summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)
* IPA: ipa_resolve_user_list_send() take care of overridesSumit Bose2015-01-131-10/+8
| | | | | | | | Currently ipa_resolve_user_list_send() only looks up the related user objects but do not check for overrides. This patch tries to fix this. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit eab17959df71341073f946c533f59fc5e593b35c)
* IPA: resolve ghost members if a non-default view is appliedSumit Bose2015-01-132-0/+213
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 765d9075bb1e10ae0f09b6c2701bfd50aeb423d4)
* IPA: add get_be_acct_req_for_user_name()Sumit Bose2015-01-132-0/+18
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d32b165fad7b89462f49c82349e1df5a2343afa2)
* GPO: Extract server hostname after connectingJakub Hrozek2015-01-131-29/+29
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2543 The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ccff8e75940963a0f68f86efcddc37133318abfa)
* GPO: Don't use stdout for output in gpo_childJakub Hrozek2015-01-133-6/+12
| | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2544 Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit f00a61b6079d8de81432077a59daf015d85800d2)
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-134-9/+7
| | | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
* GPO: Set libsmb debugging to stderrJakub Hrozek2015-01-131-0/+1
| | | | | | | | | | | | | libsmb logs to stdout by default. It's much more reasonable to log to stderr by default. Please also note: https://bugzilla.samba.org/show_bug.cgi?id=11036 and: https://fedorahosted.org/sssd/ticket/2544 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit bb7ddd2be9847bfb07395341c7623da1b104b8a6)
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()Jakub Hrozek2015-01-131-1/+4
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2542 If the GPO result object was missing completely, we would error out with a fatal error code. It's more user-friendly to treat the missing object as if the requested attribute was missing on the provider level. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit fc2cc91a5b645180e53d46436b0d08011aac8d74)
* simple access provider: non-existing objectPavel Reichl2015-01-131-10/+25
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2015-01-131-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle groups from different domainsLukas Slebodnik2015-01-131-2/+16
| | | | | | | | | | | When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the used. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: verify group memberships of trusted domain usersSumit Bose2015-01-131-1/+144
| | | | | | | | | | | | Depending on the state of the cache group object a freshly created or updates user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific errorSumit Bose2015-01-131-1/+12
| | | | | | | | | | | KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: Initialize REALM earlierLukas Slebodnik2015-01-131-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: retain external membersPavel Reichl2014-12-151-0/+104
| | | | | | | | | | | | When processing group membership check sysdb for group members from extern domain and include them in newly processed group membership as extern members are curently found only when initgroups() is called. Resolves: https://fedorahosted.org/sssd/ticket/2492 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Check FAST kinit errors using get_tgt_times()Jakub Hrozek2014-12-131-13/+15
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-135-3/+41
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Do not append domain name to fq nameLukas Slebodnik2014-12-081-4/+17
| | | | | | | | | | Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
* KRB5: Relax DEBUG messageJakub Hrozek2014-12-081-2/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Create the fast ccache in a child processJakub Hrozek2014-12-032-28/+100
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-034-4/+7
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb5_child: become user earlierSumit Bose2014-12-031-38/+93
| | | | | | | The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: copy keytab into memory to drop privileges earlierSumit Bose2014-12-031-19/+45
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory()Sumit Bose2014-12-032-0/+196
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory()Sumit Bose2014-12-032-0/+127
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failedSumit Bose2014-12-031-2/+5
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: only update view data if it really changedSumit Bose2014-12-031-50/+66
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make krb5 provider view awareSumit Bose2014-12-032-6/+25
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: allow view name change at startupSumit Bose2014-11-261-16/+81
| | | | | | | | | | Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-256-0/+20
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Handle IPA groups returned from extop pluginJakub Hrozek2014-11-251-4/+9
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: check overrrides for IPA users as wellSumit Bose2014-11-203-4/+432
| | | | | | | | | Currently overrides were only available for sub-domains, e.g. trusted AD domains. With this patch overrides can be used for IPA users as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make get_object_from_cache() publicSumit Bose2014-11-202-4/+10
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add get_be_acct_req_for_uuid()Sumit Bose2014-11-202-6/+40
| | | | | | | | | | This new call creates the needs data for a lookup by UUID which is needed when trying to find the original object for an IPA override object. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: always store UUID if availableSumit Bose2014-11-202-13/+52
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: add support for lookups by UUIDSumit Bose2014-11-202-5/+55
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor()Sumit Bose2014-11-202-0/+65
| | | | | | | | | This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BE: Become a regular user after initializationJakub Hrozek2014-11-191-0/+13
| | | | | | | | | | | Some parts of initialization (Kerberos ticket renewal, checking the keytab for the right principal) still require the root privileges. Drop privileges after initializing the back ends. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-11-195-244/+267
| | | | | | | | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move checking for illegal RE to krb5_utils.cJakub Hrozek2014-11-195-48/+42
| | | | | | | | | | | | Otherwise we would have to link krb5_child with pcre and transfer the regex, which would be cumbersome. Check for illegal patterns when expanding the template instead. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.cJakub Hrozek2014-11-199-709/+783
| | | | | | | | | | | | | Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Drop privileges in the child, not the back endJakub Hrozek2014-11-192-21/+56
| | | | | | | | | | | | | | | | | | In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Preserve service name in proxy providerMichal Zidek2014-11-191-1/+21
| | | | | | | | Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* proxy: Do not try to store same alias twiceMichal Zidek2014-11-191-28/+49
| | | | | | | | | | | LDB does not store attributes if they have the same name and value and errors out instead. Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Disable token groups by defaultLukas Slebodnik2014-11-191-1/+1
| | | | | | | | | | | | | | | | We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider (if remote server is Active Directory), but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them. Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2483 Reviewed-by: Michal Židek <mzidek@redhat.com>
* Revert "LDAP: Change defaults for ldap_user/group_objectsid"Lukas Slebodnik2014-11-191-4/+4
| | | | | | | | | | | | This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3. OpenLDAP server cannot dereference unknown attributes. The attribute objectSID isn't in any standard objectclass on OpenLDAP server. This is a reason why objectSID cannot be set by default in rfc2307 map and rfc2307bis map. It is the same problem as using non standard attribute "nsUniqueId" in ticket https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Michal Židek <mzidek@redhat.com>
* Fix uuid defaultsSumit Bose2014-11-192-6/+4
| | | | | | | | | | | | | | | | | | Recently the uuid attributes for user and groups were removed because it was found that there are not used at all and that some of them where causing issues (https://fedorahosted.org/sssd/ticket/2383). The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute to relate overrides with the original IPA objects. The previous two patches revert the removal of the uuid attributes from users and groups with this patch set the default value of these attributes to ipaUniqueID from the IPA provider, to objectGUID for the AD provider and leaves them unset for the general LDAP case to avoid issues like the one from ticket #2383. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Remove unused option ldap_group_uuid"Sumit Bose2014-11-194-0/+7
| | | | | | This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-24 19:05:18 +0000