sssd.git/src/providers/krb5, branch sysdb sssd with jhrozek's patches sysdb: Unify name format for groups and users 2016-01-13T10:28:45+00:00 Michal Zidek mzidek@redhat.com 2015-02-10T16:30:00+00:00 23674dfef4225b90d45c27b88fe72dc37b22e32d This is WIP patch to unify format of usernames and groupnames in sssd internals. In current form it breaks just about everything. The sysdb update function is just placeholder and it's contents are irelevant. Currently I am working on fqname attribute removal because it seems to just add confusion. If you decide to look into the code, please use sunglasses or other other protective gear and play some calm music in your backgroun to prevent eye or brain injury. 
This is WIP patch to unify format of
usernames and groupnames in sssd internals.

In current form it breaks just about everything.

The sysdb update function is just placeholder
and it's contents are irelevant.

Currently I am working on fqname attribute
removal because it seems to just add confusion.

If you decide to look into the code, please use
sunglasses or other other protective gear and play
some calm music in your backgroun to prevent
eye or brain injury.
KRB5_CHILD: Debug logs for PAC timeout 2015-12-14T12:46:20+00:00 Petr Cech pcech@redhat.com 2015-12-09T13:13:59+00:00 e131fef2d3f40bce5af85613690df8aa15f90fde This patch adds debug message that inform user when KRB5_CHILD calls PAC responder. This action might take a bit of time in case the cache is not populated or up to date. Resolves: https://fedorahosted.org/sssd/ticket/2846 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This patch adds debug message that inform user when KRB5_CHILD calls
PAC responder. This action might take a bit of time in case the cache
is not populated or up to date.

Resolves:
https://fedorahosted.org/sssd/ticket/2846

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
KRB5: Mark globals in krb5_opts.h as extern 2015-12-14T12:29:46+00:00 Pavel Březina pbrezina@redhat.com 2015-12-14T10:17:37+00:00 291a6c8af9759e41cec6f332cb72606ca90768c3 To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
To avoid collisions when we want to work with them elsewhere in the code.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO 2015-12-07T15:07:59+00:00 Jakub Hrozek jhrozek@redhat.com 2015-11-27T13:45:03+00:00 9f69dff2af5ee0e922ca75efa9749913fd2d944f Resolves: https://fedorahosted.org/sssd/ticket/2866 This would help users who authenticate to AD trust servers while offline and see error messages such as: [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"] in the krb5_child.log Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://fedorahosted.org/sssd/ticket/2866

This would help users who authenticate to AD trust servers while offline
and see error messages such as:
    [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"]

in the krb5_child.log

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
KRB5: Handle preauth request timeout more gracefully 2015-12-07T15:04:45+00:00 Jakub Hrozek jhrozek@redhat.com 2015-11-27T13:31:54+00:00 54189e0a2f24a2951d95a2ec5da3125a52e2f5ed The error itself doesn't matter that much, because pam_sss.so handles all preauth errors gracefully already, but the issue triggered a loud and confusing debug message in the logs. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The error itself doesn't matter that much, because pam_sss.so handles
all preauth errors gracefully already, but the issue triggered a loud
and confusing debug message in the logs.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
KRB5_CHILD: More restrictive umask 2015-11-05T15:07:51+00:00 Petr Cech pcech@redhat.com 2015-10-07T12:57:15+00:00 fb75e886c2f203fe8c10e572cd4d8c635941678d We could use more restrictive umask in krb5_child. I found out that there is directory creation, but it is done by create_ccache_dir() which has its own umask setup. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We could use more restrictive umask in krb5_child. I found out that
there is directory creation, but it is done by create_ccache_dir()
which has its own umask setup.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
FO: Use refcount to keep track of servers returned to callers 2015-10-23T08:21:13+00:00 Jakub Hrozek jhrozek@redhat.com 2015-10-11T13:34:44+00:00 10c07e188323a2f9824b5e34379f3b1a9b37759e Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://fedorahosted.org/sssd/ticket/2829

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) 2015-10-14T11:27:13+00:00 Petr Cech pcech@redhat.com 2015-10-05T14:12:36+00:00 f8e337540d280f944098cd4dd7d670e2f7166b54 There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
There are many calls of umask function with 077 argument. This patch
add new constant SSS_DFL_X_UMASK which stands fot 077. So all
occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
KRB5: Offline operation with disabled domain 2015-09-21T15:04:07+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-02T13:53:34+00:00 dd0a21738e1b71940bba11134734b5999e9fd8e9 https://fedorahosted.org/sssd/ticket/2637 If a subdomain is in the disabled state, switch krb5_child operation into offline mode. Similarly, instead of marking the whole back end as offline, mark just the domain as offline -- depending on the domain type, this would mark the whole back end or just inactivate subdomain. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2637

If a subdomain is in the disabled state, switch krb5_child operation
into offline mode.

Similarly, instead of marking the whole back end as offline, mark just
the domain as offline -- depending on the domain type, this would mark
the whole back end or just inactivate subdomain.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
sssd: incorrect checks on length values during packet decoding 2015-08-31T16:34:26+00:00 Michal Židek mzidek@redhat.com 2015-07-22T14:35:35+00:00 9f0bffebd070115ab47a92eadc6890a721c7b78d https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com> 
https://fedorahosted.org/sssd/ticket/1697

It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.

Reviewed-by: Petr Cech <pcech@redhat.com>