| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
| |
We were assuming that the forest had been looked up by netlogon, but
this is not available on Samba 4 domains. We need to check that the
forest is NULL and force the lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/2311
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2285
Only the forest root has the knowledge about all the domains in the
forest, the forest leaves only see themselves and the forest root.
This patch switches to connecting to the forest root for downloading the
trusted domains instead of the server we are connected to.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by scan-build
for (mi = 0; group_only[mi]; mi++) {
^~~~~~~~~~
warning: Array access (from variable 'group_only') results in a null pointer
dereference
It can happend if function ad_group_extra_members fails (ret != EOK)
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2257
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2210
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Memory context memctx was unused in functions _ad_servers_init
sdap_ad_tokengroups_update_members
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because domain enumeration currently works for each domain separately,
the code has to establish cross-domain memberships after all domains are
enumerated. The code works as follows:
1) check if any *sub*domains were enumerated. If not, do nothing
2) if any of the groups saved had more original members than
sysdb members, check if members of these groups can be linked now
that all users and groups are saved using the orig_member
attribute of the group matched against originalDN member of the
user.
Related:
https://fedorahosted.org/sssd/ticket/2142
|
| |
|
|
|
|
|
|
|
|
|
|
| |
connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.
|
|
|
|
|
|
| |
Depending on the state of the subdomain_enumerate variable, the newly
created subdomain object is created with the right value of "enumerate"
attribute in the sysdb.
|
|
|
|
|
|
| |
Currently always the name of the configured domain was passed to the
CLDAP request. This will fail if the CLDAP request is send to a DC form
a different domain.
|
|
|
|
|
|
|
|
|
| |
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain
Related:
https://fedorahosted.org/sssd/ticket/2200
|
| |
|
|
|
|
|
|
|
| |
EOK was returned in done section of netlogon_get_flat_name,
even if error code was set in variable ret.
This patch fixes also warnings from scan-build.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2160
|
|
|
|
|
| |
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback.
|
|
|
|
|
|
|
|
|
|
| |
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
|
|
|
|
|
|
|
|
|
|
| |
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously, if no changes were done to the list of subdomains, the SSSD
didn't update its list of sdap_domain mappings for the new subdomain.
This resulted in errors as no id_ctx was present for the subdomain
during lookup.
This patch moves the block of code performed during update to a function
of its own and calls it during provider initialization as well.
|
|
|
|
|
| |
The domain was already marked as enumerated using sysdb_set_enumerated
in the enumeration request itself.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
|
|
|
|
|
|
|
|
|
| |
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL. Which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168
|
| |
|
| |
|
|
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When getByID or getBySID comes from responder, the request doesn't
necessarily have to contain correct domain, since responder iterates
over all domains until it finds a match.
Every domain has its own ID range, so we can simply shortcut if
domain does not match and avoid LDAP round trip. Responder will
continue with next domain until it finds the correct one.
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
|
|
|
|
|
|
|
| |
This patch just adds the option, it doesn't do anything useful yet.
Related:
https://fedorahosted.org/sssd/ticket/2082
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx
If this flag is enabled function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104
|
|
|
|
|
|
|
| |
We had a hard coded value of Global Catalog port (3268).
Informations from SRV record was ignored.
This patch prefer port number from SRV record and hard coded value is used only
as a fall back if port number was not initialized.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
| |
|