sssd.git/src/util, branch nonroot sssd with jhrozek's patches KRB5: Pass the sssd_be uid and gid to krb5_child 2014-11-28T17:48:23+00:00 Jakub Hrozek jhrozek@redhat.com 2014-11-28T12:30:20+00:00 89c1048cb19440f5a9b6a931c3af04ad23b73246 






Fix: always check return value of unlink()
2014-11-28T15:16:37+00:00

Pavel Reichl
preichl@redhat.com

2014-11-28T13:17:44+00:00

aff8b0e3b41644c70704b78e15501779d52b6ff4

Resolves:
https://fedorahosted.org/sssd/ticket/2506

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>





Resolves:
https://fedorahosted.org/sssd/ticket/2506

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>







krb5: Check return value of sss_krb5_princ_realm
2014-11-28T15:06:11+00:00

Lukas Slebodnik
lslebodn@redhat.com

2013-10-14T09:21:02+00:00

466f5a539be1e4c6e7cfb396a2f406e1eb8c428d

sss_krb5_princ_realm set output parameter realm to NULL and len to 0
in case of failure. Clang static analysers reported warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible, that realm_name with value NULL
could be used in strncmp.

Reviewed-by: Pavel Reichl <preichl@redhat.com>





sss_krb5_princ_realm set output parameter realm to NULL and len to 0
in case of failure. Clang static analysers reported warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible, that realm_name with value NULL
could be used in strncmp.

Reviewed-by: Pavel Reichl <preichl@redhat.com>







krb5: Check return value of krb5_principal_get_realm
2014-11-28T15:06:05+00:00

Lukas Slebodnik
lslebodn@redhat.com

2014-10-14T09:20:40+00:00

2dc519ba98ca886076ba9e16b95a72732909cea1

Function krb5_principal_get_realm can return NULL an it would
case segfault in function strlen.

Reviewed-by: Pavel Reichl <preichl@redhat.com>





Function krb5_principal_get_realm can return NULL an it would
case segfault in function strlen.

Reviewed-by: Pavel Reichl <preichl@redhat.com>







util: sss_get_domain_name regex mismatch not fatal
2014-11-25T12:47:57+00:00

Michal Zidek
mzidek@redhat.com

2014-11-21T19:06:32+00:00

e894a127a9979dea667408b0cced59fedc3bcd0a

Assume name is not FQDN if sss_parse_name fails to
match domain with regular expression.

Fixes:
https://fedorahosted.org/sssd/ticket/2487

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>





Assume name is not FQDN if sss_parse_name fails to
match domain with regular expression.

Fixes:
https://fedorahosted.org/sssd/ticket/2487

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>







util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
2014-11-25T12:47:57+00:00

Michal Zidek
mzidek@redhat.com

2014-11-24T18:50:14+00:00

8394eddba54b5d3e3fda868145e3751247bdbdb2

Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>





Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>







AD/IPA: add krb5_confd_path configuration option
2014-11-25T12:28:39+00:00

Sumit Bose
sbose@redhat.com

2014-11-21T17:07:10+00:00

4fa184e2c60b377fd71e0115a618bd68dc73627d

With this new parameter the directory where Kerberos configuration
snippets are created can be specified.

Fixes https://fedorahosted.org/sssd/ticket/2473

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





With this new parameter the directory where Kerberos configuration
snippets are created can be specified.

Fixes https://fedorahosted.org/sssd/ticket/2473

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







Enable views for all domains
2014-11-20T09:53:01+00:00

Sumit Bose
sbose@redhat.com

2014-11-07T20:36:12+00:00

b114bcc370c8d78b5e9f43963cfa91213901c3be

Currently views and overrides were only available for sub-domains, this
patch enables the lookup for the configured domains as well.

Related to https://fedorahosted.org/sssd/ticket/2481

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





Currently views and overrides were only available for sub-domains, this
patch enables the lookup for the configured domains as well.

Related to https://fedorahosted.org/sssd/ticket/2481

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







KRB5: Do not switch_creds() if already the specified user
2014-11-18T19:33:46+00:00

Jakub Hrozek
jhrozek@redhat.com

2014-10-19T10:28:13+00:00

35b4b217fa2b91bfc8d58c47024faf41c95fc807

The code didn't have to handle this case previously as sssd_be was always
running as root and switching to the ccache as the user logging in.

Also handle NULL creds on restore_creds() in case there was no switch.
One less if-condition and fewer indentation levels.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>





The code didn't have to handle this case previously as sssd_be was always
running as root and switching to the ccache as the user logging in.

Also handle NULL creds on restore_creds() in case there was no switch.
One less if-condition and fewer indentation levels.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>







KRB5: Move all ccache operations to krb5_child.c
2014-11-18T19:33:42+00:00

Jakub Hrozek
jhrozek@redhat.com

2014-10-18T20:03:13+00:00

2745b0156f12df7a7eb93d57716233243658e4d9

The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.

src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.

Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>





The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.

src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.

Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>