| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently support was added to use also libkrb5 style expansions that
uses a %{varname} type of template.
There are a number of templates we do not care/can't expand in sssd.
The current code misses tests and failed to properly preserve some of
the templates we do not want to handle.
Addiotionally in order to be future proof this patch treats unknown
templates as pass-through templates and defer any error checking to
libkrb5, so that sssd is consistent with how kinit would behave.
Resolves:
https://fedorahosted.org/sssd/ticket/2076
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2063
|
|
|
|
|
|
| |
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a
global declaration
/usr/include/stdio.h:754: warning: shadowed declaration is here
|
|
|
|
|
|
|
|
| |
struct hbac_eval_req is defined in header file and it has attribute
request_time with type time_t, but header file "time.h" was not included.
It was not problem, because time.h was indirectly included by stdlib.h
(stdlib.h -> sys/types.h -> time.h) in implementation files,
but other platforms can have other dependencies among header files.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
|
|
|
| |
In preparation for handling some more allocations in the following patches and
fixes a curent memleak on the opts struct.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
|
|
|
| |
By the time that the create_ccache_in_dir() routine is called, we are
already guaranteed to have dropped privileges. This has either happened
because we dropped them before the exec() in the normal operation case
or because we dropped them explicitly after we completed the TGT
validation step if that or FAST is configured.
|
|
|
|
|
|
| |
If USN attribute is not present, we call strdup on uninitialized
variable. This may cause segfault, or if we are lucky and
usn is NULL it will return ENOMEM.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2052
|
|
|
|
|
| |
Adds pac_cli be_client structure pointer, to indetify and log the PAC
responder termination correctly.
|
|
|
|
|
| |
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be
used uninitialized' compiler warnings.
|
|
|
|
|
|
|
|
|
| |
When the user is only member of its own primary group, initgroups_dyn may
return NOTFOUND as, at least for the 'files' nss provider the code skips the
passed in group.
Resolves:
https://fedorahosted.org/sssd/ticket/2051
|
|
|
|
|
|
|
|
| |
The FILE cache only sets the return values of _active and _bool if the
entire function succeeds. The DIR cache was setting it even on failure.
This patch makes both consistent. This will benefit static analysis
tools which would be able to detect if the variable is ever used
uninitialized anywhere.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
|
|
|
|
|
|
| |
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
|
|
|
|
|
|
| |
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2043
|
| |
|
| |
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1630
|
| |
|
| |
|
|
|
|
| |
Header file proxy.h included itself.
|
|
|
|
| |
Previous check was wrong, servername cannot be NULL.
|
|
|
|
|
|
|
|
|
|
|
| |
Struct sss_auth_token became opaque in commit
9acfb09f7969a69f58bd45c856b01700541853ca.
All ocasions of "struct sss_auth_token" was replaced with pointer to this
struct, but proper initialization of auth_tokens was missing
in struct authtok_conv.
Resolves:
https://fedorahosted.org/sssd/ticket/2046
|
|
|
|
|
|
|
|
| |
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
|
|
|
|
| |
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.
|
| |
|
| |
|
|
|
|
| |
Change was introduced in commit ca344fde
|
|
|
|
|
|
|
|
| |
In sdap_nested_group_populate_users() username and orignal_dn are
allocated on a temporary memory context. If the corresponding user is
not found in the cache both are added to a hash which is later on
returned to the caller. To avoid a use-after-free when the hash entries
are looked up both must be reassigned to the memory context of the hash.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2026
|
|
|
|
|
|
| |
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
|
|
|
|
|
|
|
| |
This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.
Resolves:
https://fedorahosted.org/sssd/ticket/2040
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2031
|
|
|
|
| |
Coverity ID: 11927
|
|
|
|
|
|
|
|
|
| |
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
|
|
|
|
|
|
| |
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
|
| |
|
|
|
|
|
| |
Instead of multiple calls of sss_authtok_get_type, perform the call just
once and store into variable.
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1814
Return authentication error when empty password is passed.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1992
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1827
|
|
|
|
|
|
|
| |
Dircache can be either file or directory. Wrong value was used
when dircache was itself directory.
https://fedorahosted.org/sssd/ticket/2002
|
|
|
|
|
|
|
|
| |
We did not set port status for metaservers (srv servers)
in fo_reset_services().
Fixes:
https://fedorahosted.org/sssd/ticket/1933
|
|
|
|
| |
The switch statement was dead code due to missing case/default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1999
ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.
We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
|