summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* selinux testselinuxJakub Hrozek2015-04-275-11/+144
|
* tests: Add NSS responder tests for bysid requestsJakub Hrozek2015-04-242-0/+220
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* nss: Use negcache for getbysid requestsJakub Hrozek2015-04-241-0/+9
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sysdb: Add cache_expire to the default sysdb_search_object_by_str_attr setJakub Hrozek2015-04-241-1/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Write hints about optional python bindingsLukas Slebodnik2015-04-241-2/+22
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* ad_opts: Use different default attribute for group nameLukas Slebodnik2015-04-171-1/+1
| | | | | | | | | | | | | | | | The MSFT docs [1,2] for LDAP attributes says: samAccountName is mandotory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class name is part of the 'top' class and *not* mandatory for 'user' or 'group'. [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx Resolves: https://fedorahosted.org/sssd/ticket/2593 Reviewed-by: Sumit Bose <sbose@redhat.com>
* subdom: Remove unused function get_flat_name_from_subdomain_nameJakub Hrozek2015-04-162-24/+0
| | | | | | | The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD GPO: Always look up GPOs from machine domainStephen Gallagher2015-04-151-21/+33
| | | | | | | | | | | | | | When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Always get domain-specific ID connectionStephen Gallagher2015-04-152-11/+8
| | | | | | | | | | | | | | | | ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Clean up ad_access_gpoStephen Gallagher2015-04-151-7/+5
| | | | | | Align goto usage with conventions in the rest of the source. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-144-4/+109
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Begin and end the transaction on the same nesting levelJakub Hrozek2015-04-141-6/+14
| | | | | | | | | Transaction should be started and commited on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make init function reusable by read-only libsemanage functions. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Disconnect before closing the handleJakub Hrozek2015-04-141-3/+10
| | | | | | | | | | | | libsemanage documentation says: ~~~~ be sure that a semanage_disconnect() was previously called if the handle was connected. ~~~~ Otherwise we get a memory leak. Reviewed-by: Michal Židek <mzidek@redhat.com>
* Option filter_users had no effect for retrieving sudo rulesAdam Tkac2015-04-143-0/+39
| | | | | | | | | Previously sssd_sudo always obtained sudo rules for user from LDAP even when user was enlisted in filter_users. Resolves https://fedorahosted.org/sssd/ticket/2625 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb-tests: test return value before output argumentsLukas Slebodnik2015-04-141-0/+1
| | | | | | Output arguments needn't be initialized if function failed. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb-tests: Add missing assertionsLukas Slebodnik2015-04-141-0/+3
| | | | | | | | The return valuee of functions test_remove_group_member sysdb_attrs_add_time_t were ignored and therefore this part of code was not tested. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple_access-tests: Simplify assertionLukas Slebodnik2015-04-141-3/+1
| | | | | | The second argument of function check_access_list should not be an empty list. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Filter ad groups in initgroupsLukas Slebodnik2015-04-141-0/+12
| | | | | | | | | | Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done. Resolves: https://fedorahosted.org/sssd/ticket/2614 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Extract filtering AD group to functionLukas Slebodnik2015-04-145-47/+101
| | | | | | Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Do not set gid 0 twiceLukas Slebodnik2015-04-141-7/+0
| | | | | | | | | | | | | | | | | | | | | The gid o was added to sysdb attrs directly in sdap_save_group for 1st time and for second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. [sysdb_store_group] (0x0400): Error: 17 (File exists) [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com [sdap_save_group] (0x0080): Could not store group with GID: [File exists] [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nsupdate: Append -d/-D to nsupdate with a high debug levelJakub Hrozek2015-04-141-1/+17
| | | | | | https://fedorahosted.org/sssd/ticket/897 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* dyndns: Log nsupdate stderr with a high debug levelJakub Hrozek2015-04-141-0/+12
| | | | | | https://fedorahosted.org/sssd/ticket/2224 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: Add a simple function to get the fd of debug_fileJakub Hrozek2015-04-142-0/+10
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sudo: sanitize filter valuesPavel Březina2015-04-131-2/+13
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2613 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN: Clarify how are GPO mappings called in GPO editorJakub Hrozek2015-04-101-3/+19
| | | | | | https://fedorahosted.org/sssd/ticket/2618 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Reset negcache after checking domainsJakub Hrozek2015-04-091-0/+24
| | | | | | | | The NSS responder periodically re-checks subdomains. We need to reset the negative cache each time the check finishes to allow the negative cache to contain entries from different domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* responders: reset ncache after domains are discovered during startupJakub Hrozek2015-04-0910-15/+82
| | | | | | | | | After responders start, they add a lookup operation that discovers the subdomains so that qualifying users works. After this operation is finishes, we need to reset negcache to allow users to be added into the newly discovered domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Add sss_ncache_reset_repopulate_permanentJakub Hrozek2015-04-093-0/+113
| | | | | | | This new function resets the negative cache and then re-adds the permanent entries. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Silence critical error from filter_users when default_domain_suffix ↵Jakub Hrozek2015-04-093-8/+101
| | | | | | | | | | | | | | | is set When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Fix sss_ncache_reset_permanentJakub Hrozek2015-04-092-1/+12
| | | | | | | There was an off-by-one error in sss_ncache_reset_permanent that prevented the reset from working. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tests: Revert strcmp conditionJakub Hrozek2015-04-081-1/+1
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Set sdap handle as explicitly connected in LDAP authJakub Hrozek2015-04-081-0/+12
| | | | | | | | | | | | | In case SSSD is set with id_provider=proxy and auth_provider=ldap, the LDAP provider is not used to retrieve the user info with the higher-level calls, but the lower-level connection establishment is used instead. In this case, we need to make sure to mark the connection as explicitly connected to be notified about results of looking up the DN. Resolves: https://fedorahosted.org/sssd/ticket/2620 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SPEC: Few cosmetic changesLukas Slebodnik2015-04-081-6/+4
| | | | | | | | - removed unnecessary blank lines (leftover after many changes) - list manual pages according to section number - add missing white spaces to shall scripts Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Remove unused optionLukas Slebodnik2015-04-081-1/+0
| | | | | | | | | | The optional definition of rpm macro with_ccache was removed in patch "BUILD: Remove unnecessary patch and configure opts" as a part of ticket https://fedorahosted.org/sssd/ticket/2036. It is not used anymore so it can be removed. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Drop workarounds for old rpmbuildLukas Slebodnik2015-04-081-9/+0
| | | | | | | Old versions of rpmbuild require ghost files to be present in the buildroot. It was mainly problem of rpmbuild on rhel5 which is not supported anymore. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Drop workaround for old libtoolLukas Slebodnik2015-04-081-9/+0
| | | | | | | This workaround was for libtool in rhel 5 and we dropped support for it few months ago due to missing dependencies. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util-tests: Initialize boolean variable to default valueLukas Slebodnik2015-04-081-1/+1
| | | | | | | | The boolean variable found_nss could be used uninitialized in test test_known_service if service "nss" would not be found. We would catch it with valgind. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* enumeration: fix talloc contextPavel Březina2015-04-082-2/+2
| | | | | | | | | | | | | | If for some reason ptask fails (e.g. timeout), req is talloc freed but because subreq is attached to ectx which is permanent it is finished anyway. Then a crash occures when we are trying to access callback data. The same happens in sdap_dom_enum_ex_send. Resolves: https://fedorahosted.org/sssd/ticket/2611 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* CLIENT: Clear errno with enabled sss-default-nss-pluginLukas Slebodnik2015-04-071-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Although errno was cleared in function sss_nss_make_request some sss glic functions set errno with value of output argument errnop. Reproducer: * sssd compiled with enabled option sss-default-nss-plugin * sss is the last value in group (/etc/nsswitch.conf) * sssd-client is installed but sssd is stopped. C-program: #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <grp.h> int main(int argc, char *argv[]) { struct group *p_group; setgrent(); while (1) { errno = 0; /* initialize for getgrent() */ p_group = getgrent(); if (p_group == NULL) { if (errno == 0) { break; /* end of groups */ } else { perror("getgrent"); printf("getgrent error %d \n", errno); endgrent(); exit(-2); } } printf("getgrent() OK group(%d) = %s \n", p_group->gr_gid, p_group->gr_name); } exit(0); } Resolves: https://fedorahosted.org/sssd/ticket/2619 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: Unify prototype and definitionLukas Slebodnik2015-04-011-2/+3
| | | | | | | | | The prototype of function copy_keytab_into_memory does not match the definition. One of arguments differs in constant modifier. Patch also include header file to implementation module. If should avoid such problems in future. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Check return value of ad_gpo_store_policy_settingsLukas Slebodnik2015-04-011-0/+6
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSH: Ignore the default_domain_suffixJakub Hrozek2015-04-011-1/+1
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2609 In a trust setup, hosts are normally only stored on the IPA server. The default_domain_suffix option is only recommended for the IPA-AD trust scenario as well. Therefore we should ignore this option in the SSH provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jan Cholasta <jcholast@redhat.com>
* PAC: Remove unused functionLukas Slebodnik2015-03-311-35/+0
| | | | | | The last usage of function dom_sid_in_domain was removed as a part of chages in ticket "Enhance PAC responder for AD users" 92af6f25864b5c389b57d0f659686801b45ca58c
* test_resolv_fake: Fix alignment warningLukas Slebodnik2015-03-271-9/+10
| | | | | | | | | | | | src/tests/cmocka/test_resolv_fake.c:60:9: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'HEADER *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] h = (HEADER *) hb; ^~~~~~~~~~~~~ 1 error generated. Reviewed-by: Michal Židek <mzidek@redhat.com>
* MAN: Update ppolicy descriptionPavel Reichl2015-03-271-4/+7
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2612 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* Fix a few typos in commentsPavel Reichl2015-03-262-5/+5
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: fix a typo in debug messagePavel Reichl2015-03-261-1/+1
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* test_ldap_auth: Use right assertion for integer comparisonLukas Slebodnik2015-03-261-6/+6
| | | | | | | The macro assert_int_equal prints value of integers if they are not equal. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* test_expire: Use right assertion macro for standard functionsLukas Slebodnik2015-03-261-2/+3
| | | | | | | | | | | | | | Documentation to macro assert_return_code says: Assert that the return_code is greater than or equal to 0. The function prints an error message to standard error and terminates the test by calling fail() if the return code is smaller than 0. If the function you check sets an errno if it fails you can pass it to the function and it will be printed as part of the error message. So in case of error we will see more verbose message. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* pam_client: fix casting to const pointerLukas Slebodnik2015-03-261-7/+8
| | | | | | | | | | src/sss_client/pam_sss.c:1461:73: error: cast from 'int **' to 'const void **' must have all intermediate pointers const qualified to be safe [-Werror,-Wcast-qual] pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data); ^ Reviewed-by: Sumit Bose <sbose@redhat.com>