| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 7ac7dec08ec2c82a86fd6a90388993cfcee26da1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2300
The list of SELinux mapping orders was allocated on tmp_ctx and parsed
into an array. The array itself was correctly allocated on mem_ctx but
its contents remained on tmp_ctx, leading to a use-after-free error.
This patch fixes the memory hierarchy so that both the array and its
contents are allocated on mem_ctx.
(cherry picked from commit 355b8a655cfcc4e783077d12f76b55da1d23fb87)
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct
sysdb_attrs" if attribute is not among available attributes. Array will be
enlarged with function talloc_realloc but realloc can move array to another
place in memory therefore ldb_message_element should not be used after next
call of function sysdb_attrs_get_el
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);
With netgroups, it is common to omit user or host from netgroup triple.
There is very high probability that realloc will be called. it is possible
pointer user_found can refer to the old area after the second call of function
sysdb_attrs_get_el.
Resolves:
https://fedorahosted.org/sssd/ticket/2284
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2282
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We blindly used the user's domain for everything. That wrong in case the
user comes from a subdomain. We should use the IPA domain for accessing
the SELinux rules and host data and the user domain only for the user.
https://fedorahosted.org/sssd/ticket/2270
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2264
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In older IPA server versions where the AD users where looked up by
winbind the user name component of the home directory path was always
lower case. This still holds for IPA clients as well. To avoid
regression this patch makes the user name component lower case as well.
Fixes https://fedorahosted.org/sssd/ticket/2263
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2253
|
| |
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
|
|
|
|
|
|
|
|
|
| |
If krb5_fast_principal is not set in sssd.conf it was set to host/$client,
KRB5 default realm was used which doesn't have to be the same as realm
used for IPA, thus authentication failed when using FAST.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
(cherry picked from commit e325cabe762fad7d696e014a7fdbb47a5cb8174a)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
|
|
|
|
|
|
|
|
|
| |
Homedir is defaultly set accordingly to subdomain_homedir for users from AD.
Resolves:
https://fedorahosted.org/sssd/ticket/2169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2160
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
ipa_ad_subdom_refresh was called before IPA server context was
initialized. On IPA server, this caused the code to dereference a NULL
pointer and crash.
|
|
|
|
|
| |
Write domain-mappings at startup and initialize internal data structures
on provider startup, not only during updates.
|
|
|
|
|
|
|
|
|
|
| |
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL. Which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
|
|
|
|
|
| |
If the forest root of a trusted forest is managing POSIX IDs for its
users and groups the same is assumed for all member domains in the
forest which do not have explicitly have an idrange set.
To reflect this SSSD will create the matching ranges automatically.
Fixes https://fedorahosted.org/sssd/ticket/2101
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
|
|
|
|
| |
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2030
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
|
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
|
|
|
|
| |
AD provider will override the default with its own.
|
|
|
|
| |
Remove code duplication.
|
|
|
|
| |
format specifies type 'int' but the argument has type 'const char *'
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
struct hbac_eval_req is defined in header file and it has attribute
request_time with type time_t, but header file "time.h" was not included.
It was not problem, because time.h was indirectly included by stdlib.h
(stdlib.h -> sys/types.h -> time.h) in implementation files,
but other platforms can have other dependencies among header files.
|
|
|
|
| |
A conflict between two patches was not resolved correctly
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1963
|
| |
|
|
|
|
|
| |
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
|
|
| |
The parameter was not used at all.
|