| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
Therefore package sssd-common had python as a dependency.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
RHEL6.6 contains libnl3.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2550
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Starting from Automake 1.13, the parallel testsuite harness has been made
the default one; this harness is quite silent.
VERBOSE=yes will displays the logs of the non-passed tests (i.e., only
of the failed or skipped ones, or of the ones that passed unexpectedly).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a private SSSD user in the %pre section of SSSD specfile. Also
changes the ownership of SSSD private directories to sssd.sssd.
Does not change the configure time default, so SSSD will still run as
root. The file and directory ownership does not widen, because the
directories are still only accessible by the private user (whose shell
is /sbin/nologin) and of course the root user.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
changes from previous patch:
* fixed idmapd.conf example (sss plugin name)
* squahsed the rpm spec into one commit
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
It can be possible to build current master without samba
on rhel5, but the spec file would be very complicated.
It is better to simplify spec file.
Resolves:
https://fedorahosted.org/sssd/ticket/1974
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
|
|
|
|
| |
This patch adds everything what is needed to build the MIT Kerberos
localauth plugin if the used version of MIT Kerberos supports it. It
does not implement the plugin.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the libwbclient API for Samba daemons and
utilities. The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups identified by their
POSIX UIDs and GIDs respectively.
The API is not fully implemented because SSSD does not support some AD
features like WINS or NTLM. Additionally this implementation has its
focus on the file-server use case and hence does not implement some
features which might be needed for a domain controller use case.
Some API calls are generic and independent of the backend like e.g.
converting binary SIDs and GUIDs into a string representation and back
or memory allocation and deallocation. These parts are taken from the
original Samba sources together with copyright and authors. Files
with'_sssd' as part of the name contain the SSSD related calls.
Resolves: https://fedorahosted.org/sssd/ticket/1588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When upgrading from a 1.9 version with monolithic packaging to 1.10 or
later with per-provider subpackage, sssd-common can be upgraded (and
restarted) before the new sssd-$provider is restarted. This can lead to
a startup failure, because the sssd_be process from already upgraded
sssd-common would attempt to load a sssd_$provider.so from the
legacy sssd package.
Restarting the service in %posttrans makes sure all the packages are in
place when we restart the service.
Resolves:
https://fedorahosted.org/sssd/ticket/2399
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
The system bus has the ability to start services on demant. This patch
adds the sysbus service activation file that, currently, only calls the
sss_signal tool to signal the monitor.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
A minimal tool whose only purpose is to signal the monitor with
SIGUSR2. The tool will be executed by the system bus in order to provide
system activation, so it's packaged in libexec.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
RPM build errors:
error: Installed (but unpackaged) file(s) found:
/usr/lib64/sssd/libsss_ad_common.so
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
since the IFP responder is currently the only planned consumer.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The file sssd_ifp was installed by two subpackages: sssd-common and sssd-dbus
I din't have instaled file org.freedesktop.sssd.infopipe.conf, because it is
in package sssd-dbus. Missing conf file caused problem with starting
the ifp service.
[sssd] [monitor_service_init] (0x0400): Initializing D-BUS Service
[sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] exited with code [3]
[sssd] [mt_svc_exit_handler] (0x0010): Process [ifp], definitely stopped!
[sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.522"
is not allowed to own the service "org.freedesktop.sssd.infopipe" due to
security policies in the configuration file
[sssd[ifp]] [ifp_process_init] (0x0020):
Failed to connect to the system message bus
[sssd[ifp]] [sss_responder_ctx_destructor] (0x0400):
Responder is being shut down
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
Adds the possibility for the InfoPipe responder to connect to the system bus.
At the moment, only a dummy method "Ping" is provided. The method only
accepts a single string parameter that has to be 'ping'.
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet.
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
systemd supports overrides of the standard service file to be placed in
/etc/systemd/system/<service>.service.d/
With this patch, we will install a commented-out override file to /etc
that will instruct the user on how to enable logging to journald.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
The journal provided by systemd gives us structured logging
capabilities that we should be taking advantage of.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use systemd-lgin in preference to check if the user is logged in or not.
Fall back to the old method if no systemd-login support is available at compile
time or if it returns a fatal error, and can't determine the status of the user
on its own.
This will allow to consider a user really active (in order to reuse or refresh
crdentials) only if it really is logged into the system, and not just if one
of the user's processes is stuck around.
Resolves:
https://fedorahosted.org/sssd/ticket/2084
|
|
|
|
|
|
|
|
|
| |
It was discovered that duplicating files in two subpackages is not
permitted by Fedora packaging guidelines[1]. This patch moves the PAC
responder to a new sssd-common-pac subpackage that both the sssd-ipa
and sssd-ad subpackages will require.
[1] https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#DuplicateFiles
|
|
|
|
|
|
|
|
|
| |
Now that we use the libkrb5 defaults for the default ccname template
we do not need the patch that changes the man pages defaults nor the
configure options to change sssd defaults anymore.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
| |
The NSS responder recently started using libsss_idmap in the getbysid
functions. The bug itself was spotted by one of our automated QA tools.
|
|
|
|
|
| |
This will ensure that we aren't pulling in extra samba4
dependencies for the Kerberos provider.
|
|
|
|
| |
The PAC responder is now used by both IPA and AD providers.
|
|
|
|
|
| |
There are no longer any Fedora platforms running SSSD with SYSV
init scripts. We don't need the upgrade logic any more.
|
| |
|
|
|
|
|
| |
* Include localized pam_sss manpages in sssd-client
* Call ldconfig after libsss_nss_idmap is installed or removed
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1510
This patch splits the previously monolithic sssd package into sssd-common
that contains the deamon and the responders and per-provider packages
such as sssd-ldap or sssd-ipa.
This split would benefit two parties:
1) security auditors who are often trying to find the smallest package
set including dependencies needed for the package to function.
They would be able to i.e. install sssd-ldap and not bother
about sssd-ipa or sssd-ad pulling in more dependencies.
2) 3rd party programs such as realmd or authconfig
that would only be able to require or install on demand the
needed packages.
|