summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5/krb5_auth.c
Commit message (Collapse)AuthorAgeFilesLines
* Always update cached upn if enterprise principals are usedSumit Bose2013-05-141-3/+4
| | | | | | | | | | Instead of continuing to use the initial upn if enterprise principals are used if should always be replaced. The enterprise principal is stored in the credential cache and without knowing it the ccache_for_princ() calls to determine the location of the credential cache will fail. Fixes https://fedorahosted.org/sssd/ticket/1921
* Only check UPN if enterprise principals are not usedJakub Hrozek2013-05-031-0/+5
| | | | | | | | If enterprise principals are enabled (which is the default in the AD provider), then the returned UPN might be slightly different from the one SSSD constructs before attempting the login. This patch makes SSSD only check if the principal is the same when the enterprise principals are disabled.
* Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2013-04-121-1/+11
| | | | | | | | | | | | | | | | In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
* Allow setting krb5_renew_interval with a delimiterAriel Barria2013-04-031-3/+15
| | | | | | | https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
* Making the authtok structure really opaque.Lukas Slebodnik2013-04-021-5/+5
| | | | | | | | | | | | | | | | | | | | Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
* Retry the correct service on krb5 child timeoutJakub Hrozek2013-03-181-1/+1
|
* Add support for krb5 1.11's responder callback.Nathaniel McCallum2013-03-081-1/+1
| | | | | | | | | | | krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
* Cleanup error message handling for krb5 childSimo Sorce2013-03-041-67/+80
| | | | | | | | | | | | | | | | | | | | Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-211-4/+4
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-211-7/+7
| | | | In preparation for making be_req opaque
* Introduce be_req_terminate() helperSimo Sorce2013-01-211-10/+3
| | | | | Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
* Remove sysdb as a be context structure memberSimo Sorce2013-01-211-2/+2
| | | | The sysdb context is already available through the 'domain' structure.
* Add domain argument to sysdb_cache_auth()Simo Sorce2013-01-151-1/+5
|
* Add domain argument to sysdb_cache_password()Simo Sorce2013-01-151-3/+5
|
* Add domain argument to sysdb_set_user_attr()Simo Sorce2013-01-151-5/+8
|
* Add domain argument to sysdb_get_user_attr()Simo Sorce2013-01-151-7/+7
|
* Change pam data auth tokens.Simo Sorce2013-01-101-35/+23
| | | | Use the new authtok abstraction and interfaces throught the code.
* Code can only check for cached passwordsSimo Sorce2013-01-101-4/+17
| | | | | Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
* let krb5_kpasswd failover workPavel Březina2012-12-101-3/+7
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1680 There were two errors: 1. kr->kpasswd_srv was never set 2. bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
* Fix tevent_req style for krb5_authSimo Sorce2012-12-041-358/+323
| | | | | | No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek2012-11-121-1/+2
|
* krb5_auth: update with correct UPN if neededSumit Bose2012-10-261-0/+30
| | | | | | | | | The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
* Use find_or_guess_upn() where neededSumit Bose2012-10-261-14/+13
|
* krb5_mod_ccname: replace wrong memory contextSumit Bose2012-10-261-1/+1
|
* krb5_auth: check if principal belongs to a different realmSumit Bose2012-10-261-0/+7
| | | | | | Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* krb5_auth_send: check for sub-domainsSumit Bose2012-10-261-5/+15
| | | | | | If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
* Log possibly non-randomizable ccache file templateOndrej Kos2012-10-041-2/+5
| | | | | | | fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
* FO: Check server validity before setting statusJakub Hrozek2012-09-131-5/+9
| | | | | | | | | | | | | | | | | The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* KRB5: Add a missing string argumentJakub Hrozek2012-09-101-1/+2
|
* KRB5: cancel the sysdb transaction on one place onlyJakub Hrozek2012-09-101-1/+0
| | | | | | | https://fedorahosted.org/sssd/ticket/1516 If sysdb_set_user_attr failed, we would cancel the transaction, then go to the error handler and attempt to close it again.
* Unify usage of sysdb transactionsMichal Zidek2012-08-231-2/+14
| | | | | | Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
* KRB5: Only return PAM error for unreachable kpasswd when performing chpassJakub Hrozek2012-08-151-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1452
* KRB5: Initialize the credential cache type properlyStephen Gallagher2012-06-291-0/+11
| | | | | | | | | We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
* Add a credential cache back end structureJakub Hrozek2012-06-141-101/+92
| | | | | | To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
* Split parse_krb5_child_response so it can be reusedJakub Hrozek2012-06-141-119/+27
| | | | | krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
* Only reset kpasswd server status when performing a chpass operationJakub Hrozek2012-05-071-2/+3
| | | | https://fedorahosted.org/sssd/ticket/1316
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-041-4/+27
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek2012-03-081-17/+15
|
* Only do one cycle when resolving a serverJakub Hrozek2012-03-061-7/+12
| | | | https://fedorahosted.org/sssd/ticket/1214
* Do not call krb5_child when changing passwords and provider went offlineJakub Hrozek2012-01-061-1/+11
| | | | https://fedorahosted.org/sssd/ticket/1131
* Honor case sensitive flag when creating the ccname templateJakub Hrozek2011-12-211-1/+3
|
* Move child_common routines to utilStephen Gallagher2011-12-191-1/+1
|
* Cleanup: Remove unused parametersJakub Hrozek2011-11-221-7/+2
|
* sysdb refactoring: memory context deletedJan Zeleny2011-08-151-4/+3
| | | | | | This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny2011-08-151-9/+7
| | | | | The patch also updates code using modified functions. Tests have also been adjusted.
* Fix two typosSumit Bose2011-06-151-2/+3
|
* Delete cached ccache file if password is expiredSumit Bose2011-06-151-8/+63
|
* Fix bad password caching when using automatic TGT renewalStephen Gallagher2011-04-291-3/+12
| | | | Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
* Always generate kpasswdinfo fileStephen Gallagher2011-04-191-2/+1
| | | | | Previously, we only generated it when performing a password change, but this didn't play nicely with kpasswd.
* Remove unused sysdb_attrs objectJan Zeleny2011-03-081-8/+0
|
generated by cgit (git 2.34.1) at 2024-06-25 02:05:27 +0000