| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
| |
|
|
|
| |
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
| |
|
|
|
|
|
|
|
| |
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
| |
|
|
|
| |
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
| |
|
|
|
|
|
| |
The connections request was terminated before setting the expiry timeout
in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
| | |
|
| | |
|
| |
|
|
|
| |
The element being reallocated is part of the "group_attrs" array, not
attrs.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length
array for group members while processing an empty group. The allocation
would return NULL and saving the empty group would fail.
|
| |
|
|
|
|
| |
Allocating temporary context on NULL helps vind memory leaks with
valgrind and avoid growing memory over time by allocating on a
long-lived context.
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1640
Normal rules requires that sudoHost attribute is present. But this
attribute is not mandatory for a special rule named cn=defaults.
This patch modifies filter so that we store even rules that doesn't
have sudoHost attribute specified. SUDO will then decide whether it
is allowed or not.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’:
src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’
shadows a global declaration
/usr/include/libgen.h:27: warning: shadowed declaration is here
|
| |
|
|
| |
The check is now held only in ipa_get_subdomain_account_info_send().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicit or
implicit.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain request are always send to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only send to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch save the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
| |
|
|
|
|
|
| |
Currently it is only checked if an expired group still has members of
the local domain. If not, the group is delete from the cache. With this
patch the whole cache, i.e. including subdomains, is searched for
members.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initgroups request is not handled by the IPA provider for
subdomain users on purpose because the group membership information is
not available on the IPA server but will be directly written to the
cache when the PAC of the user is processed. The old generic debug
message "Invalid sub-domain request type" might be misleading.
This patch adds a specific message for the initgroups case "Initgroups
requests are not handled by the IPA provider but are resolved by the
responder directly from the cache." and increase the debug level so
that typically this message is not shown anymore because it is expected
behaviour.
Fixes https://fedorahosted.org/sssd/ticket/1610
|
| |
|
|
|
|
|
|
| |
The ldb_val's length parameter should not include the terminating NULL.
This was causing funky behaviour as the users were saved as binary
attributes.
https://fedorahosted.org/sssd/ticket/1614
|
| |
|
|
|
|
|
|
|
|
| |
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
| |
|
|
|
|
|
|
|
| |
The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.
Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
| | |
|
| |
|
|
|
|
| |
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
| |
|
|
|
|
|
| |
The different_realm flag which was set by the responder is send to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider.
|
| |
|
|
|
|
| |
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
| |
|
|
|
| |
If sssd is configured to renew Kerberos tickets automatically ticket of
sub-domain uses should be renewed as well.
|
| |
|
|
|
|
| |
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache.
|
| | |
|
| |
|
|
|
|
|
| |
The ldap_child would return a NULL ccache but the error code would still
indicate success.
https://fedorahosted.org/sssd/ticket/1594
|
| |
|
|
| |
We should test both ret and (dp_error, errno) pair.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1596
In case that LDAP server contains zero sudo rules, the full refresh
completes succussfully and stores current USN value (= 0). But then
smart refresh will fail because it takes USN=0 as invalid value.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
| | |
|
| |
|
|
|
|
|
| |
The IPA has a defined directory tree structure that allows us to guess
the username from a DN without having to look up the DN in LDAP.
https://fedorahosted.org/sssd/ticket/1319
|
| |
|
|
|
|
|
|
| |
There are case where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561
|
| |
|
|
|
|
|
| |
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539
|
| |
|
|
|
|
|
|
| |
There was an unused structure member in the krb5_child.
Declaration of __krb5_error_msg was shadowing the same variable from
sss_krb5.h which is not nice. Also we might actually use the error
context directly instead of passing it as parameter.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage.
|
| |
|
|
|
|
|
|
|
| |
If there was no SID attribute, then we would have detected it by
checking the number of values of an element. We would however happily
return EOK in that case and save garbage into the sid_str.
This was causing segfault when the entry was supposed to be ID-mapped by
had no SID.
|
| | |
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1537
changes upper limit of slices to 2000200000 in providers code and
manpage.
|
