sssd.git/src/providers/ad, branch mdbtest sssd with jhrozek's patches GPO: Do not ignore missing attrs for GPOs 2015-04-30T06:47:00+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-29T07:17:18+00:00 03e5f1528184a558fd990e66f083157b404dce08 We don't want to skip over a GPO that might properly be denying users. [sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD [sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq]. [sssd[be[a.foo.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'lzb.hq' [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000): Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com [sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040): no attrs found for GPO; try next GPO. Resolves: https://fedorahosted.org/sssd/ticket/2629 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> 
We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
ad_opts: Use different default attribute for group name 2015-04-17T11:35:49+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-07T07:47:17+00:00 adb148603344a42d6edffdda0786a10af715dacb The MSFT docs [1,2] for LDAP attributes says: samAccountName is mandotory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class name is part of the 'top' class and *not* mandatory for 'user' or 'group'. [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx Resolves: https://fedorahosted.org/sssd/ticket/2593 Reviewed-by: Sumit Bose <sbose@redhat.com> 
The MSFT docs [1,2] for LDAP attributes says:
samAccountName is mandotory for 'user' and 'group' objectclasses
via the 'Security-Principal' aux-class

name is part of the 'top' class and *not* mandatory for 'user' or 'group'.

[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx

Resolves:
https://fedorahosted.org/sssd/ticket/2593

Reviewed-by: Sumit Bose <sbose@redhat.com>
AD GPO: Always look up GPOs from machine domain 2015-04-15T15:30:30+00:00 Stephen Gallagher sgallagh@redhat.com 2015-04-10T20:34:37+00:00 475d986b534c5e0dfdb8e2348ab89b13fd4874aa When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
When dealing with users from a child domain, SSSD was attempting to use
the subdomain for lookups. However, all GPOs applicable to this machine
are stored in the primary domain (the domain the host directly joined).

This patch has the GPO processing use the primary domain instead of the
user domain.

Resolves:
https://fedorahosted.org/sssd/ticket/2606

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
AD: Always get domain-specific ID connection 2015-04-15T15:30:27+00:00 Stephen Gallagher sgallagh@redhat.com 2015-04-15T01:50:36+00:00 e2bd4f8a41b72aea0712ad21ad02ccebb707f536 ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at
the LDAP connection for the primary domain, however it turns out that
this is not always the case. It's currently unclear why, but this
connection can sometimes be pointing at a subdomain. Since the value of
subdom_id_ctx->ldap_ctx always points to the correct domain (including
the primary domain case), there's no benefit to trying to shortcut to
the ad_ctx->ldap_ctx when performing this lookup.

This patch also makes a minor tweak to the tests so that the primary
domain passes the sdap_domain_get() check for validity (since it needs
to have a private member assigned).

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
AD: Clean up ad_access_gpo 2015-04-15T15:30:14+00:00 Stephen Gallagher sgallagh@redhat.com 2015-04-14T17:07:36+00:00 d9079aa05eb8aacb488992fdce328c1abadd08d8 Align goto usage with conventions in the rest of the source. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Align goto usage with conventions in the rest of the source.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
GPO: Check return value of ad_gpo_store_policy_settings 2015-04-01T11:54:05+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-03-06T19:42:35+00:00 818c55be478ca2539a86567280114e823d79a51f Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Reviewed-by: Pavel Reichl <preichl@redhat.com>
GPO: error out instead of leaving array element uninitialized 2015-03-23T06:47:02+00:00 Sumit Bose sbose@redhat.com 2015-03-20T17:41:52+00:00 4cfab2330323834574c179f774a0c6b1fff4936e In general every object created by the AD provider should have a SID attribute. Since SIDs and GPOs are used for access control a missing SID should be treated as error for now until it is known if there is a valid reason why the SID is missing. Resolves https://fedorahosted.org/sssd/ticket/2608 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In general every object created by the AD provider should have a SID
attribute. Since SIDs and GPOs are used for access control a missing SID
should be treated as error for now until it is known if there is a valid
reason why the SID is missing.

Resolves https://fedorahosted.org/sssd/ticket/2608

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add missing new lines to debug messages 2015-03-17T13:40:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-02-17T15:40:01+00:00 87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
be_refresh: add sdap_refresh_init 2015-03-08T21:27:16+00:00 Pavel Březina pbrezina@redhat.com 2015-02-19T11:04:09+00:00 17531a398cc9084036cb08d69fe876a8f12707bb Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sdap_handle_acct_req_send: remove be_req 2015-03-08T21:27:10+00:00 Pavel Březina pbrezina@redhat.com 2015-02-13T12:49:17+00:00 a849d848d53f305a90613a74c1767a42b250deda be_req was used only as a talloc context for subreq. This memory context was replace by state of the parent request which is more suitable for tevent coding style. This change will allow us to use this function in be_refresh where none be_req is available. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
be_req was used only as a talloc context for subreq. This memory context
was replace by state of the parent request which is more suitable for
tevent coding style.

This change will allow us to use this function in be_refresh where
none be_req is available.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>