summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* IPA: Remove MPG groups if getgrgid was called before getpw()rhel-7.1Jakub Hrozek2015-08-201-2/+39
| | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Index the objectSIDString attributeJakub Hrozek2015-06-253-1/+62
| | | | (cherry picked from commit 2302b7f53869db17fe6f733f52cce94d9714eeb4)
* sudo: sanitize filter valuesPavel Březina2015-06-181-2/+13
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2613 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150) (cherry picked from commit 2fb2a267d0d15cce84b0ccea7e088a4b580e42fb)
* subdomains: Inherit cleanup period and tokengroup settings from parent domainJakub Hrozek2015-06-086-0/+237
| | | | | | | | | | | | | | | Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains. This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650) Conflicts: src/tests/cmocka/test_sdap.c
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-082-0/+13
| | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
* SDAP: Add sdap_copy_map_entryJakub Hrozek2015-06-083-0/+103
| | | | | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 12089241f6a6eabf4f0c95669e5fc2bb3b503c06) Conflicts: src/tests/cmocka/test_sdap.c
* DP: Add a function to inherit DP options, if setJakub Hrozek2015-06-083-8/+181
| | | | | | | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2644 Adds a utility function that checks if a DP option is present in the subdomain_inherit list. If it is, then the option is set from source to destination dp_option array. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit b3d110fbc424a03674a6e50e489a7cbab9702f0b) Conflicts: src/tests/cmocka/test_dp_opts.c
* confdb: Add new option subdomain_inheritJakub Hrozek2015-06-086-3/+40
| | | | | | | | | | | | | | | Adds a new option subdomain_inherit that would allow administrators to pick and choose which option to pass to subdomains. This option is required for: https://fedorahosted.org/sssd/ticket/2644 as a short-term fix. The proper solution is described in: https://fedorahosted.org/sssd/ticket/2599 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
* Download complete groups if ignore_group_members is set with tokengroupsJakub Hrozek2015-06-081-2/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 When tokenGroups are enabled, we save groups using their SID as the RDN attribute during initgroups() and later, if the groups is requested and saved again with the full name, remove the original and save the new group entry. Saving the new group entry would break if ignore_group_members is also set, because the new group entry would lack the "member" attribute, so the member/memberof links between the new group and the user entry wouldn't be established again. This patch changes the initgroups processing so that the full group object is fetched when initgroups is enabled but together with ignore_group_members. This solution imposes some performance impact, because instead of one search for tokenGroups we also need to resolve the groups. The more systematic solution would be to get rid of removing the group entry as described in https://fedorahosted.org/sssd/ticket/2656 To reproduce the bug, set: ignore_group_members = True with a backend that uses: id_provider = ad Then run: $ id aduser@ad_domain.com $ id aduser@ad_domain.com Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)
* sdap: properly handle binary objectGuid attributeSumit Bose2015-05-2811-34/+307
| | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Filter ad groups in initgroupsLukas Slebodnik2015-04-221-0/+12
| | | | | | | | | | | Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done. Resolves: https://fedorahosted.org/sssd/ticket/2614 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)
* SDAP: Extract filtering AD group to functionLukas Slebodnik2015-04-225-47/+101
| | | | | | | Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
* SDAP: Do not set gid 0 twiceLukas Slebodnik2015-04-221-7/+0
| | | | | | | | | | | | | | | | | | | | | | The gid o was added to sysdb attrs directly in sdap_save_group for 1st time and for second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. [sysdb_store_group] (0x0400): Error: 17 (File exists) [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com [sdap_save_group] (0x0080): Could not store group with GID: [File exists] [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908)
* LDAP/AD: do not resolve group members during tokenGroups requestSumit Bose2015-04-229-18/+64
| | | | | | | | | | | | | | | | | | | | | | | During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
* IPA: set EINVAL if dn can't be linearizedPavel Reichl2015-03-191-0/+1
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 131da4d9f40e0e407d7bcae18ff16507976bc6c7)
* IPA: make sure output variable is setSumit Bose2015-03-191-1/+3
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit abb093b4ae10f2a5748bf9f194bf76794002eba0)
* IPA idviews: check if view name is setSumit Bose2015-03-171-1/+4
| | | | | | | | | | | When working with older FreeIPA releases the view name might not always been set. This patch add checks to might sure it is only dereferenced when set. Resolves https://fedorahosted.org/sssd/ticket/2604 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 8be0cf3eea892e13410c13abb030322599ca1b4f)
* selinux: Handle setup with empty default and no configured rulesJakub Hrozek2015-03-172-4/+10
| | | | | | | | | | | | SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99) (cherry picked from commit 4b6ee69fb1f713aae125b0fc2d345846e7a0d642)
* ipa_selinux: Fix warning may be used uninitializedLukas Slebodnik2015-03-171-1/+1
| | | | | | | | | | | | | | src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done': src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized] state->sci = sci; ^ src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here struct selinux_child_input *sci; ^ cc1: all warnings being treated as errors Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit befd8f4639ecef8185e82092beae801d68fa7eae)
* ldap_child: initialized ccname_file_dummySumit Bose2015-03-061-1/+1
| | | | | | | | | | | ccname_file_dummy is used in the done-block which is called before ccname_file_dummy is set to a value. This patch initializes ccname_file_dummy to NULL. Related to https://fedorahosted.org/sssd/ticket/2592 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit cc0f9a541c5ecdad750a86b2de9baa1f07403e9e)
* selinux: Delete existing user mapping on empty defaultJakub Hrozek2015-03-052-7/+17
| | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2587 The case of SELinux default user mapping being an empty string is valid, it should translate into "pick the default context on the target machine". In case the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
* LDAP: unlink ccname_file_dummy if there is an errorDaniel Hjorth2015-03-051-1/+11
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2592 If there is an error after ccname_file_dummy is created but before it is renamed then the file isn't removed. This can cause a lot of files to be created and take up inodes in a filesystem. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 2b20ff2e33ad3993a9cad910c4b4b828513613df)
* fill_id() fix LE/BE issue with wrong data typeSumit Bose2015-01-301-4/+6
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 866ab45027c83fafb7f7f45d34d3e1e7721b77dc)
* AD: use GC for SID requests as wellSumit Bose2015-01-302-10/+29
| | | | | | | | | | If a universal group is looked up by SID the cross-domain members must be resolved with the help of the Global Catalog. Related to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)
* ipa_s2n_save_objects: properly handle fully-qualified group namesSumit Bose2015-01-301-1/+1
| | | | | | | | | | | Check if the given name is already fully-qualified instead of adding a domain name unconditionally. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 9ad346318dc2cc5d5a340d8d981ddfdcc6f632da)
* IPA: Resolve IPA user groups' overrideDN in non-default viewJakub Hrozek2015-01-301-8/+312
| | | | | | | | | | | When the client is in a non-default view, we need to store the override data, in particular the overrideDN as well. Resolves: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b2c3722b9a1eaf265f6b102043958f6d4378788c)
* LDAP: Add UUID when saving incomplete groupsJakub Hrozek2015-01-305-12/+29
| | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 108db0e3b9e06e530364ef8228634f5e3f6bd3b5)
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-272-1/+21
| | | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
* SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to rootJakub Hrozek2015-01-271-1/+17
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2564 libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
* IPA: Use attr's dom for users, tooJakub Hrozek2015-01-271-11/+11
| | | | | | | | | | | | The 'dom' pointer points to domain of the main object being saved. In case of group, dom points to the domain where the group resides. But when saving members, each members might be from a different domain, so we need to find every member's domain based on the attributes. Also don't use Yoda style in conditions. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b2c5e98def89a0c3d16f5cf7e07ce2020338b540)
* IPA: process_members() add ghosts only onceSumit Bose2015-01-271-2/+4
| | | | | | | | | | | | Since ghost entries might not be properly removed on the IPA server (https://fedorahosted.org/sssd/ticket/2567) chances are that during extdom group lookups a single user is returned multiple time. This patch removes the duplicates before trying to write the data to the cache. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 60f11e2fa1f63cd40ebace525ad823b0360fac94)
* IPA: resolve IPA group-memberships for AD usersSumit Bose2015-01-272-3/+44
| | | | | | | | | | | | | | | | So far only for initgroups requests the IPA group memberships where resolved for AD users and due to 6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not overridden by other request. But it turned out that the originalMemberOf attributes related to the IPA group memberships can be overridden by user lookups. Since the originalMemberOf attribute is important in the HBAC evaluation this patch makes sure that the originalMemberOf attribute is not removed but updated during user lookups. Related to https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)
* IPA: Rename user_dom into obj_domJakub Hrozek2015-01-271-12/+12
| | | | | | | | There was a variable in the IPA subdomain code named user_dom, however, it was used in code that processes both users and groups, which was confusing. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sysdb: remove ghosts in all sub-domains as wellSumit Bose2015-01-231-2/+3
| | | | | | | | | | | | | | If a user is a member is a group in a different sub-domain, e.g with universal groups in AD, the ghost attribute might not be properly removed from the group object if the user is resolved. The reason is that only groups from the domain of the user were search for ghost attributes. This patch increases the search-base to all sub-domains of the configured SSSD domain. Resolves https://fedorahosted.org/sssd/ticket/2567 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)
* nss: fix SID lookupsSumit Bose2015-01-231-1/+9
| | | | | | https://fedorahosted.org/sssd/ticket/2566 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-234-2/+133
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: fix GID overrride for mpg domainsSumit Bose2015-01-221-1/+20
| | | | | | | | | | | | When adding a user sysdb internally adds a value to SYSDB_GIDNUM for mpg domain which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created but in the same transaction Releted to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit ba818cc39dfe94c2b8613f4badf7912811f0f737)
* Open the PAC socket from krb5_child before dropping rootJakub Hrozek2015-01-213-0/+27
| | | | | | | | | | | The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
* nss: Add original DN and memberOf to origbyname requestSumit Bose2015-01-202-2/+5
| | | | | | | | | | IPA HBAC evaluation relies on the original values for DN and memberOf attributes. Resolves https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7543052f562f157f7b17fdc46a6777d80c0cb3bd)
* nss: refactor fill_orig()Sumit Bose2015-01-201-67/+66
| | | | | | | The two loops in fill_orig were almost identical. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit a4d64002b5ca763622bde240d27797d361ba0388)
* nss: make fill_orig() multi-value awareSumit Bose2015-01-202-21/+198
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 5f4d896ec8e06476f4282b562b1044de14c48ecf)
* krb5: fix entry order in MEMORY keytabSumit Bose2015-01-191-28/+90
| | | | | | | | | | | | | | | | | Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY type keytab and not at the end a simple copy into a MEMORY type keytab will revert the order of the keytab entries. Since e.g. the sssd_krb5 man page give hints about where to add entries into keytab files to help SSSD to find a right entry we have to keep the order when coping a keytab into a MEMORY type keytab. This patch fixes this by doing a second copy to retain the original order. Resolves https://fedorahosted.org/sssd/ticket/2557 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 24df1487413d13248dcc70d2548a763930da4c65)
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEWJakub Hrozek2015-01-141-0/+1
| | | | | | | Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 9b2cd4e5e451c07cb2f04cdbaea2b94ccb5fb2ee)
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLISTSumit Bose2015-01-141-0/+14
| | | | | | | | Since RESP_USER_GROUPLIST contains all group memberships it is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 62d919aea98edd1095f6a22241903d4c045b46ed)
* IPA: resolve missing membersSumit Bose2015-01-141-14/+48
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3cd287313d93e29f9754feb46017dba2a039affd)
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()Sumit Bose2015-01-141-50/+50
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit f1f22df95996390f63266ebacb624e521d934592)
* IPA: process_members() optionally return missing members listSumit Bose2015-01-141-18/+67
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 942ebb62c8df766a22271103abd518ddae02ea3a)
* IPA: add missing breakSumit Bose2015-01-141-0/+1
| | | | | | | | The current request already returned the SID, we do not need to request it separately. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e6046d23b3e90102fb3c796737ced03fb5a60fea)
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)
generated by cgit (git 2.34.1) at 2024-05-07 18:56:10 +0000