path: root/src/providers/ipa/ipa_subdomains.h
Columns: Commit message, Author, Age, Files, Lines
* IPA: Reuse ipa_subdomains_retrieve_send for re-setting up a trusted domain [oneway] (Jakub Hrozek, 2015-09-23, 1 file, -0/+1)
* IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection (Jakub Hrozek, 2015-09-23, 1 file, -1/+6)
  Resolves: https://fedorahosted.org/sssd/ticket/2639
  When a subdomain account lookup errors out, try to re-setup the trust object. Only do this if the connection was established after the last re-set of the trust object. Internally, the setup function looks at the modifyTimestamp operational attribute of the TDO. If the modifyTimestamp is newer than the last keytab check, then the trust was re-created and we need to fetch the keytab again. Marking the back end as online re-sets the TDO check timestamp so that after cycling the sssd, the keytab would always be checked.
* IPA: Change ipa_server_trust_add_send request to be reusable from ID code (Jakub Hrozek, 2015-09-22, 1 file, -0/+11)
  Required for: https://fedorahosted.org/sssd/ticket/2639
  Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trusted domain is now done in the caller of this new request.
* IPA: Handle sssd-owned keytabs when running as root (Jakub Hrozek, 2015-07-28, 1 file, -0/+3)
  https://fedorahosted.org/sssd/ticket/2718
  This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions.
  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* BUILD: Store keytabs in /var/lib/sss/keytabs (Jakub Hrozek, 2015-06-16, 1 file, -1/+1)
  Make sure the directory is only accessible to the sssd user.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: Fetch keytab for 1way trusts (Jakub Hrozek, 2015-06-14, 1 file, -0/+5)
  Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships.
  https://fedorahosted.org/sssd/ticket/2636
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Make constructing an IPA server mode context async (Jakub Hrozek, 2015-06-14, 1 file, -1/+6)
  Refactoring in preparation for requesting the keytab in future patches. Currently it's a fake async that just marks the request as done.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domains (Jakub Hrozek, 2015-06-14, 1 file, -0/+9)
  Allows distinguishing the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction; rather, the forest root direction is used.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Split two functions to new module ipa_subdomains_utils.c (Jakub Hrozek, 2015-06-14, 1 file, -0/+6)
  These functions will be later reused by the subdomains_server.c module. Splitting them into a separate subdomains_utils.c module will make sure there are no cyclic dependencies and the functions are testable in isolation.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Move server-mode functions to a separate module (Jakub Hrozek, 2015-06-14, 1 file, -0/+12)
  There are already quite a few functions that are server-mode specific and there will be even more with one-way trusts. Split the server-mode specific functions into a separate module.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: do initgroups if extdom exop supports it (Sumit Bose, 2015-05-05, 1 file, -0/+4)
  Newer versions of the extdom plugin return the full list of group memberships during a user lookup request. With these versions there is no need to reject an initgroups request for sub/trusted-domain users anymore. This is e.g. useful for callers which call getgrouplist() directly without calling getpwnam() before. Additionally it helps if for some reason the lifetime of the user entry and the lifetime of the initgroups data is different.
  Related to https://fedorahosted.org/sssd/ticket/2633
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* subdom: Remove unused function get_flat_name_from_subdomain_name (Jakub Hrozek, 2015-04-16, 1 file, -3/+0)
  The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ipa-server-mode: add IPA group memberships to AD users (Sumit Bose, 2013-08-28, 1 file, -0/+15)
  When IPA trusts an AD domain, the AD users or groups can be placed into IPA groups, e.g. to put AD users under the control of HBAC. Since IPA groups can only have members from the IPA directory tree and the AD users and groups are not stored there, a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group, and since the external groups are in the IPA directory tree they can be members of IPA groups. To speed things up and to remove some load from the IPA servers, SSSD reads all external groups and stores them in memory for some time before rereading the data.
  Enhances https://fedorahosted.org/sssd/ticket/1962
* IPA: Initialize server mode ctx if server mode is on (Jakub Hrozek, 2013-06-28, 1 file, -0/+18)
  This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* Use struct to hold different types of request parameters (Sumit Bose, 2013-05-02, 1 file, -0/+14)
  Currently the POSIX ID or the user name are passed in different parameters to some calls. The method will get cumbersome and error-prone if new parameters like, e.g., the SID are added. This patch adds a union to hold the different kinds of parameters.
* Make IPA SELinux provider aware of subdomain users (Sumit Bose, 2013-04-29, 1 file, -0/+2)
  Fixes https://fedorahosted.org/sssd/ticket/1892
* Allow extdom exop to return flat domain name as well (Sumit Bose, 2012-10-12, 1 file, -0/+3)
  There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well.
  Related to https://fedorahosted.org/sssd/ticket/1561
* Expose an initializer function from subdomain (Simo Sorce, 2012-08-01, 1 file, -10/+5)
  Instead of exporting internal structures, expose an initializer function like the autofs code and initialize everything inside the ipa_subdomains.c file.
* Add support for ID ranges (Sumit Bose, 2012-06-21, 1 file, -0/+1)
* IPA subdomains - ask for information about master domain (Jan Zeleny, 2012-06-10, 1 file, -0/+1)
  The query is performed only if there is missing information in the cache. That means this should be done only once after restart when the cache doesn't exist. All subsequent requests for subdomains won't include the request for the master domain.
* IPA: Add get-domains target (Sumit Bose, 2012-04-24, 1 file, -0/+39)