sssd.git/src/responder, branch sysdb sssd with jhrozek's patches sysdb: Unify name format for groups and users 2016-01-13T10:28:45+00:00 Michal Zidek mzidek@redhat.com 2015-02-10T16:30:00+00:00 23674dfef4225b90d45c27b88fe72dc37b22e32d This is WIP patch to unify format of usernames and groupnames in sssd internals. In current form it breaks just about everything. The sysdb update function is just placeholder and it's contents are irelevant. Currently I am working on fqname attribute removal because it seems to just add confusion. If you decide to look into the code, please use sunglasses or other other protective gear and play some calm music in your backgroun to prevent eye or brain injury. 
This is WIP patch to unify format of
usernames and groupnames in sssd internals.

In current form it breaks just about everything.

The sysdb update function is just placeholder
and it's contents are irelevant.

Currently I am working on fqname attribute
removal because it seems to just add confusion.

If you decide to look into the code, please use
sunglasses or other other protective gear and play
some calm music in your backgroun to prevent
eye or brain injury.
p11: enable ocsp checks 2015-11-26T15:39:49+00:00 Sumit Bose sbose@redhat.com 2015-11-05T17:20:27+00:00 544a20de7667f05c1a406c4dea0706b0ab507430 This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.

Resolves https://fedorahosted.org/sssd/ticket/2812

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
pam-srv-tests: Add UT for cached 'online' auth. 2015-11-12T08:38:47+00:00 Pavel Reichl preichl@redhat.com 2015-10-20T13:10:30+00:00 4b12be504e20173e0629835818e4db6a9617a9a4 Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Extend PAM responder unit test to check 'online' cached authentication.

Resolves:
https://fedorahosted.org/sssd/ticket/2697

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req: check all domains for lookups by certificate 2015-11-11T17:17:11+00:00 Sumit Bose sbose@redhat.com 2015-10-12T11:00:28+00:00 04aed439cc058413e2331e9bfbe598cc563c2c7b Like lookup by ID or by UPN the match for lookups by certificate can be found in any domain and all sub-domains must be included in the search. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Like lookup by ID or by UPN the match for lookups by certificate can be
found in any domain and all sub-domains must be included in the search.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IFP: Skip non-POSIX groups properly 2015-11-11T11:05:29+00:00 Jakub Hrozek jhrozek@redhat.com 2015-11-09T21:12:05+00:00 788146c3e3a564f333f39a2fcffccf3012cc2679 When ifp_users_user_get_groups is called, for example via GetAll and the list of groups contains a non-POSIX group, we skip an array member, resulting in random memory being passed to the caller. Resolves: https://fedorahosted.org/sssd/ticket/2863 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
When ifp_users_user_get_groups is called, for example via GetAll and
the list of groups contains a non-POSIX group, we skip an array member,
resulting in random memory being passed to the caller.

Resolves:
    https://fedorahosted.org/sssd/ticket/2863

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
cache_req: Fix warning -Wshadow 2015-11-10T14:34:32+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-11-09T09:40:11+00:00 32dc4016585cbffc55a92a38e7a1e14c7e1e22ac src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name': src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration /usr/include/unistd.h:528: warning: shadowed declaration is here Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name':
src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
NSS: fix a use-after-free issue 2015-11-04T08:37:57+00:00 Sumit Bose sbose@redhat.com 2015-10-30T15:28:37+00:00 343b053bc61792023003d077ae81c05ff1676a89 While handling well-known SIDs a debug statement tries to access memory that is already freed. This can be seen with the following output from valgrind. ==17600== Invalid read of size 4 ==17600== at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458) ==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509) ==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161) ==17600== by 0x8067015: client_cmd_execute (responder_common.c:249) ==17600== by 0x80671F5: client_recv (responder_common.c:283) ==17600== by 0x806741C: client_fd_handler (responder_common.c:335) ==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728) ==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926) ==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114) ==17600== by 0x45EF3BF: _tevent_loop_once (tevent.c:530) ==17600== by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634) ==17600== by 0x45F326E: std_event_loop_wait (tevent_standard.c:140) ==17600== by 0x45EF647: _tevent_loop_wait (tevent.c:653) ==17600== Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd ==17600== at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==17600== by 0x45FEC9E: _talloc_free_internal (talloc.c:1057) ==17600== by 0x45FEC9E: _talloc_free (talloc.c:1581) ==17600== by 0x8066085: sss_cmd_done (responder_cmd.c:93) ==17600== by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382) ==17600== by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455) ==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509) ==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161) ==17600== by 0x8067015: client_cmd_execute (responder_common.c:249) ==17600== by 0x80671F5: client_recv (responder_common.c:283) ==17600== by 0x806741C: client_fd_handler (responder_common.c:335) ==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728) ==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926) ==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114) ==17600== The patch contains a change to the unit tests which frees the memory in the wrapper for sss_cmd_done() too. This allows to detect this kind of issue in the unit tests as well. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
While handling well-known SIDs a debug statement tries to access memory that is
already freed. This can be seen with the following output from valgrind.

==17600== Invalid read of size 4
==17600==    at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458)
==17600==    by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600==    by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600==    by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600==    by 0x80671F5: client_recv (responder_common.c:283)
==17600==    by 0x806741C: client_fd_handler (responder_common.c:335)
==17600==    by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600==    by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600==    by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==    by 0x45EF3BF: _tevent_loop_once (tevent.c:530)
==17600==    by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634)
==17600==    by 0x45F326E: std_event_loop_wait (tevent_standard.c:140)
==17600==    by 0x45EF647: _tevent_loop_wait (tevent.c:653)
==17600==  Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd
==17600==    at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17600==    by 0x45FEC9E: _talloc_free_internal (talloc.c:1057)
==17600==    by 0x45FEC9E: _talloc_free (talloc.c:1581)
==17600==    by 0x8066085: sss_cmd_done (responder_cmd.c:93)
==17600==    by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382)
==17600==    by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455)
==17600==    by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600==    by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600==    by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600==    by 0x80671F5: client_recv (responder_common.c:283)
==17600==    by 0x806741C: client_fd_handler (responder_common.c:335)
==17600==    by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600==    by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600==    by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==

The patch contains a change to the unit tests which frees the memory in
the wrapper for sss_cmd_done() too. This allows to detect this kind of
issue in the unit tests as well.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Refactor some conditions 2015-10-23T08:33:06+00:00 Michal Židek mzidek@redhat.com 2015-10-22T10:51:47+00:00 e563de9203be581acc30c7794f568ae40d22bee0 Conditions with get_next_domain were a little confusing for coverity (but also for developers' eyes). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Conditions with get_next_domain were a little
confusing for coverity (but also for developers'
eyes).

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
util: Update get_next_domain's interface 2015-10-23T08:32:23+00:00 Michal Židek mzidek@redhat.com 2015-09-09T12:37:48+00:00 877b92e80bde510d5cd9f03dbf01e2bcf73ab072 Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.

Ticket:
https://fedorahosted.org/sssd/ticket/2673

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PAM: remove unused parameter cdb 2015-10-20T07:39:42+00:00 Pavel Reichl preichl@redhat.com 2015-10-19T17:00:44+00:00 b1bc8836c82290238cf3bb32b27686d25e6226a8 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>