| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Also fixes a warning about uninitialized 'method' as the 'method'
variable was unused and not set previously when introspecting.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2313
|
|
|
|
|
|
|
|
|
|
|
|
| |
- use brackets after an if
- use the right variable name (candidate_domain instead of
candidate_name).
- fix a typo in a debug message
- only print a debug message about using a default domain when using a
default domain
- add a comment explaning when is a codepath executed
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
The code of sss_parse_name_for_domains is really complex and hard to
read. This patch adds a unit test to be able to see the function being
used.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't add --with-syslog=journald to extra_distcheck_flags if configured
with systemd (--with-initscript=systemd). Add it if configured with
journald (--with-syslog=journald) instead. This fixes distcheck target
when configured with systemd, but without journald.
Don't install journal.conf helping with enabling journald logging,
unless configured with journald (--with-syslog=journald), as it would be
useless and misleading.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Files sss_ldap.c, user_info_msg.c were built in libsss_{ad,ipa,ldap}.so.
In these two files, there are functions sss_ldap_get_diagnostic_msg,
pack_user_info_chpass_error which are needed in libsss_ldap_common.so
sss_ldap_get_diagnostic_msg is used in src/providers/ldap/sdap_async.c,
src/providers/ldap/sdap_async_connection.c
pack_user_info_chpass_error is used in src/providers/ldap/ldap_auth.c
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Functions from module sss_krb5.c were duplicated in many libraries.
e.g. symol check_fast was in libsss_ad.so, libsss_ipa.so,
libsss_krb5.so, libsss_ldap.so
This patch also remove duplicate files between libsss_ldap.so and
libsss_krb5_common.so. libsss_ldap.so has already depended on libkrb5.
Now, it will depend on libsss_krb5_common.so
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Functions from module find_uid.c were duplicated in many libraries.
e.g. symol check_if_uid_is_active was in libsss_ad.so, libsss_ipa.so,
libsss_krb5.so, libsss_ldap.so
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Library libsss_ldap.so does not directly use functions from library
libsss_idmap.so. It only call function sdap_idmap_init (from file sdap_idmap.c)
which is in library libsss_ldap_common.so
sh-4.2$ nm -D --undefined-only /usr/lib64/sssd/libsss_ldap.so | grep idmap
U sdap_idmap_init
On the other hand, libsss_ldap_common.so uses functions from libsss_idmap
but it was not linked to libsss_idmap.so.
sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ldap_common.so | grep idmap
sh-4.2$ echo $?
1
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The symbol add_key (from libkeyutils) is used by
function add_user_to_delayed_online_authentication
(from file src/providers/krb5/krb5_delayed_online_authentication.c)
which is part of libsss_krb5_common.so
Fixes following error:
[sssd[be[default]]] [load_backend_module]
(0x0010): Unable to load ad module with path
(/usr/lib64/sssd/libsss_ad.so), error:
/usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key
-lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so,
but when compiling with -Wl,--as-needed this flag will be ignored,
since it is not used directly. So it was unavailable to
libsss_krb5_common.so which actually needs it.
This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to
libsss_krb5_common.so
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2234
This patch generates the introspection data from the sbus interface meta
structure. The generated XML conforms to
http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format
The XML description of the interface also always includes the
org.freedesktop.DBus.Introspectable interface, which this patch also allows
in the policy settings.
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2239
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Until now there was only one timeout used to re-resolve SRV queries.
This patch adds new (shorter) timeout that will be used for queries that
previously failed.
Resolves:
https://fedorahosted.org/sssd/ticket/1885
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sssd.service was assigned to the dist_systemdunit_DATA variable.
Automake will install this file into the systemd unit directory after building
it if necessary. Automake will also include this generated file in the tarball.
As a result, when building sssd from the tarball, the paths needn't be
recreated.
The files in DATA primaries are added as dependencies to the all target
via the internal all-am target. If sssd.service doesn’t exist, make will look
for a rule to build it. Since there is such a rule, make will simply execute
that rule when I build the all target.
Resolves:
https://fedorahosted.org/sssd/ticket/2314
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We were assuming that the forest had been looked up by netlogon, but
this is not available on Samba 4 domains. We need to check that the
forest is NULL and force the lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/2311
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Return value of sss_dp_get_account_recv is checked and logging is done accordingly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Instead, let the user pick the fork mode with CK_FORK variable (see info
check)
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
debug_prg_name is used in debug_fn and it was allocated under
talloc context "kr". The variable "kr" was removed before the last debug
messages in function main. It is very little change that it will be overridden.
It is possible to see this issue with exported environment variable
TALLOC_FREE_FILL=255
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
There is a warning if nsupdate does not support realm.
warning: zero-length gnu_printf format string [-Wformat-zero-length]
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
The 'else' branches in ipa_get_selinux_recv are never
executed (and even if they were, the result would be
the same as if the true branches were taken).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Installation-Directory-Variables.html
Most of these variables have values that rely on prefix or exec_prefix. It is
deliberate that the directory output variables keep them unexpanded: typically
‘@sbindir@’ is replaced by ‘${exec_prefix}/sbin’, not ‘/usr/local/sbin’.
This behavior is mandated by the GNU Coding Standards.
Installation directory variables (sbindir, pkgdatadir ...) should be used
only in makefiles. Similarly, we should not rely on AC_CONFIG_FILES to replace
sbindir and friends in shell scripts and other files; instead, let make
manage their replacement.
Resolves:
https://fedorahosted.org/sssd/ticket/2293
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
There is no need for client socket in IFP responder,
since it uses D-Bus for communication with clients.
Resolves:
https://fedorahosted.org/sssd/ticket/2290
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If LDAP entries have more then one attribute "automountKey"
automount map will be skipped and error message will be printed to log files
and sssd_be will crash.
DEBUG(SSSDBG_MINOR_FAILURE, "Malformed entry, skipping\n");
The output array with automount maps will contain uninitialized pointers
because array was terminated after the expected count of entries and not
after the last successfully retrieved entry
Resolves:
https://fedorahosted.org/sssd/ticket/2288
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
Adds the possibility for the InfoPipe responder to connect to the system bus.
At the moment, only a dummy method "Ping" is provided. The method only
accepts a single string parameter that has to be 'ping'.
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet.
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove support for "--with-distro-version" configure option as unused.
The option was added in August 2011 (d3da1c1). As of now nothing seems
to use it. Packaging checked: rpm, deb, pacman, ebuilds, FreeBSD ports.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2300
The list of SELinux mapping orders was allocated on tmp_ctx and parsed
into an array. The array itself was correctly allocated on mem_ctx but
its contents remained on tmp_ctx, leading to a use-after-free error.
This patch fixes the memory hierarchy so that both the array and its
contents are allocated on mem_ctx.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2285
Only the forest root has the knowledge about all the domains in the
forest, the forest leaves only see themselves and the forest root.
This patch switches to connecting to the forest root for downloading the
trusted domains instead of the server we are connected to.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct
sysdb_attrs" if attribute is not among available attributes. Array will be
enlarged with function talloc_realloc but realloc can move array to another
place in memory therefore ldb_message_element should not be used after next
call of function sysdb_attrs_get_el
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);
With netgroups, it is common to omit user or host from netgroup triple.
There is very high probability that realloc will be called. it is possible
pointer user_found can refer to the old area after the second call of function
sysdb_attrs_get_el.
Resolves:
https://fedorahosted.org/sssd/ticket/2284
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
After changing the Kerberos password krb5-child will try to get a fresh
TGT with the new password. This patch tries to make sure the right gic
options are used.
Resolves: https://fedorahosted.org/sssd/ticket/2289
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Additionally the lifetime option flags are unset if there are no
explicit settings to make sure the defaults from krb5.conf are used even
if other values were set manually in between.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bash function daemon will call success or fail. It is useless to call them
one more time. It may cause strange behaviour with some configurations of
terminal.
# service sssd restart
Stopping sssd: [ OK ]
[ OK ] sssd: [ OK ]
Resolves:
https://fedorahosted.org/sssd/ticket/2280
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1451
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2037
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
sss_parse_name now supports NULL as output parameters so existing calls passing
arguments which were never read were substituted by NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
From krb5ccache_dir to krb5_ccachedir
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had in source code following pattern #elif HAVE_<name>
It worked because undefined identifier(in some cases) was evaluated to 0.
But we do not care about value of HAVE_SOMETHING. We just need to know
whether identifier was defined.
There is not equivalent to #ifdef (short for of #if definded)
We need to use long form: #elif defined HAVE_<name>
It causes also compiler warning with enabled compiler flag -Wundef.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|