| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
connection
Resolves:
https://fedorahosted.org/sssd/ticket/2639
When a subdomain account lookup errors out, try to re-setup the trust
object. Only do this, if the connection was established after the last
re-set of the trust object.
Internally, the setup function looks at the modifyTimestamp operational
attribute of the TDO. If the modifyTimestamp is newer than the last
keytab check, then the trust was re-created and we need to fetch the
keytab again.
Marking the back end as online re-sets the TDO check timestamp so that
after cycling the sssd, the keytab would always be checked.
|
|
|
|
|
| |
Whenever a connection request ends successfully, store the success time
to the sdap_id_conn_ctx.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
either tries to request a new keytab every time the lookup fails but the
domain is online.
be_mark_dom_offline() is called when the retry fails with the new code.
The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.
|
|
|
|
|
|
|
|
|
| |
In a server that is expanded from a SRV query was reset, only it's
'meta-server' status was set to neutral, but the server->common
structure still retained its not_working status.
This patch also resets the status of the common structure so that both
the SRV query and resolving the server are retried next time.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Previously, we had a function that allowed the caller to reset the
status of all services in the global fail over context. This patch adds
a new function that allows the caller to reset a single service instead.
The main user would be IPA subdomain provider that might need to reset
the status of an AD trusted domain on demand.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.
Creating the AD ID context for the trused domain is now done in the
caller of this new request.
|
|
|
|
|
|
|
|
|
|
|
| |
nsupdate fails definitely if any of update request fails when GSSAPI is used.
As tmp solution nsupdate is executed for each update.
Resolves:
https://fedorahosted.org/sssd/ticket/2783
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Informations about usergroup membership are stored in memberOf
attribute. And informations about hostgroup membership are stored
in originalMemberOf.
This patch add appropriate memberOf attributes
for searching in.
Ticket: https://fedorahosted.org/sssd/ticket/2275
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
In case domain overlap, we might download multiple objects. To avoid
saving them all, we attempt to filter out the objects from foreign
domains.
We can only do this optimization for non-wildcard lookups.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
The function shouldn't be placed in the LDAP tree, but in the SDAP tree
to make it usable from tests without linking to libraries that are
normally linked from LDAP provider (such as confdb)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2723
In case there are overlapping sdap domains, a search for a single user
might match and return multiple entries. For instance, with AD domains
represented by search bases:
DC=win,DC=trust,DC=test
DC=child,DC=win,DC=trust,DC=test
A search for user from win.trust.test would be based at:
DC=win,DC=trust,DC=test
but would match both search bases and return both users.
Instead of performing complex filtering, just save both users. The
responder would select the entry that matches the user's search.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2637
In server mode, we should not allow the AD lookups to set the backend
offline. Rather just let them report an error and deal with the error
separately.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2637
Avoid going offline in cases where SSSD is connected to a child domain
but the root domain is not accessible.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
Rather mark the domain as inactive. It will be marked as active later,
in the meantime the main domain can continue to work online and
subdomain requests will be answered from cache.
The lookup request itself just returns a special error code and lets the
caller handle the error code as appropriate (normally by disabling the
subdomain temporarily).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2637
If a subdomain is in the disabled state, switch krb5_child operation
into offline mode.
Similarly, instead of marking the whole back end as offline, mark just
the domain as offline -- depending on the domain type, this would mark
the whole back end or just inactivate subdomain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fallback to
Required for:
https://fedorahosted.org/sssd/ticket/2637
The AD lookup code honors the ignore_mark_offline flag in the sense that
if it's set, the sdap return code is not reported to the upper layer,
but EOK is returned as request status and the sdap return code is
returned separately.
This patch modifies the behaviour further to only apply if there is
another connection to fall back to.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
The caller of the sdap_id_op requests can set the ignore_mark_offline
flag to avoid the sdap_id_op from marking the whole back end as offline.
However, there was a small bug - the is_offline internal sdap_id_op flag
was still being set. As a consequence, the error code from the
connection was ignored and EAGAIN was always returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with offline_timeout
https://fedorahosted.org/sssd/ticket/2637
Adds a new Data Provider function be_mark_dom_offline() that is a
replacement for be_mark_offline(). When called, the function would
either set the whole back end offline, just like be_mark_offline or just
set the subdomain status to inactive.
When a subdomain is inactive, there is a singleton timed task that would
re-set the subdomin after offline_timeout seconds.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Each string should be sanitized(rfc4515) before using ldbsearch.
A group dn was not sanitized in the function cleanup_groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2744
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
This reverts commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
+ temporary disable unit test
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
This reverts commit f31a57321fc0a2390bb0d6030053c49787e5e587.
It blocked reverting commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in data provider and in responder too.
So this patch create new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The samAccountName for AD hosts is the hosts NetBIOS name with a
trailing $. Since there is a size limit on NetBIOS names long DNS names
must be truncated to find a matching entry in the AD LDAP tree.
The NetBIOS name is already needed during kinit/SASL bind where the
SDAP_SASL_AUTHID config option is used. Since the GPO lookup code is
only reached after the SASL bind was successful we can safely assume
that the name is correct and use it for the GPO lookup.
Resolves https://fedorahosted.org/sssd/ticket/2692
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2777
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2676
When user is removed from cache during cleanup task, mark all
his memberof targets as expired to refresh member/ghost
attributes on next request.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
The GPO child didn't remove temporary file on failure and didn't close
the fd on failure (the latter was not much of a problem for a
short-lived child process).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Create new callback that handles logging messages in cyrus sasl library.
Resolves:
https://fedorahosted.org/sssd/ticket/2561
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Improvement of debug messages.
Instead of:"(0x0400): Running command [17]..."
We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2762
Use specific errmsg when ldap returns
LDAP_CONSTRAINT_VIOLATION code if that specific
message is available.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Simplifies the code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
In krb5_child, we intentionally don' set the owner of the temporary
file, because we're not renaming it to a 'stable' name, but rather
directly using it as the ccache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
cleanup_groups() uses DN of group in filter for ldbsearch. But the name
might contain characters with special meaning for filtering
like - "*()\/"
Resolves:
https://fedorahosted.org/sssd/ticket/2744
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Move copy pasted code for converting sockaddr_storage to string into
function.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Rename 'use_server_with_nsupdate' to more general name 'fallback_mode'.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove zone command from message to nsupsate. This command is generally
used to hint nsupdate. In correctly configured environment such
information should be obtained via DNS.
If DNS does not provide necessary information we give other hints.
For more details see:
https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
String 'update_msg' was already allocated on mem_ctx, so, there is no
need to steal it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
nsupdate command `server` should not be used for the first attempt
to udpate DNS. It should be used only in subsequent attempts after the
first attempt failed.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.
This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.
Resolves:
https://fedorahosted.org/sssd/ticket/2742
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If a KDC proxy is configured a request in the KRB5 provider will assume
online state even if the backend is offline without changing the state
of the backend.
Resolves https://fedorahosted.org/sssd/ticket/2700
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|