| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2613
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_get_real_name overrode reurned code LDAP
and thus user was not removed from cache after removing it from LDAP.
This patch also do not try to set initgroups flag if user
does not exist. It reduce some error message.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
(cherry picked from commit 602eb710c62c192060debad3062f13677ec3b105)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
(cherry picked from commit 27d8524cf635d61d93c71539709a30e1205dcaf1)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 12089241f6a6eabf4f0c95669e5fc2bb3b503c06)
(cherry picked from commit 155e6c7223b732bfcb2984aa79462f60c092bba8)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2644
Adds a utility function that checks if a DP option is present in
the subdomain_inherit list. If it is, then the option is set from source
to destination dp_option array.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit b3d110fbc424a03674a6e50e489a7cbab9702f0b)
(cherry picked from commit 37a84884634e6e969c3617dac7fa1e463f42177b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
(cherry picked from commit da2d33f81746a9bf8abd97becaf17005e4f89d2c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 40bc389bc79bc41429b5a92d5ce75955f8eefaf5)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some providers, notably IPA, rely on extra_value to be either a useful
value or NULL. In enumeration, however, extra_value was random. Set
the extra_value pointer explicitly to NULL to make it clear that it's
not used for enumeration and also use talloc_zero as future-proof.
Resolves:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d9296ba018228ac6a19f710b8bb9044c4ea9ab5b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)
|
|
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5c2f80ef0b6ace6b331bcf99e5e5c7d73cfb92c6)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit dca741129d221558a4325479aefc617240f1ab08)
(cherry picked from commit cd4e7846b8b1695956977e19a478198595946c4c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d0cc678d20d8bde829450eb50bec1b7397cea3e1)
(cherry picked from commit 9ae6567a573c05ba59d1138cfda94b44732019e8)
|
|
|
|
|
|
|
|
|
|
| |
When SYSDB_INITGR_EXPIRE had default value (0) then value of
SYSDB_CACHE_EXPIRE was used as initgroups expire attribute.
The right apoach is already used in responder_cache_req.c
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit fd60528321fd52720222ec35b895ade54cccb48d)
(cherry picked from commit 521eb7ca65040c009bc4885ba8d6c8ad257bc0f1)
|
|
|
|
|
|
|
|
|
| |
The size of time_t can be 8 bytes on some platforms.
It is because of year 2038 problem.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 390de028b3130ae564059101c662fe74e0e85a45)
(cherry picked from commit 21431d90b19068e86b2b8550667cb80c6475e27b)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit aa648535f445e7a95bf6dedc7c43bb5f94ab7354)
(cherry picked from commit c3d7e06590b0755902c544897fab0951aba923e5)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 84a4c4fcc93b3dcc70604817a05f7943606ff596)
(cherry picked from commit 17f2f1caa26b1bdb213e166bcd77d2f237965d56)
|
|
|
|
|
|
|
|
|
|
| |
In order to detect faulty cases where negcache would be checked twice,
we need to convert the ncache_hit to integer and check exact amounts of
hits.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9cc2223e0bc0478c1b47a47fd71bba7e7129492d)
(cherry picked from commit eb6be4e9c1bafcf86822f9300d4c79f9299e015a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Type of timestamp for entries in negative cache is time_t
which is number of *seconds* that have elapsed since 1 January 1970.
The condition for ttl was to strict so entry could be valid
from "ttl-1" to ttl e.g.
* ttl is 1 second
* entry was stored to negative cache at 1432120871.999639
stored_timestamp = 1432120871
* entry was tested few miliseconds later 1432120872.001293
current_time = 1432120872
Entry was marked as expired becuase result of condition was false
stored_timestamp + ttl < current_time
1432120871 + 1 < 1432120872
This is a reason why ./test-negcache sometime fails.
It's quite easily reproducible on slow machine or when valgrind was used.
sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK: done
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 75e4a7753c44e9f2a7a65fad77d95e394f81c125)
(cherry picked from commit be4569c92c2de86a71232e3f4b94caa1b13281e4)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.
However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.
[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=hdpadmin)(objectclass=user)
(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
[DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
Resolves:
https://fedorahosted.org/sssd/ticket/2635
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 21687d1d553579e81aa43bfa20f2e70fb39e8461)
(cherry picked from commit 2bf32678c96304d04e69813fd6d317d981ad2c41)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the version 389ds return a different error code if the
search for the view name failed because our dereference attribute
ipaAssignedIDView is not known. Newer version return
LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is
returned as EIO. In both cases we have to assume that the server is not
view aware and keep the view name unset.
Resolves https://fedorahosted.org/sssd/ticket/2650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2649
libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:
selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
((void *)0)' failed.
If semanage_connect() failed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0f9c28eb52d2b45c8a97f709308dc11377831b8c)
(cherry picked from commit 3b00bcd8b6d53d33207005c4e7a631b6a241d300)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the flag that the input data in a user or group lookup request
might be an override value is only set if no cached entry was found. If
the cached entry of an object with overrides is expired and a request
with the override value as input is processed the flag is not set and
the backend might not be able to find the right entry on the server.
Typically this should not happen because of mid-point refreshes. To
reproduce this create a FreeIPA user and override the login name for a
specific view. On a client which has this view applied call
getent passwd overridename
sss_cache -E
getent passwd overridename
The second getent command will still show the right output but in the
logs a
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error
code: 3 errno: 0 error message: Account info lookup failed
message can be found for the second request.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
(cherry picked from commit a4a447b7bf394ded65c8ae872832e7cd135425d1)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.
Resolves https://fedorahosted.org/sssd/ticket/2647
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a)
(cherry picked from commit 226224c91971247f60a86d9c46dd1402f5c29e8a)
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the group memberships of a user from a trusted domain are read it
must be checked if there are overrides for the discovered groups to be
able to return the right gid or name to the caller.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
(cherry picked from commit eaf656843831d579f30f94154d88aba2201c1712)
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes ipa_initgr_get_overrides_send() public and add support
to search overrides by UUID or by SID.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 145578006684481434ced78461ab8d1c3570f478)
(cherry picked from commit 58a19d50888b1a7da0ee78b49e7d3dcbebc8614d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during user lookups. As a result the lifetime of the
group-membership data is updates in those cases. But if the user is not
looked up directly but is resolved as a group member during a group
lookup SSSD does not resolve all group-membership of the user to avoid
deep recursion and eventually a complete enumeration of the user and
group base. In this case the lifetime of the group-memberships should
not be updated because it might be incomplete.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
(cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these version there
is no need to reject a initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reasons the lifetime of the user entry and the lifetime of the
initgroups data is different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
(cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2643
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4df706219e64527209f12ad0c7814ee1be979c07)
(cherry picked from commit 8f57c6765b10de36582ef1dbee32d75452451a94)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't want to skip over a GPO that might properly be denying
users.
[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
no attrs found for GPO; try next GPO.
Resolves:
https://fedorahosted.org/sssd/ticket/2629
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 03e5f1528184a558fd990e66f083157b404dce08)
(cherry picked from commit 7c8c34c1ad152892f93d8e01336258bfd0bc35b9)
|
|
|
|
|
|
|
|
|
| |
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c520f40d1a2d77cf1d413451b5682297733521ed)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f70a1adbfc30b9acc302027439fb8157e0c6ea2a)
|
|
|
|
|
|
|
|
|
|
|
| |
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
(cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.
Resolves https://fedorahosted.org/sssd/ticket/2631
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 605dc7fcc848dffb7c9d270c864c70e6dff1242e)
(cherry picked from commit 1b2119aab14a4ea3ca6de0d29a661b2825bfec8d)
|
|
|
|
|
|
|
|
|
|
| |
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 625cff0b0938538e51fdd3b2d985e6082b492ea5)
(cherry picked from commit 7752046aea558e4fbf057d4efc9aea1a61b1e009)
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the default view all override data is available in the cached user
or group object. Even if separate override data is available it should
not be written into the cache.
Resolves https://fedorahosted.org/sssd/ticket/2630
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2ab9a4538eb2e1a255e645f7efdcfd6bb722d265)
(cherry picked from commit 3453e4734d2f7738034af61edb7d33c0c7095d8a)
|
|
|
|
|
|
|
|
|
|
|
| |
Previously sssd_sudo always obtained sudo rules for user from LDAP even
when user was enlisted in filter_users.
Resolves https://fedorahosted.org/sssd/ticket/2625
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 2a25713afc6beefb11a799903a43f695c5d7a4f9)
(cherry picked from commit d008c239c62ab6a467559156d5df854b099e4422)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When dealing with users from a child domain, SSSD was attempting to use
the subdomain for lookups. However, all GPOs applicable to this machine
are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the
user domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2606
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 475d986b534c5e0dfdb8e2348ab89b13fd4874aa)
(cherry picked from commit b025f8a22cab47ac1f705a872917e3da0799fdd9)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at
the LDAP connection for the primary domain, however it turns out that
this is not always the case. It's currently unclear why, but this
connection can sometimes be pointing at a subdomain. Since the value of
subdom_id_ctx->ldap_ctx always points to the correct domain (including
the primary domain case), there's no benefit to trying to shortcut to
the ad_ctx->ldap_ctx when performing this lookup.
This patch also makes a minor tweak to the tests so that the primary
domain passes the sdap_domain_get() check for validity (since it needs
to have a private member assigned).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e2bd4f8a41b72aea0712ad21ad02ccebb707f536)
(cherry picked from commit 89a706acf3131bbe8c0aefa9c740dd44e892754f)
|
|
|
|
|
|
|
|
| |
Align goto usage with conventions in the rest of the source.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d9079aa05eb8aacb488992fdce328c1abadd08d8)
(cherry picked from commit d7efa39ab732fb034f51501cb2b1b8d3b1716979)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161)
(cherry picked from commit 4d31f2c294db6090047e4d5348322b32ea0aaac1)
|
|
|
|
|
|
|
|
|
|
|
| |
Transaction should be started and commited on the same code nesting or
abstraction level. Also, transactions are really costly with libselinux
and splitting them from initialization will make init function reusable
by read-only libsemanage functions.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54)
(cherry picked from commit 9c695e3a82fe5903b36b2d514b3284efeadc908c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsemanage documentation says:
~~~~
be sure that a semanage_disconnect() was previously called if the handle
was connected.
~~~~
Otherwise we get a memory leak.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465)
(cherry picked from commit 816d3cc041e276b138057aacb81d1a2bfb25add6)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.
Resolves:
https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)
(cherry picked from commit 49895bb18508a4f4b83b99d9875e99e17c81285b)
|
|
|
|
|
|
|
|
| |
Patch remove code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
(cherry picked from commit bdd031d274659263db5f28408d8b75c63d3485a0)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The gid o was added to sysdb attrs directly in sdap_save_group for 1st time
and for second time in the function sdap_store_group_with_gid,
which was called every time from function sdap_save_group
[sysdb_set_entry_attr] (0x0080): ldb_modify failed:
[Attribute or value exists](20)[attribute 'gidNumber': value #1
on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
[sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_store_group_with_gid] (0x0040):
Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
[sdap_save_group] (0x0080): Could not store group with GID: [File exists]
[sdap_save_group] (0x0080):
Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
[sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908)
(cherry picked from commit cf7047634308c431f4cfbff1d88564668d2a33c7)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If for some reason ptask fails (e.g. timeout), req is talloc freed
but because subreq is attached to ectx which is permanent it is
finished anyway. Then a crash occures when we are trying to access
callback data.
The same happens in sdap_dom_enum_ex_send.
Resolves:
https://fedorahosted.org/sssd/ticket/2611
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 725bb2a9901c4f673b107ed179f5d68ec443ca63)
(cherry picked from commit 81bb9be1ae0b2a4ebe960f136a52576abcdfbbac)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19)
[attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb'
specified, but with 0 values (illegal)]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error:
[Constraint violation]
[sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
[sdap_store_group_with_gid] (0x0040): Could not store group Escalation
[sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
[sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
[sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 999c87114479f230c840a5c020e107c45b29fd56)
(cherry picked from commit cbab37e665d948278a491733e3993ac62beb0427)
|