| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==18139== Conditional jump or move depends on uninitialised value(s)
==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626)
==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907)
==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114)
==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530)
==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634)
==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140)
==18139== by 0x5293862: server_loop (server.c:668)
==18139== by 0x10EA41: main (data_provider_be.c:2909
Related tickets:
https://fedorahosted.org/sssd/ticket/2645
https://fedorahosted.org/sssd/ticket/2662
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
The function sss_strerror() should not return a sentence.
It shoudl return string; the same as strerror()
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some providers, notably IPA, rely on extra_value to be either a useful
value or NULL. In enumeration, however, extra_value was random. Set
the extra_value pointer explicitly to NULL to make it clear that it's
not used for enumeration and also use talloc_zero as future-proof.
Resolves:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Argument "siginfo_t *siginfo" (void *__siginfo) was not used in
signal handlers pc_init_sig_handler, proxy_child_sig_handler.
siginfo is mostly used for additional information for about signal
and precesses (@see man 2 sigaction) and we store needed information
in custom context (private_data); It's tevent style.
Why backend crashed:
proxy_child_init_send creates request; forks a process and register
handler for signal SIGCHLD. Talloc parent of tevent_signal is previously
created request.
If proxy_child fails (return code is not 0) then SIGCHLD is received
handler pc_init_sig_handler is called. However pc_init_sig_handler can call
tevent_req_error for request which calls request callback and released
request.
tevent_signal_destructor was called as a part of releasing
tevent_signal. The destructor cleared siginfo in ring buffer for first time.
Then tevent tried to clear the same siginfo in ring buffer for the secont time
after returning from signal hander (pc_init_sig_handler). But it was already
cleared and it caused dereference of NULL pointer.
Resolves:
https://fedorahosted.org/sssd/ticket/2654
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add another dollar sign to have variable name substituted by m4 in
"cwrap.m4" further substituted with its value by shell in "configure".
Before, this:
[ test x$2 = xyes]
would produce this in "configure" for uid_wrapper test:
test xHAVE_UID_WRAPPER = xyes
which is always false.
Now the changed code:
[ test x$$2 = xyes]
Would produce this in "configure" instead:
test x$HAVE_UID_WRAPPER = xyes
which will properly process the test result.
This fixes uid_wrapper and nss_wrapper detection, which were considered
missing otherwise, resulting in cwrap tests not running.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add "intgcheck" make target. Update CI to use it.
The "intgcheck" target configures and builds sssd in a sub-directory,
installs it into a prefix in another sub-directory, and then makes the
"intgcheck-installed" target from within src/tests/intg in that separate
build.
The "intgcheck-installed" target in src/tests/intg runs py.test for all
tests it can find in that directory, under fakeroot and
nss_wrapper/uid_wrapper environments emulating running under root.
It also adds the value of INTGCHECK_PYTEST_ARGS environment/make
variable to the py.test command line. You can use it to pass additional
py.test options, such as specifying a subset of tests to run. See
"py.test --help" output.
There are only two test suites in src/tests/intg at the moment:
ent_test.py and ldap_test.py.
The ent_test.py runs tests on ent.py - a module of assertion functions
for checking entries in NSS database (passwd and group), for use in
actual tests. The ent_test.py suite can be used as ent.py usage
reference.
The ldap_test.py suite sets up and starts a slapd instance, adds a few
user and group entries, configures and starts sssd and verifies that
those users and groups are retrieved correctly using various NSS
functions. The tests are very basic at the moment.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add AM_PYTHON2_MODULE - an autoconf macro checking for presence of
Python 2 modules. This is for use with the upcoming integration tests
configuration, but can be used by other code as well.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some callers may be interested in the raw referral values returned from
a lookup. This patch allows interested consumers to get these referrals
back and process them if they wish. It does not implement a generic
automatic following of referrals.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test SSSDConfigTest is executed twice with make check
if python2 and python3 are available.
Tests are executed in parallel with new automake
and therefore it caused sometimes failures e.g.
ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Error: FORWARD_NULL (CWE-476): [#def1]
sssd-1.12.90/src/krb5_plugin/sssd_krb5_localauth_plugin.c:111: assign_zero: Assigning: "pwd.pw_name" = "NULL".
sssd-1.12.90/src/krb5_plugin/sssd_krb5_localauth_plugin.c:142: var_deref_model: Passing null pointer "pwd.pw_name" to "strdup", which dereferences it.
140| }
141|
142|-> str = strdup(pwd.pw_name);
143| if (str == NULL) {
144| ret = ENOMEM;
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example calls:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Groups.Group string:name
method return sender=:1.159 -> dest=:1.168 reply_serial=2
variant string "group-1"
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP/30002 org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList
method return sender=:1.934 -> dest=:1.937 reply_serial=2
Resolves:
https://fedorahosted.org/sssd/ticket/2150
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example calls:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByName string:group-1method return sender=:1.159 -> dest=:1.166 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001"
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByID uint32:30001
method return sender=:1.159 -> dest=:1.167 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001"
Resolves:
https://fedorahosted.org/sssd/ticket/2150
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example calls:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return sender=:1.159 -> dest=:1.165 reply_serial=2
variant string "user-1"
Resolves:
https://fedorahosted.org/sssd/ticket/2150
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example calls:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:user-1
method return sender=:1.159 -> dest=:1.160 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001"
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByID uint32:10001
method return sender=:1.159 -> dest=:1.163 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/1000
Resolves:
https://fedorahosted.org/sssd/ticket/2150
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
This function decomposes object path into array of strings. The
"_exact" version expects a certain number of parts otherwise an
error is thrown.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Errors provided directly by D-Bus are not sufficient
to fulfill all our needs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"enum sss_authtok_type" is defined in sss_client/pam_message.h
So it's better to include it instead of "util/authtok.h".
"util/authtok.h" includes many header files including "util/util.h"
CC src/util/crypto/nss/libsss_crypt_la-nss_base64.lo
src/sss_client/pam_sss.c:48:0: error: "_" redefined [-Werror]
#define _(STRING) dgettext (PACKAGE, STRING)
^
In file included from ../sssd/src/util/authtok.h:23:0,
from ../sssd/src/sss_client/pam_message.h:29,
from ../sssd/src/sss_client/pam_sss.c:43:
src/util/util.h:55:0: note: this is the location of the previous definition
#define _(STRING) gettext (STRING)
^
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
When SYSDB_INITGR_EXPIRE had default value (0) then value of
SYSDB_CACHE_EXPIRE was used as initgroups expire attribute.
The right apoach is already used in responder_cache_req.c
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The size of time_t can be 8 bytes on some platforms.
It is because of year 2038 problem.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Type of timestamp for entries in negative cache is time_t
which is number of *seconds* that have elapsed since 1 January 1970.
The condition for ttl was to strict so entry could be valid
from "ttl-1" to ttl e.g.
* ttl is 1 second
* entry was stored to negative cache at 1432120871.999639
stored_timestamp = 1432120871
* entry was tested few miliseconds later 1432120872.001293
current_time = 1432120872
Entry was marked as expired becuase result of condition was false
stored_timestamp + ttl < current_time
1432120871 + 1 < 1432120872
This is a reason why ./test-negcache sometime fails.
It's quite easily reproducible on slow machine or when valgrind was used.
sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK: done
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The variable ret was not read when function sysdb_has_enumerated
returned ENOENT. Just boolean variable has_enumerated need to be changed.
This dead assignment caused warning from clang static analyser
Value stored to 'ret' is never read
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Error: PW.MIXED_ENUM_TYPE: [#def4]
sssd-1.12.90/src/sss_client/pam_message.c:159: mixed_enum_type: enumerated type mixed with another type
# 157| &buf[rp]);
# 158|
# 159|-> rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
# 160| pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
# 161|
Error: PW.MIXED_ENUM_TYPE: [#def5]
sssd-1.12.90/src/sss_client/pam_message.c:162: mixed_enum_type: enumerated type mixed with another type
# 160| pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
# 161|
# 162|-> rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
# 163| pi->pam_newauthtok, pi->pam_newauthtok_size,
# 164|
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
run_as_user is set set but never read.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who loggged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectivelly walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the version 389ds return a different error code if the
search for the view name failed because our dereference attribute
ipaAssignedIDView is not known. Newer version return
LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is
returned as EIO. In both cases we have to assume that the server is not
view aware and keep the view name unset.
Resolves https://fedorahosted.org/sssd/ticket/2650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sdap_nested_group_populate_users() has code to handle user name changes.
It updates the SYSDB_NAME attribute. This attribute is also used in the
RDN but changing the attribute in the object does not change the DN
hence the DN still contains the old name. Currently
sysdb_set_user_attr() was used to update the entry which creates the DN
based on the give name. This will fail if the name is changed for a
second time. Since the DN is already available in the search result it
is more reliable to use it directly with sysdb_set_entry_attr().
Related to https://fedorahosted.org/sssd/ticket/2591
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2649
libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:
selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
((void *)0)' failed.
If semanage_connect() failed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|