| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1776
Although cb->list got updated when the callback is removed,
this change did not propagate to be_ctx->*_cb_list which
caused dlist having invalid records.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1758
The autofs entries do not have the key as an unique identifier, but
rather the full (key, value) tuple as some keys have a special meaning,
such as the direct mount key (/-) and may be present in a single map
multiple times.
Comparing the full DN that contains both the key and the value will
allow for working updates if either key or value changes.
|
| |
|
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1761
The function tried to be smart and realloc only when needed, but that
only lead to hard-to find bugs where the logic would not allocate the
proper space. Remove the reallocation and prefer readability over speed
in this case.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1760
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
The downside of this approach is that the user is returned as a group
member during getgrgid call as well.
|
| |
|
|
|
|
|
| |
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID.
|
| |
|
|
| |
It is not a map, but a default context. The name should reflect that.
|
| |
|
|
|
| |
Changes the ipa_get_selinux{send,recv} request so that it only delivers
data and moves processing to the IPA selinux handler.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now we don't include USN/modifyTimestamp attribute in the filter
if such situasion occurs.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1735
|
| |
|
|
|
| |
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
| |
|
|
|
|
| |
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
| |
|
|
|
|
| |
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
|
| |
|
|
| |
Reduces amount of code duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1701
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1680
Bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
| | |
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
The PROXY provider wasn't storing credentials to negative cache due to
bad return value. This was delegated from attempt to delete these
credentials from local cache. Therefore ENOENT is replaced as EOK.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1695
|
| |
|
|
|
|
|
|
|
| |
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
| |
|
|
|
| |
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
| |
|
|
|
| |
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
| |
|
|
|
|
|
|
|
| |
In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.
This patch adds a log message and sets the count to zero so it is
handled appropriately below.
|
| |
|
|
|
|
|
|
| |
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1482
When we add fullname to user_attrs, then sysdb_add_basic_user()
will set fullname to gecos when it initially creates the user
object in the cache, but it will be overwritten in the same
transaction when sysdb_store_user() adds all the user_attrs.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
| |
|
|
| |
initialized variable, was causing build warning
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
| |
|
|
|
| |
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
| |
|
|
|
|
|
|
|
| |
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
| |
|
|
|
| |
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
| |
|
|
|
|
|
| |
The connections request was terminated before setting the expiry timeout
in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
|
