| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
We attempted to delete the member attributes of groups that contained a
particular user during the sysdb upgrade, but obviously, this cannot
work for nested groups as the member attribute is present for direct
parents only. As a result, we were getting failures during the upgrade.
https://fedorahosted.org/sssd/ticket/1631
|
| | |
|
| |
|
|
|
|
|
| |
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’:
src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’
shadows a global declaration
/usr/include/libgen.h:27: warning: shadowed declaration is here
|
| | |
|
| |
|
|
|
|
|
|
| |
This caused troubles with subdomain users and it is not really
necessary. This patch does not change the protocol itself, that
should be done on the earliest possible occasion.
Part of https://fedorahosted.org/sssd/ticket/1616
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1616
|
| | |
|
| | |
|
| |
|
|
| |
The check is now held only in ipa_get_subdomain_account_info_send().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicit or
implicit.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain request are always send to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only send to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch save the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
| |
|
|
|
|
|
|
| |
Since the PAC responder is used during the authentication of users from
trusted realms it is started automatically if the IPA ID provider is
configured for a domain to simplify the configuration.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
| |
|
|
|
|
|
|
| |
string_in_list() and add_string_to_list() are two utilities for NULL
terminated strings arrays. add_string_to_list() adds a new string to an
existing list or creates a new one with the strings as only item if
there is not list. string_in_list() checks if a given string is in the
list. It can be used case sensitive or in-sensitive.
|
| |
|
|
|
|
|
|
|
|
|
| |
For user of the local domain the server-side DN of the groups the user
is a member of is stored with the user object in the cache and used to
improve performance e.g. by the HBAC code. Since subdomain users should
be handled by HBAC as well the group DN is stored in the same way as for
users of the local domain.
This patch also adds code to remove the attribute from the user object
if the user is removed from the group.
|
| |
|
|
|
|
|
| |
Currently the user was just added to all local groups which are given in
the PAC. With this patch the user is added only to groups he is
currently not a member of and deleted from groups which are not found in
the PAC anymore.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.
Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes
|
| |
|
|
|
|
|
|
| |
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and return a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
|
| |
|
|
|
|
|
| |
Currently it is only checked if an expired group still has members of
the local domain. If not, the group is delete from the cache. With this
patch the whole cache, i.e. including subdomains, is searched for
members.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initgroups request is not handled by the IPA provider for
subdomain users on purpose because the group membership information is
not available on the IPA server but will be directly written to the
cache when the PAC of the user is processed. The old generic debug
message "Invalid sub-domain request type" might be misleading.
This patch adds a specific message for the initgroups case "Initgroups
requests are not handled by the IPA provider but are resolved by the
responder directly from the cache." and increase the debug level so
that typically this message is not shown anymore because it is expected
behaviour.
Fixes https://fedorahosted.org/sssd/ticket/1610
|
| |
|
|
|
|
|
| |
If force is true, ret may stay uninitialized and if ret == 0
after the subrequest is send, we will go to immediate label.
Data provider request is sent, but the answer is never processed.
This prohibited subdomain from working correctly.
|
| |
|
|
|
|
| |
Return EINVAL if number of tries is <= 0. Also the parameter
retries was renamed to num_tries, so it is more obvious that
it also includes the first try.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1584
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1481
|
| |
|
|
|
|
|
|
|
|
| |
When working with multiple domains and no
matching objects for deletion were found in the first
domain, the other domains were not searched at all.
Also the ERROR message informing about object not found
(the one printed for each domain) was changed to
DEBUG message.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/1357
We realized that sysv and systemd does not use pid file existence
as a notification of finished initialization. Therefore, we create
the pid file in server_setup() again.
We are removing check_file() from monitor main(), it is handled
by server_setup() during pid file creation. This check was
previously included in e7dd2a5102ba6cfd28be6eccdd62768e9758d9f4.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1357
Neither systemd or our init script use pid file as a notification
that sssd is finished initializing. They will continue starting up
next service right after the original (not daemonized) sssd process
is terminated.
If any of the responders fail to start, we will never terminate
the original process via signal and "service sssd start" will hang.
Thus we take this as an error and terminate the daemon with
a non-zero value. This will also terminate the original process
and init script or systemd will print failure.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
We currently have only SSSDBG_FATAL_FAILURE macro that corresponds
to original debug level 0. But there are several level 0 messages
that are not actually failures but an important information. We
should use this new macro to represent them.
|
| |
|
|
|
|
|
|
| |
The ldb_val's length parameter should not include the terminating NULL.
This was causing funky behaviour as the users were saved as binary
attributes.
https://fedorahosted.org/sssd/ticket/1614
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1619
We don't close the fd when we write the selinux login file in the pam
responder. This results in a fd leak.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1602
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1611
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
| |
|
|
|
|
| |
Domains may have a flat or short name to save some keystrokes when
typing fully qualified user names. Internally sssd will always use the
canonical name to allow consistent processing.
|
| |
|
|
|
|
|
|
|
| |
The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.
Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
| | |
|
| |
|
|
|
|
| |
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
| |
|
|
|
|
|
| |
The different_realm flag which was set by the responder is send to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider.
|
| |
|
|
|
|
| |
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
| |
|
|
|
|
|
|
|
| |
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platform with lower version of MIT
Kerberos a replacement call is added. Please note that on those
platform the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platform it
must be implemented by a different patch.
|
| |
|
|
|
| |
If sssd is configured to renew Kerberos tickets automatically ticket of
sub-domain uses should be renewed as well.
|
| |
|
|
|
| |
Add a help function which returns the ldb_dn object for the base dn of
the cache.
|
