| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
connection
Resolves:
https://fedorahosted.org/sssd/ticket/2639
When a subdomain account lookup errors out, try to re-setup the trust
object. Only do this, if the connection was established after the last
re-set of the trust object.
Internally, the setup function looks at the modifyTimestamp operational
attribute of the TDO. If the modifyTimestamp is newer than the last
keytab check, then the trust was re-created and we need to fetch the
keytab again.
Marking the back end as online re-sets the TDO check timestamp so that
after cycling the sssd, the keytab would always be checked.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.
Creating the AD ID context for the trused domain is now done in the
caller of this new request.
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2718
This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Refactoring in preparation for requesting the keytab in future patches.
Currently it's a fake async that just marks the request as done.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows to distinguish the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
These functions will be later reused by the subdomains_server.c module.
Splitting them into a separate subdomains_utils.c module will make sure
there are no cyclic dependencies and the functions are testable in
isolation.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
There is already quite a few functions that are server-mode specific and
there will be even more with one-way trusts. Split the server-mode
specific functions into a separate module.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these version there
is no need to reject a initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reasons the lifetime of the user entry and the lifetime of the
initgroups data is different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and
is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA trusts an AD domain the AD user or groups can be placed into
IPA groups e.g. to put AD users under the control of HBAC. Since IPA
group can only have members from the IPA directory tree and the AD users
and groups are not stored there a special IPA object called external
group was introduced. SIDs of users and groups can be added to the
external group and since the external groups are in the IPA directory
tree they can be member of IPA groups.
To speed things up and to remove some load from the IPA servers SSSD
reads all external groups and stores them in memory for some time before
rereading the data.
Enhances https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
|
| |
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1892
|
|
|
|
|
|
|
|
| |
There are case where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561
|
|
|
|
|
|
| |
Instead of exporting internal structures, expose an initilizer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file.
|
| |
|
|
|
|
|
|
|
| |
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
|
|