Commit message | Author | Age | Files | Lines
* memberof: Use fqname instead of name [branch: memberof] | Jakub Hrozek | 2015-05-05 | 1 | -38/+42
* SPEC: Fix cyclic dependencies between sssd-{krb5,}-common | Lukas Slebodnik | 2015-05-05 | 1 | -1/+1

  libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
  and sssd-krb5-common requires sssd-common.

      sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
      000000000000c4d0 T krb5_service_init
      000000000000b8c0 T krb5_try_kdcip
      000000000000c710 T remove_krb5_info_files
      0000000000014960 T select_principal_from_keytab
      00000000000141d0 T sss_krb5_get_error_message

      sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
                       U krb5_service_init
                       U krb5_try_kdcip
                       U remove_krb5_info_files
                       U select_principal_from_keytab
                       U sss_krb5_get_error_message

  This patch fixes the cyclic dependency with rpm packaging because it's not
  a simple task to remove the krb5 dependency from the ldap provider.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2507

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Fix id mapping with disabled subdomains | Lukas Slebodnik | 2015-05-05 | 1 | -0/+7

  If subdomains are disabled ("subdomain_provider = none") then auto-discovery
  of the domain SID is disabled. It is possible to configure the options
  ldap_idmap_default_domain{,_sid} and id mapping should work.

  However, the value of option ldap_idmap_default_domain_sid was not assigned
  to sss_domain_info for the main domain. It was only used for initialisation
  of sdap_idmap_ctx. As a result of this bug posix attributes were used in the
  ldap filter and id mapping worked just for users with posix attributes.

      [be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
      [be_req_set_domain] (0x0400): Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
      [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
      [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
      [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=EXAMPLE,DC=TEST]
      [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=hdpadmin)(objectclass=user) (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))] [DC=EXAMPLE,DC=TEST].
      [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
      [sdap_get_users_done] (0x0040): Failed to retrieve users

  Resolves:
  https://fedorahosted.org/sssd/ticket/2635

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sss_nss_idmap-tests: Use different prepared buffers for big endian | Lukas Slebodnik | 2015-05-04 | 1 | -0/+12

  We get error EBADMSG instead of EOK due to an endianness issue.

      [==========] Running 2 test(s).
      [ RUN      ] test_getsidbyname
      0x4a != 0
      src/tests/cmocka/sss_nss_idmap-tests.c:108: error: Failure!
      [  FAILED  ] test_getsidbyname
      [ RUN      ] test_getorigbyname
      0x4a != 0
      src/tests/cmocka/sss_nss_idmap-tests.c:127: error: Failure!
      [  FAILED  ] test_getorigbyname

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Do not ignore missing attrs for GPOs | Lukas Slebodnik | 2015-04-30 | 1 | -3/+9

  We don't want to skip over a GPO that might properly be denying users.

      [sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
      [sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
      [sssd[be[a.foo.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
      [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'lzb.hq'
      [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000): Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
      [sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040): no attrs found for GPO; try next GPO.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2629

  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* autofs: fix 'Cannot allocate memory' with FQDNs | Aron Parsons | 2015-04-30 | 1 | -9/+0

  https://fedorahosted.org/sssd/ticket/2643

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: fix segfault in ipa_s2n_exop | Aron Parsons | 2015-04-29 | 1 | -1/+1

  Can be triggered on demand by assigning a POSIX group with external members
  sudo privileges, then dropping the cache and doing a sudo -U <user> -l.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: allow initgroups by SID for AD users | Sumit Bose | 2015-04-29 | 6 | -11/+56

  If a user from a trusted AD domain is searched with the help of an override
  name, the SID from the override anchor is used to search the user in AD.
  Currently the initgroups request only allows searches by name. With this
  patch a SID can be used as well.

  Resolves https://fedorahosted.org/sssd/ticket/2632

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple-access-provider: make user grp res more robust | Pavel Reichl | 2015-04-28 | 3 | -4/+24

  Not all user groups need to be resolved if group deny list is empty.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2519

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: check ghosts in groups found by uuid as well | Sumit Bose | 2015-04-27 | 1 | -9/+12

  With views and overrides, groups are not allowed to have ghost members
  anymore because the name of a member might be overridden. To achieve this,
  ghost members are looked up and resolved later during group lookups.
  Currently this is only done for group lookups by name but should happen as
  well if the group is looked up by uuid.

  Resolves https://fedorahosted.org/sssd/ticket/2631

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: use sysdb_attrs_add_string_safe to add group member | Sumit Bose | 2015-04-27 | 1 | -2/+3

  The member list returned by the extdom plugin might contain some entries
  more than once. Although this is an issue on the server side, to avoid ldb
  errors duplicates should be filtered out on the client as well.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not try to save override data for the default view | Sumit Bose | 2015-04-27 | 1 | -5/+10

  For the default view all override data is available in the cached user or
  group object. Even if separate override data is available it should not be
  written into the cache.

  Resolves https://fedorahosted.org/sssd/ticket/2630

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tests: Add NSS responder tests for bysid requests | Jakub Hrozek | 2015-04-24 | 2 | -0/+220

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* nss: Use negcache for getbysid requests | Jakub Hrozek | 2015-04-24 | 1 | -0/+9

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sysdb: Add cache_expire to the default sysdb_search_object_by_str_attr set | Jakub Hrozek | 2015-04-24 | 1 | -1/+2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Write hints about optional python bindings | Lukas Slebodnik | 2015-04-24 | 1 | -2/+22

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* ad_opts: Use different default attribute for group name | Lukas Slebodnik | 2015-04-17 | 1 | -1/+1

  The MSFT docs [1,2] for LDAP attributes say:

  - samAccountName is mandatory for 'user' and 'group' objectclasses via the
    'Security-Principal' aux-class
  - name is part of the 'top' class and *not* mandatory for 'user' or 'group'.

  [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
  [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx

  Resolves:
  https://fedorahosted.org/sssd/ticket/2593

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* subdom: Remove unused function get_flat_name_from_subdomain_name | Jakub Hrozek | 2015-04-16 | 2 | -24/+0

  The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is
  unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD GPO: Always look up GPOs from machine domain | Stephen Gallagher | 2015-04-15 | 1 | -21/+33

  When dealing with users from a child domain, SSSD was attempting to use the
  subdomain for lookups. However, all GPOs applicable to this machine are
  stored in the primary domain (the domain the host directly joined). This
  patch has the GPO processing use the primary domain instead of the user
  domain.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2606

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Always get domain-specific ID connection | Stephen Gallagher | 2015-04-15 | 2 | -11/+8

  ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the
  LDAP connection for the primary domain, however it turns out that this is
  not always the case. It's currently unclear why, but this connection can
  sometimes be pointing at a subdomain.

  Since the value of subdom_id_ctx->ldap_ctx always points to the correct
  domain (including the primary domain case), there's no benefit to trying to
  shortcut to the ad_ctx->ldap_ctx when performing this lookup.

  This patch also makes a minor tweak to the tests so that the primary domain
  passes the sdap_domain_get() check for validity (since it needs to have a
  private member assigned).

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Clean up ad_access_gpo | Stephen Gallagher | 2015-04-15 | 1 | -7/+5

  Align goto usage with conventions in the rest of the source.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Only call semanage if the context actually changes | Jakub Hrozek | 2015-04-14 | 4 | -4/+109

  https://fedorahosted.org/sssd/ticket/2624

  Add a function to query the libsemanage database for a user context and
  only update the database if the context differs from the one set on the
  server.

  Adds talloc dependency to libsss_semanage.

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Begin and end the transaction on the same nesting level | Jakub Hrozek | 2015-04-14 | 1 | -6/+14

  Transaction should be started and committed on the same code nesting or
  abstraction level. Also, transactions are really costly with libselinux and
  splitting them from initialization will make init function reusable by
  read-only libsemanage functions.

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Disconnect before closing the handle | Jakub Hrozek | 2015-04-14 | 1 | -3/+10

  libsemanage documentation says:
  ~~~~
  be sure that a semanage_disconnect() was previously called if the handle
  was connected.
  ~~~~
  Otherwise we get a memory leak.

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* Option filter_users had no effect for retrieving sudo rules | Adam Tkac | 2015-04-14 | 3 | -0/+39

  Previously, sssd_sudo always obtained sudo rules for a user from LDAP even
  when the user was listed in filter_users.

  Resolves https://fedorahosted.org/sssd/ticket/2625

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb-tests: test return value before output arguments | Lukas Slebodnik | 2015-04-14 | 1 | -0/+1

  Output arguments needn't be initialized if function failed.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb-tests: Add missing assertions | Lukas Slebodnik | 2015-04-14 | 1 | -0/+3

  The return value of functions test_remove_group_member and
  sysdb_attrs_add_time_t were ignored and therefore this part of code was not
  tested.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple_access-tests: Simplify assertion | Lukas Slebodnik | 2015-04-14 | 1 | -3/+1

  The second argument of function check_access_list should not be an empty
  list.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Filter ad groups in initgroups | Lukas Slebodnik | 2015-04-14 | 1 | -0/+12

  Function sdap_add_incomplete_groups stored domain local groups from
  subdomain as POSIX group, which should not be done.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2614

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Extract filtering AD group to function | Lukas Slebodnik | 2015-04-14 | 5 | -47/+101

  Patch removes code duplication.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Do not set gid 0 twice | Lukas Slebodnik | 2015-04-14 | 1 | -7/+0

  The gid 0 was added to sysdb attrs directly in sdap_save_group for the
  first time and for the second time in the function
  sdap_store_group_with_gid, which was called every time from function
  sdap_save_group.

      [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
      [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
      [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
      [sysdb_store_group] (0x0400): Error: 17 (File exists)
      [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
      [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
      [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
      [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nsupdate: Append -d/-D to nsupdate with a high debug level | Jakub Hrozek | 2015-04-14 | 1 | -1/+17

  https://fedorahosted.org/sssd/ticket/897

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* dyndns: Log nsupdate stderr with a high debug level | Jakub Hrozek | 2015-04-14 | 1 | -0/+12

  https://fedorahosted.org/sssd/ticket/2224

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: Add a simple function to get the fd of debug_file | Jakub Hrozek | 2015-04-14 | 2 | -0/+10

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sudo: sanitize filter values | Pavel Březina | 2015-04-13 | 1 | -2/+13

  Resolves:
  https://fedorahosted.org/sssd/ticket/2613

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN: Clarify how are GPO mappings called in GPO editor | Jakub Hrozek | 2015-04-10 | 1 | -3/+19

  https://fedorahosted.org/sssd/ticket/2618

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Reset negcache after checking domains | Jakub Hrozek | 2015-04-09 | 1 | -0/+24

  The NSS responder periodically re-checks subdomains. We need to reset the
  negative cache each time the check finishes to allow the negative cache to
  contain entries from different domains.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* responders: reset ncache after domains are discovered during startup | Jakub Hrozek | 2015-04-09 | 10 | -15/+82

  After responders start, they add a lookup operation that discovers the
  subdomains so that qualifying users works. After this operation finishes,
  we need to reset negcache to allow users to be added into the newly
  discovered domains.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Add sss_ncache_reset_repopulate_permanent | Jakub Hrozek | 2015-04-09 | 3 | -0/+113

  This new function resets the negative cache and then re-adds the permanent
  entries.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Silence critical error from filter_users when default_domain_suffix is set | Jakub Hrozek | 2015-04-09 | 3 | -8/+101

  When default_domain_suffix is used and filter_users is set (at least root
  is always, by default), SSSD tried to add the negcache entry to the default
  domain. But since the default domain is not known after start up, adding
  the entries fails with a verbose error message.

  This patch handles EAGAIN returned from the parsing function while setting
  negcache entries gracefully and also makes the debug message in the parsing
  function more precise.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Fix sss_ncache_reset_permanent | Jakub Hrozek | 2015-04-09 | 2 | -1/+12

  There was an off-by-one error in sss_ncache_reset_permanent that prevented
  the reset from working.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tests: Revert strcmp condition | Jakub Hrozek | 2015-04-08 | 1 | -1/+1

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Set sdap handle as explicitly connected in LDAP auth | Jakub Hrozek | 2015-04-08 | 1 | -0/+12

  In case SSSD is set with id_provider=proxy and auth_provider=ldap, the LDAP
  provider is not used to retrieve the user info with the higher-level calls,
  but the lower-level connection establishment is used instead. In this case,
  we need to make sure to mark the connection as explicitly connected to be
  notified about results of looking up the DN.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2620

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SPEC: Few cosmetic changes | Lukas Slebodnik | 2015-04-08 | 1 | -6/+4

  - removed unnecessary blank lines (leftover after many changes)
  - list manual pages according to section number
  - add missing white spaces to shell scripts

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Remove unused option | Lukas Slebodnik | 2015-04-08 | 1 | -1/+0

  The optional definition of rpm macro with_ccache was removed in patch
  "BUILD: Remove unnecessary patch and configure opts" as a part of ticket
  https://fedorahosted.org/sssd/ticket/2036. It is not used anymore so it can
  be removed.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Drop workarounds for old rpmbuild | Lukas Slebodnik | 2015-04-08 | 1 | -9/+0

  Old versions of rpmbuild require ghost files to be present in the
  buildroot. It was mainly a problem of rpmbuild on rhel5 which is not
  supported anymore.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Drop workaround for old libtool | Lukas Slebodnik | 2015-04-08 | 1 | -9/+0

  This workaround was for libtool in rhel 5 and we dropped support for it a
  few months ago due to missing dependencies.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util-tests: Initialize boolean variable to default value | Lukas Slebodnik | 2015-04-08 | 1 | -1/+1

  The boolean variable found_nss could be used uninitialized in test
  test_known_service if service "nss" would not be found. We would catch it
  with valgrind.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* enumeration: fix talloc context | Pavel Březina | 2015-04-08 | 2 | -2/+2

  If for some reason ptask fails (e.g. timeout), req is talloc freed but
  because subreq is attached to ectx which is permanent it is finished
  anyway. Then a crash occurs when we are trying to access callback data.

  The same happens in sdap_dom_enum_ex_send.

  Resolves:
  https://fedorahosted.org/sssd/ticket/2611

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* CLIENT: Clear errno with enabled sss-default-nss-plugin | Lukas Slebodnik | 2015-04-07 | 1 | -0/+2

  Although errno was cleared in function sss_nss_make_request, some sss glibc
  functions set errno with the value of output argument errnop.

  Reproducer:
  * sssd compiled with enabled option sss-default-nss-plugin
  * sss is the last value in group (/etc/nsswitch.conf)
  * sssd-client is installed but sssd is stopped.

  C-program:

      #include <stdio.h>
      #include <stdlib.h>
      #include <errno.h>
      #include <grp.h>

      int main(int argc, char *argv[])
      {
          struct group *p_group;

          (void) argc;
          (void) argv;

          setgrent();
          while (1) {
              errno = 0; /* initialize for getgrent() */
              p_group = getgrent();
              if (p_group == NULL) {
                  if (errno == 0) {
                      break; /* end of groups */
                  } else {
                      /* a non-zero errno here is the bug this patch fixes */
                      perror("getgrent");
                      printf("getgrent error %d \n", errno);
                      endgrent();
                      exit(-2);
                  }
              }
              /* gid_t is unsigned, so print it with %u */
              printf("getgrent() OK group(%u) = %s \n",
                     (unsigned) p_group->gr_gid, p_group->gr_name);
          }
          endgrent();
          exit(0);
      }

  Resolves:
  https://fedorahosted.org/sssd/ticket/2619

  Reviewed-by: Pavel Reichl <preichl@redhat.com>