| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 1426ee8756a1df4ec0651417dce92e1dcc8a246d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4619742836ec22edf8f9d274d928bc896c5b0883)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 871f340834f25ca92a481718939164e708a70e29)
|
|
|
|
|
|
|
|
| |
We should make sure the client re-checks the SRV query each request if
the SRV query is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9797aa5907191cef5db8279e20ec75fd0abbe980)
|
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cecee447d41c3ca22e94880a7d0cbd910f230fe5)
|
|
|
|
|
|
|
| |
All tests now use the cmocka-1.0-compatible API.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Also fix debug message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ef9ca5848ea08aafa0827f5d2922d49130ba324d)
|
|
|
|
|
|
|
|
|
|
|
|
| |
In general every object created by the AD provider should have a SID
attribute. Since SIDs and GPOs are used for access control a missing SID
should be treated as error for now until it is known if there is a valid
reason why the SID is missing.
Resolves https://fedorahosted.org/sssd/ticket/2608
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4cfab2330323834574c179f774a0c6b1fff4936e)
|
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 131da4d9f40e0e407d7bcae18ff16507976bc6c7)
(cherry picked from commit e8f5e135b4d389a1ae224da174c15dfe66b30810)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit abb093b4ae10f2a5748bf9f194bf76794002eba0)
(cherry picked from commit ee3cd052a2aca57040a9b435def5442922f8af76)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
(cherry picked from commit b8d9eca0d9469c1209161b31a0109d8e4ea2868c)
|
|
|
|
|
|
|
|
|
|
|
| |
SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.
Related to:
https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
|
|
|
|
|
|
|
|
|
|
|
| |
When working with older FreeIPA releases the view name might not always
been set. This patch add checks to might sure it is only dereferenced
when set.
Resolves https://fedorahosted.org/sssd/ticket/2604
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8be0cf3eea892e13410c13abb030322599ca1b4f)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done':
src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized]
state->sci = sci;
^
src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here
struct selinux_child_input *sci;
^
cc1: all warnings being treated as errors
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7ee9ac32485483beece872d6fcb3096fa77a004b)
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2444
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3e9712c2fdbba8f9cd25886943331e76e0b2cedd)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 10da5ea89b2b963e5e0bb0e0113d118e3bdea892)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.
The logon_name member of the pam_data struct contains the name which was
send by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
|
|
|
|
|
|
| |
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Users often wrongly use SSSD expansions in libkrb5 expansion template
for principals. State explicitly it won't work.
Resolves:
https://fedorahosted.org/sssd/ticket/2528
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 33b8bf140b1d82d2626eeeaaea29af49dcdb3c99)
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2598
We need to return an empty result in cases an initgroups lookup by UPN
doesn't return anything. Please note testing with "id user" is not
sufficient as id calls a getpwnam first.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
In ldap_child_get_tgt_sync() variable 'ret' got overriden in done
section without ever before being read.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6ccda8691123bb27f5f2a88a0c80174af3e0fd0a)
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 04d138472cc086fb7961f0d378852b09961b1a33)
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 61c8d13e55ebafc28da1b0b5ad9ae578d687e288)
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e77d6366ff9e49dbbb607f1709f1ae4190b99489)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 17531a398cc9084036cb08d69fe876a8f12707bb)
|
|
|
|
|
|
|
|
| |
This is a preparation to support other object types without
introducing duplicated code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ab0eda3622b828df2bfb7850c96d1395f614eb13)
|
|
|
|
|
|
|
|
|
|
|
|
| |
be_req was used only as a talloc context for subreq. This memory context
was replace by state of the parent request which is more suitable for
tevent coding style.
This change will allow us to use this function in be_refresh where
none be_req is available.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a849d848d53f305a90613a74c1767a42b250deda)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b0d3164ca2bd842e176268c26935c5ce54f7f76e)
|
|
|
|
|
|
|
|
|
|
| |
It would be better to return explicit error code, although access is
still denied and error message printed.
Relates:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
ccname_file_dummy is used in the done-block which is called before
ccname_file_dummy is set to a value. This patch initializes
ccname_file_dummy to NULL.
Related to https://fedorahosted.org/sssd/ticket/2592
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cc0f9a541c5ecdad750a86b2de9baa1f07403e9e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2587
The case of SELinux default user mapping being an empty string is valid,
it should translate into "pick the default context on the target
machine".
In case the context is empty, we need to delete the per-user mapping from
the SELinux database to make sure the default is used.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
(cherry picked from commit 90efb3c2a48146d7b6cc81fe8422e9024144402a)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2592
If there is an error after ccname_file_dummy is created but before it is
renamed then the file isn't removed. This can cause a lot of files to be
created and take up inodes in a filesystem.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 2b20ff2e33ad3993a9cad910c4b4b828513613df)
(cherry picked from commit 0b5036e4c652e6983a3352c045c8701d6573587b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3)
(cherry picked from commit d3f82e944dc5dab3812700a245deec4aa3245b21)
|
|
|
|
|
|
|
|
|
|
|
| |
Move part of pwexpire policy code to a separate function.
Relates to:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464)
(cherry picked from commit 8b353dd2b90b7ab222acdea726ab7e8681752237)
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1884
Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 8df69bbc58c2f4d3f0b34be9756d9ddf24b1db6d)
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we changed the resolver code to use the TTL values from the DNS
queries instead of harcoded ones, we changed the default value by
accident.
Add a separate SRV TTL that is backwards-compatible with the old
harcoded value.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit eafbc66c2ff6365478e62a8df3fd005bf80e5c7b)
|
|
|
|
|
|
|
| |
Coverity found this neglect.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c5290f2175845f2c5e3f35ce279b6f52b1d51275)
|
|
|
|
|
|
|
|
|
|
|
| |
if pam_verbose is above one then output warning about account
expiration for all services.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit f3c2dc1f9ccdf456fd78ed96197b9bf404cc29fc)
|
|
|
|
|
|
|
|
|
|
|
| |
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8)
|
|
|
|
|
|
|
|
|
|
| |
If account has expired then pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a61d6d01a4e89ec14175af135e84f1cac55af748)
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2203
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The cleanup task handled both count=0 and ret=ENOENT separately which
makes no sense, the count=0 handler was dead code previously. Set
count=0 on ENOENT instead to just bubble through the DEBUG message
gracefully as well.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
Some failures would shortcut to the done handler without telling us
anything about why it failed. This commit decorates the cleanup task
with more DEBUG statements.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Macro AC_PROG_MKDIR_P need to be used just conditionally
This patch also fixes fallback of macro MKDIR_P
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|