path: root/Makefile.am
Commit message | Author | Age | Files | Lines
* krb5/ldap: use MEMORY ccache and keytab in *_child processes | Sumit Bose | 2014-11-28 | 1 | -0/+2
* tests: be_ptask | Pavel Březina | 2014-11-28 | 1 | -0/+16
    Resolves: https://fedorahosted.org/sssd/ticket/1939
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: create a private header file | Pavel Březina | 2014-11-28 | 1 | -0/+1
    This is done so we gain access to the be_ptask structure in unit tests.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix KRB5_CONF_PATH | Sumit Bose | 2014-11-25 | 1 | -0/+1
    Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a compiler macro.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor() | Sumit Bose | 2014-11-20 | 1 | -0/+2
    This call extracts the domain and the UUID part from an IPA override anchor.
    Related to https://fedorahosted.org/sssd/ticket/2481
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Touch files in DESTDIR | Jakub Hrozek | 2014-11-18 | 1 | -6/+6
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Make chown of files to sssd user non-fatal | Jakub Hrozek | 2014-11-18 | 1 | -3/+3
    In build environments, we can't assume the sssd user will be created prior to installing the package, so we can't chown the files. RPM will own the files instead in this case.
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Use separate chown to make changing ownership to the sssd user non-fatal | Jakub Hrozek | 2014-11-18 | 1 | -17/+18
    When the SSSD is built in the build system using a non-root user, the user doesn't exist in the build system and file ownership will be maintained by the downstream packaging instead.
    We need to make sure that setting the ownership to the sssd user is a separate step from creating the directories in this case in order to make failure to set the ownership non-fatal.
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move all ccache operations to krb5_child.c | Jakub Hrozek | 2014-11-18 | 1 | -2/+11
    The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches.
    src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root.
    Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user.
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.c | Jakub Hrozek | 2014-11-18 | 1 | -0/+4
    Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner.
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Install krb5_child as suid if running under non-privileged user | Jakub Hrozek | 2014-11-18 | 1 | -0/+2
    If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user.
    Related: https://fedorahosted.org/sssd/ticket/2370
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child process | Jakub Hrozek | 2014-11-05 | 1 | -0/+27
    In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges.
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Drop privileges after kinit in ldap_child | Jakub Hrozek | 2014-11-05 | 1 | -1/+3
    After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root.
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install ldap_child and as setuid if running under non-privileged user | Jakub Hrozek | 2014-11-05 | 1 | -0/+5
    The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root.
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add test for sysdb_add_overrides_to_object() | Sumit Bose | 2014-11-05 | 1 | -0/+16
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add parse_attr_list_ex() helper function | Sumit Bose | 2014-11-05 | 1 | -1/+4
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Add a config option for sssd user, own private directories as the user | Jakub Hrozek | 2014-10-22 | 1 | -6/+17
    Adds a new configure-time option that lets you select the user to run SSSD as. The default is 'root' for backwards compatibility.
    The directories the daemon stores its private data at are also created as owned by this user during install time.
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD: Add the options to specify a UID and GID to run as | Jakub Hrozek | 2014-10-20 | 1 | -2/+5
    Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed.
    So far all code still runs as root.
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util: Move semanage related functions to src/util | Michal Zidek | 2014-10-20 | 1 | -9/+28
    These functions will be reused by IPA provider.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* views: add ipa_get_ad_override_send() | Sumit Bose | 2014-10-16 | 1 | -0/+1
    Related to https://fedorahosted.org/sssd/ticket/2375
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb: add sysdb_update_view_name() | Sumit Bose | 2014-10-16 | 1 | -0/+1
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sss_nss_idmap: add sss_nss_getorigbyname() | Sumit Bose | 2014-10-14 | 1 | -1/+1
    This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of the nss responder to libsss_nss_idmap.
    The main use case for this new call is to replace sss_nss_getsidbyname() in the extdom plugin on the FreeIPA server to get more information about the given object than just the SID which is not available with the default POSIX interfaces.
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add a test to change user IDs | Jakub Hrozek | 2014-10-10 | 1 | -0/+3
    Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Move become_user outside krb5 tree | Jakub Hrozek | 2014-10-10 | 1 | -8/+12
    In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Use $(MKDIR_P) in Makefile.am | Jakub Hrozek | 2014-10-06 | 1 | -13/+16
    It was suggested by the Fedora automake maintainer to use the autoconf macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is more portable and might actually expand to something else than "mkdir -p" on some platforms (usually it would be a variant of install.sh)
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* CI: Add Valgrind suppression support | Nikolai Kondrashov | 2014-09-22 | 1 | -1/+3
    Add an empty Valgrind suppressions file, use it when invoking Valgrind. This prepares for addition of Valgrind suppressions for current false positives and issues that cannot be fixed, preparing for enforcing Valgrind check.
    Make Valgrind output a suppression for every error and make it output used suppression names and counts at the end of each run. This simplifies discovery and addition of new suppressions and removal of unused ones.
    Related to https://fedorahosted.org/sssd/ticket/2428
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libwbclient: avoid collision with Samba version | Sumit Bose | 2014-09-08 | 1 | -4/+8
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_sifp: bump version to 0:1:0 | Pavel Březina | 2014-09-08 | 1 | -1/+1
    Interface did not change, only the code.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libwbclient: make build optional | Sumit Bose | 2014-09-02 | 1 | -8/+11
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NFSv4 client: add to build system | Noam Meltzer | 2014-09-02 | 1 | -0/+24
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Roland Mainz <rmainz@redhat.com>
* Add basic support for CI test execution | Nikolai Kondrashov | 2014-09-02 | 1 | -1/+11
    Add basic support for executing continuous integration (CI) tests on RHEL6, RHEL7, Fedora 20, Fedora Rawhide and Debian Testing.
    This adds two front-end scripts which can be executed either locally by developers, or on a CI server: contrib/ci/run and contrib/ci/clean. The first one will run the tests and the second will wipe out the artifacts.
    See contrib/ci/README.md for further details.
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Implement MIT Kerberos localauth plugin | Sumit Bose | 2014-09-02 | 1 | -1/+9
    The MIT Kerberos localauth plugin interface defines two different calls. The first checks if a given Kerberos principal relates to a given name of a local user (userok). The implementation lets SSSD resolve the principal and the user name and if the returned user entries both have the same UID success is returned.
    The second translates a given Kerberos principal to a local user name (a2l). Here SSSD is only called once to resolve the principal and the user name is returned.
    Resolves https://fedorahosted.org/sssd/ticket/1835
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add conditional build for MIT Kerberos localauth plugin | Sumit Bose | 2014-09-02 | 1 | -0/+19
    This patch adds everything that is needed to build the MIT Kerberos localauth plugin if the used version of MIT Kerberos supports it. It does not implement the plugin.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* libwbclient: SSSD implementation | Sumit Bose | 2014-08-21 | 1 | -2/+37
    This patch implements the libwbclient API for Samba daemons and utilities. The main purpose is to map Active Directory users and groups identified by their SID to POSIX users and groups identified by their POSIX UIDs and GIDs respectively.
    The API is not fully implemented because SSSD does not support some AD features like WINS or NTLM. Additionally this implementation has its focus on the file-server use case and hence does not implement some features which might be needed for a domain controller use case.
    Some API calls are generic and independent of the backend like e.g. converting binary SIDs and GUIDs into a string representation and back or memory allocation and deallocation. These parts are taken from the original Samba sources together with copyright and authors. Files with '_sssd' as part of the name contain the SSSD related calls.
    Resolves: https://fedorahosted.org/sssd/ticket/1588
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: add sysdb_gpo support for caching gpo version | Yassir Elley | 2014-07-30 | 1 | -0/+1
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Add functions for replacing whitespaces. | Lukas Slebodnik | 2014-07-28 | 1 | -3/+6
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* test_utils: Use common header file for libsss_util tests. | Lukas Slebodnik | 2014-07-28 | 1 | -1/+3
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* Only check GID if ID-mapping | Jakub Hrozek | 2014-07-23 | 1 | -3/+8
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD-GPO: Store policy settings in local files | Yassir Elley | 2014-07-20 | 1 | -0/+2
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* BUILD: Link sdap-tests with openldap libraries | Lukas Slebodnik | 2014-07-09 | 1 | -0/+1
    sdap-tests uses functions from openldap, but it was not linked with libldap or liblber.

    sh-4.2$ nm --undefined-only .libs/sdap-tests | grep -E "ldap|ber"
             U ber_free
             U ldap_control_create
             U ldap_err2string
             U ldap_get_option
             U ldap_init_fd
             U ldap_install_tls
             U ldap_is_ldaps_url
             U ldap_unbind_ext

    sdap-tests cannot be linked on platforms with disabled link_all_deplibs.

      CCLD     sdap-tests
    /usr/bin/ld: src/providers/ldap/sdap_tests-sdap.o: undefined reference to symbol 'ber_free'
    /usr/bin/ld: note: 'ber_free' is defined in DSO /lib64/liblber-2.4.so.2 so try adding it to the linker command line
    /lib64/liblber-2.4.so.2: could not read symbols: Invalid operation
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make[3]: *** [sdap-tests] Error 1

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* BUILD: Add version symbol files for public libraries. | Lukas Slebodnik | 2014-07-09 | 1 | -3/+28
    Version symbol files will help package systems to catch backward compatible changes (newly added functions) into library.
    The difference between libraries libsss_nss_idmap_test.so and libsss_nss_idmap.so is that the 1st library will not be installed and has more exported functions, which are necessary for mocking with cmocka for test sss_nss_idmap-test.
    Resolves: https://fedorahosted.org/sssd/ticket/2194
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Add the DBus service activation | Jakub Hrozek | 2014-07-08 | 1 | -0/+4
    The system bus has the ability to start services on demand. This patch adds the sysbus service activation file that, currently, only calls the sss_signal tool to signal the monitor.
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TOOLS: New helper tool sss_signal | Jakub Hrozek | 2014-07-08 | 1 | -1/+12
    A minimal tool whose only purpose is to signal the monitor with SIGUSR2. The tool will be executed by the system bus in order to provide system activation, so it's packaged in libexec.
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* BUILD: dbusintrospectdir is not used anymore | Jakub Hrozek | 2014-07-08 | 1 | -3/+0
    We fprintf the introspection data on demand rather than printing an XML file. The directory specification can be removed.
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Add a unit test for the sdap.c module | Jakub Hrozek | 2014-07-08 | 1 | -1/+32
    Covers the sdap_parse_entry function with unit tests so that we know that modifying the function in a later patch will not result in a regression.
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: ad_gpo_tests should be built only with samba | Lukas Slebodnik | 2014-07-01 | 1 | -2/+3
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD-GPO: Add gpo-smb implementation in gpo_child process | Yassir Elley | 2014-07-01 | 1 | -0/+22
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* build: Allow augmenting TESTS_ENVIRONMENT | Nikolai Kondrashov | 2014-06-23 | 1 | -1/+2
    Add substitution of a special variable "AUX_TESTS_ENVIRONMENT" to the "TESTS_ENVIRONMENT" value, allowing its augmentation from the make command line. This enables wrapping test commands with older versions of Automake, where LOG_COMPILER support is missing.
    This enables executing "make check" target with Valgrind on RHEL6, like this:

        make check AUX_TESTS_ENVIRONMENT="libtool --mode=execute valgrind"

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* build: Augment systemdconfdir at configure stage | Nikolai Kondrashov | 2014-06-19 | 1 | -1/+1
    Add "/sssd.service.d" to systemdconfdir at configure stage, instead of the make stage. This way, if systemd is not used, systemdconfdir variable stays empty. That in turn, works around the attempt by older versions of Automake to create the installation directory even though no files are installed there [1].
    This fixes installation and distcheck target on RHEL6, where an "/sssd.service.d" directory creation would otherwise be attempted.
    [1] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=11030
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* build: Switch back to DISTCHECK_CONFIGURE_FLAGS | Nikolai Kondrashov | 2014-06-19 | 1 | -4/+5
    Switch back to using DISTCHECK_CONFIGURE_FLAGS instead of the AM_-version in Makefile.am, as the latter is not supported by Automake version in RHEL6.
    Instead, use a special variable AUX_DISTCHECK_CONFIGURE_FLAGS to augment distcheck target configure flags from the command line.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>