summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* krb5_mod_ccname: replace wrong memory contextSumit Bose2012-11-051-1/+1
|
* krb5_child: send PAC to PAC responderSumit Bose2012-11-052-3/+143
| | | | | | If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.
* krb5_auth: send different_realm flag to krb5_childSumit Bose2012-11-052-1/+8
| | | | | | | The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
* krb5_auth: check if principal belongs to a different realmSumit Bose2012-11-055-0/+88
| | | | | | Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* Add replacement for krb5_find_authdata()Sumit Bose2012-11-053-0/+20
| | | | | | | | | krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platform with lower version of MIT Kerberos a replacement call is added. Please note that on those platform the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platform it must be implemented by a different patch.
* check_ccache_files: search sub-domains as wellSumit Bose2012-11-051-4/+14
| | | | | If sssd is configured to renew Kerberos tickets automatically ticket of sub-domain uses should be renewed as well.
* sysdb: add sysdb_base_dn()Sumit Bose2012-11-052-0/+5
| | | | | Add a help function which returns the ldb_dn object for the base dn of the cache.
* krb5_auth_send: check for sub-domainsSumit Bose2012-11-054-11/+37
| | | | | | If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
* pac responder: add user principal and name alias to cached user objectSumit Bose2012-11-053-4/+46
| | | | | | | The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that if e.g. can be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.
* pac responder: use only lower case user nameSumit Bose2012-11-052-5/+15
| | | | | Since winbind can only return lower-cased user name the pac responder must do the same to avoid inconsistent behaviour.
* sysdb: look for ranges in the parent treeSumit Bose2012-11-051-1/+4
| | | | | | Make sure the right sub-tree in the cache is used to search for ranges. Sub-domain trees do not have range objects only the tree of the parent domain.
* pac responder: fix copy-and-paste errorSumit Bose2012-11-051-7/+0
| | | | This error prevent proper id-mapping in the PAC responder.
* subdomain-id: Generate homedir only for users not groupsSumit Bose2012-11-051-10/+12
|
* KRB5: Return error when principal selection failsJakub Hrozek2012-11-051-1/+4
| | | | | | | The ldap_child would return a NULL ccache but the error code would still indicate success. https://fedorahosted.org/sssd/ticket/1594
* sudo refresh: handle errors properlyPavel Březina2012-11-051-8/+25
| | | | We should test both ret and (dp_error, errno) pair.
* sudo: do not fail if usn value is zero but full refresh is completedPavel Březina2012-11-052-7/+19
| | | | | | | | https://fedorahosted.org/sssd/ticket/1596 In case that LDAP server contains zero sudo rules, the full refresh completes succussfully and stores current USN value (= 0). But then smart refresh will fail because it takes USN=0 as invalid value.
* Fix two errors in the nss responderSumit Bose2012-11-051-1/+3
| | | | | | | | | One is a copy-and-paste error which was introduce by 1774ee9a61b9d691dadd1a0538f32bcdcc84f72f. The second fixes a missing explicit setting of the return value. In the case where we want fully qualified names ret contains the number of characters from the last snprintf() which is almost ever not 0.
* LDAP: Check validity of naming_contextJakub Hrozek2012-11-051-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
* Updating the translations for the 1.9.2 releasesssd-1_9_2Jakub Hrozek2012-10-1235-2885/+5459
|
* MAN: improve wording of default_domain parameterJakub Hrozek2012-10-121-5/+5
|
* Only call krb5_set_trace_callback on platforms that support itJakub Hrozek2012-10-125-6/+21
|
* Create ghost users when a user DN is encountered in IPAJakub Hrozek2012-10-121-37/+276
| | | | | | | The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319
* SSH: When host keys are removed from LDAP, remove them from the cache as wellJan Cholasta2012-10-121-36/+34
| | | | https://fedorahosted.org/sssd/ticket/1574
* Allow extdom exop to return flat domain name as wellSumit Bose2012-10-124-4/+37
| | | | | | | | There are case where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well. Related to https://fedorahosted.org/sssd/ticket/1561
* Check for subdomains if getpwuid or getgrgid are the first requestsSumit Bose2012-10-121-0/+72
| | | | Fixes https://fedorahosted.org/sssd/ticket/1561
* Save time of last get_domains requestSumit Bose2012-10-121-0/+16
|
* PAM: fix handling the client fd in pam destructorJakub Hrozek2012-10-123-18/+18
| | | | | * Protect the fd with a mutex when closing * Set it to a safe value after closing
* Collect krb5 trace on high debug levelsJakub Hrozek2012-10-126-3/+69
| | | | | | | If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
* Two fixes to child processesJakub Hrozek2012-10-122-6/+5
| | | | | | | | There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
* Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudoJakub Hrozek2012-10-124-17/+1
|
* Couple of specfile fixesJakub Hrozek2012-10-121-3/+7
|
* PAM: close socket fd with pam_set_dataJakub Hrozek2012-10-113-0/+33
| | | | https://fedorahosted.org/sssd/ticket/1569
* Fix memory hierarchy in subdomains discoveryJakub Hrozek2012-10-111-116/+160
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1571 The patch changes the subdomains discovery to use the tevent_req style. Previously, the code violated several rules which made the code very unreadable and led to memory hierarchy issues and use-after-free errors.
* nss_cmd_retpwent(): do not go into infinite loop if n < 0Pavel Březina2012-10-111-0/+8
| | | | https://fedorahosted.org/sssd/ticket/1551
* do not call dp callbacks when responder is shutting downPavel Březina2012-10-113-0/+25
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1514 We were experiencing crash duting responder shut down. This happened when there were some unresolved dp request during the shut down. The memory hierarchy is main_ctx->specific_ctx->rctx, where specific_ctx may be one of the pam, nss, sudo, etc. contexts. If we try to call dp request callback as a result of responder termination, the specific context is already semi freed, which may cause crash.
* Fix language errors in the sssd-krb5.conf man pageE Deon Lackey2012-10-111-70/+71
|
* Fixed: translation bugThorsten Scherf2012-10-111-1/+1
|
* Add more info about ticket validationOndrej Kos2012-10-102-1/+15
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.
* Fix segfault when ID-mapping an entry without a SIDJakub Hrozek2012-10-101-1/+1
| | | | | | | | | If there was no SID attribute, then we would have detected it by checking the number of values of an element. We would however happily return EOK in that case and save garbage into the sid_str. This was causing segfault when the entry was supposed to be ID-mapped by had no SID.
* do not fail if POLLHUP occurs while reading dataPavel Březina2012-10-101-1/+9
| | | | | | | | | | | This cause troubles when we send data to a pipe and close the file descriptor before data is read. The pipe is still readable, but POLLHUP is detected and we fail to read them. For example, this may cause a user beeing unable to log in. Now if POLLHUP appears, we read the pipe and then close it on the client side too.
* Fix typosYuri Chornoivan2012-10-093-3/+3
|
* Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hostsJakub Hrozek2012-10-091-1/+2
|
* Bumping the version to 1.9.1 releaseJakub Hrozek2012-10-051-1/+1
|
* Updating the translations for 1.9.1 releasesssd-1_9_1Jakub Hrozek2012-10-0532-14806/+17626
|
* man: Note that automounter must be restarted to re-read the master mapJakub Hrozek2012-10-055-0/+10
| | | | https://fedorahosted.org/sssd/ticket/1563
* do not create pid file twicePavel Březina2012-10-051-1/+6
| | | | | | | | | | If a provider is terminated and the monitor tries to restart it, it goes again through mark_service_as_started() which will try to create pid file again because number of running services didn't change. Because the pid file cannot be created twice, it will not return EOK and the whole SSSD is terminated.
* manpage: ldap_access_filter is not always mandatoryPavel Březina2012-10-051-5/+7
| | | | https://fedorahosted.org/sssd/ticket/1540
* SSH: Expire hosts in known_hostsJan Cholasta2012-10-0512-4/+216
|
* SSH: Refactor sysdb and related codeJan Cholasta2012-10-056-196/+261
|
* Fix default upper limit of slicesOndrej Kos2012-10-044-4/+4
| | | | | | | https://fedorahosted.org/sssd/ticket/1537 changes upper limit of slices to 2000200000 in providers code and manpage.
generated by cgit (git 2.34.1) at 2024-11-16 17:25:32 +0000