summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Updating translations for the 1.12.3 releasesssd-1_12_3Jakub Hrozek2015-01-0838-24796/+26484
|
* Add zanata.xml file for integration with Zanata command line clientCarlos A. Munoz2015-01-081-0/+106
| | | | | | | To set up and use the Zanata client, follow: http://zanata.org/help/cli/cli-configuration/ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: typo in 'assert message'Pavel Reichl2015-01-081-2/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* monitor: Service restart fixesStephen Gallagher2015-01-071-20/+74
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are actually two bugs here: 1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned failure (for any reason), we would talloc_free(svc) which removed it from being eligible for restart, resulting in the service never starting again without an SSSD service restart. 2) There is a fairly wide race condition where it's possible for a SIGKILL timer to "catch up" to the child exit handler between us noticing the termination and actually restarting it. The race happens because we re-enter the mainloop and add a restart timeout to avoid a quick failure if we keep restarting due to a transitory issue (the mt_svc object, and therefore the SIGKILL timer, were never freed until we got to the actual service restart). We can minimize this race by recording the timer_event for the SIGKILL timeout in the mt_svc object. This way, if the process exits via SIGTERM, we will immediately remove the timer for the SIGKILL. Additionally, we'll catch the special-case of an ESRCH response from the kill(SIGKILL) and assume that it means that the process has exited. The only other two possible errors are * EINVAL: (an invalid signal was specified) - This should be impossible, obviously. * EPERM: This process doesn't have permission to send signals to this PID. If this happens, it's either an SELinux bug or else the process has terminated and a new process that SSSD doesn't control has taken the ID over. So in the incredibly unlikely case that one of those occurs, we'll just go ahead and try to start a new process. This patch also removes the incorrect talloc_free(svc) calls on the kill() failures and replaces them with an attempt to just start up the service again and hope for the best. Resolves: https://fedorahosted.org/sssd/ticket/2525 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Add test for sysdb_store_overrideSumit Bose2015-01-071-0/+70
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CONFDB: Typo in debug messagePavel Reichl2015-01-051-1/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* libwbclient: initialize some return valuesSumit Bose2014-12-191-0/+36
| | | | | | | | | | Some callers of libwbclient functions expects the return values are initialized even it the functions returns an error. This patch adds some initializations to meet this requirement. Resolves https://fedorahosted.org/sssd/ticket/2537 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2014-12-171-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: do not try to add override gid twiceSumit Bose2014-12-171-1/+7
| | | | | | | | | | By default user and group overrides use the same attribute name for the GID and this cause SSSD machinery to add the same value twice which cause an error in ldb_add() or ldm_modify(). Related to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle groups from different domainsLukas Slebodnik2014-12-171-2/+16
| | | | | | | | | | | When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the used. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: verify group memberships of trusted domain usersSumit Bose2014-12-171-1/+144
| | | | | | | | | | | | Depending on the state of the cache group object a freshly created or updates user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific errorSumit Bose2014-12-171-1/+12
| | | | | | | | | | | KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SYSDB: sysdb_search_object_by_sid returns ENOENTPavel Reichl2014-12-175-89/+38
| | | | | | | | | | | | sysdb_search_object_by_sid returns ENOENT if no results are found. Part od solution for: https://fedorahosted.org/sssd/ticket/1991 Fixes: https://fedorahosted.org/sssd/ticket/2520 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NSS: nss_cmd_getbysid_search return ENOENTPavel Reichl2014-12-171-8/+8
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: sysdb_delete_by_sid() test return valuePavel Reichl2014-12-171-0/+22
| | | | | | | | | | Check that return value of sysdb_delete_by_sid() is not changed as called SYSDB functions have changed the return value. Part of patches for: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: Initialize REALM earlierLukas Slebodnik2014-12-171-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>
* MAN: Clarify ad_gpo_map* optionsDan Lavu2014-12-161-0/+11
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2515
* RESPONDER: Log failures to resolve user names in csv_string_to_uid_arrayJakub Hrozek2014-12-131-0/+3
| | | | | | | | | This patch makes it more discoverable for the admin to find typos in the various user lists. Typically, the user lists are used to add access to some feature and printing a syslog message would make sure the admin sees the mistake. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN: Misspelled username in pam_trusted_users is not fatalJakub Hrozek2014-12-131-5/+0
| | | | | | | | | | | The man page claimed that failing to resolve an user name results in failure to start SSSD, but it's not the case and shouldn't be, because marking a user as trusted only elevates privileges, so it's safe to ignore that failure. https://fedorahosted.org/sssd/ticket/2530 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Missing argument to domains= should fail authJakub Hrozek2014-12-131-0/+6
| | | | | | | | | | When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration and it's safer to fail then. https://fedorahosted.org/sssd/ticket/2516 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Domain names are case-insensitiveJakub Hrozek2014-12-131-2/+2
| | | | | | | | The pam_public_domains option and matching the domain requested by a trusted process was done in a case-sensitive manner which is different from how we match domain names in SSSD normally. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-136-3/+43
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: retain external membersPavel Reichl2014-12-133-0/+193
| | | | | | | | | | | | When processing group membership check sysdb for group members from extern domain and include them in newly processed group membership as extern members are curently found only when initgroups() is called. Resolves: https://fedorahosted.org/sssd/ticket/2492 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
* MONITOR: Disable inlining of function load_configurationLukas Slebodnik2014-12-111-6/+12
| | | | | | | | | | | | | | | | | | | This reverts commit cff89439b21f8573c6896b09cb1a8d5f9de3144c. The previous fix was not sufficient and similar warning appears after different change in function load_configuration. src/monitor/monitor.c: In function ‘main’: src/monitor/monitor.c:2962:24: error: ‘monitor’ may be used uninitialized in this function [-Werror=maybe-uninitialized] monitor->is_daemon = !opt_interactive; ^ cc1: all warnings being treated as errors It's better to disable optimisation of function load_configuration after fail in chown(unlink) instead of checking errno for 0 and overriding it with EINVAL. Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install libsss_crypt after its dependenciesLukas Slebodnik2014-12-111-33/+34
| | | | | | | | | | | | | | A library should not be installed before it's internal dependencies otherwise there is an error in make distcheck. libtool: install: error: relink `libsss_crypt.la' with the above command before installing it It would be sufficient just to change order of libraries in automake variable pkglib_LTLIBRARIES, but it's better to have internal libraries on the one place. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Check FAST kinit errors using get_tgt_times()Jakub Hrozek2014-12-111-13/+15
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: use gettimeofday() instead of time()Pavel Březina2014-12-112-34/+52
| | | | | | | | | | | Sometimes the timestamp from gettimeofday() slightly differs from the one obtained via time() which caused unit test to fail on occasionaly. Resolves: https://fedorahosted.org/sssd/ticket/2521 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Fix dependencies of internal sss librariesLukas Slebodnik2014-12-082-12/+17
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAKE: Fix linking of test_child_commonLukas Slebodnik2014-12-081-1/+7
| | | | | | | | | | | | | | | | | | | | Compilation of test_child_common failed with linker flag --as-needned due to cyclic dependencies between libsss_child.so and libsss_util.so CCLD test_child_common ./.libs/libsss_child.so: undefined reference to `sss_hash_create' ./.libs/libsss_child.so: undefined reference to `hash_lookup' ./.libs/libsss_child.so: undefined reference to `BlockSignals' ./.libs/libsss_child.so: undefined reference to `hash_delete' ./.libs/libsss_child.so: undefined reference to `hash_enter' ./.libs/libsss_child.so: undefined reference to `hash_error_string' ./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s' ./.libs/libsss_child.so: undefined reference to `sss_strerror' collect2: error: ld returned 1 exit status This patch is temporary workaround. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_client: Work around glibc bugLukas Slebodnik2014-12-082-0/+23
| | | | | | | | | | | | | | | | | | glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL. The sss nss plugin is present in nsswitch by default on some platforms due to glibc caching and problem with long living applications (e.g. GNOME). But sssd needn't be configuread and it cause problems in some programs. In this situation, the SSSD nss plugin should behave as if it was functioning but had no data even thought sssd is not running. The errors have to be passed from nss plugin up to the user with minimal moidiffication. Thanks to Stephen Gallagher for initial patch. Resolves: https://fedorahosted.org/sssd/ticket/2439 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple-access-provider: break matching allowed usersPavel Reichl2014-12-081-1/+3
| | | | | | | Stop matching username with names in simple_allow_users after positive match. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* simple access provider: non-existing objectPavel Reichl2014-12-081-10/+25
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IFP: Return group names with the right caseJakub Hrozek2014-12-081-4/+14
| | | | | | The IFP code wasn't honoring the case settings of the domain. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Do not append domain name to fq nameLukas Slebodnik2014-12-081-4/+17
| | | | | | | | | | Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
* be_ptask: let backoff affect only periodPavel Březina2014-12-083-32/+154
| | | | | | With this patch the first and enabled delay values are respected. Reviewed-by: Michal Židek <mzidek@redhat.com>
* krb5: add wrapper for krb5_kt_have_content()Sumit Bose2014-12-075-1/+77
| | | | | | | | | krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tests: Free popt_contextJakub Hrozek2014-12-071-0/+2
| | | | Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* CI: Suppress memory errors from poptGetNextOptJakub Hrozek2014-12-071-0/+29
| | | | Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* CI: Update valgrind suppresion database for libselinuxLukas Slebodnik2014-12-051-0/+13
| | | | | | The problem is already fixed in fedora >= 21 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Rename test-child to dummy-childJakub Hrozek2014-12-043-5/+5
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Build test_child even without cmockaJakub Hrozek2014-12-041-1/+4
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Relax DEBUG messageJakub Hrozek2014-12-031-2/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-038-16/+15
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Remove useless includeJakub Hrozek2014-12-031-2/+0
| | | | | | Using a PAM include file in an LDAP child is confusing. Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Create the fast ccache in a child processJakub Hrozek2014-12-032-28/+100
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-038-22/+93
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Basic child testsJakub Hrozek2014-12-033-0/+258
| | | | | | The child_common.c module had no unit tests, yet we need to amend it. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: sysdb_get_bool() return ENOENT & unit testsPavel Reichl2014-12-023-6/+71
| | | | | | | | | | | | | sysdb_get_bool() return ENOENT if no result is found. Unit test for sysdb_get_bool() & sysdb_set_bool() was added. This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by sysdb_has_enumerated(). Resolves: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TOOLS: sss_debuglevel should worh with ifp responderLukas Slebodnik2014-12-021-1/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: restrict perms. when installing from sourcePavel Reichl2014-12-021-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2467 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-09-28 09:58:23 +0000