summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5/krb5_auth.c
Commit message (Collapse)AuthorAgeFilesLines
* let krb5_kpasswd failover work1.9.2-40Pavel Březina2012-12-141-3/+4
| | | | | | | https://fedorahosted.org/sssd/ticket/1680 Bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek2012-11-151-1/+2
|
* krb5_auth: update with correct UPN if neededSumit Bose2012-11-051-0/+30
| | | | | | | | | The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
* Use find_or_guess_upn() where neededSumit Bose2012-11-051-14/+13
|
* krb5_mod_ccname: replace wrong memory contextSumit Bose2012-11-051-1/+1
|
* krb5_auth: check if principal belongs to a different realmSumit Bose2012-11-051-0/+7
| | | | | | Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* krb5_auth_send: check for sub-domainsSumit Bose2012-11-051-5/+15
| | | | | | If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
* Log possibly non-randomizable ccache file templateOndrej Kos2012-10-041-2/+5
| | | | | | | fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
* FO: Check server validity before setting statusJakub Hrozek2012-09-131-5/+9
| | | | | | | | | | | | | | | | | The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* KRB5: Add a missing string argumentJakub Hrozek2012-09-101-1/+2
|
* KRB5: cancel the sysdb transaction on one place onlyJakub Hrozek2012-09-101-1/+0
| | | | | | | https://fedorahosted.org/sssd/ticket/1516 If sysdb_set_user_attr failed, we would cancel the transaction, then go to the error handler and attempt to close it again.
* Unify usage of sysdb transactionsMichal Zidek2012-08-231-2/+14
| | | | | | Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
* KRB5: Only return PAM error for unreachable kpasswd when performing chpassJakub Hrozek2012-08-151-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1452
* KRB5: Initialize the credential cache type properlyStephen Gallagher2012-06-291-0/+11
| | | | | | | | | We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
* Add a credential cache back end structureJakub Hrozek2012-06-141-101/+92
| | | | | | To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
* Split parse_krb5_child_response so it can be reusedJakub Hrozek2012-06-141-119/+27
| | | | | krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
* Only reset kpasswd server status when performing a chpass operationJakub Hrozek2012-05-071-2/+3
| | | | https://fedorahosted.org/sssd/ticket/1316
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-041-4/+27
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek2012-03-081-17/+15
|
* Only do one cycle when resolving a serverJakub Hrozek2012-03-061-7/+12
| | | | https://fedorahosted.org/sssd/ticket/1214
* Do not call krb5_child when changing passwords and provider went offlineJakub Hrozek2012-01-061-1/+11
| | | | https://fedorahosted.org/sssd/ticket/1131
* Honor case sensitive flag when creating the ccname templateJakub Hrozek2011-12-211-1/+3
|
* Move child_common routines to utilStephen Gallagher2011-12-191-1/+1
|
* Cleanup: Remove unused parametersJakub Hrozek2011-11-221-7/+2
|
* sysdb refactoring: memory context deletedJan Zeleny2011-08-151-4/+3
| | | | | | This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny2011-08-151-9/+7
| | | | | The patch also updates code using modified functions. Tests have also been adjusted.
* Fix two typosSumit Bose2011-06-151-2/+3
|
* Delete cached ccache file if password is expiredSumit Bose2011-06-151-8/+63
|
* Fix bad password caching when using automatic TGT renewalStephen Gallagher2011-04-291-3/+12
| | | | Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
* Always generate kpasswdinfo fileStephen Gallagher2011-04-191-2/+1
| | | | | Previously, we only generated it when performing a password change, but this didn't play nicely with kpasswd.
* Remove unused sysdb_attrs objectJan Zeleny2011-03-081-8/+0
|
* Fix potential NULL-dereference in krb5_auth_done()Sumit Bose2010-12-211-3/+3
| | | | https://fedorahosted.org/sssd/ticket/745
* Serialize requests of the same user in the krb5 providerSumit Bose2010-12-201-0/+22
|
* Fixes for automatic ticket renewalSumit Bose2010-12-201-18/+27
| | | | | | - do not recreate the ccache file when renewing the TGT - use user principal name as hash key instead of ccfile name - let krb5_child return Kerberos error codes
* Add support for FAST in krb5 providerSumit Bose2010-12-071-5/+7
|
* Add support for automatic Kerberos ticket renewalSumit Bose2010-12-031-0/+18
|
* krb5_child returns TGT lifetimeSumit Bose2010-12-031-0/+21
|
* Make handle_child_* request publicSumit Bose2010-11-041-319/+12
| | | | | | I took the opportunity to move everything related to the handling of the krb5_child into a separate file and cleaned the interfaces and related structures a bit.
* Make krb5_setup() publicSumit Bose2010-11-041-3/+2
|
* Add krb5_get_simple_upn()Sumit Bose2010-11-041-6/+3
|
* Add infrastructure for Kerberos access providerSumit Bose2010-11-041-26/+78
|
* Fix two return value checksSumit Bose2010-11-011-2/+2
|
* Fix incorrect free of req in krb5_auth.cStephen Gallagher2010-11-011-1/+1
|
* Fixed potential comparison of undefined variableJan Zeleny2010-09-021-0/+1
| | | | | | If the allocation on line 678 failed, the value of ret was undefined in following comparison. ENOMEM is now assigned before the comparison. Ticket: #578
* Fix handling of ccache file when going offlineSumit Bose2010-05-261-32/+75
| | | | | | | The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one.
* Add support for delayed kinit if offlineSumit Bose2010-05-261-26/+50
| | | | | | | If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
* Handle Krb5 password expiration warningSumit Bose2010-05-261-119/+73
|
* Try all servers during Kerberos authJakub Hrozek2010-05-261-23/+104
| | | | | The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
* Properly set up SIGCHLD handlersStephen Gallagher2010-05-161-0/+6
| | | | | | Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
* Make Kerberos authentication a tevent_reqSumit Bose2010-05-161-214/+339
| | | | | To allow other providers to include Kerberos authentication the main part is put into a tevent request.
generated by cgit (git 2.34.1) at 2024-06-07 12:41:29 +0000