| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1884
Adds an internal resolver function that reads the TTL for SRV records as
specified by RFC-2181. Several internal c-ares definitions are used
until c-ares contains a function that exposes all this information via a
parsing function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
These functions are quite general thus they may be part
of sbus interface.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This is done to better distinguish between connection code and interface
stuff. It will help with orientation and thus simplify next changes.
Preparation for:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
The module wasn't tested properly, which made it harder to patch it
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many areas of responders performs an expiration check and refresh
of cached objects during single or multiple domain search. This code
is duplicated on many areas of the code with small or none
modifications.
This interface aims to reduce code duplication between responders,
by providing one universal API for requesting cached objects.
This API will take care of cache lookup, expiration check, cache
refresh, out of band cache request, negative cache in both single
and multi domain searches.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A library should not be installed before it's internal dependencies
otherwise there is an error in make distcheck.
libtool: install: error: relink `libsss_crypt.la' with the above command before
installing it
It would be sufficient just to change order of libraries in
automake variable pkglib_LTLIBRARIES, but it's better to have
internal libraries on the one place.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Compilation of test_child_common failed with linker flag --as-needned
due to cyclic dependencies between libsss_child.so and libsss_util.so
CCLD test_child_common
./.libs/libsss_child.so: undefined reference to `sss_hash_create'
./.libs/libsss_child.so: undefined reference to `hash_lookup'
./.libs/libsss_child.so: undefined reference to `BlockSignals'
./.libs/libsss_child.so: undefined reference to `hash_delete'
./.libs/libsss_child.so: undefined reference to `hash_enter'
./.libs/libsss_child.so: undefined reference to `hash_error_string'
./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
./.libs/libsss_child.so: undefined reference to `sss_strerror'
collect2: error: ld returned 1 exit status
This patch is temporary workaround.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
The child_common.c module had no unit tests, yet we need to amend it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2467
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
The host keytab and the FAST credential cache are copied into memory
early at startup to allow to drop privileges earlier.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1939
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This is done so we gain access to the be_ptask structure in unit tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Currently a shell/Makefile variable is used in the definition of
KRB5_CONF_PATH for C code. This patch replaces it with a complier macro.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This call extracts the domain and the UUID part from an IPA override
anchor.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In build environments, we can't assume the sssd user will be created
prior to installing the package, so we can't chown the files.
RPM will own the files instead in this case.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the SSSD is built in the build system using a non-root user, the
user doesn't exist in the build system and file ownership will be
maintained by the downstream packaging instead.
We need to make sure that setting the ownership to the sssd user is a
separate step from creating the directories in this case in order to
make failure to set the ownership non-fatal.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new module krb5_ccache.c that contains all ccache-related
operations. The only user of this module shall be krb5_child.c as the
other modules will run unprivileged and accessing the ccache requires
either privileges of root or the ccache owner.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
After ldap_child initializes privileges using root-owned keytab, it
drops privileges to the SSSD user, minimizing the amount of code that
runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds a new configure-time option that lets you select the user to run
SSSD as. The default is 'root' for backwards compatibility.
The directories the deamon stores its private data at are also created
as owned by this user during install time.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of
the nss responder to libsss_nss_idmap.
The main use case for this new call is to replace sss_nss_getsidbyname()
in the extdom plugin on the FreeIPA server to get more information about
the given object than just the SID which is not available with the
default POSIX interfaces.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It was suggested by the Fedora automake maintainer to use the autoconf
macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is
more portable and might actually expand to something else than "mkdir
-p" on some platforms (usually it would be a variant of install.sh)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an empty Valgrind suppressions file, use it when invoking Valgrind.
This prepares for addition of Valgrind suppressions for current false
positives and issues that cannot be fixed, preparing for enforcing
Valgrind check.
Make Valgrind output a suppression for every error and make it output
used suppression names and counts at the end of each run. This
simplifies discovery and addition of new suppressions and removal of
unused ones.
Related to https://fedorahosted.org/sssd/ticket/2428
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Interface did not change, only the code.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add basic support for executing continuous integration (CI) tests on
RHEL6, RHEL7, Fedora 20, Fedora Rawhide and Debian Testing.
This adds two front-end scripts which can be executed either locally by
developers, or on a CI server: contrib/ci/run and contrib/ci/clean.
The first one will run the tests and the second will wipe out the
artifacts.
See contrib/ci/README.md for further details.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MIT Kerberos localauth pluing interface defines two different calls.
The first checks if a given Kerberos principal relates to a given name
of a local user (userok). The implementation lets SSSD resolve the
principal and the user name and if the returned user entries both have
the same UID success is returned.
The second translates a given Kerberos principal to a local user name
(a2l). Here SSSD is only called once to resolve the principal and the
user name is returned.
Resolves https://fedorahosted.org/sssd/ticket/1835
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
