| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Adds two new configure-time options that let you select the user to run
SSSD as. The default is 'root' for backwards compatibility.
The directories the deamon stores its private data at are also created
as owned by this user during install time.
|
| |
|
|
|
|
| |
FIXME - check the PID was created as the user in question.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Just moves code around. There should be a way to use the server.c module
without linking the monitor code.
|
| |
|
|
|
|
|
|
| |
Unit testing the utilities to become another user requires the use of
the cwrap libraries. This patch augments our build system with macros to
detect the nss_wrapper and and uid_wrapper libraries.
|
|
|
|
|
|
| |
In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.
|
| |
|
|
|
|
|
|
|
|
|
| |
It was suggested by the Fedora automake maintainer to use the autoconf
macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is
more portable and might actually expand to something else than "mkdir
-p" on some platforms (usually it would be a variant of install.sh)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The sysdb.c should be reserved for utility and setup functions. Search
functions belong to sysdb_search.c Keeping functions in specialized
modules helps to maintain nice dependencies and in overall makes unit
testing easier.
Moreover, the function was not unit tested, which needed fixing.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Several functions in the monitor.c file were not marked as static even
though they were only used inside monitor.c
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Talloc context was not used in functions ad_gpo_parse_gpo_child_response
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used
in these functions[1]. They used constant NDR_SCALARS.
[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.
Related:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Preserve case of group members in getgrnam
when 'case_sensitive = preserving' is set.
Fixes:
https://fedorahosted.org/sssd/ticket/2453
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
With a recent patch sysdb_getpwnam() was replaced by
sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave
differently with respect to sub-domain users. As a consequence the PAM
responder was not able to resolve users from sub-domains. This patch
reverts this change and uses sysdb_getpwnam() again.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2452
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.
The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.
Fixes https://fedorahosted.org/sssd/ticket/2159
and https://fedorahosted.org/sssd/ticket/2041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When we attempt to request attributes that are not present in
the dereferenced links, some serves might not send the dereference
control back at all. Be permissive and treat the search as if
it didn't find anything.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This patch changes get_primary() into sss_krb5_get_primary() so it can
be used by the AD provider to get the sAMAccountName from the hostname.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Fix debug messages where '\n' was wrongly followed by '.'.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When there was more than one SSSD domain configured, actions performed
against domains later in the list would be incorrectly told to use the
first domain as the base for locating subdomains. This was because we
were rewinding the ->prev list on the sss_domain_info object, which is
only intended to be used by confdb code. The correct approach was to
use only the parent linkage, which would take us up to the top-level
domain in this SSSD domain.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mock config with name default is usually symbolic link
to the configuration file of local architecture. The side effect
of this patch is that we will not try to rebuild on old architectures
src.rpm for new architectures(fedora). It caused issues with mock tmpfs
plugin.
Resolves:
https://fedorahosted.org/sssd/ticket/2441
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
|
|
|
|
| |
Remove --vgdb=no option from CI's Valgrind invocation, as default
condition for starting gdb (--vgdb-error=999999999) is highly unlikely
and therefore this option is unnecessary.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
Add check for Valgrind test result to contrib/ci/run.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add suppressions for all issues detected by Valgrind during CI runs.
These seem to be false positives, or cannot be fixed.
Resolves:
https://fedorahosted.org/sssd/ticket/2428
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an empty Valgrind suppressions file, use it when invoking Valgrind.
This prepares for addition of Valgrind suppressions for current false
positives and issues that cannot be fixed, preparing for enforcing
Valgrind check.
Make Valgrind output a suppression for every error and make it output
used suppression names and counts at the end of each run. This
simplifies discovery and addition of new suppressions and removal of
unused ones.
Related to https://fedorahosted.org/sssd/ticket/2428
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Disable running dlopen-tests under Valgrind as their use of dlclose
makes Valgrind drop symbols and produce meaningless backtraces, which
cannot be matched with specific suppressions.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Daniel Gollub <dgollub@brocade.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2442
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|