| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
| |
|
|
|
| |
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2030
|
| |
|
|
|
|
|
|
|
| |
Currently online callbacks are only executed if the backend was offline
before. This patch add a new class of callback which are always called
if the backend gets a request to go online.
They can be used e.g. to reset timeouts until a more sophisticated method
(OpenLMI, sssctl) is available.
|
| |
|
|
|
|
|
| |
In function create_empty_cred, krb5_creds was aloocated using calloc,
but krb5_free_creds was used to remove this creds in done section.
Therefore clang static analyzer repoted this as warning:
Potential leak of memory pointed to by 'cred'
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Variable kr->creds is initialized in function krb5_get_init_creds_password.
It does not make sense to check kr->creds for null, because we have already
checked return value of function krb5_get_init_creds_password.
Resolves:
https://fedorahosted.org/sssd/ticket/2112
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently we relied on the fact that external ID mapping is used as
default fallback in case of an error and did not properly add subdomains
with external ID mapping to the idmap library. If debugging is enabled
this leads to irritating debug messages for every user or group lookup.
With this patch this subdomains are added to the idmap library.
Fixes https://fedorahosted.org/sssd/ticket/2105
|
| | |
|
| |
|
|
|
|
|
| |
If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack.
|
| | |
|
| |
|
|
|
|
|
|
| |
In some cases, local boolean variable "do_update" could be used
without proper initialisation.
Clang static analyser warning: "Assigned value is garbage or undefined"
It was not a big problem, because non-zero value for boolean variable mean
true.
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2116
|
| |
|
|
|
|
|
|
|
| |
Setting up public directories is the job of the admin, and
current sssd syntax can't express the actual intention of the admin with
regrads to which parts of the path should be public or private.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matches in the GC,
there is a possibility to fall back to LDAP.
|
| |
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
| |
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
| |
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
|
| |
|
|
|
|
|
|
|
| |
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
| |
|
|
|
|
|
|
|
| |
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a check for an error return code that can be returned when
the ccache is not found.
Even in case of other errors still do not fail authentication
but allow it to proceed using a new ccache file if necessary.
Related:
https://fedorahosted.org/sssd/ticket/2053
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2087
IN_MULTICAST accepts address in the host order, but network order was
supplied.
|
| |
|
|
|
|
|
|
| |
Expanding a principle to an enterprise principal only makes sense if
there is a KDC available which can process it. If we are offline the
plain principal should be used, e.g. to create an expired ccache.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If the returned TGT contains a different user principal name (upn) than
used in the request, i.e. the upn was canonicalized, we currently save
it to sysdb into the same attribute where the upn coming from an LDAP
server is stored as well. This means the canonical upn might be
overwritten when the user data is re-read from the LDAP server.
To avoid this this patch add a new attribute to sysdb where the
canonical upn is stored and makes sure it is used when available.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name.
|
| |
|
|
|
| |
The check worked for simple setups but fails e.g. in environment with
trusts.
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
| |
|
|
| |
AD provider will override the default with its own.
|
| |
|
|
| |
Adds a reusable async request to download the master domain info.
|
| | |
|
| |
|
|
|
|
|
|
| |
When comparing username and his groups to access list, we will
obey case sensitivity of object from access list.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
| |
|
|
| |
Remove code duplication.
|
| |
|
|
|
| |
Parameter "int *dp_err" and parameter "int *pam_status" were unused
in static function krb5_auth_prepare_ccache_name.
|
| |
|
|
| |
mem_ctx was unused in function get_domain_or_subdomain
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
format specifies type 'int' but the argument has type 'const char *'
|
| | |
|
