sssd.git/src/providers/ipa, branch subdomfo sssd with jhrozek's patches UTIL: Convert domain->disabled into tri-state with domain states 2015-09-01T12:06:29+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-18T15:15:44+00:00 13e1628e34e4b4bc2320a87dd5ac888c70a63ddd This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as enabled, previously we only relied on talloc_zero marking dom->disabled as false. 
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.

Also explicitly create domains as enabled, previously we only relied on
talloc_zero marking dom->disabled as false.
sssd: incorrect checks on length values during packet decoding 2015-08-31T16:34:26+00:00 Michal Židek mzidek@redhat.com 2015-07-22T14:35:35+00:00 9f0bffebd070115ab47a92eadc6890a721c7b78d https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com> 
https://fedorahosted.org/sssd/ticket/1697

It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.

Reviewed-by: Petr Cech <pcech@redhat.com>
DYNDNS: remove zone command 2015-08-14T21:54:44+00:00 Pavel Reichl preichl@redhat.com 2015-07-23T09:30:34+00:00 4f2a07c422fa357ef6651bca8c48b8005280fa1d Remove zone command from message to nsupsate. This command is generally used to hint nsupdate. In correctly configured environment such information should be obtained via DNS. If DNS does not provide necessary information we give other hints. For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Remove zone command from message to nsupsate. This command is generally
used to hint nsupdate. In correctly configured environment such
information should be obtained via DNS.

If DNS does not provide necessary information we give other hints.

For more details see:
https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate

Resolves:
https://fedorahosted.org/sssd/ticket/2495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DYNDNS: Add a new option dyndns_server 2015-08-14T21:51:02+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-06T20:53:27+00:00 8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.

This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
IPA: Always re-fetch the keytab from the IPA server 2015-08-14T21:44:18+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-24T11:13:08+00:00 db5f9ab3feb85aa444eab20428ca2b98801b6783 Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.

This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Change the default of ldap_user_certificate to userCertificate;binary 2015-08-14T21:24:27+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-10T10:40:39+00:00 619e21ed9c7a71e35e53f38867b53ed974f1d36a This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.

Resolves:
https://fedorahosted.org/sssd/ticket/2742

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Improve messages about failures 2015-08-07T09:17:40+00:00 Pavel Reichl preichl@redhat.com 2015-08-05T12:26:42+00:00 afa6ac75f97951ea5ea4b6e96c607acc3c5fafcc Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Remove MPG groups if getgrgid was called before getpw() 2015-07-31T08:19:52+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-21T09:44:03+00:00 6fe057efb981ee4b45dcadf131c03f8501fce28d https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/sssd/ticket/2724

This bug only affects IPA clients that are connected to IPA servers with
AD trust and ID mapping in effect.

If an IPA client calls getgrgid() for an ID that matches a user, the
user's private group would be returned and stored as a group entry.

Subsequent queries for that user would fail, because MPG domains impose
uniqueness restriction for both the ID and name space across groups and
users.

To work around that, we remove the UPG groups in MPG domains during a
group lookup.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: Handle sssd-owned keytabs when running as root 2015-07-28T09:34:10+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T15:20:11+00:00 6ed964cf2e5a68e92e220f3b9f55029731bcabaa https://fedorahosted.org/sssd/ticket/2718 This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/sssd/ticket/2718

This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
IPA: Better debugging 2015-07-28T09:33:41+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T13:17:57+00:00 146e024b318dadeb069e8ce8254179f6119747f2 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>