| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows to log
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0fcc9ed1c66bed7ef3a0bcd6c517280a82391d2b)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f3a5ac1a50c1fccd0801023658e42d2093e1a33a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1f3127e88a87953f059c9a70d3582ae1719594b1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2400
Netgroups often have members that will not process correctly when we
require a fully-qualified name. This patch simply ignores the
default_domain setting for netgroup lookups - we ignore FQDN only
domains for netgroup lookups since
1933ff17513da1d979dd22776a03478341ef5e6b anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e6d441518531e7931e29dd8c65a3448a213e3865)
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When upgrading from a 1.9 version with monolithic packaging to 1.10 or
later with per-provider subpackage, sssd-common can be upgraded (and
restarted) before the new sssd-$provider is restarted. This can lead to
a startup failure, because the sssd_be process from already upgraded
sssd-common would attempt to load a sssd_$provider.so from the
legacy sssd package.
Restarting the service in %posttrans makes sure all the packages are in
place when we restart the service.
Resolves:
https://fedorahosted.org/sssd/ticket/2399
(cherry picked from commit 192027debeaa991690160c3cb68480fe54ad8fdf)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
(cherry picked from commit a1e89ede4995f948abc1acc364246161df7cca2c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Data Provider lookup code user the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
(&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d8b8995ef1c3f2a6c85dc141aaff7eef3faf05c1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The meta server status consists of two parts:
A) port status - managed by failover mechanism
B) SRV lookup status - managed by SRV resolver
Both parts are resetted to "neutral" after some time, having
B timeout greater than A timeout.
We were hitting the following issue:
1. SRV lookup fails (DNS is not reachable), this will set A to
"not working and B to "resolve error". Then the next server is
tried but fails as well.
2. If SSSD tries to go back online the failover will set A to
"neutral" and it will try to resolve SRV again. But B status is
still set to "resolve error" since we haven't reached the timeout
yet and SRV resolution fails immediately. But the next server
is not tried since the port status (A) remains "neutral".
This patch sets the port status to "not working" making the
failover to continue with the next server as expected.
https://fedorahosted.org/sssd/ticket/2390
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5490fa3ea4f6a4118a5188acb0e05daa302ed9d6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds periodic check to test if
backend can exit offline mode and only
marks backend as not offline if server
for the service is available.
Prior to this patch we marked backend as not
offline if the offline_timeout was reached
without checking for the server availability
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8c4abd227035169e75cb081424765e65c52b5266)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 21bc143c2855638242e9dfe01ea66198b5883b8a)
|
| |
|
|
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 022c6b90bb37851c0e8704c0e5388ebc113c6470)
Conflicts:
Makefile.am
src/util/util.h
|
| |
|
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 462db32918a05097652f8232cd6c8d78a826e63c)
Conflicts:
Makefile.am
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit dfb2960ab251f609466fa660449703835c97f99a)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b5242c146cc0ca96e2b898a74fb060efda15bc77)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 87ff519b472568b19809963ca860d2182e874fcd)
|
| |
|
|
|
|
|
|
|
|
|
| |
D-Bus only supports 255 signatures which caused a segmentation fault
when sudo responder tried to refresh more rules at once.
Resolves:
https://fedorahosted.org/sssd/ticket/2387
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit dfef1d050c35398c6061256a947b4cc9c1f4b8e6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Memory leak can happen with long living clients where there are records with
colliding hashes; usually LDAP servers with many users or groups.
Function sss_nss_mc_get_record allocates memory that is stored into "rec",
with next iteration variable rec is overriden with new record and old
one is lost and cannot be freed.
Example code flow:
src/sss_client/nss_mc_group.c:133: alloc_arg: "sss_nss_mc_get_record" allocates memory that is stored into "rec".
src/sss_client/nss_mc_common.c:216:13: alloc_fn: Storage is returned from allocation function "malloc".
src/sss_client/nss_mc_common.c:216:13: var_assign: Assigning: "copy_rec" = "malloc(rec_len)".
src/sss_client/nss_mc_common.c:225:9: noescape: Resource "copy_rec" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
src/sss_client/nss_mc_common.c:239:5: var_assign: Assigning: "*_rec" = "copy_rec".
src/sss_client/nss_mc_group.c:163: noescape: Resource "rec" is not freed or pointed-to in "sss_nss_mc_next_slot_with_hash".
src/sss_client/nss_mc_common.c:294:60: noescape: "sss_nss_mc_next_slot_with_hash(struct sss_mc_rec *, uint32_t)" does not free or save its pointer parameter "rec".
src/sss_client/nss_mc_group.c:133: overwrite_var: Overwriting "rec" in call to "sss_nss_mc_get_record" leaks the storage that "rec" points to.
src/sss_client/nss_mc_common.c:239:5: write_notnull_to_parm: Assigning: "*_rec" = "copy_rec".
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9d876108620931e0941a115adf60bfd8d67459d9)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In multi threaded application, it may happen that more threads will call
function getpwuid(or similar) and sss client will not have initialized
structure for fast memory cache. This structure is initialized just once.
There isn't any problem with multi threaded application after successful
initialisation.
The race condition will happen if more threads try to initialise structure
sss_cli_mc_ctx in function sss_nss_mc_get_ctx (ctx->initialized is false)
It takes some time to initialise mmap cache: open file, get file size, mmap
file, initialize structure sss_cli_mc_ctx. One of problems is that file with
memory cache can be opened more times (file descriptor leak), but the race
condition is with initialising structure sss_cli_mc_ctx. One tread will start
to initialise this structure; another thread will think that structure is
already initialised and will check consistency of this structure. It will fail
because 1st thread did not finish initialisation. Therefore 2nd thread will
return EINVAL and will do clean up in done section: munmap, close file and
reset structure data. The 1st thread will finish an try to use memory cache,
but structure was zero initialised by 2nd thread and it will cause dereference
of NULL pointer in 1st thread (SIGSEGV) or dividing by zero in murmurhash
function(SIGFPE)
Function sss_nss_mc_get_ctx was split into two parts for simplification
of locking and unlocking. The locking is used only in new static function
sss_nss_mc_init_ctx. This function will not be called very often therefore the
same mutex is used as in other nss functions.
Resolves:
https://fedorahosted.org/sssd/ticket/2380
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0d22416f94dff7756091e983518ed3684cc9597a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.
The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7c30e60c525ea798aaab142766ff00eef4b5df3b)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ed346bcc84b8a326996e5550771773d8e63f17c2)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6fa71b990d7068d66b98015ae54aae399cc84f1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Resolving groups obtained via Token-Groups in case of disabled ID mapping may
lead to failure as non-posix groups are not resolved. This patch amends
sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is
returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1614e1b25a98ff2f03648c4bf61d750fb688285a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
|
| |
|
|
|
|
|
|
| |
The system bus has the ability to start services on demant. This patch
adds the sysbus service activation file that, currently, only calls the
sss_signal tool to signal the monitor.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
A minimal tool whose only purpose is to signal the monitor with
SIGUSR2. The tool will be executed by the system bus in order to provide
system activation, so it's packaged in libexec.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
When the monitor receives SIGUSR2, it also signals the IFP responder to
attempt to reconnect to the system bus using the sysbusReconnect SBUS
method. No action is taken by other responders.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Introduces a new method implemented only by the IFP responder. When this
method is received, the responder attempts to reconnect to the system
bus, if not connected already.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
We need to treat the failure to connect to the system bus as non-fatal.
In this commit, we introduce a special error code and only print a DEBUG
message when this error code is returned from the startup function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
The DEBUG messages in the IFP responder predated Nikolai's mass-patches
and were not converted correctly.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
We fprintf the introspection data on demand rather than printing an XML
file. The directory specification can be removed.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch back to using DISTCHECK_CONFIGURE_FLAGS instead of the
AM_-version in Makefile.am, as the latter is not supported by Automake
version in RHEL6.
Instead, use a special variable AUX_DISTCHECK_CONFIGURE_FLAGS to
augment distcheck target configure flags from the command line.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c6e39e15178675d0779e0ae855245774a09b4eb5)
Conflicts:
Makefile.am
|
| |
|
|
|
|
|
|
|
|
| |
We detect all necessary feature macros in configure script
using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE.
This patch replaces all definitions of macro _XOPEN_SOURCE with
header file config.h
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5389b3714be747f1a11ac51beb0c5988cfb6c240)
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit b5f61c9b3f5ea79bf319c18ff59394070c04d607)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2349
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26510727739c3e8d14f804568e496b7d7b073964)
|
| | |
|
| |
|
|
|
|
|
| |
Commit 2d9df96c8a801ababcb136f665f3f1ebd0ac05c1 was pushed to sssd-1-11
after I pushed the translation updates already. This patch synchronizes
the translations with the tip of the sssd-1-11 branch before the
release.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by: scan-build
krb5_free_principal(cc->context, ccprinc);
^~
warning: Access to field 'context' results in a dereference of a null pointer
(loaded from variable 'cc')
Variable 'cc' needn't be initialised if function sss_open_ccache_as_user
fails.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 7fa8c51e7ece2f4fed046d9f2a43d20c13db645c)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2291
The dbus tests that mock an sbus server were failing when make distcheck
was ran by a user logged in through the SSSD.
The reason was that the libtool wrapper around the test library alters
the LD_LIBRARY_PATH and as a consequence, the standard getpwuid_r() calls
the dbus server performs would load the in-tree NSS library and not the
system one. The-in tree library would then attempt to talk to an in-tree
NSS socket, fail, which would fail the getpwuid_r call with an error such as:
"""
Could not get password database information for UID of current process:
User "???" unknown or no memory to allocate password entry
"""
This patch adds a new configure-time option called --enable-dbus-tests
that is enabled by default and disabled during distcheck. When the
option is disabled, the tests that require a mocked dbus server are not
compiled at all.
(cherry picked from commit 4bd20c075f0f187db0181dc53d00ab6cd47fdb4d)
Conflicts:
Makefile.am
src/conf_macros.m4
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use AM_DISTCHECK_CONFIGURE_FLAGS in Makefile.am instead of
DISTCHECK_CONFIGURE_FLAGS to allow using the latter at build time,
upon making distcheck target.
In particular, the above would allow specifying --with-test-dir option
to help archive test data in CI runs, like this:
make distcheck DISTCHECK_CONFIGURE_FLAGS=--with-test-dir=/dev/shm/ci-test-dir
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 8d15291907aaa4d50bb66fdb7a5002fce7ac7bf4)
Conflicts:
Makefile.am
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 8d5d91878875fec2930b37ff79ef6bb6782faa65)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
man gethostanme says:
NOTES
SUSv2 guarantees that "Host names are limited to 255 bytes".
POSIX.1-2001 guarantees that "Host names (not including the terminating
null byte) are limited to HOST_NAME_MAX bytes". On Linux,
HOST_NAME_MAX is defined with the value 64, which has been the limit
since Linux 1.0 (earlier kernels imposed a limit of 8 bytes).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit bf6f1b3d49e17b1adf0448c0b06e94b1e52ddffd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older versions of glibc requires extra feature macros
for function open_memstream.
fmemopen(), open_memstream(), open_wmemstream():
Since glibc 2.10:
_XOPEN_SOURCE >= 700 || _POSIX_C_SOURCE >= 200809L
Before glibc 2.10:
_GNU_SOURCE
src/sbus/sssd_dbus_introspect.c: In function 'introspect_begin':
src/sbus/sssd_dbus_introspect.c:82: error: implicit declaration of function 'open_memstream'
src/sbus/sssd_dbus_introspect.c:82: warning: assignment makes pointer from integer without a cast
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
