| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2556
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
ldap_child was the only child process that used child_cleanup instead of
the common child_io_destructor. Unify the implementation to use the
common function instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Previously, we were only handling KRB5KRB_AP_ERR_SKEW
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Since RESP_USER_GROUPLIST contains all group memberships it is
effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The current request already returned the SID, we do not need to request
it separately.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The call protected by the check does not only expect the version 1 of
the extdom plugin is used but a specific response type as well. Since
version 1 can return older response types as well we want to be on the
safe side.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
The IPA extdom plugin returns the data with the default view already
applied hence it is on needed to look up the override data if the client
has the default view assigned.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Currently ipa_resolve_user_list_send() only looks up the related user
objects but do not check for overrides. This patch tries to fix this.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2543
The LDAP URI is not valid prior to connecting to LDAP. Moreover,
reconnecting to a different server might invalidate the URI.
Move reading the URI after the connection has been established.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2544
Use a dedicated fd instead to work around
https://bugzilla.samba.org/show_bug.cgi?id=11036
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2544
Adds a new function exec_child_ex and moves setting the extra_argv[]
to exec_child_ex() along with specifying the input and output fds.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsmb logs to stdout by default. It's much more reasonable to log to
stderr by default.
Please also note:
https://bugzilla.samba.org/show_bug.cgi?id=11036
and:
https://fedorahosted.org/sssd/ticket/2544
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2542
If the GPO result object was missing completely, we would error out with
a fatal error code. It's more user-friendly to treat the missing object
as if the requested attribute was missing on the provider level.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Environment variable SSSD_KRB5_REALM was used to late for initialisation
realm. and therefore default value NULL was used.
The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking
fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore wrong principal was used when the option krb5_fast_principal is
empty.
[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!
As a result of this user was not able to authenticate.
Resolves:
https://fedorahosted.org/sssd/ticket/2526
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only used each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing group membership check sysdb for group members from
extern domain and include them in newly processed group membership as
extern members are curently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Sometimes the timestamp from gettimeofday() slightly differs
from the one obtained via time() which caused unit test to fail on
occasionaly.
Resolves:
https://fedorahosted.org/sssd/ticket/2521
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Stop matching username with names in simple_allow_users after positive
match.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Usernames from AD subdomains are already in fqdn we should not append
domain name in this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2512
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
With this patch the first and enabled delay values are respected.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older
platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
Resolves https://fedorahosted.org/sssd/ticket/2518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Using a PAM include file in an LDAP child is confusing.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
In order to avoid calling Kerberos library calls as root, the krb5_child
forks itself and recreates the FAST ccache as the SSSD user.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
Currently all child processes use the same arguments, the construction
of argv[] is even hardcoded in exec_child(). Add an extra_args[] array
that extends the common set of argvs so that we can have child-specific
arguments. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_get_bool() return ENOENT if no result is found.
Unit test for sysdb_get_bool() & sysdb_set_bool() was added.
This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by
sysdb_has_enumerated().
Resolves:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
The host keytab and the FAST credential cache are copied into memory
early at startup to allow to drop privileges earlier.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Global catalog was not used in ipa server mode and request failed then
dp_error was not set (default is zero). dp_error should not be OK
on failed request.
[ipa_get_ad_acct_ad_part_done] (0x0040): AD lookup failed: 11
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 11
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[acctinfo_callback] (0x0100): Request processed. Returned 3,11,Account info lookup failed
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
The _task is an output variable of type struct be_ptask * which
is filled by be_ptask_create(). However, we tried to set sync ctx there
as a result of copy and paste error.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
For debugging and testing purposes.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|