| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Although it should enver happen that we pass in an invalid hash it
is always better to just not do anything than access memory ouf of
the hash table. It can lead to segfaults, or worse referencing
memory that should not be touched.
|
| |
|
|
|
| |
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1687
|
| |
|
|
|
|
| |
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1708
The services kept the fd to /var/log/sssd/sssd.log open. I don't think
there's any point in keeping the logfiles open after exec-ing for the
child, so I set the CLOEXEC flag.
|
| |
|
|
|
| |
A recent patch introduced a glaring memory leak in the routines that clean up
memcache memory on initgroups calls.
|
| |
|
|
|
|
|
|
|
|
| |
When deleting a user we would fail the operation completely if the member
attribute was not found on one of the groups it was allegedly member of.
Failing in this case is unnecessary, and can cause issues.
Found trying to upgrade db versione (and failing) on one of my RHEL machines.
Also removed a tray \ in the companion function that removes ghost members,
that function needs no changes as it was already ignoring this kind of
failure.
|
| |
|
|
|
|
|
| |
This is an additional proteciont in case the provider misbheaves to avoid
having requests pending forever.
Fixes: https://fedorahosted.org/sssd/ticket/1717
|
| |
|
|
|
|
|
| |
We've been hitting situations where the sysdb conversion failed.
Unfortunately, the current code doesn't include enough debugging info to
pinpoint the failing entries. This patch adds more DEBUG statements for
each processed entry.
|
| |
|
|
|
|
|
|
|
|
| |
Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.
I think this is wrong an wildcards should only be used is all specific
lookups fail.
|
| |
|
|
|
|
|
| |
Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.
|
| | |
|
| |
|
|
|
| |
In order for sss_cache to work correctly, we must also signal the autofs
responder to invalidate the hash table requests.
|
| |
|
|
|
|
|
| |
The monitor sends calls different sbus methods to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1592
When a request for auto.master comes in, we need to remove all the maps
from the lookup hash table. We can't simply delete the maps, because
another request might be processing them, so instead the maps are
removed from the hash table, effectively becoming orphaned. The maps
will get freed when the timed destructor is invoked.
|
| |
|
|
|
|
|
|
|
| |
There is a timed desctructor in the autofs responder that, when the
entry timeout passes, removes the autofs map from the hash table while
the map is freed. This patch adds a hash delete callback so that if the
map is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
| |
|
|
|
|
| |
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
| |
|
|
| |
This sysdb API will be used later to invalidate the autofs maps
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
|
| |
|
|
| |
Reduces amount of code duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1706
|
| |
|
|
|
|
|
|
|
|
|
|
| |
src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’:
src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’:
src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’:
src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
| |
|
|
|
|
|
|
|
| |
The pam responder was not properly configured to recover from a backend
disconnect. The connections that were in flight before the disconnection
were never freed and new requests for the same user would just pile up on
top of the now phantom requests.
Fixes: https://fedorahosted.org/sssd/ticket/1655
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1659
|
| |
|
|
|
| |
Functions nss_cmd_getXXnam remove entries from memory cache if
not found in sysdb cache of a local domain.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1677
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1701
|
| |
|
|
|
|
| |
expression
https://fedorahosted.org/sssd/ticket/1690
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1680
Bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1704
The function is short enough so that we can simply stick with return and
release resources before returning as appropriate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1703
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
The PROXY provider wasn't storing credentials to negative cache due to
bad return value. This was delegated from attempt to delete these
credentials from local cache. Therefore ENOENT is replaced as EOK.
|
| | |
|
| |
|
|
|
|
|
|
| |
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1695
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1686
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1683
The result of the percent calculation was always 0 as it used plain
ints. The patch switches to using explicit floats to avoid reintroducing
the bug again even with brackets.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1652
It is possible to simply reset the list of ghost users to a different one
during a modify operation. It is also actually how we update entries that
are expired in the SSSD cache.
In this case, we must be careful and retain the ghost users that are not
native to the group we are processing but are rather inherited from child
groups. The intention of the replace operation after all is to set the
list of direct members of that group, not direct and indirect.
|
