summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* GPO: Use sss_unique_file and close fd on failureHEADmasterJakub Hrozek2015-09-011-16/+14
| | | | | | | | The GPO child didn't remove temporary file on failure and didn't close the fd on failure (the latter was not much of a problem for a short-lived child process). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* intg_tests: Add regression test for 2163Lukas Slebodnik2015-09-011-0/+40
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: send less logs to syslogPavel Reichl2015-09-011-0/+42
| | | | | | | | | Create new callback that handles logging messages in cyrus sasl library. Resolves: https://fedorahosted.org/sssd/ticket/2561 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: Add a special error code for messages sent by the bus itselfJakub Hrozek2015-09-014-1/+10
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: Initialize errno if constructing message fails and add debug messagesJakub Hrozek2015-09-011-0/+6
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Fixing Makefile.am for util/sss_cli_cmd.hmpgfixPetr Cech2015-09-011-0/+1
| | | | | | | | | Last patch for ticket 2708 broke make distcheck. This is fix. Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* NSS: Don't ignore backslash in usernames with ldap providerLukas Slebodnik2015-09-014-5/+17
| | | | | | | | | | The regression was caused by changing default domain regex for ldap provider in ticket #2717 Resolves: https://fedorahosted.org/sssd/ticket/2772 Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: end on ENOMEMPavel Reichl2015-08-311-0/+1
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssd: incorrect checks on length values during packet decodingMichal Židek2015-08-317-22/+22
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
* UTIL: Function 2string for enum sss_cli_commandPetr Cech2015-08-317-55/+306
| | | | | | | | | | | | Improvement of debug messages. Instead of:"(0x0400): Running command [17]..." We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Removing part of responder_cache_req-testsPetr Cech2015-08-311-211/+0
| | | | | | | | | | | | | | | | | | | | If you call cache_req_[user|group]_by_filter_send() it than later calls updated_[users|groups]_by_filter(), which adds filter that is called "recent". This filter causes that only [users|groups] added after the request started are returned. This patch removes tests which use cache_req_[user|group]_by_filter_send(), because the logic of those tests is corrupted. The tests create [users|groups] and after it, they call cache_req_[user|group]_by_filter_send(). So it is obvious that it is not in the right manner. Possible fix is rewrite the tests to create the entries in the callback. Works around: https://fedorahosted.org/sssd/ticket/2730 Reviewed-by: Michal Židek <mzidek@redhat.com>
* TESTS: fix fail in test_id_cleanup_exp_groupPavel Reichl2015-08-311-1/+1
| | | | | | | | | Test was named same as the folder containing its data. Resolves: https://fedorahosted.org/sssd/ticket/2768 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: ldap_id_cleanup timeoutsMichal Židek2015-08-311-4/+7
| | | | | | | | | The one second timeout interval was sometimes too short when the tests where running under Valgrind in the CI and the entries expired too soon. Reviewed-by: Petr Cech <pcech@redhat.com>
* sss_override: document --debug optionsPavel Březina2015-08-312-4/+37
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2758 Reviewed-by: Petr Cech <pcech@redhat.com>
* NSS: Fix use after freeLukas Slebodnik2015-08-202-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It can happed if there are two domains and user is not found in the first one. ==29279== Invalid read of size 1 ==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2) ==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191) ==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208) ==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759) ==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802) ==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96) ==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911) ==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114) ==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd ==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2) ==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190) ==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208) ==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759) ==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802) ==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96) ==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911) ==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114) Resolves: https://fedorahosted.org/sssd/ticket/2749 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_override: support import and exportPavel Březina2015-08-203-3/+675
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2737 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_override: decompose code betterPavel Březina2015-08-201-109/+181
| | | | | | | Preparation for: https://fedorahosted.org/sssd/ticket/2737 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TOOLS: add sss_colondb APIPavel Březina2015-08-202-0/+378
| | | | | | To simplify import/export users and groups. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_override: support domains that require fqnamePavel Březina2015-08-201-2/+57
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2757 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_override: print input name if unable to parse itPavel Březina2015-08-201-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Index the objectSIDString attributeJakub Hrozek2015-08-193-1/+61
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* sdap_async: Use specific errmsg when availableMichal Židek2015-08-191-2/+8
| | | | | | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2762 Use specific errmsg when ldap returns LDAP_CONSTRAINT_VIOLATION code if that specific message is available. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSH: Use sss_unique_file_ex to create the known hosts fileJakub Hrozek2015-08-171-17/+4
| | | | | | Simplifies the code. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use sss_unique_filename in ldap_childJakub Hrozek2015-08-171-22/+3
| | | | | | Simplifies the code. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique_file when creating kdcinfo filesJakub Hrozek2015-08-171-7/+9
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique file in krb5_childJakub Hrozek2015-08-171-16/+11
| | | | | | | | In krb5_child, we intentionally don' set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: minor improvements in ldap id cleanupPavel Reichl2015-08-172-4/+5
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: sanitize group name when used in filterPavel Reichl2015-08-173-5/+418
| | | | | | | | | | | cleanup_groups() uses DN of group in filter for ldbsearch. But the name might contain characters with special meaning for filtering like - "*()\/" Resolves: https://fedorahosted.org/sssd/ticket/2744 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam: Incerease p11 child timeoutMichal Židek2015-08-172-2/+8
| | | | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2746 It was timeouting often in CI machines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* p11child: set restrictive umask and clear environmentJakub Hrozek2015-08-171-0/+3
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2754 Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: UT for sss_iface_addr_list_as_str_list()Pavel Reichl2015-08-141-0/+42
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove code duplicationPavel Reichl2015-08-143-55/+46
| | | | | | | | | | Move copy pasted code for converting sockaddr_storage to string into function. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: rename field of sdap_dyndns_update_statePavel Reichl2015-08-141-8/+8
| | | | | | | | | Rename 'use_server_with_nsupdate' to more general name 'fallback_mode'. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove zone commandPavel Reichl2015-08-146-42/+3
| | | | | | | | | | | | | | | | Remove zone command from message to nsupsate. This command is generally used to hint nsupdate. In correctly configured environment such information should be obtained via DNS. If DNS does not provide necessary information we give other hints. For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove redundant talloc_steal()Pavel Reichl2015-08-141-1/+2
| | | | | | | String 'update_msg' was already allocated on mem_ctx, so, there is no need to steal it. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Don't use server cmd in nsupdate by defaultPavel Reichl2015-08-143-2/+11
| | | | | | | | | | | nsupdate command `server` should not be used for the first attempt to udpate DNS. It should be used only in subsequent attempts after the first attempt failed. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Add a new option dyndns_serverJakub Hrozek2015-08-1410-0/+54
| | | | | | | | | | | Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Always re-fetch the keytab from the IPA serverJakub Hrozek2015-08-144-34/+221
| | | | | | | | | | Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Provide a common interface to safely create temporary filesJakub Hrozek2015-08-143-0/+323
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Change the default of ldap_user_certificate to userCertificate;binaryJakub Hrozek2015-08-142-2/+2
| | | | | | | | | | This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: use ldb_binary_encode when printing attribute valuesJakub Hrozek2015-08-141-1/+10
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sudo: use "higher value wins" when ordering rulesPavel Březina2015-08-146-10/+60
| | | | | | | | | | | | This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed. Resolves: https://fedorahosted.org/sssd/ticket/2682 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: use default limit if provided is 0Pavel Březina2015-08-141-1/+3
| | | | | | | Returning zero values doesn't make any sense, so we may use it as "use sssd configuration instead". Reviewed-by: Petr Cech <pcech@redhat.com>
* DEBUG: Add new debug category for fail over.Michal Židek2015-08-145-10/+40
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* test_memory_cache: Fix few python issuesLukas Slebodnik2015-08-131-5/+5
| | | | | | | | | | W:438,17: Unused variable 'gids' (unused-variable) W:438,10: Unused variable 'errno' (unused-variable) E:618,31: Undefined variable 'user' (undefined-variable) W:443,17: Unused variable 'gids' (unused-variable) W:443,10: Unused variable 'errno' (unused-variable) Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_cache: Wait a while for invalidation of mc by nss responderLukas Slebodnik2015-08-131-0/+34
| | | | | | | | | | | | | | | | The sss_cache cannot invalidate memory cache directly because the nss responder owns file locks to memory caches. Therefore sss_cache just "tell" nss responder to invalidate memory cache. However there might be short interval between calling the utility sss_cache and stopping sssd. So nss responder needn't be so fast and therefore memory cache needn't be invalidated. Resolves: https://fedorahosted.org/sssd/ticket/2748 Reviewed-by: Michal Židek <mzidek@redhat.com>
* krb5_utils-tests: Remove unused variablesLukas Slebodnik2015-08-101-3/+0
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Improve messages about failuresPavel Reichl2015-08-073-4/+11
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5: assume online state if KDC proxy is configuredSumit Bose2015-08-051-0/+6
| | | | | | | | | | | If a KDC proxy is configured a request in the KRB5 provider will assume online state even if the backend is offline without changing the state of the backend. Resolves https://fedorahosted.org/sssd/ticket/2700 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not create kdcinfo file if proxy configuration existsSumit Bose2015-08-051-0/+7
| | | | | | | Resolves https://fedorahosted.org/sssd/ticket/2652 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>