Commit message | Author | Age | Files | Lines
* tests: Use cmocka-1.0+ API in test_sysdb_utils (Jakub Hrozek, 2015-04-16; 1 file, -3/+3)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit e2405de14e2fb3d58af4108ecc2726818e6c7c71)
* AD GPO: Always look up GPOs from machine domain (Stephen Gallagher, 2015-04-15; 1 file, -21/+33)
  When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain.
  Resolves: https://fedorahosted.org/sssd/ticket/2606
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 475d986b534c5e0dfdb8e2348ab89b13fd4874aa)
* AD: Always get domain-specific ID connection (Stephen Gallagher, 2015-04-15; 2 files, -11/+8)
  ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup.
  This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned).
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit e2bd4f8a41b72aea0712ad21ad02ccebb707f536)
* AD: Clean up ad_access_gpo (Stephen Gallagher, 2015-04-15; 1 file, -7/+5)
  Align goto usage with conventions in the rest of the source.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit d9079aa05eb8aacb488992fdce328c1abadd08d8)
* Option filter_users had no effect for retrieving sudo rules (Adam Tkac, 2015-04-15; 3 files, -0/+39)
  Previously sssd_sudo always obtained sudo rules for a user from LDAP even when the user was enlisted in filter_users.
  Resolves https://fedorahosted.org/sssd/ticket/2625
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 2a25713afc6beefb11a799903a43f695c5d7a4f9)
* selinux: Only call semanage if the context actually changes (Jakub Hrozek, 2015-04-14; 4 files, -4/+109)
  https://fedorahosted.org/sssd/ticket/2624
  Add a function to query the libsemanage database for a user context and only update the database if the context differs from the one set on the server.
  Adds talloc dependency to libsss_semanage.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161)
* selinux: Begin and end the transaction on the same nesting level (Jakub Hrozek, 2015-04-14; 1 file, -6/+14)
  A transaction should be started and committed on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make the init function reusable by read-only libsemanage functions.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54)
* selinux: Disconnect before closing the handle (Jakub Hrozek, 2015-04-14; 1 file, -3/+10)
  libsemanage documentation says:
  ~~~~
  be sure that a semanage_disconnect() was previously called if the handle was connected.
  ~~~~
  Otherwise we get a memory leak.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465)
* SDAP: Filter ad groups in initgroups (Lukas Slebodnik, 2015-04-14; 1 file, -0/+12)
  Function sdap_add_incomplete_groups stored domain local groups from a subdomain as POSIX groups, which should not be done.
  Resolves: https://fedorahosted.org/sssd/ticket/2614
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)
* SDAP: Extract filtering AD group to function (Lukas Slebodnik, 2015-04-14; 5 files, -47/+101)
  This patch removes code duplication.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
* SDAP: Do not set gid 0 twice (Lukas Slebodnik, 2015-04-14; 1 file, -7/+0)
  The gid 0 was added to sysdb attrs directly in sdap_save_group for the first time, and for the second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group.
  [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
  [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
  [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
  [sysdb_store_group] (0x0400): Error: 17 (File exists)
  [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
  [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
  [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
  [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908)
* sudo: sanitize filter values (Pavel Březina, 2015-04-13; 1 file, -2/+13)
  Resolves: https://fedorahosted.org/sssd/ticket/2613
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150)
* enumeration: fix talloc context (Pavel Březina, 2015-04-08; 2 files, -2/+2)
  If for some reason ptask fails (e.g. timeout), req is talloc freed, but because subreq is attached to ectx, which is permanent, it is finished anyway. Then a crash occurs when we are trying to access callback data. The same happens in sdap_dom_enum_ex_send.
  Resolves: https://fedorahosted.org/sssd/ticket/2611
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 725bb2a9901c4f673b107ed179f5d68ec443ca63)
* GPO: Check return value of ad_gpo_store_policy_settings (Lukas Slebodnik, 2015-04-08; 1 file, -0/+6)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* CLIENT: Clear errno with enabled sss-default-nss-plugin (Lukas Slebodnik, 2015-04-07; 1 file, -0/+2)
  Although errno was cleared in function sss_nss_make_request, some sss glibc functions set errno with the value of the output argument errnop.
  Reproducer:
  * sssd compiled with enabled option sss-default-nss-plugin
  * sss is the last value in group (/etc/nsswitch.conf)
  * sssd-client is installed but sssd is stopped.
  C-program:

      #include <stdio.h>
      #include <stdlib.h>
      #include <errno.h>
      #include <grp.h>

      int main(int argc, char *argv[])
      {
          struct group *p_group;

          setgrent();
          while (1) {
              errno = 0; /* initialize for getgrent() */
              p_group = getgrent();
              if (p_group == NULL) {
                  if (errno == 0) {
                      break; /* end of groups */
                  } else {
                      perror("getgrent");
                      printf("getgrent error %d \n", errno);
                      endgrent();
                      exit(-2);
                  }
              }
              printf("getgrent() OK group(%d) = %s \n",
                     p_group->gr_gid, p_group->gr_name);
          }
          exit(0);
      }

  Resolves: https://fedorahosted.org/sssd/ticket/2619
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit d51bc5f43fffa516446ef62c2b860be9fa939c9d)
* MAN: Update ppolicy description (Pavel Reichl, 2015-03-27; 1 file, -4/+7)
  Resolves: https://fedorahosted.org/sssd/ticket/2612
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  (cherry picked from commit 1426ee8756a1df4ec0651417dce92e1dcc8a246d)
* LDAP: fix a typo in debug message (Pavel Reichl, 2015-03-26; 1 file, -1/+1)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 871f340834f25ca92a481718939164e708a70e29)
* IPA: Deprecate the ipa_hbac_treat_deny_as option (Jakub Hrozek, 2015-03-24; 1 file, -0/+4)
  https://fedorahosted.org/sssd/ticket/2603
  Deny rules have not been supported by the IPA server since 2.1. We should deprecate the ipa_hbac_treat_deny_as option.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit fdfe33975cd902bf7a334e49f2667f6346c4e6ae)
* IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled (Jakub Hrozek, 2015-03-24; 1 file, -14/+54)
  https://fedorahosted.org/sssd/ticket/2603
  If deny rules are not in effect, we can skip malformed HBAC rules because at worst we will deny access. If deny rules are in effect, we need to error out to be on the safe side and avoid skipping a deny rule.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit c41ae115bfa808d04e729dcbd759d8aae8387ce7)
* IPA: Drop useless sysdb parameter (Jakub Hrozek, 2015-03-24; 1 file, -16/+10)
  https://fedorahosted.org/sssd/ticket/2603
  It's better to dereference the domain structure.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 64d8e2df816323a004bf6e7e9d05ba373b9e033d)
* IPA: Use custom error codes when validating HBAC rules (Jakub Hrozek, 2015-03-24; 6 files, -29/+33)
  https://fedorahosted.org/sssd/ticket/2603
  Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 1243e093fd31c5660adf1bb3dd477d6935a755be)
* Resolv: re-read SRV query every time if its TTL is 0 (Jakub Hrozek, 2015-03-24; 2 files, -6/+27)
  We should make sure the client re-checks the SRV query each request if the SRV query is 0.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 9797aa5907191cef5db8279e20ec75fd0abbe980)
* sdap: properly handle binary objectGuid attribute (Sumit Bose, 2015-03-24; 13 files, -34/+324)
  Although in the initial processing SSSD treats the binary value right, at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache, but in most cases there will be only a broken entry in the cache.
  This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache.
  Resolves https://fedorahosted.org/sssd/ticket/2588
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* build: Only run cmocka tests if cmocka 1.0 or newer is available (Jakub Hrozek, 2015-03-24; 1 file, -2/+2)
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  (cherry picked from commit cecee447d41c3ca22e94880a7d0cbd910f230fe5)
* RPM: BuildRequire libcmocka >= 1.0 (Jakub Hrozek, 2015-03-24; 1 file, -1/+1)
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  (cherry picked from commit 0aad066baeed6833cf061b71d72c6bbbb2d2b9e8)
* tests: convert all unit tests to cmocka 1.0 or later (Jakub Hrozek, 2015-03-24; 33 files, -638/+741)
  All tests now use the cmocka-1.0-compatible API.
  Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* memberof: Do not create request with 0 attribute values (Lukas Slebodnik, 2015-03-23; 1 file, -0/+6)
  [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19) [attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb' specified, but with 0 values (illegal)]
  [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [Constraint violation]
  [sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
  [sdap_store_group_with_gid] (0x0040): Could not store group Escalation
  [sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
  [sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
  [sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 999c87114479f230c840a5c020e107c45b29fd56)
* LDAP: remove unused code (Pavel Reichl, 2015-03-23; 1 file, -5/+1)
  Also fix debug message.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit ef9ca5848ea08aafa0827f5d2922d49130ba324d)
* GPO: error out instead of leaving array element uninitialized (Sumit Bose, 2015-03-23; 1 file, -1/+4)
  In general every object created by the AD provider should have a SID attribute. Since SIDs and GPOs are used for access control, a missing SID should be treated as an error for now until it is known if there is a valid reason why the SID is missing.
  Resolves https://fedorahosted.org/sssd/ticket/2608
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 4cfab2330323834574c179f774a0c6b1fff4936e)
* IPA: set EINVAL if dn can't be linearized (Pavel Reichl, 2015-03-19; 1 file, -0/+1)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 131da4d9f40e0e407d7bcae18ff16507976bc6c7)
* IPA: make sure output variable is set (Sumit Bose, 2015-03-19; 1 file, -1/+3)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit abb093b4ae10f2a5748bf9f194bf76794002eba0)
* selinux: Handle setup with empty default and no configured rules (Jakub Hrozek, 2015-03-17; 2 files, -4/+10)
  SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component.
  Related to: https://fedorahosted.org/sssd/ticket/2587
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
* IPA idviews: check if view name is set (Sumit Bose, 2015-03-17; 1 file, -1/+4)
  When working with older FreeIPA releases the view name might not always be set. This patch adds checks to make sure it is only dereferenced when set.
  Resolves https://fedorahosted.org/sssd/ticket/2604
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 8be0cf3eea892e13410c13abb030322599ca1b4f)
* LDAP/AD: do not resolve group members during tokenGroups request (Sumit Bose, 2015-03-17; 9 files, -18/+64)
  During initgroups requests we try to avoid resolving the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup returns the complete list of memberships for a user, hence it is not necessary to look up the other group members and un-roll nested groups. With this patch only the group entry is looked up and saved as an incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send().
  The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true, groups which are missing in the cache are created as incomplete groups. As a result a request to look up this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests.
  https://fedorahosted.org/sssd/ticket/2601
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
* ipa_selinux: Fix warning may be used uninitialized (Lukas Slebodnik, 2015-03-17; 1 file, -1/+1)
  src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done':
  src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized]
       state->sci = sci;
                  ^
  src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here
       struct selinux_child_input *sci;
                                   ^
  cc1: all warnings being treated as errors
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: make sure extdom expo data is available (Sumit Bose, 2015-03-13; 1 file, -0/+5)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 7ee9ac32485483beece872d6fcb3096fa77a004b)
* ipa: do not treat missing sub-domain users as error (Sumit Bose, 2015-03-13; 1 file, -3/+7)
  Resolves: https://fedorahosted.org/sssd/ticket/2444
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 3e9712c2fdbba8f9cd25886943331e76e0b2cedd)
* pam_initgr_check_timeout: add debug output (Sumit Bose, 2015-03-13; 1 file, -0/+4)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 10da5ea89b2b963e5e0bb0e0113d118e3bdea892)
* PAM: use the logon_name as the key for the PAM initgr cache (Sumit Bose, 2015-03-13; 1 file, -13/+3)
  Currently the name member of the pam_data struct is used as a key, but it can change during a request. Especially for sub-domain users the name is changed from the short to the fully-qualified version before the cache entry is created. As a result the cache searches are always done with the short name while the entry was written with the fully-qualified name.
  The logon_name member of the pam_data struct contains the name which was sent by the PAM client and is never changed during the request.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
* test: Check ERR_LAST (Michal Zidek, 2015-03-13; 3 files, -1/+12)
  Check if the number of error codes and messages is the same.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DEBUG: Add missing strings for error messages (Michal Zidek, 2015-03-13; 2 files, -1/+4)
  We had more error codes than corresponding messages. Also, the order of two messages was wrong.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: libkrb5 and SSSD use different expansions (Pavel Reichl, 2015-03-13; 1 file, -0/+9)
  Users often wrongly use SSSD expansions in the libkrb5 expansion template for principals. State explicitly that it won't work.
  Resolves: https://fedorahosted.org/sssd/ticket/2528
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 33b8bf140b1d82d2626eeeaaea29af49dcdb3c99)
* NSS: Handle ENOENT when doing initgroups by UPN (Jakub Hrozek, 2015-03-12; 1 file, -18/+28)
  https://fedorahosted.org/sssd/ticket/2598
  We need to return an empty result in case an initgroups lookup by UPN doesn't return anything.
  Please note testing with "id user" is not sufficient as id calls a getpwnam first.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* ldap_child: fix coverity warning (Pavel Reichl, 2015-03-11; 1 file, -2/+12)
  In ldap_child_get_tgt_sync() variable 'ret' got overridden in the done section without ever being read before.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  (cherry picked from commit 6ccda8691123bb27f5f2a88a0c80174af3e0fd0a)
* Log reason in debug message why ldb_modify failed (Lukas Slebodnik, 2015-03-11; 8 files, -10/+68)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 04d138472cc086fb7961f0d378852b09961b1a33)
* be_refresh: support groups (Pavel Březina, 2015-03-08; 5 files, -0/+63)
  Resolves: https://fedorahosted.org/sssd/ticket/2346
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 61c8d13e55ebafc28da1b0b5ad9ae578d687e288)
* be_refresh: support users (Pavel Březina, 2015-03-08; 5 files, -0/+62)
  Resolves: https://fedorahosted.org/sssd/ticket/2346
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit e77d6366ff9e49dbbb607f1709f1ae4190b99489)
* be_refresh: add sdap_refresh_init (Pavel Březina, 2015-03-08; 5 files, -30/+33)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 17531a398cc9084036cb08d69fe876a8f12707bb)
* be_refresh: refactor netgroups refresh (Pavel Březina, 2015-03-08; 1 file, -32/+77)
  This is a preparation to support other object types without introducing duplicated code.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit ab0eda3622b828df2bfb7850c96d1395f614eb13)
* sdap_handle_acct_req_send: remove be_req (Pavel Březina, 2015-03-08; 4 files, -17/+13)
  be_req was used only as a talloc context for subreq. This memory context was replaced by the state of the parent request, which is more suitable for tevent coding style.
  This change will allow us to use this function in be_refresh where no be_req is available.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit a849d848d53f305a90613a74c1767a42b250deda)