| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2701
Previously, only the krb5 provides used to queue requests, which
resulted in concurrent authentication requests stepping on one another.
This patch queues requests by default.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
We're attempting to use strerror() to print the result from
ad_gpo_access_check(), but that function returns an extended SSSD errno
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_get_real_name overrode reurned code LDAP
and thus user was not removed from cache after removing it from LDAP.
This patch also do not try to set initgroups flag if user
does not exist. It reduce some error message.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Otherwise each connection would clobber the environment variable with
its own.
This is a temporary workaround until SSSD's ldap_child is able to store
ccaches in a collection.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
For one-way trusts we can assume that AD domain is the same as the
Kerberis realm. On the other hand, SASL realm and keytab path are
specified, unlike two-way trusts that use the system keytab.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Both the AD common code and ipa_ad_ctx_new() used set AD_KRB5_REALM. As
verified by unit tests, we don't need to set the parameter twice.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Removed code duplication. Amends unit test to make sure we don't
regress.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Make the function reusable and add a simple unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Better reflects what's going on in the function. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
The function sets SDAP related options based on the AD ID context
options. The name should reflect what the function does.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Refactoring in preparation for requesting the keytab in future patches.
Currently it's a fake async that just marks the request as done.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This will reduce special-casing when establishing forest roots as all
domains will contain the forest name.
Additionally, AD subdomains already contain the forest name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows to distinguish the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
These functions will be later reused by the subdomains_server.c module.
Splitting them into a separate subdomains_utils.c module will make sure
there are no cyclic dependencies and the functions are testable in
isolation.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
There is already quite a few functions that are server-mode specific and
there will be even more with one-way trusts. Split the server-mode
specific functions into a separate module.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Updating master domain record from sysdb will ensure the flat name of
the master domain record is up-to-date.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Reduced code duplication
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For one-way trusts we need to know the flat name of the IPA domain when
we process subdomains, hence we need to swap the processing order and
read the master domain record sooner.
Previsouly the order was:
- ranges
- subdomains
- if on client, views
- master
Now the order is:
- ranges
- master
- subdomains
- if on client, views
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Previously it was error-prone to move code around, because the functions
that started next subdomain request were scattered together with moving
to next base or assigning next base.
This patch creates a wrappers for better readability.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Even master domains can be forest members,
it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2583
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2644
Adds a utility function that checks if a DP option is present in
the subdomain_inherit list. If it is, then the option is set from source
to destination dp_option array.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
function write_krb5info_file() was declared twice in krb5_common.h
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
ipa_dyndns.h was depended on header files included before it.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't pass zone directive to nsupdate for the first pass. The
information about zone should be generated by nsupdate which has
auto-detection logic for zone value. The previous version code sometime
worked but it broke when client domain was not the same as FreeIPA
domain.
Log without patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
[ipa_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
Log after patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_nsupdate_done] (0x0040): DNS update finished
Resolves:
https://fedorahosted.org/sssd/ticket/2540
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==18139== Conditional jump or move depends on uninitialised value(s)
==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626)
==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907)
==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114)
==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530)
==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634)
==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140)
==18139== by 0x5293862: server_loop (server.c:668)
==18139== by 0x10EA41: main (data_provider_be.c:2909
Related tickets:
https://fedorahosted.org/sssd/ticket/2645
https://fedorahosted.org/sssd/ticket/2662
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some providers, notably IPA, rely on extra_value to be either a useful
value or NULL. In enumeration, however, extra_value was random. Set
the extra_value pointer explicitly to NULL to make it clear that it's
not used for enumeration and also use talloc_zero as future-proof.
Resolves:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Argument "siginfo_t *siginfo" (void *__siginfo) was not used in
signal handlers pc_init_sig_handler, proxy_child_sig_handler.
siginfo is mostly used for additional information for about signal
and precesses (@see man 2 sigaction) and we store needed information
in custom context (private_data); It's tevent style.
Why backend crashed:
proxy_child_init_send creates request; forks a process and register
handler for signal SIGCHLD. Talloc parent of tevent_signal is previously
created request.
If proxy_child fails (return code is not 0) then SIGCHLD is received
handler pc_init_sig_handler is called. However pc_init_sig_handler can call
tevent_req_error for request which calls request callback and released
request.
tevent_signal_destructor was called as a part of releasing
tevent_signal. The destructor cleared siginfo in ring buffer for first time.
Then tevent tried to clear the same siginfo in ring buffer for the secont time
after returning from signal hander (pc_init_sig_handler). But it was already
cleared and it caused dereference of NULL pointer.
Resolves:
https://fedorahosted.org/sssd/ticket/2654
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some callers may be interested in the raw referral values returned from
a lookup. This patch allows interested consumers to get these referrals
back and process them if they wish. It does not implement a generic
automatic following of referrals.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|