| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
struct sbus_request represents a request from a dbus client
being handled by a dbus server implementation. The struct
contains the message, connection and method (and in the
future teh property) which is being requested.
In the future it will contain caller information as well.
sbus_request is a talloc memory context, and is a good place to
attach any allocations and memory specific to the request.
Each handler accepts an sbus_request. If a handler returns
EOK, it is assumed that the handler will finish the request.
Any of the sbus_request_*finish() methods can be used to
complete the request and send back a reply.
sbus_request_return_and_finish() uses the same argument
varargs syntax as dbus_message_append_args(), which isn't
a great syntax. Document it a bit, but don't try to redesign:
The marshalling work (will follow this patch set) will remove
the need to use varargs for most DBus implementation code.
This patch migrates the monitor and data provider dbus code
to use sbus_request, but does not try to rework the talloc
context's to use it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix some incorrect types passed to dbus_message_get_args(),
dbus_message_append_args() or functions accepting similar
varargs and types.
In particular sizeof(bool) != sizeof(dbus_bool_t) on most
platforms. This probably only worked because the compiler
was aligning stack variables and so writing off the end of
one of them wasn't the end of the world.
In addition fix cases where int != int32_t != uint32_t.
Although these will work on many common platforms, assuming
these are interchangeable is not cross platform safe.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Some options are relevant to multiple sections of sssd.conf. This patch adds
new sections for those.
Resolves:
https://fedorahosted.org/sssd/ticket/2218
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2282
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by: scan-build
krb5_free_principal(cc->context, ccprinc);
^~
warning: Access to field 'context' results in a dereference of a null pointer
(loaded from variable 'cc')
Variable 'cc' needn't be initialised if function sss_open_ccache_as_user
fails.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Macro HBAC_TEST_SRCHOSTGROUP2 was defined but it was not used anywhere.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Directory tests_ncache was not removed after negcache test,
because sysdb cache had different name and was not removed in the function
test_dom_suite_cleanup.
[sssd] [test_dom_suite_cleanup] (0x0020):
Could not delete the test dir (39) (Directory not empty)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Name of sysdb file is automatically generated from domain name and db_path
in function sysdb_domain_init.
talloc_asprintf is called with arguments "%s/cache_%s.ldb", db_path, dom->name
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by scan-build
for (mi = 0; group_only[mi]; mi++) {
^~~~~~~~~~
warning: Array access (from variable 'group_only') results in a null pointer
dereference
It can happend if function ad_group_extra_members fails (ret != EOK)
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2279
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
We blindly used the user's domain for everything. That wrong in case the
user comes from a subdomain. We should use the IPA domain for accessing
the SELinux rules and host data and the user domain only for the user.
https://fedorahosted.org/sssd/ticket/2270
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It should be noted that disabling GC does *not* disable lookups from
trusted domains. Disabling GC might be a a good way for admins who wish
to use POSIX attributes in trusted domains and the man page should hint
this option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
dp_opt_tests cannot be linked properly if link_all_deplibs is disabled (debian)
/usr/bin/ld: src/tests/cmocka/dp_opt_tests-test_dp_opts.o:
undefined reference to symbol 'poptFreeContext@@LIBPOPT_0'
/usr/bin/ld: note: 'poptFreeContext@@LIBPOPT_0' is defined in DSO
/lib64/libpopt.so.0 so try adding it to the linker command line
/lib64/libpopt.so.0: could not read symbols: Invalid operation
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch, a different set of options was used when calling
krb5_get_init_creds_password() for the changepw principal. Because
this set of options did not contain the same FAST settings as the
options for normal requests, all authentication would fail when the
password of a FAST-only account would expire.
The two sets approach was cargo-cult from kinit where multiple
requests could be issued using the same options set. However, in the
case of krb5_child, only one request (or occasionally a well-defined
second request) will be issued. Two option sets are therefore not
required.
To fix this problem we removed the second option set used for changepw
requests. All requests now use a single option set which is modified,
if needed, for well-defined subsequent requests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Warnings reported by Coverity (12463,12464)
Dereferencing a pointer that might be null pi->pam_authtok when calling strlen.
Dereferencing a pointer that might be null action when calling strncmp.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nss-srv-tests and test-negcache wrote temporary files to the same subdirectory
'tests_nss'. There could be a race condition when tests ran in parallel.
The first test could remove directory which the second one wanted to use.
[ldb] (0x0020): Unable to open tdb 'tests_nss/test_nss_conf.ldb'
[ldb] (0x0020): Failed to connect to 'tests_nss/test_nss_conf.ldb'
with backend 'tdb': Unable to open tdb 'tests_nss/test_nss_conf.ldb'
[confdb_init] (0x0010): Unable to open config database
[tests_nss/test_nss_conf.ldb]
[create_dom_test_ctx] (0x0020): confdb_init failed: 5
Reviewed-by: Michal Žídek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2264
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
In older IPA server versions where the AD users where looked up by
winbind the user name component of the home directory path was always
lower case. This still holds for IPA clients as well. To avoid
regression this patch makes the user name component lower case as well.
Fixes https://fedorahosted.org/sssd/ticket/2263
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of appending the search patch in the source directory should be
prepended. Otherwise the test might find files installed in the default
paths of the system first.
As a result the compiled python files in the build directory must be
remove in the clean target to make 'make distcheck' pass.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the config API read any file in the schema plugin dir,
typically /usr/share/sssd/sssd.api.d. If there are any unexpected files,
like e.g. editor copies or backups, the python code might break because
it cannot parse the files.
With this patch only files matching the pattern '^sssd-.*\.conf$' are
read from this directory.
Additionally this patch contains a file which will break the config API
self test if it is not filtered out correctly.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Reported by: cppcheck
'struct py_sss_transaction', 'struct resolve_get_domain_stat',
'struct sync_op_res' were defined in implementation modules, but they were not
used anywhere.
Reviewed-by: Michal Žídek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Reported by: cppcheck
"%d" in format string (no. 1) requires 'int' but the argument type is
'unsigned int'
Reviewed-by: Michal Žídek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by:cppcheck
Defensive programming: The variable 'i' is used as an array index
before it is checked that is within limits. This can mean that the array might
be accessed out of bounds.
This patch eorder condition such as '(a[i] && i <blen) to
(i < blen && a[i]). That way the array will not be accessed if the index
is out of limits.
Reviewed-by: Michal Žídek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by: cppcheck
Finding the same expression on both sides of an operator || is suspicious and
might indicate a cut and paste or logic error.
Resolves:
https://fedorahosted.org/sssd/ticket/2258
Reviewed-by: Michal Žídek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2252
Currently SSSD chokes when IDs of users change, we don't support ID
changes yet. Because some users were confused about the failures, this
patch adds additional clarification.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making aministrators think
that the ldap_access_filter can resolve nested group memberships.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2257
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2253
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Original patches submitted by: mpesari(Thanks!!)
It can cause problems if user will hit spaces before entering username.
(e.g in gdm). Spaces are ignored by LDAP; it's better to escape them.
Resolves:
https://fedorahosted.org/sssd/ticket/1955
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init
If you enable enumeration and use different providers for id and sudo(autofs)
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group)
Perodic tasks will be started only by id_provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2153
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to remove duplicated information, and have the
compiler check that when an method name is changed or removed
the callers are updated.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is not strictly necessary, but avoids duplicating data
in mulitple places, and makes the interface definitions
benefit dbus callers (a little).
After applying this commit you may need to 'make clean' as
the codegen has changed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous commits added support for interface metadata and
handler vtables. This commit ports sbus_dbus_connection to
use them.
Port the internal uses of dbus to use the new scheme in a
very minimal way. Further cleanup is possible here.
This commit provides basic definitions of the internal
dbus interfaces. The interfaces aren't fully defined, as the
handlers will continue to unpack manually, and often overload
DBus methods with different arguments (which is rather
unorthodox, but not the end of the world).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an incorrect use of DBus, where we use a single interface
name with completely different sets of methods.
Easily fixed.
Once the vtable stuff is in use then this would be automatically
detected and fail to build.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each interface is a vtable structure derived from
sbus_vtable, in the sense that it has an sbus_vtable
struct as its first argument. This lets us upcast the
interface vtable structure to an sbus_vtable and dispatch
to it dynamically and cleanly.
The interface metadata contains information about which
vtable offset in the interface metadata should be dispatched
to for a given function. This is a common scheme, not only
among dbus implementations, but also compiled languages.
Currently all the vtable functions are of type
sbus_msg_handler_fn. These are the handlers we are familiar
with and perform raw processing of the message. Later commits
will introduce type safe handlers that levelage compile checking
and automatic argument packing/unpacking.
Although this may seem contrived now, the remainder of the
dbus infrastructure work will build on this, including
ofd.Properties, ofd.ObjectManager, ofd.Introspect, compiler
checked type safe unpacking/packing, etc.
The codegen now generates vtable structures for each interface
along-side the metadata, and fills in vtable offsets
appropriately.
It is obviously still possible to hand-craft such vtables and
metadata if needed for a special case.
Once again examples output can be found at:
src/tests/sbus_codegen_tests_generated.h
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These metadata structures hold the information about all the
details of a DBus interface. They are typically generated from
the canonical XML form of the DBus interface, although they
may also be hand crafted.
Add some handy functions for looking up methods, props, signals,
in the metadata of an interface. Currently lookups are just done
by looking through an array. If performance becomes an issue (ie:
very large interfaces) it would be really easy to sort things
and use bsearch().
Later commits will include some definitions using this metadata
and related functions.
DBus interfaces are defined here:
http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format
The introspection data format has become the standard way to represent a
DBus interface. For many examples see /usr/share/dbus-1/interfaces/ on a
typical linux machine.
A word about annotations. These are extra flags or values that can be
assigned to anything. So far, the codegen supports this annotation:
org.freedesktop.DBus.GLib.CSymbol
- An annotation specified in the specification that tells us what C symbol
to generate for a given interface or method. By default the codegen will
build up a symbol name from the DBus name.
It is possible to confuse the code generator into producing invalid
C code (with strange method names, for example), but the C compiler
catches such silliness right away.
Add tests testing basic features of the codegen and poking through
the metadata it creates. Also test the metadata lookup functions.
Generated code is checked in for easy discovery.
An example of the XML interface definitions can be found at:
src/tests/sbus_codegen_tests.xml
And an example of the generated header can be found here:
src/tests/sbus_codegen_tests_generated.h
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
The variable ap_fallback is used only if sssd is build with journald, but
this variable was declared outside of "#ifdef WITH_JOURNALD"
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|