Commit log: commit message | Author | Age | Files | Lines (-removed/+added)
* RESPONDER: Log failures to resolve user names in csv_string_to_uid_array
  Author: Jakub Hrozek | Date: 2014-12-13 | Files: 1 | Lines: -0/+3
  This patch makes it more discoverable for the admin to find typos in the various user lists. Typically, the user lists are used to add access to some feature and printing a syslog message would make sure the admin sees the mistake.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN: Misspelled username in pam_trusted_users is not fatal
  Author: Jakub Hrozek | Date: 2014-12-13 | Files: 1 | Lines: -5/+0
  The man page claimed that failing to resolve a user name results in failure to start SSSD, but it's not the case and shouldn't be, because marking a user as trusted only elevates privileges, so it's safe to ignore that failure.
  https://fedorahosted.org/sssd/ticket/2530
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Missing argument to domains= should fail auth
  Author: Jakub Hrozek | Date: 2014-12-13 | Files: 1 | Lines: -0/+6
  When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration and it's safer to fail then.
  https://fedorahosted.org/sssd/ticket/2516
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Domain names are case-insensitive
  Author: Jakub Hrozek | Date: 2014-12-13 | Files: 1 | Lines: -2/+2
  The pam_public_domains option and matching the domain requested by a trusted process were done in a case-sensitive manner, which is different from how we match domain names in SSSD normally.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPs
  Author: Jakub Hrozek | Date: 2014-12-13 | Files: 6 | Lines: -3/+43
  https://fedorahosted.org/sssd/ticket/2484
  When OTPs are used, we can only use each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal.
  This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: retain external members
  Author: Pavel Reichl | Date: 2014-12-13 | Files: 3 | Lines: -0/+193
  When processing group membership, check sysdb for group members from an extern domain and include them in the newly processed group membership, as extern members are currently found only when initgroups() is called.
  Resolves: https://fedorahosted.org/sssd/ticket/2492
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* MONITOR: Disable inlining of function load_configuration
  Author: Lukas Slebodnik | Date: 2014-12-11 | Files: 1 | Lines: -6/+12
  This reverts commit cff89439b21f8573c6896b09cb1a8d5f9de3144c.
  The previous fix was not sufficient and a similar warning appears after a different change in function load_configuration.

      src/monitor/monitor.c: In function ‘main’:
      src/monitor/monitor.c:2962:24: error: ‘monitor’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
          monitor->is_daemon = !opt_interactive;
                             ^
      cc1: all warnings being treated as errors

  It's better to disable optimisation of function load_configuration after a failure in chown(unlink) instead of checking errno for 0 and overriding it with EINVAL.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install libsss_crypt after its dependencies
  Author: Lukas Slebodnik | Date: 2014-12-11 | Files: 1 | Lines: -33/+34
  A library should not be installed before its internal dependencies, otherwise there is an error in make distcheck.

      libtool: install: error: relink `libsss_crypt.la' with the above command before installing it

  It would be sufficient just to change the order of libraries in the automake variable pkglib_LTLIBRARIES, but it's better to have internal libraries in one place.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Check FAST kinit errors using get_tgt_times()
  Author: Jakub Hrozek | Date: 2014-12-11 | Files: 1 | Lines: -13/+15
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: use gettimeofday() instead of time()
  Author: Pavel Březina | Date: 2014-12-11 | Files: 2 | Lines: -34/+52
  Sometimes the timestamp from gettimeofday() slightly differs from the one obtained via time(), which caused a unit test to fail occasionally.
  Resolves: https://fedorahosted.org/sssd/ticket/2521
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Fix dependencies of internal sss libraries
  Author: Lukas Slebodnik | Date: 2014-12-08 | Files: 2 | Lines: -12/+17
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAKE: Fix linking of test_child_common
  Author: Lukas Slebodnik | Date: 2014-12-08 | Files: 1 | Lines: -1/+7
  Compilation of test_child_common failed with linker flag --as-needed due to cyclic dependencies between libsss_child.so and libsss_util.so

        CCLD     test_child_common
      ./.libs/libsss_child.so: undefined reference to `sss_hash_create'
      ./.libs/libsss_child.so: undefined reference to `hash_lookup'
      ./.libs/libsss_child.so: undefined reference to `BlockSignals'
      ./.libs/libsss_child.so: undefined reference to `hash_delete'
      ./.libs/libsss_child.so: undefined reference to `hash_enter'
      ./.libs/libsss_child.so: undefined reference to `hash_error_string'
      ./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
      ./.libs/libsss_child.so: undefined reference to `sss_strerror'
      collect2: error: ld returned 1 exit status

  This patch is a temporary workaround.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_client: Work around glibc bug
  Author: Lukas Slebodnik | Date: 2014-12-08 | Files: 2 | Lines: -0/+23
  glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL.
  The sss nss plugin is present in nsswitch by default on some platforms due to glibc caching and a problem with long-living applications (e.g. GNOME). But sssd needn't be configured and it causes problems in some programs. In this situation, the SSSD nss plugin should behave as if it was functioning but had no data even though sssd is not running. The errors have to be passed from the nss plugin up to the user with minimal modification.
  Thanks to Stephen Gallagher for the initial patch.
  Resolves: https://fedorahosted.org/sssd/ticket/2439
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple-access-provider: break matching allowed users
  Author: Pavel Reichl | Date: 2014-12-08 | Files: 1 | Lines: -1/+3
  Stop matching the username with names in simple_allow_users after a positive match.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* simple access provider: non-existing object
  Author: Pavel Reichl | Date: 2014-12-08 | Files: 1 | Lines: -10/+25
  Resolves: https://fedorahosted.org/sssd/ticket/2519
  A non-existing user/group in simple_allow_users/simple_allow_groups should not imply access denied.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IFP: Return group names with the right case
  Author: Jakub Hrozek | Date: 2014-12-08 | Files: 1 | Lines: -4/+14
  The IFP code wasn't honoring the case settings of the domain.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Do not append domain name to fq name
  Author: Lukas Slebodnik | Date: 2014-12-08 | Files: 1 | Lines: -4/+17
  Usernames from AD subdomains are already in fqdn form; we should not append the domain name in this case.
  Resolves: https://fedorahosted.org/sssd/ticket/2512
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* be_ptask: let backoff affect only period
  Author: Pavel Březina | Date: 2014-12-08 | Files: 3 | Lines: -32/+154
  With this patch the first and enabled delay values are respected.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* krb5: add wrapper for krb5_kt_have_content()
  Author: Sumit Bose | Date: 2014-12-07 | Files: 5 | Lines: -1/+77
  krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
  Resolves https://fedorahosted.org/sssd/ticket/2518
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tests: Free popt_context
  Author: Jakub Hrozek | Date: 2014-12-07 | Files: 1 | Lines: -0/+2
  Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* CI: Suppress memory errors from poptGetNextOpt
  Author: Jakub Hrozek | Date: 2014-12-07 | Files: 1 | Lines: -0/+29
  Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* CI: Update valgrind suppression database for libselinux
  Author: Lukas Slebodnik | Date: 2014-12-05 | Files: 1 | Lines: -0/+13
  The problem is already fixed in fedora >= 21
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Rename test-child to dummy-child
  Author: Jakub Hrozek | Date: 2014-12-04 | Files: 3 | Lines: -5/+5
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Build test_child even without cmocka
  Author: Jakub Hrozek | Date: 2014-12-04 | Files: 1 | Lines: -1/+4
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Relax DEBUG message
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 1 | Lines: -2/+5
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_atomic_write_s() return value is signed
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 8 | Lines: -16/+15
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Remove useless include
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 1 | Lines: -2/+0
  Using a PAM include file in an LDAP child is confusing.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Create the fast ccache in a child process
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 2 | Lines: -28/+100
  Related: https://fedorahosted.org/sssd/ticket/2503
  In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 8 | Lines: -22/+93
  Related: https://fedorahosted.org/sssd/ticket/2503
  Currently all child processes use the same arguments; the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments.
  Also adds a unit test.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Basic child tests
  Author: Jakub Hrozek | Date: 2014-12-03 | Files: 3 | Lines: -0/+258
  The child_common.c module had no unit tests, yet we need to amend it.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: sysdb_get_bool() return ENOENT & unit tests
  Author: Pavel Reichl | Date: 2014-12-02 | Files: 3 | Lines: -6/+71
  sysdb_get_bool() returns ENOENT if no result is found.
  A unit test for sysdb_get_bool() & sysdb_set_bool() was added.
  This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by sysdb_has_enumerated().
  Resolves: https://fedorahosted.org/sssd/ticket/1991
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TOOLS: sss_debuglevel should work with ifp responder
  Author: Lukas Slebodnik | Date: 2014-12-02 | Files: 1 | Lines: -1/+2
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: restrict perms. when installing from source
  Author: Pavel Reichl | Date: 2014-12-02 | Files: 1 | Lines: -0/+6
  Resolves: https://fedorahosted.org/sssd/ticket/2467
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: become user earlier
  Author: Sumit Bose | Date: 2014-12-02 | Files: 2 | Lines: -38/+94
  The host keytab and the FAST credential cache are copied into memory early at startup to allow dropping privileges earlier.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: copy keytab into memory to drop privileges earlier
  Author: Sumit Bose | Date: 2014-12-02 | Files: 2 | Lines: -19/+46
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory()
  Author: Sumit Bose | Date: 2014-12-02 | Files: 4 | Lines: -0/+427
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory()
  Author: Sumit Bose | Date: 2014-12-02 | Files: 4 | Lines: -0/+383
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test: avoid leaks in leak tests
  Author: Sumit Bose | Date: 2014-12-02 | Files: 2 | Lines: -2/+9
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failed
  Author: Sumit Bose | Date: 2014-12-02 | Files: 2 | Lines: -2/+6
  https://fedorahosted.org/sssd/ticket/2510
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: only update view data if it really changed
  Author: Sumit Bose | Date: 2014-12-02 | Files: 1 | Lines: -50/+66
  https://fedorahosted.org/sssd/ticket/2510
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make krb5 provider view aware
  Author: Sumit Bose | Date: 2014-12-02 | Files: 2 | Lines: -6/+25
  https://fedorahosted.org/sssd/ticket/2510
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Set dp_error if gc was not used
  Author: Lukas Slebodnik | Date: 2014-12-02 | Files: 1 | Lines: -0/+4
  The global catalog was not used in ipa server mode and the request failed, then dp_error was not set (default is zero). dp_error should not be OK on a failed request.

      [ipa_get_ad_acct_ad_part_done] (0x0040): AD lookup failed: 11
      [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 11
      [sdap_id_op_destroy] (0x4000): releasing operation connection
      [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
      [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Account info lookup failed

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* tests: be_ptask
  Author: Pavel Březina | Date: 2014-11-28 | Files: 2 | Lines: -0/+880
  Resolves: https://fedorahosted.org/sssd/ticket/1939
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: do not store sync ctx to _task
  Author: Pavel Březina | Date: 2014-11-28 | Files: 1 | Lines: -4/+0
  The _task is an output variable of type struct be_ptask * which is filled by be_ptask_create(). However, we tried to set sync ctx there as a result of a copy and paste error.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: add next_execution time to struct be_ptask
  Author: Pavel Březina | Date: 2014-11-28 | Files: 2 | Lines: -0/+3
  For debugging and testing purposes.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: handle OFFLINE_DISABLE mode before task execution
  Author: Pavel Březina | Date: 2014-11-28 | Files: 1 | Lines: -1/+4
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: create a private header file
  Author: Pavel Březina | Date: 2014-11-28 | Files: 3 | Lines: -23/+49
  This is done so we gain access to the be_ptask structure in unit tests.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix: always check return value of unlink()
  Author: Pavel Reichl | Date: 2014-11-28 | Files: 4 | Lines: -7/+38
  Resolves: https://fedorahosted.org/sssd/ticket/2506
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: Never store case_sensitive as "true" to confdb
  Author: Michal Zidek | Date: 2014-11-28 | Files: 1 | Lines: -4/+6
  If case_sensitive was set to 'true' for the AD backend, we ignore it and continue with the AD default (false). However, we still set confdb to whatever was set in sssd.conf for the responders. We should store to confdb the value that is used by the backend.
  Also fixes some misleading DEBUG messages in that code area.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* confdb: Make confdb_set_string accept const char pointer
  Author: Michal Zidek | Date: 2014-11-28 | Files: 2 | Lines: -2/+2
  The last parameter (value) in confdb_set_string is not modified, so it makes sense to make it const to avoid unnecessary warnings or casts.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>