| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ed346bcc84b8a326996e5550771773d8e63f17c2)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6fa71b990d7068d66b98015ae54aae399cc84f1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Resolving groups obtained via Token-Groups in case of disabled ID mapping may
lead to failure as non-posix groups are not resolved. This patch amends
sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is
returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1614e1b25a98ff2f03648c4bf61d750fb688285a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script (identical to commit
83bf46f4066e3d5e838a32357c201de9bd6ecdfd) to update DEBUG* macro
invocations, which use literal numbers for levels, to use bitmask macros
instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code
(identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150):
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
| |
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
| |
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
|
|
|
|
|
|
| |
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
| | |
|
| | |
|
| |
|
|
|
|
| |
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
| |
|
|
|
|
| |
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
| | |
|
| | |
|
| |
|
|
| |
Also remove unused sysdb_search_domgroup_by_gid()
|
| |
|
|
| |
Also remove unused sysdb_search_domgroup_by_name()
|
| |
|
|
| |
Also remove unused sysdb_search_domuser_by_name()
|
| |
|
|
|
|
|
|
| |
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1355
|
| |
|
