| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
| |
To avoid duplicated entries in the group list all gids are added to a
hash table first.
Fixes: https://fedorahosted.org/sssd/ticket/1672
|
| |
|
|
|
|
|
|
| |
Currently only the LDB error code indicating that an entry already
exists is translated to EEXIST. To make debugging easier and return a
better indication of the reason for an error in the logs this patch
translates the LDB error code for an already existing attribute or value
to EEXIST as well.
|
| |
|
|
|
|
|
| |
Read the group membership of the remote domain the user belongs to from
the PAC and add them to the cache.
Fixes: https://fedorahosted.org/sssd/ticket/1666
|
| |
|
|
|
|
|
| |
Groups from subdomains will not have an attribute holding the original
DN because in general it will not be available. This attribute is only
used by IPA HABC to improve performance and remote groups cannot be used
for access control.
|
| |
|
|
|
|
|
|
|
|
| |
Currently users from subdomains can only be members of groups from the
configured domain and to access those groups a pointer to the domain
struct of the configured domain is used. This patch sets the dom_grp
member of struct pac_grp to point to the domain struct of the configured
for groups from this domain. This is a first step to allow group
membership for groups from subdomains as well. For those groups a
pointer to the related subdomain structure will be saved.
|
| |
|
|
|
|
|
| |
Currently some user specific data from the PAC is only read when the
user is not already in the cache. Since some of this information is
needed later on, e.g. the domain SID the user belongs to, with this
patch the data is read always from the PAC.
|
| |
|
|
|
|
|
| |
Currently only the flat name of the configured domain is updated if it
is not already set. This patch updates the domain ID as well. This is
typically the case when trust support is enabled on the server side
while sssd is running.
|
| |
|
|
|
| |
To avoid a conversion on the caller side a new call is added to
libsss_idmap which converts a Samba dom_sid structure to a Posix ID.
|
| |
|
|
|
|
|
| |
Currently domains can only be searched by name in the global domain
list. To make it easier to find the domain for a given SID
find_domain_by_id() which returns a pointer to the domain or subdomain
entry in the global domain list if a matching id was found.
|
| |
|
|
|
| |
To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now we don't include USN/modifyTimestamp attribute in the filter
if such situasion occurs.
|
| |
|
|
|
|
|
|
| |
The search was intended for the AD provider mostly, but keytabs coming
from AD via samba don't contain fqdn$@REALM but rather uppercased
SHORTNAME$@REALM
https://fedorahosted.org/sssd/ticket/1740
|
| |
|
|
|
| |
If use_fully_qualified_names is used, we need to pass fqdn
to sss_mmap_cache_*_invalidate.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1714
The attempt to delete all ghosts for users name and aliases was failing,
resulting into failure of whole user-add operation. In permissive mode,
the attempts to delete non-existent entries are not interpreted as
error.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1735
|
| |
|
|
|
|
| |
sss_cache did not accept fully quaified domain names.
https://fedorahosted.org/sssd/ticket/1620
|
| |
|
|
|
|
|
| |
The logic that checks if sssd_nss is running and then
sends SIGHUP to monitor or removes the caches was moved
to a function sss_memcache_clear_all() and made public in
tools_util.h.
|
| |
|
|
|
|
|
|
|
|
| |
If a fatal EFAULT error is returned by the internal function that frees used
memory invalidate the whole cache and reinit it. This way we avoid further
corruption and insure clients see consistent data.
Also insure we use the right context in init() and we use talloc_zfree() in
reinit so that if the init() later fails we do not leave around a pointer
to free memory in the callers.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We should never try to invalidate an already invalid record as
internal pointers will not be consistent. Carefully test that the
record really is valid when we are fishing for free space, and
properly invalidate records or return a fatal error if something
goes wrong.
In order to make the code more robust always invalidate the whole
data space on initialization by setting all bits to 1, and make sure
to invalidate the whole last allocated slot by converting rec->len to
the number of slots instead of just the space used.
|
| |
|
|
|
| |
We were holding up slots when entries were invalidated directly an not through
our primitive garbage collection scheme.
|
| |
|
|
|
|
|
| |
Although it should enver happen that we pass in an invalid hash it
is always better to just not do anything than access memory ouf of
the hash table. It can lead to segfaults, or worse referencing
memory that should not be touched.
|
| |
|
|
|
| |
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1687
|
| |
|
|
|
|
| |
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1708
The services kept the fd to /var/log/sssd/sssd.log open. I don't think
there's any point in keeping the logfiles open after exec-ing for the
child, so I set the CLOEXEC flag.
|
| |
|
|
|
| |
A recent patch introduced a glaring memory leak in the routines that clean up
memcache memory on initgroups calls.
|
| |
|
|
|
|
|
|
|
|
| |
When deleting a user we would fail the operation completely if the member
attribute was not found on one of the groups it was allegedly member of.
Failing in this case is unnecessary, and can cause issues.
Found trying to upgrade db versione (and failing) on one of my RHEL machines.
Also removed a tray \ in the companion function that removes ghost members,
that function needs no changes as it was already ignoring this kind of
failure.
|
| |
|
|
|
|
|
| |
This is an additional proteciont in case the provider misbheaves to avoid
having requests pending forever.
Fixes: https://fedorahosted.org/sssd/ticket/1717
|
| |
|
|
|
|
|
| |
We've been hitting situations where the sysdb conversion failed.
Unfortunately, the current code doesn't include enough debugging info to
pinpoint the failing entries. This patch adds more DEBUG statements for
each processed entry.
|
| |
|
|
|
|
|
|
|
|
| |
Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.
I think this is wrong an wildcards should only be used is all specific
lookups fail.
|
| |
|
|
|
|
|
| |
Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.
|
| | |
|
| |
|
|
|
| |
In order for sss_cache to work correctly, we must also signal the autofs
responder to invalidate the hash table requests.
|
| |
|
|
|
|
|
| |
The monitor sends calls different sbus methods to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1592
When a request for auto.master comes in, we need to remove all the maps
from the lookup hash table. We can't simply delete the maps, because
another request might be processing them, so instead the maps are
removed from the hash table, effectively becoming orphaned. The maps
will get freed when the timed destructor is invoked.
|
| |
|
|
|
|
|
|
|
| |
There is a timed desctructor in the autofs responder that, when the
entry timeout passes, removes the autofs map from the hash table while
the map is freed. This patch adds a hash delete callback so that if the
map is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
| |
|
|
|
|
| |
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
| |
|
|
| |
This sysdb API will be used later to invalidate the autofs maps
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
|
| |
|
|
| |
Reduces amount of code duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1706
|
| |
|
|
|
|
|
|
|
|
|
|
| |
src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’:
src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’:
src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’:
src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
