Commit log. Each entry lists: commit message, then author | age | files changed | lines removed/added, then the commit body.

* IPA: Reuse ipa_subdomains_retrieve_send for re-setting up a trusted domain oneway
  Jakub Hrozek | 2015-09-23 | 4 files | -69/+218

* IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection
  Jakub Hrozek | 2015-09-23 | 4 files | -22/+346

  Resolves: https://fedorahosted.org/sssd/ticket/2639

  When a subdomain account lookup errors out, try to re-setup the trust object. Only do this if the connection was established after the last re-set of the trust object.

  Internally, the setup function looks at the modifyTimestamp operational attribute of the TDO. If the modifyTimestamp is newer than the last keytab check, then the trust was re-created and we need to fetch the keytab again.

  Marking the back end as online re-sets the TDO check timestamp so that after cycling the sssd, the keytab would always be checked.

* LDAP: Save connection time from LDAP provider
  Jakub Hrozek | 2015-09-23 | 2 files | -0/+3

  Whenever a connection request ends successfully, store the success time to the sdap_id_conn_ctx.

* IPA: Retry fetching keytab if IPA user lookup fails
  Jakub Hrozek | 2015-09-23 | 2 files | -14/+185

  Required for: https://fedorahosted.org/sssd/ticket/2639

  Instead of calling ipa_get_ad_acct_send directly, call a new request ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and either tries to request a new keytab every time the lookup fails but the domain is online. be_mark_dom_offline() is called when the retry fails with the new code.

  The retry tries to re-setup the trusted domain. With two-way setups, the request is a no-op. With one-way trust setups, the request re-fetches a new keytab unconditionally.

* FO: Also reset the server common data in addition to SRV
  Jakub Hrozek | 2015-09-22 | 2 files | -6/+42

  When a server that is expanded from a SRV query was reset, only its 'meta-server' status was set to neutral, but the server->common structure still retained its not_working status. This patch also resets the status of the common structure so that both the SRV query and resolving the server are retried next time.

* FO: Add an API to reset all servers in a single service
  Jakub Hrozek | 2015-09-22 | 4 files | -10/+42

  Required for: https://fedorahosted.org/sssd/ticket/2639

  Previously, we had a function that allowed the caller to reset the status of all services in the global fail over context. This patch adds a new function that allows the caller to reset a single service instead.

  The main user would be the IPA subdomain provider that might need to reset the status of an AD trusted domain on demand.

* IPA: Change ipa_server_trust_add_send request to be reusable from ID code
  Jakub Hrozek | 2015-09-22 | 2 files | -58/+75

  Required for: https://fedorahosted.org/sssd/ticket/2639

  Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts.

  Creating the AD ID context for the trusted domain is now done in the caller of this new request.

* DDNS: execute nsupdate for single update of PTR rec
  Pavel Reichl | 2015-09-22 | 4 files | -72/+219

  nsupdate fails definitely if any of the update requests fails when GSSAPI is used. As a tmp solution nsupdate is executed for each update.

  Resolves: https://fedorahosted.org/sssd/ticket/2783

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* IPA PROVIDER: Resolve nested netgroup membership
  Petr Cech | 2015-09-22 | 1 file | -10/+19

  Information about usergroup membership is stored in the memberOf attribute. And information about hostgroup membership is stored in originalMemberOf. This patch adds appropriate memberOf attributes for searching in.

  Ticket: https://fedorahosted.org/sssd/ticket/2275

  Reviewed-by: Sumit Bose <sbose@redhat.com>

* LDAP: Filter out multiple entries when searching overlapping domains
  Jakub Hrozek | 2015-09-22 | 6 files | -20/+306

  In case domains overlap, we might download multiple objects. To avoid saving them all, we attempt to filter out the objects from foreign domains. We can only do this optimization for non-wildcard lookups.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* LDAP: Move sdap_create_search_base from ldap to sdap code
  Jakub Hrozek | 2015-09-22 | 4 files | -70/+68

  The function shouldn't be placed in the LDAP tree, but in the SDAP tree, to make it usable from tests without linking to libraries that are normally linked from the LDAP provider (such as confdb).

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* tests: Move named_domain from test_utils to common test code
  Jakub Hrozek | 2015-09-22 | 4 files | -34/+26

  This handy function should be reused by other parts of the code.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
  Jakub Hrozek | 2015-09-22 | 2 files | -13/+0

  https://fedorahosted.org/sssd/ticket/2723

  In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases:

    DC=win,DC=trust,DC=test
    DC=child,DC=win,DC=trust,DC=test

  A search for a user from win.trust.test would be based at:

    DC=win,DC=trust,DC=test

  but would match both search bases and return both users.

  Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* BUILD: link dp tests with LDB directly to fix builds on Debian
  Jakub Hrozek | 2015-09-22 | 1 file | -0/+2

  https://fedorahosted.org/sssd/ticket/2799

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sss_override: remove -d from manpage
  Pavel Březina | 2015-09-21 | 1 file | -1/+1

  The short version of --debug is not accepted.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* IPA: Do not allow the AD lookup code to set backend as offline in server mode
  Jakub Hrozek | 2015-09-21 | 1 file | -1/+7

  https://fedorahosted.org/sssd/ticket/2637

  In server mode, we should not allow the AD lookups to set the backend offline. Rather, just let them report an error and deal with the error separately.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* AD: Set ignore_mark_offline=false when resolving AD root domain
  Jakub Hrozek | 2015-09-21 | 1 file | -23/+33

  https://fedorahosted.org/sssd/ticket/2637

  Avoid going offline in cases where SSSD is connected to a child domain but the root domain is not accessible.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* AD: Do not mark the whole back end as offline if subdomain lookup fails
  Jakub Hrozek | 2015-09-21 | 1 file | -14/+67

  Required for: https://fedorahosted.org/sssd/ticket/2637

  Rather, mark the domain as inactive. It will be marked as active later; in the meantime the main domain can continue to work online and subdomain requests will be answered from cache.

  The lookup request itself just returns a special error code and lets the caller handle the error code as appropriate (normally by disabling the subdomain temporarily).

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* KRB5: Offline operation with disabled domain
  Jakub Hrozek | 2015-09-21 | 1 file | -1/+11

  https://fedorahosted.org/sssd/ticket/2637

  If a subdomain is in the disabled state, switch krb5_child operation into offline mode.

  Similarly, instead of marking the whole back end as offline, mark just the domain as offline -- depending on the domain type, this would mark the whole back end or just inactivate the subdomain.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* AD: Only ignore errors from SDAP lookups if there's another connection to fallback to
  Jakub Hrozek | 2015-09-21 | 1 file | -0/+1

  Required for: https://fedorahosted.org/sssd/ticket/2637

  The AD lookup code honors the ignore_mark_offline flag in the sense that if it's set, the sdap return code is not reported to the upper layer, but EOK is returned as request status and the sdap return code is returned separately.

  This patch modifies the behaviour further to only apply if there is another connection to fall back to.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SDAP: Do not set is_offline if ignore_mark_offline is set
  Jakub Hrozek | 2015-09-21 | 1 file | -1/+1

  Required for: https://fedorahosted.org/sssd/ticket/2637

  The caller of the sdap_id_op requests can set the ignore_mark_offline flag to avoid the sdap_id_op from marking the whole back end as offline. However, there was a small bug: the is_offline internal sdap_id_op flag was still being set. As a consequence, the error code from the connection was ignored and EAGAIN was always returned.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout
  Jakub Hrozek | 2015-09-21 | 4 files | -9/+395

  https://fedorahosted.org/sssd/ticket/2637

  Adds a new Data Provider function be_mark_dom_offline() that is a replacement for be_mark_offline(). When called, the function would either set the whole back end offline, just like be_mark_offline, or just set the subdomain status to inactive.

  When a subdomain is inactive, there is a singleton timed task that would re-set the subdomain after offline_timeout seconds.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* UTIL: Convert domain->disabled into tri-state with domain states
  Jakub Hrozek | 2015-09-21 | 12 files | -14/+60

  Required for: https://fedorahosted.org/sssd/ticket/2637

  This is a first step towards making it possible for a domain to be around, but not contacted by the Data Provider.

  Also explicitly create domains as active; previously we only relied on talloc_zero marking dom->disabled as false.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* test_ldap_id_cleanup: Fix coding style issues
  Lukas Slebodnik | 2015-09-18 | 1 file | -9/+9

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* LDAP: Sanitize group dn before using in filter
  Lukas Slebodnik | 2015-09-18 | 2 files | -2/+17

  Each string should be sanitized (rfc4515) before using ldbsearch. A group dn was not sanitized in the function cleanup_groups.

  Resolves: https://fedorahosted.org/sssd/ticket/2744

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* Partially revert "LDAP: sanitize group name when used in filter"
  Lukas Slebodnik | 2015-09-18 | 2 files | -84/+5

  This reverts commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
  + temporarily disable unit test

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* Revert "LDAP: end on ENOMEM"
  Lukas Slebodnik | 2015-09-18 | 1 file | -1/+0

  This reverts commit f31a57321fc0a2390bb0d6030053c49787e5e587. It blocked reverting commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* test_ad_common: Use unique directory for keytabs
  Lukas Slebodnik | 2015-09-18 | 1 file | -2/+15

  This patch also improves cleanup. The function test_ad_create_2way_trust_options created a keytab which was used by the following tests test_ldap_conn_list and test_conn_list. The keytab was not removed at the end of all tests.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* test_copy_keytab: Create keytabs in unique directory
  Lukas Slebodnik | 2015-09-18 | 1 file | -2/+9

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* test_ipa_subdomains_server: Use unique directory for keytabs
  Lukas Slebodnik | 2015-09-18 | 2 files | -4/+5

  Resolves: https://fedorahosted.org/sssd/ticket/2694

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* tests: Move test_dom_suite_setup to different module
  Lukas Slebodnik | 2015-09-18 | 2 files | -13/+12

  The function test_dom_suite_setup is a simple function which creates a directory which should be used for creating files. This function needn't be linked with libsss_util.so like other functions in common_dom.c. This is the reason why it's better to move it to the file common.c, so the linker can optimize out other unnecessary module objects from the static library libsss_test_common.a and the test needn't be linked with libsss_util.so.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* tests: Use unique name for TEST_PATH
  Lukas Slebodnik | 2015-09-18 | 20 files | -20/+22

  We had cases in a patch where two tests were using the same TEST_PATH and therefore they were stepping on each other with the same files, which caused failures. These failures are not easy to reproduce.

  This patch uses the macro BASE_FILE_STEM for a unique name. It should prevent copy&paste problems resulting in intermittent failures.

  @see also https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AUTOMAKE: Disable portability warnings
  Lukas Slebodnik | 2015-09-18 | 1 file | -1/+1

  We already require GNU make extensions to build manual pages.

    src/man/Makefile.am:46: warning: wildcard $(srcdir: non-POSIX variable name
    src/man/Makefile.am:46: (probably a GNU make extension)
    src/man/Makefile.am:125: warning: wildcard $(srcdir: non-POSIX variable name
    src/man/Makefile.am:125: (probably a GNU make extension)
    src/man/Makefile.am:128: warning: addprefix $(srcdir: non-POSIX variable name
    src/man/Makefile.am:128: (probably a GNU make extension)
    src/man/Makefile.am:128: warning: shell grep '\[type:docbook\]' $(PO4A_CONFIG: non-POSIX variable name
    src/man/Makefile.am:128: (probably a GNU make extension)
    src/man/Makefile.am:129: warning: filter-out $(CFG_PAGES: non-POSIX variable name
    src/man/Makefile.am:129: (probably a GNU make extension)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* views: allow ghost members for LOCAL view
  Pavel Březina | 2015-09-18 | 2 files | -17/+22

  The LOCAL view does not allow the case when both a ghost member and a user override are created, so it is safe to allow ghost members for this view.

  Resolves: https://fedorahosted.org/sssd/ticket/2790

  Reviewed-by: Sumit Bose <sbose@redhat.com>

* views: fix two typos in debug messages
  Pavel Březina | 2015-09-18 | 1 file | -2/+2

  Reviewed-by: Sumit Bose <sbose@redhat.com>

* views: do not require overrideDN in groups when LOCAL view is set
  Pavel Březina | 2015-09-18 | 1 file | -0/+6

  Resolves: https://fedorahosted.org/sssd/ticket/2790

  Reviewed-by: Sumit Bose <sbose@redhat.com>

* KRB5: Don't error out reading a minimal krb5.conf
  Jakub Hrozek | 2015-09-16 | 1 file | -1/+4

  With some setups, krb5.conf can be really minimal. In those cases, we should ignore PROF_NO_RELATION and PROF_NO_SECTION and just return "false" as in "no proxy" without a loud debug message.

  Reviewed-by: Petr Cech <pcech@redhat.com>

* sss_override: support fqn in override name
  Pavel Březina | 2015-09-16 | 1 file | -18/+93

  Resolves: https://fedorahosted.org/sssd/ticket/2782

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* DATA_PROVIDER: BE_REQ as string in log message
  Petr Cech | 2015-09-14 | 6 files | -20/+118

  Add be_req2str() for translating BE_REQ to a string. So we will have

    || Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]

  instead of

    || Got request for [0x1001][1][name=celestian]

  The function be_req2str() is used in the data provider and in the responder too. So this patch creates a new header file data_provider_req.h which delivers the function be_req2str() and the definitions of BE_REQ_*.

  Resolves: https://fedorahosted.org/sssd/ticket/2708

  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* dyndns-tests: Simulate job in wrapped execv
  Lukas Slebodnik | 2015-09-14 | 1 file | -0/+1

  The function be_nsupdate_send forks a child for execution of the utility nsupdate. The child process builds nsupdate args in the function be_nsupdate_args and then executes the utility. Meanwhile the parent process registers handlers for the child and a timeout for canceling a long-lasting child.

    nsupdate_child_send -> child_handler_setup

  You can see in the following log file that the wrapped version of the execv function might be very fast and therefore the parent can register handlers after the child has finished. This is the reason why there is a child timeout.

    (10:18:48:556001 2015) [sssd] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
    (10:18:48:556126 2015) [sssd] [__wrap_execv] (0x0200): nsupdate success test case
    (10:18:48:556200 2015) [sssd] [__wrap_execv] (0x1000): Child exiting with status 0
    (10:18:48:557218 2015) [sssd] [child_handler_setup] (0x2000): Setting up signal handler up for pid [3957]
    (10:18:48:560987 2015) [sssd] [child_handler_setup] (0x2000): Signal handler set up for pid [3957]
    (10:18:50:608520 2015) [sssd] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
    (10:18:50:681525 2015) [sssd] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158233]: Dynamic DNS update timed out
    (10:18:50:687031 2015) [sssd] [dyndns_test_ok] (0x1000): Child request returned [1432158233]: Unknown error 1432158233

  The patch simulates work in the wrapped function with a small delay. It should be enough time for the parent process to register a child.

  Based on patch from Jurica Stanojkovic <jurica.stanojkovic@rt-rk.com>
  Thank you.

  Resolves: https://fedorahosted.org/sssd/ticket/2283

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* utils: make sss_krb5_get_primary() private
  Sumit Bose | 2015-09-14 | 2 files | -6/+1

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* GPO: use SDAP_SASL_AUTHID as samAccountName
  Sumit Bose | 2015-09-14 | 1 file | -3/+4

  The samAccountName for AD hosts is the host's NetBIOS name with a trailing $. Since there is a size limit on NetBIOS names, long DNS names must be truncated to find a matching entry in the AD LDAP tree.

  The NetBIOS name is already needed during kinit/SASL bind where the SDAP_SASL_AUTHID config option is used. Since the GPO lookup code is only reached after the SASL bind was successful, we can safely assume that the name is correct and use it for the GPO lookup.

  Resolves https://fedorahosted.org/sssd/ticket/2692

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* CI: Set env variable for all tabs in screen
  Lukas Slebodnik | 2015-09-14 | 2 files | -6/+37

  Previously, only one tab had all environment variables configured and the current working directory was set to the source directory. It's better to open a shell in the "chroot" directory for troubleshooting purposes.

  This patch also opens pre-defined tabs with useful directories: the sssd cache, the sssd log files and the "chroot" directory.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SDAP: Remove unused function
  Jakub Hrozek | 2015-09-11 | 3 files | -9/+2

  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* GPO: fix memory leak
  Pavel Reichl | 2015-09-07 | 1 file | -3/+3

  Resolves: https://fedorahosted.org/sssd/ticket/2777

  Reviewed-by: Michal Židek <mzidek@redhat.com>

* BUILD: Simplify build of simple_access_tests
  Lukas Slebodnik | 2015-09-05 | 1 file | -19/+5

  Link the test with existing libraries instead of building all necessary source files one more time. It's not portable to link with libsss_simple.so because it is a dynamic module and not a dynamic library.

    *** Warning: Linking the executable simple_access-tests against the loadable module
    *** libsss_simple.so is not portable!

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* BUILD: Speed up build of some tests
  Lukas Slebodnik | 2015-09-05 | 1 file | -75/+23

  Some tests were built with files required for the backend, $(sssd_be_SOURCES). This automake variable contains 15 files which were built every time for each test.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* BUILD: Build libdlopen_test_providers.la as a dynamic library
  Lukas Slebodnik | 2015-09-05 | 1 file | -1/+1

  A module can be loaded by dlopen but cannot be linked with other binaries.

    *** Warning: Linking the executable test_xyzp against the loadable module
    *** libdlopen_test_providers.so is not portable!

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* intg: Fix some PEP 8 violations
  Michal Židek | 2015-09-03 | 7 files | -0/+76

  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* CI: Add regression test for #2676
  Michal Židek | 2015-09-03 | 1 file | -0/+61

  Ticket: https://fedorahosted.org/sssd/ticket/2676

  Regression test for the above ticket.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>