[autobackport: sssd-2-9] SSSD on IPA should fail with short names

[sssd-bot]

This is an automatic backport of PR#8261 SSSD on IPA should fail with short names to branch sssd-2-9, created by @thalman.

Caution

@thalman The patches did not apply cleanly. It is necessary to resolve conflicts before merging this pull request. Commits that introduced conflict are marked with CONFLICT!.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8261-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8261-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8261-to-sssd-2-9 --force

---

Original commits
1b71104 - IPA: Fail with short names
4816096 - IPA: remove re-declaration of ipa_trusted_subdom_init
09f574f - IPA: remove CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL
8360424 - tests: SSSD must refuse to start on IPA with short names

Backported commits

• 59d103f - IPA: Fail with short names
• 2f9e568 - IPA: remove re-declaration of ipa_trusted_subdom_init
• 180c4bd - IPA: remove CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL
• f9092c9 - CONFLICT! tests: SSSD must refuse to start on IPA with short names

Conflicting Files Information (check for deleted and re-added files)

• CONFLICT! tests: SSSD must refuse to start on IPA with short names

On branch SSSD-sssd-backport-pr8261-to-sssd-2-9
You are currently cherry-picking commit 836042459.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   src/tests/system/tests/test_ipa.py

no changes added to commit (use "git add" and/or "git commit -a")

---

Original Pull Request Body

SSSD should refuse to start when SSSD is in server mode and full_name_format is set to %1s$.

[gemini-code-assist]

Code Review

This pull request backports a change to make SSSD fail to start on an IPA server if full_name_format is configured for short names. The changes in the C source files are correct and implement the intended behavior effectively. A new test is also added to verify this behavior.

My main concern is with the new test file src/tests/system/tests/test_ipa.py. It appears to have been added as a result of a merge conflict resolution and contains a large number of tests unrelated to this change. This introduces a risk of test failures on this branch if those tests rely on features not present here. I've added a comment with a suggestion to only include the relevant test.

[thalman]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

[madhuriupadhye]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

Only branches where the file exists, so not in sssd-2-9.

[thalman]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

Only branches where the file exists, so not in sssd-2-9.

I understand that, but are we fine to create it like this or do you prefer something else?

[madhuriupadhye]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

Only branches where the file exists, so not in sssd-2-9.

I understand that, but are we fine to create it like this or do you prefer something else?

As I understand it, we won't backport the test code.

[sumit-bose]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

Only branches where the file exists, so not in sssd-2-9.

I understand that, but are we fine to create it like this or do you prefer something else?

As I understand it, we won't backport the test code.

Hi,

I'm confused, most of the backports are test code so far?

bye,
Sumit

[madhuriupadhye]

@sumit-bose , @madhuriupadhye, the test_ipa.py was not present in 2-9 branch. Please check the update. Other commits fit well.

Only branches where the file exists, so not in sssd-2-9.

I understand that, but are we fine to create it like this or do you prefer something else?

As I understand it, we won't backport the test code.

Hi,

I'm confused, most of the backports are test code so far?

bye,

Sumit

Yes, but only backport to branches where the test files exist.

[sumit-bose]

Yes, but only backport to branches where the test files exist.

Hi,

ok, so how to move forward? Just backport the feature and do not test it? Or break the rule and create the file in the backport or move the test to a different file which exists in the 2-9 branch?

bye,
Sumit

[madhuriupadhye]

Yes, but only backport to branches where the test files exist.

Hi,

ok, so how to move forward? Just backport the feature and do not test it? Or break the rule and create the file in the backport or move the test to a different file which exists in the 2-9 branch?

bye, Sumit

Skip the test - backport only the functional code changes.
The feature is straightforward (preventing SSSD startup with invalid config) and can be validated through manual testing and downstream QE, especially considering the low importance/trivial nature of this change.

[thalman]

OK, removing test now...

[sumit-bose]

Hi,

pity we lost the test, nevertheless, ACK.

bye,
Sumit

[sssd-bot]

The pull request was accepted by @sumit-bose with the following PR CI status:

---

🟢 CodeQL (success)
🟢 rpm-build:centos-stream-9-x86_64:upstream (success)
🟢 Build / make-distcheck (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-9) (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.