| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
| |
To set up and use the Zanata client, follow:
http://zanata.org/help/cli/cli-configuration/
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are actually two bugs here:
1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned
failure (for any reason), we would talloc_free(svc) which removed it
from being eligible for restart, resulting in the service never
starting again without an SSSD service restart.
2) There is a fairly wide race condition where it's possible for a
SIGKILL timer to "catch up" to the child exit handler between us
noticing the termination and actually restarting it. The race
happens because we re-enter the mainloop and add a restart
timeout to avoid a quick failure if we keep restarting due to a
transitory issue (the mt_svc object, and therefore the SIGKILL
timer, were never freed until we got to the actual service
restart).
We can minimize this race by recording the timer_event for the
SIGKILL timeout in the mt_svc object. This way, if the process
exits via SIGTERM, we will immediately remove the timer for the
SIGKILL. Additionally, we'll catch the special-case of an ESRCH
response from the kill(SIGKILL) and assume that it means that the
process has exited. The only other two possible errors are
* EINVAL: (an invalid signal was specified) - This should be
impossible, obviously.
* EPERM: This process doesn't have permission to send signals to
this PID. If this happens, it's either an SELinux bug or
else the process has terminated and a new process that
SSSD doesn't control has taken the ID over.
So in the incredibly unlikely case that one of those occurs, we'll
just go ahead and try to start a new process.
This patch also removes the incorrect talloc_free(svc) calls on the
kill() failures and replaces them with an attempt to just start up
the service again and hope for the best.
Resolves:
https://fedorahosted.org/sssd/ticket/2525
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Some callers of libwbclient functions expects the return values are
initialized even it the functions returns an error. This patch adds some
initializations to meet this requirement.
Resolves https://fedorahosted.org/sssd/ticket/2537
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
By default user and group overrides use the same attribute name for the
GID and this cause SSSD machinery to add the same value twice which
cause an error in ldb_add() or ldm_modify().
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_search_object_by_sid returns ENOENT if no results are found.
Part od solution for:
https://fedorahosted.org/sssd/ticket/1991
Fixes:
https://fedorahosted.org/sssd/ticket/2520
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Check that return value of sysdb_delete_by_sid() is not changed as
called SYSDB functions have changed the return value.
Part of patches for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Environment variable SSSD_KRB5_REALM was used to late for initialisation
realm. and therefore default value NULL was used.
The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking
fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore wrong principal was used when the option krb5_fast_principal is
empty.
[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!
As a result of this user was not able to authenticate.
Resolves:
https://fedorahosted.org/sssd/ticket/2526
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2515
|
|
|
|
|
|
|
|
|
| |
This patch makes it more discoverable for the admin to find typos in the
various user lists. Typically, the user lists are used to add access to
some feature and printing a syslog message would make sure the admin
sees the mistake.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The man page claimed that failing to resolve an user name results in
failure to start SSSD, but it's not the case and shouldn't be, because
marking a user as trusted only elevates privileges, so it's safe to
ignore that failure.
https://fedorahosted.org/sssd/ticket/2530
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
The pam_public_domains option and matching the domain requested by a
trusted process was done in a case-sensitive manner which is different
from how we match domain names in SSSD normally.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only used each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing group membership check sysdb for group members from
extern domain and include them in newly processed group membership as
extern members are curently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit cff89439b21f8573c6896b09cb1a8d5f9de3144c.
The previous fix was not sufficient and similar warning appears after different
change in function load_configuration.
src/monitor/monitor.c: In function ‘main’:
src/monitor/monitor.c:2962:24: error: ‘monitor’ may be used uninitialized
in this function [-Werror=maybe-uninitialized]
monitor->is_daemon = !opt_interactive;
^
cc1: all warnings being treated as errors
It's better to disable optimisation of function load_configuration after fail
in chown(unlink) instead of checking errno for 0 and overriding it with EINVAL.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A library should not be installed before it's internal dependencies
otherwise there is an error in make distcheck.
libtool: install: error: relink `libsss_crypt.la' with the above command before
installing it
It would be sufficient just to change order of libraries in
automake variable pkglib_LTLIBRARIES, but it's better to have
internal libraries on the one place.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Sometimes the timestamp from gettimeofday() slightly differs
from the one obtained via time() which caused unit test to fail on
occasionaly.
Resolves:
https://fedorahosted.org/sssd/ticket/2521
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Compilation of test_child_common failed with linker flag --as-needned
due to cyclic dependencies between libsss_child.so and libsss_util.so
CCLD test_child_common
./.libs/libsss_child.so: undefined reference to `sss_hash_create'
./.libs/libsss_child.so: undefined reference to `hash_lookup'
./.libs/libsss_child.so: undefined reference to `BlockSignals'
./.libs/libsss_child.so: undefined reference to `hash_delete'
./.libs/libsss_child.so: undefined reference to `hash_enter'
./.libs/libsss_child.so: undefined reference to `hash_error_string'
./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
./.libs/libsss_child.so: undefined reference to `sss_strerror'
collect2: error: ld returned 1 exit status
This patch is temporary workaround.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL.
The sss nss plugin is present in nsswitch by default on some platforms
due to glibc caching and problem with long living applications (e.g. GNOME).
But sssd needn't be configuread and it cause problems in some programs.
In this situation, the SSSD nss plugin should behave as if it was functioning
but had no data even thought sssd is not running. The errors have to be passed
from nss plugin up to the user with minimal moidiffication.
Thanks to Stephen Gallagher for initial patch.
Resolves:
https://fedorahosted.org/sssd/ticket/2439
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Stop matching username with names in simple_allow_users after positive
match.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
The IFP code wasn't honoring the case settings of the domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Usernames from AD subdomains are already in fqdn we should not append
domain name in this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2512
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
With this patch the first and enabled delay values are respected.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older
platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
Resolves https://fedorahosted.org/sssd/ticket/2518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
| |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
|
|
| |
The problem is already fixed in fedora >= 21
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Using a PAM include file in an LDAP child is confusing.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
In order to avoid calling Kerberos library calls as root, the krb5_child
forks itself and recreates the FAST ccache as the SSSD user.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
Currently all child processes use the same arguments, the construction
of argv[] is even hardcoded in exec_child(). Add an extra_args[] array
that extends the common set of argvs so that we can have child-specific
arguments. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
The child_common.c module had no unit tests, yet we need to amend it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_get_bool() return ENOENT if no result is found.
Unit test for sysdb_get_bool() & sysdb_set_bool() was added.
This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by
sysdb_has_enumerated().
Resolves:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2467
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|