sssdlibexec_PROGRAMS += p11_child
 if SSSD_USER
 if HAVE_POLKIT_RULES_D
@@ -183,7 +182,6 @@ polkit_rulesdir = $(polkitdir)
 dist_polkit_rules_DATA = contrib/sssd-pcsc.rules
 endif
 endif
-endif
 if BUILD_SECRETS
 sssdlibexec_PROGRAMS += sssd_secrets
 endif
@@ -275,6 +273,7 @@ if HAVE_CMOCKA
         test_sbus_opath \
         test_fo_srv \
         pam-srv-tests \
+        ssh-srv-tests \
         test_ipa_subdom_util \
         test_tools_colondb \
         test_krb5_wait_queue \
@@ -477,10 +476,6 @@ dist_noinst_DATA = \
     contrib/ci/distro.sh \
     contrib/ci/misc.sh \
     contrib/ci/sssd.supp \
-    src/tests/cmocka/p11_nssdb/cert9.db \
-    src/tests/cmocka/p11_nssdb/key4.db \
-    src/tests/cmocka/p11_nssdb_2certs/cert9.db \
-    src/tests/cmocka/p11_nssdb_2certs/key4.db \
     $(SYSTEMTAP_PROBES) \
     $(NULL)
 
@@ -501,7 +496,6 @@ AM_CPPFLAGS = \
     $(LDB_CFLAGS) \
     $(DBUS_CFLAGS) \
     $(PCRE_CFLAGS) \
-    $(COLLECTION_CFLAGS) \
     $(INI_CONFIG_CFLAGS) \
     $(DHASH_CFLAGS) \
     $(LIBNL_CFLAGS) \
@@ -616,11 +610,7 @@ SSSD_LIBS = \
     $(POPT_LIBS) \
     $(LDB_LIBS) \
     $(DBUS_LIBS) \
-    $(PCRE_LIBS) \
-    $(INI_CONFIG_LIBS) \
-    $(COLLECTION_LIBS) \
     $(DHASH_LIBS) \
-    $(OPENLDAP_LIBS) \
     $(SELINUX_LIBS) \
     $(TDB_LIBS)
 
@@ -637,11 +627,7 @@ TOOLS_LIBS = \
     $(POPT_LIBS) \
     $(LDB_LIBS) \
     $(DBUS_LIBS) \
-    $(PCRE_LIBS) \
-    $(INI_CONFIG_LIBS) \
-    $(COLLECTION_LIBS) \
     $(DHASH_LIBS) \
-    $(OPENLDAP_LIBS) \
     $(TDB_LIBS)
 
 if BUILD_SELINUX
@@ -855,6 +841,7 @@ dist_noinst_HEADERS = \
     src/shared/io.h \
     src/shared/murmurhash3.h \
     src/shared/safealign.h \
+    src/p11_child/p11_child.h \
     $(NULL)
 
 
@@ -925,6 +912,7 @@ if HAVE_NSS
 
     SSS_CERT_SOURCES = \
         src/util/cert/cert_common.c \
+        src/util/cert/cert_common_p11_child.c \
         src/util/cert/nss/cert.c \
         $(NULL)
     SSS_CERT_CFLAGS = \
@@ -947,6 +935,7 @@ else
 
     SSS_CERT_SOURCES = \
         src/util/cert/cert_common.c \
+        src/util/cert/cert_common_p11_child.c \
         src/util/cert/libcrypto/cert.c \
         $(NULL)
     SSS_CERT_CFLAGS = \
@@ -984,6 +973,7 @@ libsss_cert_la_CFLAGS = \
 libsss_cert_la_LIBADD = \
     $(SSS_CERT_LIBS) \
     $(TALLOC_LIBS) \
+    $(TEVENT_LIBS) \
     libsss_crypt.la \
     libsss_debug.la \
     libsss_certmap.la \
@@ -1070,6 +1060,8 @@ libsss_util_la_LIBADD = \
     $(SSSD_LIBS) \
     $(SYSTEMD_LOGIN_LIBS) \
     $(UNICODE_LIBS) \
+    $(PCRE_LIBS) \
+    $(INI_CONFIG_LIBS) \
     libsss_debug.la \
     libsss_child.la \
     libsss_crypt.la \
@@ -1179,7 +1171,7 @@ libsss_nss_idmap_la_LIBADD = \
     $(NULL)
 libsss_nss_idmap_la_LDFLAGS = \
     -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \
-    -version-info 4:0:4
+    -version-info 5:0:5
 
 dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports
 
@@ -1526,7 +1518,6 @@ sssd_secrets_LDADD = \
     $(TDB_LIBS) \
     $(SSSD_LIBS) \
     $(SYSTEMD_DAEMON_LIBS) \
-    $(CARES_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     $(CURL_LIBS) \
     $(NULL)
@@ -1721,11 +1712,10 @@ sss_seed_LDADD = \
 
 sss_signal_SOURCES = \
     src/tools/sss_signal.c \
-    $(SSSD_TOOLS_OBJ) \
+    src/tools/common/sss_process.c
     $(NULL)
 sss_signal_LDADD = \
-    $(TOOLS_LIBS) \
-    $(SSSD_INTERNAL_LTLIBS) \
+    libsss_debug.la \
     $(NULL)
 
 sss_override_SOURCES = \
@@ -1756,6 +1746,7 @@ sssctl_SOURCES = \
     $(NULL)
 sssctl_LDADD = \
     $(TOOLS_LIBS) \
+    $(INI_CONFIG_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     $(PAM_LIBS) \
     $(PAM_MISC_LIBS) \
@@ -2015,6 +2006,7 @@ krb5_utils_tests_LDADD = \
     $(CARES_LIBS) \
     $(KRB5_LIBS) \
     $(CHECK_LIBS) \
+    $(PCRE_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_test_common.la
 
@@ -2294,6 +2286,7 @@ krb5_child_test_LDADD = \
     $(CARES_LIBS) \
     $(KRB5_LIBS) \
     $(CHECK_LIBS) \
+    $(PCRE_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_test_common.la
 
@@ -2396,9 +2389,7 @@ nss_srv_tests_LDADD = \
 EXTRA_pam_srv_tests_DEPENDENCIES = \
     $(ldblib_LTLIBRARIES) \
     $(NULL)
-if HAVE_NSS
 EXTRA_pam_srv_tests_DEPENDENCIES += p11_child
-endif
 pam_srv_tests_SOURCES = \
     $(TEST_MOCK_RESP_OBJ) \
     src/tests/cmocka/test_pam_srv.c \
@@ -2411,6 +2402,7 @@ pam_srv_tests_SOURCES = \
     $(NULL)
 pam_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+    -I$(abs_builddir)/src \
     $(AM_CFLAGS) \
     $(NULL)
 pam_srv_tests_LDFLAGS = \
@@ -2431,6 +2423,39 @@ pam_srv_tests_LDADD = \
     libsss_certmap.la \
     $(NULL)
 
+EXTRA_ssh_srv_tests_DEPENDENCIES = \
+    $(ldblib_LTLIBRARIES) \
+    $(NULL)
+EXTRA_ssh_srv_tests_DEPENDENCIES += p11_child
+ssh_srv_tests_SOURCES = \
+    $(TEST_MOCK_RESP_OBJ) \
+    src/tests/cmocka/test_ssh_srv.c \
+    src/responder/ssh/ssh_cmd.c \
+    src/responder/ssh/ssh_known_hosts.c \
+    src/responder/ssh/ssh_protocol.c \
+    src/responder/ssh/ssh_reply.c \
+    src/util/cert/cert_common_p11_child.c \
+    $(NULL)
+ssh_srv_tests_CFLAGS = \
+    -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+    -I$(abs_builddir)/src \
+    $(AM_CFLAGS) \
+    $(NULL)
+ssh_srv_tests_LDFLAGS = \
+    -Wl,-wrap,sss_packet_get_body \
+    -Wl,-wrap,sss_packet_get_cmd \
+    -Wl,-wrap,sss_cmd_send_empty \
+    -Wl,-wrap,sss_cmd_done \
+    -Wl,-wrap,ssh_dp_send_req \
+    $(NULL)
+ssh_srv_tests_LDADD = \
+    $(CMOCKA_LIBS) \
+    $(SSSD_LIBS) \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(SYSTEMD_DAEMON_LIBS) \
+    libsss_test_common.la \
+    $(NULL)
+
 EXTRA_responder_get_domains_tests_DEPENDENCIES = \
      $(ldblib_LTLIBRARIES)
 responder_get_domains_tests_SOURCES = \
@@ -2606,6 +2631,7 @@ nestedgroups_tests_CFLAGS = \
     $(NULL)
 nestedgroups_tests_LDADD = \
     $(CMOCKA_LIBS) \
+    $(OPENLDAP_LIBS) \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_idmap.la \
@@ -2743,6 +2769,7 @@ ad_gpo_tests_CFLAGS = \
     $(NULL)
 ad_gpo_tests_LDADD = \
     $(CMOCKA_LIBS) \
+    $(OPENLDAP_LIBS) \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     $(NDR_NBT_LIBS) \
@@ -3283,9 +3310,12 @@ test_krb5_wait_queue_LDADD = \
 
 test_cert_utils_SOURCES = \
     src/tests/cmocka/test_cert_utils.c \
+    src/util/cert/cert_common_p11_child.c \
     $(NULL)
 test_cert_utils_CFLAGS = \
     $(AM_CFLAGS) \
+    -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+    -I$(abs_builddir)/src \
     $(CRYPTO_CFLAGS) \
     $(NULL)
 test_cert_utils_LDADD = \
@@ -3393,18 +3423,13 @@ test_ipa_dn_SOURCES = \
     src/providers/ipa/ipa_dn.c \
     src/tests/cmocka/test_ipa_dn.c \
     $(NULL)
-test_ipa_dn_CFLAGS = \
-    $(AM_CFLAGS) \
-    -DUNIT_TESTING \
-    $(NULL)
-test_ipa_dn_LDFLAGS = \
-    -Wl,-wrap,_tevent_add_timer \
-    $(NULL)
 test_ipa_dn_LDADD = \
     $(CMOCKA_LIBS) \
-    $(SSSD_LIBS) \
+    $(POPT_LIBS) \
+    $(LDB_LIBS) \
+    $(TEVENT_LIBS) \
+    $(TALLOC_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
-    $(LIBADD_DL) \
     libsss_test_common.la \
     $(NULL)
 
@@ -3481,6 +3506,7 @@ sss_certmap_test_SOURCES = \
 sss_certmap_test_CFLAGS = \
     $(AM_CFLAGS) \
     $(NSS_CFLAGS) \
+    -I$(abs_builddir)/src \
     $(NULL)
 sss_certmap_test_LDADD = \
     $(CMOCKA_LIBS) \
@@ -4146,7 +4172,6 @@ krb5_child_CFLAGS = \
     $(AM_CFLAGS) \
     $(POPT_CFLAGS) \
     $(KRB5_CFLAGS) \
-    $(PCRE_CFLAGS) \
     $(SYSTEMD_LOGIN_CFLAGS) \
     $(NULL)
 krb5_child_LDADD = \
@@ -4156,7 +4181,6 @@ krb5_child_LDADD = \
     $(DHASH_LIBS) \
     $(KRB5_LIBS) \
     $(CLIENT_LIBS) \
-    $(PCRE_LIBS) \
     $(SYSTEMD_LOGIN_LIBS) \
     $(NULL)
 
@@ -4240,24 +4264,51 @@ proxy_child_LDADD = \
     $(SSSD_INTERNAL_LTLIBS)
 
 p11_child_SOURCES = \
-    src/p11_child/p11_child_nss.c \
+    src/p11_child/p11_child_common.c \
     src/util/atomic_io.c \
     src/util/util.c \
     src/util/util_ext.c \
     $(NULL)
+if HAVE_NSS
+p11_child_SOURCES += src/p11_child/p11_child_nss.c
+else
+p11_child_SOURCES += src/p11_child/p11_child_openssl.c
+endif
+
 p11_child_CFLAGS = \
     $(AM_CFLAGS) \
     $(POPT_CFLAGS) \
+    $(NULL)
+if HAVE_NSS
+p11_child_CFLAGS += \
     $(NSS_CFLAGS) \
     $(NULL)
+else
+p11_child_CFLAGS += \
+    $(P11_KIT_CFLAGS) \
+    $(CRYPTO_CFLAGS) \
+    $(SSL_CFLAGS) \
+    $(NULL)
+endif
+
 p11_child_LDADD = \
     libsss_debug.la \
     $(TALLOC_LIBS) \
     $(DHASH_LIBS) \
     $(POPT_LIBS) \
-    $(NSS_LIBS) \
     libsss_crypt.la \
     $(NULL)
+if HAVE_NSS
+p11_child_LDADD += \
+    $(NSS_LIBS) \
+    $(NULL)
+else
+p11_child_LDADD += \
+    $(P11_KIT_LIBS) \
+    $(CRYPTO_LIBS) \
+    $(SSL_LIBS) \
+    $(NULL)
+endif
 
 memberof_la_SOURCES = \
     src/ldb_modules/memberof.c \
@@ -4577,7 +4628,8 @@ dist_sssdapiplugin_DATA = \
     src/config/etc/sssd.api.d/sssd-ldap.conf \
     src/config/etc/sssd.api.d/sssd-local.conf \
     src/config/etc/sssd.api.d/sssd-proxy.conf \
-    src/config/etc/sssd.api.d/sssd-simple.conf
+    src/config/etc/sssd.api.d/sssd-simple.conf \
+    src/config/etc/sssd.api.d/sssd-files.conf
 
 edit_cmd = $(SED) \
         -e 's|@sbindir[@]|$(sbindir)|g' \
@@ -4749,6 +4801,7 @@ SSSD_USER_DIRS = \
     $(DESTDIR)$(gpocachepath) \
     $(DESTDIR)$(sssdconfdir) \
     $(DESTDIR)$(sssdconfdir)/conf.d \
+    $(DESTDIR)$(sssdconfdir)/pki \
     $(DESTDIR)$(sssddefaultconfdir) \
     $(DESTDIR)$(logpath) \
     $(DESTDIR)$(deskprofilepath) \
@@ -4786,7 +4839,8 @@ endif
             $(DESTDIR)$(pubconfpath) \
             $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
 	$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \
-                          $(DESTDIR)$(sssdconfdir)/conf.d
+                          $(DESTDIR)$(sssdconfdir)/conf.d \
+                          $(DESTDIR)$(sssdconfdir)/pki
 if BUILD_SECRETS
 	$(MKDIR_P) $(DESTDIR)$(secdbpath)
 endif
@@ -4974,6 +5028,17 @@ endif
 
 CLEANFILES += *.X */*.X */*/*.X
 
+test_CA: test_CA.stamp
+
+test_CA.stamp: $(srcdir)/src/tests/test_CA/*
+	$(MAKE) -C src/tests/test_CA ca_all
+	touch $@
+
+if BUILD_TEST_CA
+BUILT_SOURCES += test_CA
+endif
+CLEANFILES += test_CA.stamp
+
 tests: all $(check_PROGRAMS)
 	(cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1;
 

configure.ac

@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4])
 m4_include([src/external/intgcheck.m4])
 m4_include([src/external/systemtap.m4])
 m4_include([src/external/service.m4])
+m4_include([src/external/test_ca.m4])
 
 if test x$with_secrets = xyes; then
     m4_include([src/external/libhttp_parser.m4])
@@ -328,7 +329,6 @@ them please use argument --without-python2-bindings when running configure.])])
     AM_PYTHON_CONFIG([python2])
     AM_CHECK_PYTHON_HEADERS([],
                             AC_MSG_ERROR([Could not find python2 headers]))
-    AM_CHECK_PYTHON_COMPAT
 
     AC_SUBST([py2execdir], [$pyexecdir])
     AC_SUBST([python2dir], [$pythondir])
@@ -355,7 +355,6 @@ them please use argument --without-python3-bindings when running configure.])])
     AM_PYTHON_CONFIG([python3])
     AM_CHECK_PYTHON_HEADERS([],
                             AC_MSG_ERROR([Could not find python3 headers]))
-    AM_CHECK_PYTHON_COMPAT
 
     AC_SUBST([py3execdir], [$pyexecdir])
     AC_SUBST([python3dir], [$pythondir])
@@ -394,6 +393,7 @@ fi
 
 if test x$cryptolib = xlibcrypto; then
     AM_CHECK_LIBCRYPTO
+    m4_include([src/external/p11-kit.m4])
 fi
 
 AM_CHECK_INOTIFY
@@ -483,6 +483,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
 AM_CHECK_CMOCKA
 AM_CHECK_UID_WRAPPER
 AM_CHECK_NSS_WRAPPER
+AM_CHECK_TEST_CA
 
 # Check if the user wants SSSD to be compiled with systemtap probes
 AM_CHECK_SYSTEMTAP
@@ -506,7 +507,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
                  contrib/sssd-pcsc.rules
                  src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
                  po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
-                 src/tests/intg/Makefile
+                 src/tests/intg/Makefile src/tests/test_CA/Makefile
                  src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy
                  src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy
                  src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy

contrib/ci/configure.sh

@@ -35,6 +35,7 @@ declare -a CONFIGURE_ARG_LIST=(
 if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ||
       "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then
     CONFIGURE_ARG_LIST+=(
+        "--with-smb-idmap-interface-version=5"
         "--disable-cifs-idmap-plugin"
         "--with-syslog=syslog"
         "--without-python3-bindings"
@@ -56,6 +57,24 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ||
     )
 fi
 
+# Different versions of Debian might need different versions here but this is
+# sufficient to make the CI work
+if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
+    CONFIGURE_ARG_LIST+=(
+        "--with-smb-idmap-interface-version=5"
+    )
+fi
+
+if [[ "$DISTRO_BRANCH" == -redhat-fedora-29* ||
+      "$DISTRO_BRANCH" == -redhat-fedora-3* ||
+      "$DISTRO_BRANCH" == -debian-* ||
+      "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- ||
+      "$DISTRO_BRANCH" == -redhat-centos-8.*- ]]; then
+    CONFIGURE_ARG_LIST+=(
+        "--with-crypto=libcrypto"
+    )
+fi
+
 declare -r -a CONFIGURE_ARG_LIST
 
 fi # _CONFIGURE_SH

contrib/ci/deps.sh

@@ -42,6 +42,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         openldap-servers
         pytest
         python-ldap
+        python-psutil
         pyldb
         rpm-build
         uid_wrapper
@@ -50,6 +51,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         krb5-server
         krb5-workstation
         dbus-python
+        python-pep8
     )
     _DEPS_LIST_SPEC=`
         sed -e 's/@PACKAGE_VERSION@/0/g' \
@@ -119,6 +121,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
         python-ldap
         python-ldb
         python-requests
+        python-psutil
         ldap-utils
         slapd
         systemtap-sdt-dev
@@ -129,7 +132,13 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
         krb5-admin-server
         krb5-user
         uuid-dev
+        dbus
         python-dbus
+        pep8
+        libssl-dev
+        gnutls-bin
+        softhsm2
+        libp11-kit-dev
     )
     DEPS_INTGCHECK_SATISFIED=true
 fi

contrib/ci/rpm-spec-builddeps

@@ -17,10 +17,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+from __future__ import print_function
+
 import sys
 import re
 import rpm
 
+
 def usage(file):
     file.write(("Usage: %s SPEC\n" +
                 "Extract build dependencies from an RPM .spec file.\n") %
@@ -32,4 +35,4 @@ if len(sys.argv) != 2:
 
 spec = rpm.spec(sys.argv[1])
 for d in rpm.ds(spec.sourceHeader, 'requires'):
-    print d.DNEVR()[2:]
+    print(d.DNEVR()[2:])

contrib/ci/run

@@ -39,6 +39,19 @@ declare -r COVERAGE_MIN_LINES=15
 # Minimum percentage of code functions covered by tests
 declare -r COVERAGE_MIN_FUNCS=0
 
+# Those values are a sum up of the default warnings in all our
+# supported distros in our CI.
+# debian_testing: E121,E123,E126,E226,E24,E704,W503
+# fedora22:
+# fedora23:
+# fedora24: E121,E123,E126,E226,E24,E704
+# fedora25: E121,E123,E126,E226,E24,E704
+# fedora26: E121,E123,E126,E226,E24,E704
+# fedora27: E121,E123,E126,E226,E24,E704
+# fedora_rawhide: E121,E123,E126,E226,E24,E704
+# rhel6:
+# rhel7:
+declare PEP8_IGNORE="--ignore=E121,E123,E126,E226,E24,E704,W503"
 declare BASE_PFX=""
 declare DEPS=true
 declare BASE_DIR=`pwd`
@@ -379,6 +392,13 @@ export V=1
 if "$DEPS"; then
     stage install-deps  deps_install
 fi
+if [[ "$DISTRO_BRANCH" != redhat-* ]]; then
+    # Ignore "E722 do not use bare except" exceptions
+    # that are only raised on debian_testing machines.
+    PEP8_IGNORE+=",E722"
+fi
+stage pep8          find . -path ./src/config -prune -o \
+                           -name \*.py -exec pep8 $PEP8_IGNORE {} +
 stage autoreconf    autoreconf --install --force
 run_build debug     build_debug
 if "$RIGOROUS"; then

contrib/ci/sssd.supp

@@ -171,3 +171,53 @@
    fun:_cmocka_run_group_tests
    fun:main
 }
+
+# Leaks in bash if p11_child returns and error because due to libtool the
+# p11_child binary is not called directly during the unit tests but with the
+# help of a libtool wrapper
+{
+   bash-calling-p11-child-returning-error
+   Memcheck:Leak
+   ...
+   fun:malloc
+   fun:xmalloc
+   ...
+   fun:execute_command_internal
+   ...
+   fun:execute_command_internal
+   ...
+}
+
+{
+   bash-calling-p11-child-returning-error-debian
+   Memcheck:Free
+   fun:free
+   obj:/usr/bin/bash
+   fun:run_unwind_frame
+   fun:parse_and_execute
+   fun:command_substitute
+   obj:/usr/bin/bash
+   obj:/usr/bin/bash
+   ...
+}
+
+# Leak in sqlite3 used by the softhsm2 PKCS#11 module
+{
+   sqlite3.error
+   Memcheck:Leak
+   ...
+   fun:malloc
+   obj:/usr/lib64/libsqlite3.so.0.8.6
+   ...
+}
+
+# Leak found on debian
+{
+   set-default-locale-error-debian
+   Memcheck:Leak
+   ...
+   fun:malloc
+   fun:xmalloc
+   fun:set_default_locale
+   fun:main
+}

contrib/fedora/make_srpm.sh

@@ -26,6 +26,7 @@ usage(){
     echo -e "\t-d, --debug        Enable debugging."
     echo -e "\t-c, --clean        Remove directory rpmbuild and exit."
     echo -e "\t-P, --patches      Requires list of patches for SRPM."
+    echo -e "\t-o, --output       Moves the created srpm to a specific output directory."
     echo -e "\t-h, --help         Print this help and exit."
     echo -e "\t-?, --usage"
 
@@ -86,6 +87,11 @@ case $i in
     patches=("$@")
     break
     ;;
+    -o|--output)
+    shift
+    OUTPUT=("$@")
+    break
+    ;;
     -h|--help|-\?|--usage)
     usage
     ;;
@@ -164,3 +170,8 @@ add_patches "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" \
 cd $RPMBUILD
 rpmbuild --define "_topdir $RPMBUILD" \
          -bs SPECS/$PACKAGE_NAME.spec
+
+if [ -n "$OUTPUT" ]; then
+    mv "$RPMBUILD/SRPMS/"*.src.rpm "$OUTPUT/"
+    echo "Package has been moved to the folder: $OUTPUT"
+fi

contrib/gdb/sssd_gdb_plugin.py

@@ -15,7 +15,8 @@ def gdb_printer_decorator(fn):
 
 
 def indent_string(s, indent):
-    return '\n'.join(["%s%s" % ("\t" * indent, part) for part in s.split('\n')])
+    return '\n'.join(["%s%s" % ("\t" * indent, part)
+                     for part in s.split('\n')])
 
 
 class StringPrinter(object):
@@ -31,7 +32,8 @@ class LdbDnPrinter(StringPrinter):
     " print an ldb dn "
 
     def as_string(self, indent=0):
-        ret = "{ <%s>\tlinearized:%s }" % (self.val.type, self.val['linearized'])
+        ret = "{ <%s>\tlinearized:%s }" % (self.val.type,
+                                           self.val['linearized'])
         return indent_string(ret, indent)
 
 
@@ -47,7 +49,8 @@ class LdbMessageElementPrinter(StringPrinter):
     " print a ldb message element "
 
     def as_string(self, indent=0):
-        ret = "flags = %(flags)s, name = %(name)s, num_values = %(num_values)s" % self.val
+        ret = "flags = %(flags)s, name = %(name)s, " \
+                "num_values = %(num_values)s" % self.val
         try:
             nvals = int(self.val['num_values'])
         except ValueError:
@@ -70,7 +73,8 @@ class LdbMessagePrinter(StringPrinter):
             return "num_elements is not numeric?"
 
         dn = LdbDnPrinter(self.val['dn'])
-        ret = "num_elements:\t%s\ndn:\t%s\nelements:\t" % (nels, dn.as_string(indent))
+        dn_str = dn.as_string(indent)
+        ret = "num_elements:\t%s\ndn:\t%s\nelements:\t" % (nels, dn_str)
 
         for i in range(nels):
             el = LdbMessageElementPrinter(self.val['elements'][i])
@@ -83,7 +87,8 @@ class LdbResultPrinter(StringPrinter):
     " print a ldb message element "
 
     def as_string(self, indent=0):
-        ret = "count = %(count)s, extended = %(extended)s, controls = %(controls)s, refs = %(refs)s" % self.val
+        ret = "count = %(count)s, extended = %(extended)s, " \
+                "controls = %(controls)s, refs = %(refs)s" % self.val
         try:
             count = int(self.val['count'])
         except ValueError:
@@ -193,4 +198,5 @@ class TeventBreak(gdb.Command):
 
         b = gdb.Breakpoint("*%s" % fnaddr)
 
+
 TeventBreak()

contrib/sssd.spec.in

@@ -78,6 +78,10 @@
     %global with_initscript --with-initscript=sysv
 %endif
 
+%if (0%{?fedora} > 28 || 0%{?rhel} > 7)
+    %global use_openssl 1
+%endif
+
 %global enable_experimental 1
 
 %if (0%{?enable_experimental} == 1)
@@ -127,6 +131,14 @@
     %global with_gdm_pam_extensions 0
 %endif
 
+# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
+# samba and samba4 package
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+    %global detect_idmap_version 1
+%else
+    %global with_idmap_version --with-smb-idmap-interface-version=5
+%endif
+
 Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Release: 0@PRERELEASE_VERSION@%{?dist}
@@ -170,6 +182,7 @@ BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
 BuildRequires: m4
+BuildRequires: gcc
 BuildRequires: popt-devel
 BuildRequires: libtalloc-devel
 BuildRequires: libtevent-devel
@@ -209,6 +222,26 @@ BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
+
+# Test CA requires openssl independent if SSSD is build with NSS or openssl,
+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
+# Currently only cmocka based tests use the test CA. If it is used elsewhere
+# you might want to move the following requires out of the if-block.
+# If SSSD is build with OpenSSL instead of NSS p11tool from the gnutls-utils
+# package and softhsm2-util from the softhsm package are needed to prepare the
+# data needed for the p11_child Smartcard tests. Since p11_child only looks at
+# slots with are flagged as 'removable' softhsm version 2.1.0 or higher is
+# needed.
+%if (0%{?use_openssl} == 1)
+BuildRequires: p11-kit-devel
+BuildRequires: openssl-devel
+BuildRequires: gnutls-utils
+BuildRequires: softhsm >= 2.1.0
+%endif
+
+BuildRequires: openssl
+BuildRequires: openssh
+BuildRequires: nss-tools
 %endif
 BuildRequires: libnl3-devel
 %if (0%{?use_systemd} == 1)
@@ -226,6 +259,9 @@ BuildRequires: nfs-utils-lib-devel
 
 BuildRequires: samba4-devel
 BuildRequires: libsmbclient-devel
+%if (0%{?detect_idmap_version} == 1)
+BuildRequires: samba-winbind
+%endif
 
 %if (0%{?enable_systemtap} == 1)
 BuildRequires: systemtap-sdt-devel
@@ -736,6 +772,9 @@ autoreconf -ivf
     --enable-pammoddir=/%{_lib}/security \
     --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --disable-static \
+%if (0%{?use_openssl} == 1)
+    --with-crypto=libcrypto \
+%endif
     --disable-rpath \
 %if %{with sssd_user}
     --with-sssd-user=sssd \
@@ -748,6 +787,7 @@ autoreconf -ivf
     %{?enable_systemtap_opt} \
     %{?with_secret_responder} \
     %{?with_kcm_option} \
+    %{?with_idmap_version} \
     %{?experimental}
 
 make %{?_smp_mflags} all
@@ -980,6 +1020,9 @@ done
 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
 %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd
 %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d
+%if (0%{?use_openssl} == 1)
+%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki
+%endif
 %ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd

debian/changelog

+sssd (1.16.2-1) UNRELEASED; urgency=medium
+
+  * New upstream release. (LP: #1778554)
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Tue, 26 Jun 2018 11:15:02 +0300
+
 sssd (1.16.1-1) unstable; urgency=medium
 
   * New upstream release.

po/bg.po

@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2018-03-09 12:31+0100\n"
-"PO-Revision-Date: 2014-12-14 11:44-0500\n"
+"POT-Creation-Date: 2018-06-08 21:01+0200\n"
+"PO-Revision-Date: 2014-12-14 11:44+0000\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Bulgarian (http://www.transifex.com/projects/p/sssd/language/"
 "bg/)\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.6\n"
+"X-Generator: Zanata 4.4.5\n"
 
 #: src/config/SSSDConfig/__init__.py.in:43
 #: src/config/SSSDConfig/__init__.py.in:44
@@ -415,9 +415,8 @@ msgid "SELinux provider"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:158
-#, fuzzy
 msgid "Session management provider"
-msgstr "Доставчик на смяна на парола"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:161
 msgid "Whether the domain is usable by the OS or by applications"
@@ -547,9 +546,8 @@ msgid "How long can cached credentials be used for cached authentication"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:198
-#, fuzzy
 msgid "Whether to automatically create private groups for users"
-msgstr "Дали автоматично да се обновява клиентския DNS запис във FreeIPA"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:201
 msgid "IPA domain"
@@ -1469,6 +1467,14 @@ msgstr ""
 msgid "PAM stack to use"
 msgstr ""
 
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
 #: src/monitor/monitor.c:2449
 msgid "Become a daemon (default)"
 msgstr "Продължава като демон (по подразбиране)"
@@ -1497,23 +1503,23 @@ msgstr ""
 msgid "SSSD is already running\n"
 msgstr ""
 
-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:617
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
 msgid "Debug level"
 msgstr "Ниво на debug"
 
-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:619
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
 msgid "Add debug timestamps"
 msgstr ""
 
-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:621
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
 msgid "Show timestamps with microseconds"
 msgstr ""
 
-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:623
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
 msgid "An open file descriptor for the debug logs"
 msgstr ""
 
-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:625
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
 msgid "Send the debug output to stderr directly."
 msgstr ""
 
@@ -1659,9 +1665,8 @@ msgid "Password: "
 msgstr "Парола:"
 
 #: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
-#, fuzzy
 msgid "First Factor (Current Password): "
-msgstr "Текуща парола:"
+msgstr ""
 
 #: src/sss_client/pam_sss.c:2208
 msgid "Current Password: "
@@ -2554,9 +2559,8 @@ msgid "Unable to archive log files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:317
-#, fuzzy
 msgid "Specify debug level you want to set"
-msgstr "Нивото на debug записи при работа"
+msgstr ""
 
 #: src/tools/sssctl/sssctl_sifp.c:28
 msgid ""

po/ca.po

@@ -14,8 +14,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2018-03-09 12:31+0100\n"
-"PO-Revision-Date: 2017-10-15 03:02-0400\n"
+"POT-Creation-Date: 2018-06-08 21:01+0200\n"
+"PO-Revision-Date: 2017-10-15 03:02+0000\n"
 "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
 "ca/)\n"
@@ -24,7 +24,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.6\n"
+"X-Generator: Zanata 4.4.5\n"
 
 #: src/config/SSSDConfig/__init__.py.in:43
 #: src/config/SSSDConfig/__init__.py.in:44
@@ -360,11 +360,8 @@ msgid "The maximum number of secrets that can be stored"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:132
-#, fuzzy
 msgid "The maximum number of secrets that can be stored per UID"
 msgstr ""
-"El nombre de descriptors de fitxers que poden estar oberts per aquest "
-"contestador"
 
 #: src/config/SSSDConfig/__init__.py.in:133
 msgid "The maximum payload size of a secret in kilobytes"
@@ -463,9 +460,8 @@ msgid "SELinux provider"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:158
-#, fuzzy
 msgid "Session management provider"
-msgstr "Proveïdor de canvi de contrasenya"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:161
 msgid "Whether the domain is usable by the OS or by applications"
@@ -606,9 +602,8 @@ msgid "How long can cached credentials be used for cached authentication"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:198
-#, fuzzy
 msgid "Whether to automatically create private groups for users"
-msgstr "Si s'actualitza automàticament l'entrada DNS del client"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:201
 msgid "IPA domain"
@@ -707,26 +702,20 @@ msgid "Objectclass for group override objects"
 msgstr "Objectclass per als objectes de substitució de grup"
 
 #: src/config/SSSDConfig/__init__.py.in:223
-#, fuzzy
 msgid "Search base for Desktop Profile related objects"
-msgstr "Base de cerca per als objectes relacionats amb HBAC"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:224
-#, fuzzy
 msgid ""
 "The amount of time in seconds between lookups of the Desktop Profile rules "
 "against the IPA server"
 msgstr ""
-"Quantitat de temps en segons entre recerques de les assignacions SELinux "
-"contra el servidor IPA"
 
 #: src/config/SSSDConfig/__init__.py.in:225
-#, fuzzy
 msgid ""
 "The amount of time in minutes between lookups of Desktop Profiles rules "
 "against the IPA server when the last request did not find any rule"
 msgstr ""
-"Quantitat de temps entre recerques de les regles HBAC contra el servidor IPA"
 
 #: src/config/SSSDConfig/__init__.py.in:228
 msgid "Active Directory domain"
@@ -913,10 +902,8 @@ msgid "Enables enterprise principals"
 msgstr "Habilita els principals empresarials"
 
 #: src/config/SSSDConfig/__init__.py.in:272
-#, fuzzy
 msgid "A mapping from user names to Kerberos principal names"
 msgstr ""
-"Una assignació des dels noms dels usuaris als noms del principal de kerberos"
 
 #: src/config/SSSDConfig/__init__.py.in:275
 #: src/config/SSSDConfig/__init__.py.in:276
@@ -1206,9 +1193,8 @@ msgid "Attribute listing authorized server hosts"
 msgstr "L'atribut que llista els amfitrions dels servidors autoritzats"
 
 #: src/config/SSSDConfig/__init__.py.in:353
-#, fuzzy
 msgid "Attribute listing authorized server rhosts"
-msgstr "L'atribut que llista els amfitrions dels servidors autoritzats"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:354
 msgid "krbLastPwdChange attribute"
@@ -1310,9 +1296,8 @@ msgid "The LDAP group external member attribute"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:384
-#, fuzzy
 msgid "Maximum nesting level SSSD will follow"
-msgstr "Nivell màxim d'encadenament que seguirà l'SSSd"
+msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:386
 msgid "Base DN for netgroup lookups"
@@ -1600,6 +1585,14 @@ msgstr ""
 msgid "PAM stack to use"
 msgstr "Pila PAM a utilitzar"
 
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
 #: src/monitor/monitor.c:2449
 msgid "Become a daemon (default)"
 msgstr "Esdevé un dimoni (per defecte)"
@@ -1628,23 +1621,23 @@ msgstr "Imprimeix el número de versió i surt"
 msgid "SSSD is already running\n"
 msgstr ""
 
-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:617
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
 msgid "Debug level"
 msgstr "Nivell de depuració"
 
-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:619
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
 msgid "Add debug timestamps"
 msgstr "Afegeix les marques temporals de depuració"
 
-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:621
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
 msgid "Show timestamps with microseconds"
 msgstr "Mostra les marques temporals amb microsegons"
 
-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:623
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
 msgid "An open file descriptor for the debug logs"
 msgstr "Un descriptor de fitxer obert pels registres de depuració"
 
-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:625
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
 msgid "Send the debug output to stderr directly."
 msgstr "Envia directament la sortida de depuració al stderr."
 
@@ -1794,9 +1787,8 @@ msgid "Password: "
 msgstr "Contrasenya: "
 
 #: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
-#, fuzzy
 msgid "First Factor (Current Password): "
-msgstr "Contrasenya actual: "
+msgstr ""
 
 #: src/sss_client/pam_sss.c:2208
 msgid "Current Password: "
@@ -2727,9 +2719,8 @@ msgid "Unable to archive log files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:317
-#, fuzzy
 msgid "Specify debug level you want to set"
-msgstr "Especifica el nivell de depuració que vulgueu establir\n"
+msgstr ""
 
 #: src/tools/sssctl/sssctl_sifp.c:28
 msgid ""
@@ -2969,6 +2960,3 @@ msgstr ""
 #: src/util/util.h:87
 msgid "Informs that the responder has been dbus-activated"
 msgstr ""
-
-#~ msgid "Only one argument expected\n"
-#~ msgstr "Tan sols s'esperava un argument\n"