| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2584
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.
sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message
sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
U krb5_service_init
U krb5_try_kdcip
U remove_krb5_info_files
U select_principal_from_keytab
U sss_krb5_get_error_message
This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2507
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
- removed unnecessary blank lines (leftover after many changes)
- list manual pages according to section number
- add missing white spaces to shall scripts
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The optional definition of rpm macro with_ccache was removed in patch
"BUILD: Remove unnecessary patch and configure opts"
as a part of ticket https://fedorahosted.org/sssd/ticket/2036.
It is not used anymore so it can be removed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Old versions of rpmbuild require ghost files to be present in the buildroot.
It was mainly problem of rpmbuild on rhel5 which is not supported anymore.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This workaround was for libtool in rhel 5
and we dropped support for it few months ago due to missing dependencies.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
| |
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
Therefore package sssd-common had python as a dependency.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
| |
RHEL6.6 contains libnl3.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2550
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Starting from Automake 1.13, the parallel testsuite harness has been made
the default one; this harness is quite silent.
VERBOSE=yes will displays the logs of the non-passed tests (i.e., only
of the failed or skipped ones, or of the ones that passed unexpectedly).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a private SSSD user in the %pre section of SSSD specfile. Also
changes the ownership of SSSD private directories to sssd.sssd.
Does not change the configure time default, so SSSD will still run as
root. The file and directory ownership does not widen, because the
directories are still only accessible by the private user (whose shell
is /sbin/nologin) and of course the root user.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
changes from previous patch:
* fixed idmapd.conf example (sss plugin name)
* squahsed the rpm spec into one commit
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It can be possible to build current master without samba
on rhel5, but the spec file would be very complicated.
It is better to simplify spec file.
Resolves:
https://fedorahosted.org/sssd/ticket/1974
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
|
|
|
| |
This patch adds everything what is needed to build the MIT Kerberos
localauth plugin if the used version of MIT Kerberos supports it. It
does not implement the plugin.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the libwbclient API for Samba daemons and
utilities. The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups identified by their
POSIX UIDs and GIDs respectively.
The API is not fully implemented because SSSD does not support some AD
features like WINS or NTLM. Additionally this implementation has its
focus on the file-server use case and hence does not implement some
features which might be needed for a domain controller use case.
Some API calls are generic and independent of the backend like e.g.
converting binary SIDs and GUIDs into a string representation and back
or memory allocation and deallocation. These parts are taken from the
original Samba sources together with copyright and authors. Files
with'_sssd' as part of the name contain the SSSD related calls.
Resolves: https://fedorahosted.org/sssd/ticket/1588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When upgrading from a 1.9 version with monolithic packaging to 1.10 or
later with per-provider subpackage, sssd-common can be upgraded (and
restarted) before the new sssd-$provider is restarted. This can lead to
a startup failure, because the sssd_be process from already upgraded
sssd-common would attempt to load a sssd_$provider.so from the
legacy sssd package.
Restarting the service in %posttrans makes sure all the packages are in
place when we restart the service.
Resolves:
https://fedorahosted.org/sssd/ticket/2399
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
The system bus has the ability to start services on demant. This patch
adds the sysbus service activation file that, currently, only calls the
sss_signal tool to signal the monitor.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
A minimal tool whose only purpose is to signal the monitor with
SIGUSR2. The tool will be executed by the system bus in order to provide
system activation, so it's packaged in libexec.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
RPM build errors:
error: Installed (but unpackaged) file(s) found:
/usr/lib64/sssd/libsss_ad_common.so
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
since the IFP responder is currently the only planned consumer.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The file sssd_ifp was installed by two subpackages: sssd-common and sssd-dbus
I din't have instaled file org.freedesktop.sssd.infopipe.conf, because it is
in package sssd-dbus. Missing conf file caused problem with starting
the ifp service.
[sssd] [monitor_service_init] (0x0400): Initializing D-BUS Service
[sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] exited with code [3]
[sssd] [mt_svc_exit_handler] (0x0010): Process [ifp], definitely stopped!
[sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.522"
is not allowed to own the service "org.freedesktop.sssd.infopipe" due to
security policies in the configuration file
[sssd[ifp]] [ifp_process_init] (0x0020):
Failed to connect to the system message bus
[sssd[ifp]] [sss_responder_ctx_destructor] (0x0400):
Responder is being shut down
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
Adds the possibility for the InfoPipe responder to connect to the system bus.
At the moment, only a dummy method "Ping" is provided. The method only
accepts a single string parameter that has to be 'ping'.
|
| |
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet.
|
| |
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
systemd supports overrides of the standard service file to be placed in
/etc/systemd/system/<service>.service.d/
With this patch, we will install a commented-out override file to /etc
that will instruct the user on how to enable logging to journald.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
The journal provided by systemd gives us structured logging
capabilities that we should be taking advantage of.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| | |
|
