summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Updating the translations for the 1.11.5 releasesssd-1_11_5Jakub Hrozek2014-04-0836-5345/+6797
|
* Makefile: Use alternative method to replace *bindirLukas Slebodnik2014-04-042-2/+22
| | | | | | | | | | | | | | | | | | | https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Installation-Directory-Variables.html Most of these variables have values that rely on prefix or exec_prefix. It is deliberate that the directory output variables keep them unexpanded: typically ‘@sbindir@’ is replaced by ‘${exec_prefix}/sbin’, not ‘/usr/local/sbin’. This behavior is mandated by the GNU Coding Standards. Installation directory variables (sbindir, pkgdatadir ...) should be used only in makefiles. Similarly, we should not rely on AC_CONFIG_FILES to replace sbindir and friends in shell scripts and other files; instead, let make manage their replacement. Resolves: https://fedorahosted.org/sssd/ticket/2293 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Possible null dereference in SELinux codeMichal Zidek2014-04-041-2/+2
| | | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 7ac7dec08ec2c82a86fd6a90388993cfcee26da1)
* TESTS: Link libsss_test_common with teventLukas Slebodnik2014-04-041-1/+2
| | | | | | | Static library libsss_test_common calls tevent functions directly (in module common_tev.c), but it was not linked with tevent library. (cherry picked from commit 25c394fc9d09aa7f58700e67b942aba86505934a)
* Makefile: Add missing library to the dp_opt_testsLukas Slebodnik2014-04-041-0/+1
| | | | | | | | | | | | | dp_opt_tests cannot be linked properly if link_all_deplibs is disabled (debian) /usr/bin/ld: src/tests/cmocka/dp_opt_tests-test_dp_opts.o: undefined reference to symbol 'poptFreeContext@@LIBPOPT_0' /usr/bin/ld: note: 'poptFreeContext@@LIBPOPT_0' is defined in DSO /lib64/libpopt.so.0 so try adding it to the linker command line /lib64/libpopt.so.0: could not read symbols: Invalid operation Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 5c36e1f8901a4baff2b51d81d87c2b577f84fef6)
* IPA: Fix SELinux mapping order memory hierarchyJakub Hrozek2014-04-031-8/+8
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2300 The list of SELinux mapping orders was allocated on tmp_ctx and parsed into an array. The array itself was correctly allocated on mem_ctx but its contents remained on tmp_ctx, leading to a use-after-free error. This patch fixes the memory hierarchy so that both the array and its contents are allocated on mem_ctx. (cherry picked from commit 355b8a655cfcc4e783077d12f76b55da1d23fb87) Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: connect to forest root when downloading the list of subdomainsJakub Hrozek2014-04-021-9/+363
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2285 Only the forest root has the knowledge about all the domains in the forest, the forest leaves only see themselves and the forest root. This patch switches to connecting to the forest root for downloading the trusted domains instead of the server we are connected to. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Use function sysdb_attrs_get_el in safe wayLukas Slebodnik2014-03-311-10/+7
| | | | | | | | | | | | | | | | | | | | | Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct sysdb_attrs" if attribute is not among available attributes. Array will be enlarged with function talloc_realloc but realloc can move array to another place in memory therefore ldb_message_element should not be used after next call of function sysdb_attrs_get_el sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found); sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found); With netgroups, it is common to omit user or host from netgroup triple. There is very high probability that realloc will be called. it is possible pointer user_found can refer to the old area after the second call of function sysdb_attrs_get_el. Resolves: https://fedorahosted.org/sssd/ticket/2284 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
* KRB5: Do not attempt to get a TGT after a password change using OTPJakub Hrozek2014-03-264-3/+52
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* krb5-child: add revert_changepw_options()Sumit Bose2014-03-211-0/+22
| | | | | | | | | | After changing the Kerberos password krb5-child will try to get a fresh TGT with the new password. This patch tries to make sure the right gic options are used. Resolves: https://fedorahosted.org/sssd/ticket/2289 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option()Sumit Bose2014-03-211-16/+16
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5-child: extract lifetime settings into set_lifetime_options()Sumit Bose2014-03-211-34/+55
| | | | | | | | Additionally the lifetime option flags are unset if there are no explicit settings to make sure the defaults from krb5.conf are used even if other values were set manually in between. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5_child: remove unused option lifetime_str from k5c_setup_fast()Sumit Bose2014-03-211-6/+3
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSV: Do not call functions success and fail itselfLukas Slebodnik2014-03-201-1/+1
| | | | | | | | | | | | | | | Bash function daemon will call success or fail. It is useless to call them one more time. It may cause strange behaviour with some configurations of terminal. # service sssd restart Stopping sssd: [ OK ] [ OK ] sssd: [ OK ] Resolves: https://fedorahosted.org/sssd/ticket/2280 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Use KRB5_CFLAGS where appropriateAlexey Shabalin2014-03-142-2/+15
| | | | | | | | | | There are cases when MIT Kerberos is installed with includes in a subdirectory of /usr/include (or /usr/local/include). In such case we have to properly use KRB5_CFLAGS to reach them. https://fedorahosted.org/sssd/ticket/2226 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add ignore_unknown_user optionPete Fritchman2014-03-142-0/+24
| | | | | | | https://fedorahosted.org/sssd/ticket/2232 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d987dba42894aceff106d557b13812092028cc29)
* providers: Fix types passed to dbus varargs functionsStef Walter2014-03-142-12/+27
| | | | | | | | | | | | | | | | | | | | Fix some incorrect types passed to dbus_message_get_args(), dbus_message_append_args() or functions accepting similar varargs and types. In particular sizeof(bool) != sizeof(dbus_bool_t) on most platforms. This probably only worked because the compiler was aligning stack variables and so writing off the end of one of them wasn't the end of the world. In addition fix cases where int != int32_t != uint32_t. Although these will work on many common platforms, assuming these are interchangeable is not cross platform safe. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 5bad17538eab85ce69e0355cd25b52b4a473cc36)
* IPA: Write SELinux usernames in the right caseJakub Hrozek2014-03-131-5/+21
| | | | | | https://fedorahosted.org/sssd/ticket/2282 Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: Continue if sssd failes to check extra membersLukas Slebodnik2014-03-121-0/+1
| | | | | | | | | | | | | | Reported by scan-build for (mi = 0; group_only[mi]; mi++) { ^~~~~~~~~~ warning: Array access (from variable 'group_only') results in a null pointer dereference It can happend if function ad_group_extra_members fails (ret != EOK) Reviewed-by: Simo Sorce <simo@redhat.com> (cherry picked from commit bad65473c4c28ecbf2b6bd374a7ae2d634d57d8d)
* IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migrationSumit Bose2014-03-121-0/+4
| | | | | | | Fixes https://fedorahosted.org/sssd/ticket/2279 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 63bf0b7697d5a51b5338070d0e2652d49a4728ce)
* IPA: Use the correct domain when processing SELinux rulesJakub Hrozek2014-03-111-10/+16
| | | | | | | | | | | We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user. https://fedorahosted.org/sssd/ticket/2270 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
* MAN: Clarify the GC support a bitJakub Hrozek2014-03-111-5/+13
| | | | | | | | | | It should be noted that disabling GC does *not* disable lookups from trusted domains. Disabling GC might be a a good way for admins who wish to use POSIX attributes in trusted domains and the man page should hint this option. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit fdaaf2525e333af04ee9b48429b6766b5fd6cab6)
* AD: Only connect to GC for subdomain usersJakub Hrozek2014-03-111-0/+17
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2251 By connecting to GC for users from both trusted domains and parent domain, we lose the ability to download the shell and homedir if these are used with ID mapping. This patch changes the user lookups only. Changing the logic for all lookups would break cross-domain group memberships, for example. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
* IPA: Use GC for AD initgroup requestsSumit Bose2014-03-101-6/+15
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix krb5 changepw when FAST-only preauth methods are used (like OTP)Nathaniel McCallum2014-03-101-34/+6
| | | | | | | | | | | | | | | | | | | | | Before this patch, a different set of options was used when calling krb5_get_init_creds_password() for the changepw principal. Because this set of options did not contain the same FAST settings as the options for normal requests, all authentication would fail when the password of a FAST-only account would expire. The two sets approach was cargo-cult from kinit where multiple requests could be issued using the same options set. However, in the case of krb5_child, only one request (or occasionally a well-defined second request) will be issued. Two option sets are therefore not required. To fix this problem we removed the second option set used for changepw requests. All requests now use a single option set which is modified, if needed, for well-defined subsequent requests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Do not save intermediate data to sysdbJakub Hrozek2014-03-051-28/+28
| | | | | | https://fedorahosted.org/sssd/ticket/2264 Reviewed-by: Sumit Bose <sbose@redhat.com>
* ipa-server-mode: use lower-case user name for home dirSumit Bose2014-03-031-1/+10
| | | | | | | | | | | | In older IPA server versions where the AD users where looked up by winbind the user name component of the home directory path was always lower case. This still holds for IPA clients as well. To avoid regression this patch makes the user name component lower case as well. Fixes https://fedorahosted.org/sssd/ticket/2263 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
* SUDO: AD providerSumit Bose2014-03-028-7/+122
| | | | | | | | | | | | | | | This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different setting. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
* config API: add missing subdomain target to AD provider testSumit Bose2014-03-021-1/+1
| | | | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit b564424a77c7c3b361c944e0623023d0cfea2c9f)
* libsss_idmap: bump version-infoSumit Bose2014-02-261-1/+1
| | | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 034ffb3c69cd04f03b36b89766c47a7c9bd9b831)
* DOC: Fix names of arguments in doxygen commentsLukas Slebodnik2014-02-263-5/+5
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 3b35ff47651e4893ce537a273466766b962362da)
* MAN: Clarify that changing ID mapping options might require purging the cacheJakub Hrozek2014-02-261-0/+42
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2252 Currently SSSD chokes when IDs of users change, we don't support ID changes yet. Because some users were confused about the failures, this patch adds additional clarification. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
* MAN: Clarify the ldap_access_filter option furtherJakub Hrozek2014-02-261-4/+5
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2235 The memberof example was misleading and was making aministrators think that the ldap_access_filter can resolve nested group memberships. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
* DP: Provide separate dp_copy_defaults functionJakub Hrozek2014-02-266-22/+476
| | | | | | | https://fedorahosted.org/sssd/ticket/2257 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 90afedb00608547ae1f32aa7aafd552c4b306909)
* OPTS: Allow using defaults for blobsJakub Hrozek2014-02-261-0/+3
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit ddd21d5dc3c89712d9286d1f66f4b2af73651cf2)
* IPA: check ranges for collisions before saving themSumit Bose2014-02-261-20/+63
| | | | Fixes https://fedorahosted.org/sssd/ticket/2253
* IPA: refactor idmap code and add testSumit Bose2014-02-264-147/+373
|
* IDMAP: add sss_idmap_check_collision(_ex)Sumit Bose2014-02-263-37/+244
|
* UTIL: Sanitize whitespaces.Lukas Slebodnik2014-02-261-0/+10
| | | | | | | | | | | | | Original patches submitted by: mpesari(Thanks!!) It can cause problems if user will hit spaces before entering username. (e.g in gdm). Spaces are ignored by LDAP; it's better to escape them. Resolves: https://fedorahosted.org/sssd/ticket/1955 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2b8208b45feb2aab64d560d3e12e01e7b6d00d39)
* LDAP: Setup periodic task only once.Lukas Slebodnik2014-02-261-13/+41
| | | | | | | | | | | | | | | If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init If you enable enumeration and use different providers for id and sudo(autofs) then another periodic task will be scheduled. This can cause weird behaviour (e.g. missing members of group) Perodic tasks will be started only by id_provider. Resolves: https://fedorahosted.org/sssd/ticket/2153 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 057cb583f02bf47678c393cb8f1f74861c2b960b)
* IPA: Don't fail if apply_subdomain_homedir returns ENOENTJakub Hrozek2014-02-201-1/+1
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
* SPEC: Use systemd on available platformsLukas Slebodnik2014-02-201-1/+1
|
* IPA: Don't call tevent_req_post outside _sendJakub Hrozek2014-02-201-1/+0
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
* Updating the version for the 1.11.5 releaseJakub Hrozek2014-02-171-1/+1
|
* Updating translations for the 1.11.4 releasesssd-1_11_4Jakub Hrozek2014-02-1737-6537/+6980
|
* MAN: Clarify the new krb5_use_fast IPA defaultJakub Hrozek2014-02-172-1/+35
|
* IPA: default krb5_fast_principal to host/$client@$realmPavel Březina2014-02-171-3/+5
| | | | | | | | | If krb5_fast_principal is not set in sssd.conf it was set to host/$client, KRB5 default realm was used which doesn't have to be the same as realm used for IPA, thus authentication failed when using FAST. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> (cherry picked from commit e325cabe762fad7d696e014a7fdbb47a5cb8174a)
* IPA: Default to krb5_use_fast=tryJakub Hrozek2014-02-132-1/+28
| | | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* SSS_CACHE: Reset the initgroups attribute when resetting usersJakub Hrozek2014-02-121-0/+6
| | | | | (cherry picked from commit 30ee051025753b63ceb19d3b83c44019a19554a1) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Handle errors from sdap_id_op properly in enum codeJakub Hrozek2014-02-121-1/+41
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 93dabb2fe0a798f22bb802b9c6521ab9e6a4ac36)