| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
|
|
|
|
|
| |
If the forest root of a trusted forest is managing POSIX IDs for its
users and groups the same is assumed for all member domains in the
forest which do not have explicitly have an idrange set.
To reflect this SSSD will create the matching ranges automatically.
Fixes https://fedorahosted.org/sssd/ticket/2101
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
|
|
|
|
| |
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2030
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
|
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
|
|
|
|
| |
AD provider will override the default with its own.
|
|
|
|
| |
Remove code duplication.
|
|
|
|
| |
format specifies type 'int' but the argument has type 'const char *'
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
struct hbac_eval_req is defined in header file and it has attribute
request_time with type time_t, but header file "time.h" was not included.
It was not problem, because time.h was indirectly included by stdlib.h
(stdlib.h -> sys/types.h -> time.h) in implementation files,
but other platforms can have other dependencies among header files.
|
|
|
|
| |
A conflict between two patches was not resolved correctly
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1963
|
| |
|
|
|
|
|
| |
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
|
|
| |
The parameter was not used at all.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA trusts an AD domain the AD user or groups can be placed into
IPA groups e.g. to put AD users under the control of HBAC. Since IPA
group can only have members from the IPA directory tree and the AD users
and groups are not stored there a special IPA object called external
group was introduced. SIDs of users and groups can be added to the
external group and since the external groups are in the IPA directory
tree they can be member of IPA groups.
To speed things up and to remove some load from the IPA servers SSSD
reads all external groups and stores them in memory for some time before
rereading the data.
Enhances https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1964
Currently the AD sites are enabled unconditionally
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1630
|
| |
|
|
|
|
| |
Previous check was wrong, servername cannot be NULL.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
|
|
|
|
| |
We check if function ipa_get_ad_id_ctx returns NULL,
but function ipa_get_ad_id_ctx could never return NULL.
This issue was found by scan-build.
|
|
|
|
|
|
|
|
| |
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
|
|
| |
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN
format by accident to the one we only ever user internally. This commit
fixes the mistake.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2009
If the IPA server mode is on and the SSSD is running on the IPA server,
then the server's extdom plugin calls getpwnam_r to read info about trusted
users from the AD server and return them to the clients that called the
extended operation.
The SSSD returns the subdomain users fully-qualified, ie "user@domain"
by default. The format of the fully qualified name is configurable.
However, the extdom plugin returns the user name without the domain
component.
With this patch, when ipa_server_mode is on, warn if the full_name_format
is set to a non-default value. That would prompt the admin to change the
format if he changed it to something exotic.
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
|
|
|
|
|
|
|
|
|
| |
When IPA server mode is on, then this patch will create an ad_id_ctx for
each subdomain discovered in IPA provider. The ID context is needed to
perform direct lookups using the AD provider.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
|
|
|
|
|
|
| |
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
|
|
|
|
|
|
|
| |
Since FreIPA will start to support external mapping for trusted domains
as well the range type for the domain must be know before the domain
object is created. The reason is that external mapping will not use
magic private groups (mpg) while algorithmic mapping will use them.
|
|
|
|
|
|
| |
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
|
|
|
|
|
|
|
|
|
| |
Recent versions of FreeIPA support a range type attribute to allow
different type of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
|
|
|
|
| |
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
|
|
|
|
|
| |
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1949
|
|
|
|
|
| |
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|