summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5
Commit message (Collapse)AuthorAgeFilesLines
* krb5: Replace type-specific ccache/principal checksimo_ccnameSimo Sorce2013-08-303-148/+84
| | | | | | | | | Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce2013-08-283-104/+16
| | | | | | | | | This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add helper to destroy ccache as userSimo Sorce2013-08-282-0/+114
| | | | | | | | | | | This function safely destroy a ccache given a cache name and user crdentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add calls to change and restore credentialsSimo Sorce2013-08-282-0/+128
| | | | | | | | In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
* krb5: Fetch ccname template from krb5.confStephen Gallagher2013-08-284-12/+167
| | | | | | | | | | | | | In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
* krb5_common: Refactor to use a talloc temp contextSimo Sorce2013-08-281-12/+28
| | | | | | | | In preparation for handling some more allocations in the following patches and fixes a curent memleak on the opts struct. Related: https://fedorahosted.org/sssd/ticket/2036
* KRB5: Add support for KEYRING cache typeStephen Gallagher2013-08-274-0/+212
| | | | https://fedorahosted.org/sssd/ticket/2036
* KRB5: Remove unnecessary call to become_user()Stephen Gallagher2013-08-271-6/+0
| | | | | | | | By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
* check_cc_validity: make sure _valid is always setSumit Bose2013-08-241-5/+7
| | | | | In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
* KRB5: Only set active and valid on successStephen Gallagher2013-08-221-6/+5
| | | | | | | | The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
* KRB5: Refactor cc_*_check_existingStephen Gallagher2013-08-221-61/+59
| | | | | | | | | | | | | | There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here: 1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering 2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
* KRB5: Add new #define for collection cache typesStephen Gallagher2013-08-224-18/+18
| | | | | | Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
* KRB5: Do not log to syslog on each loginJakub Hrozek2013-08-191-1/+3
|
* KRB5: Formatting changesJakub Hrozek2013-08-191-4/+4
|
* ldap, krb5: More descriptive msg on chpass failure.Michal Zidek2013-08-111-0/+15
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* KRB5: Do not send PAC in server modeJakub Hrozek2013-07-233-6/+19
| | | | | | | | The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
* Fix warnings: uninitialized variableLukas Slebodnik2013-07-222-4/+3
|
* Remove unused memory context from function unpack_authtokLukas Slebodnik2013-07-221-3/+3
|
* Add mising argument required by format stringLukas Slebodnik2013-07-191-2/+3
|
* KRB: Replace multiple calls with variableOndrej Kos2013-07-181-6/+9
| | | | | Instead of multiple calls of sss_authtok_get_type, perform the call just once and store into variable.
* KRB: Handle empty password gracefullyOndrej Kos2013-07-181-0/+11
| | | | | | https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed.
* SIGCHLD handler: do not call callback when pvt data where freedPavel Březina2013-07-171-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1992
* print hint about password complexity when new password is rejectedPavel Březina2013-07-171-1/+7
| | | | https://fedorahosted.org/sssd/ticket/1827
* Use conditional build for retrieving ccache.Lukas Slebodnik2013-07-152-88/+22
| | | | | | | | Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c
* Return right directory name for dircacheLukas Slebodnik2013-07-111-6/+10
| | | | | | | Dircache can be either file or directory. Wrong value was used when dircache was itself directory. https://fedorahosted.org/sssd/ticket/2002
* KRB5_CHILD: Fix handling of get_password return codeOndrej Kos2013-07-101-4/+10
| | | | The switch statement was dead code due to missing case/default.
* Replace new_subdomain() with find_subdomain_by_name()Sumit Bose2013-06-281-3/+2
| | | | | | new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used.
* Fix compilation warningJakub Hrozek2013-06-271-1/+1
|
* AD: Write out domain-realm mappingsJakub Hrozek2013-06-271-1/+0
| | | | | This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
* KRB5: guess UPN for subdomain usersJakub Hrozek2013-06-277-18/+43
|
* Do not switch to credentials everytime.Lukas Slebodnik2013-06-261-4/+69
| | | | | | | | | If user decide to kinit as another user we do not want to switch back to user ccache at another login. We will switch to new ccache if and only if default principal name is the same as current principal name, or there is not any default ccache. https://fedorahosted.org/sssd/ticket/1936
* Every time return directory for krb5 cache collection.Lukas Slebodnik2013-06-262-4/+64
| | | | | | | | Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936
* krb5: do not use enterprise principals for renewalsSumit Bose2013-06-251-1/+6
| | | | | | When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
* krb5: do not send pac for IPA users from the local domainSumit Bose2013-06-254-10/+19
| | | | | | | | | | | | | So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995
* Revert "Always send the PAC to the PAC responder"Sumit Bose2013-06-251-18/+20
| | | | This reverts commit d153941864fe481399665be8fe583c9317194a99.
* Fix typo in pack_authtok()Sumit Bose2013-06-241-1/+1
|
* KRB5: use the right authtok type for renewalsSumit Bose2013-06-241-3/+20
|
* Set default realm for enterprise principalsSumit Bose2013-06-171-0/+12
| | | | | | | | | | Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931
* Use principal from the ticket to find validation entrySumit Bose2013-06-171-1/+1
| | | | | | | | | If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931
* KRB: Handle preauthentication error correctlyOndrej Kos2013-06-142-1/+9
| | | | | | https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
* A new option krb5_use_kdcinfoJakub Hrozek2013-06-104-18/+36
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
* Do not obfuscate calls with booleansJakub Hrozek2013-06-071-7/+22
| | | | | | Instead of using boolean variables to denote whether the call is adding a primary or a secondary server, use a function wrapper that tells what it's doing by its name.
* Always send the PAC to the PAC responderSumit Bose2013-06-061-20/+18
| | | | | | | | | | | Currently while doing a Kerberos based authentication the PAC was only send to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain are already evaluated by the PAC responder.
* Set canonicalize flag if enterprise principals are usedSumit Bose2013-05-311-1/+6
| | | | | | | In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used.
* Fixing critical format string issues.Lukas Slebodnik2013-05-202-3/+5
| | | | | | --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
* Always update cached upn if enterprise principals are usedSumit Bose2013-05-141-3/+4
| | | | | | | | | | Instead of continuing to use the initial upn if enterprise principals are used if should always be replaced. The enterprise principal is stored in the credential cache and without knowing it the ccache_for_princ() calls to determine the location of the credential cache will fail. Fixes https://fedorahosted.org/sssd/ticket/1921
* Only check UPN if enterprise principals are not usedJakub Hrozek2013-05-031-0/+5
| | | | | | | | If enterprise principals are enabled (which is the default in the AD provider), then the returned UPN might be slightly different from the one SSSD constructs before attempting the login. This patch makes SSSD only check if the principal is the same when the enterprise principals are disabled.
* Allow usage of enterprise principalsSumit Bose2013-04-224-4/+18
| | | | | | | | | | | | | | | | | | | | | | | | Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
* Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2013-04-122-11/+61
| | | | | | | | | | | | | | | | In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
* Further restrict become_user drop of privileges.Simo Sorce2013-04-051-15/+18
| | | | | | | | | | | | | | | | We never need to regain root after we call become_user() so tighten up even further our privilege drop. Add a setgroups() call to remove all secondary groups root may have been given for whateve reason. Then use the setres[ug]id function to also drop the saved uid/gid so the process cannot regain back root id. Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a Point of No Return, once changed to non-root the process can't get back. Remove redefinition of sys/types.h and unistd.h, they are already defined in util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined or the prototypes for setres[ug]id will not be found. Add grp.h after util.h for the same reason.
generated by cgit (git 2.34.1) at 2024-06-08 16:38:57 +0000