| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
| |
To avoid wrong or missing netgroup names in the getent_ctx destructor
set_netgroup_entry() now takes the name out of the getent_ctx struct
instead of using a separate argument.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/817
|
|
|
|
|
|
|
|
|
|
| |
Previously, we were setting the client context PAM lookup timeout
after the first domain replied. However, if the user wasn't a
member of the first domain, their information wasn't being
updated.
This patch ensures that we only set this timeout after the user
has been found or all domains were searched.
|
|
|
|
|
| |
Previously we were only looking up the user, but we need to make
sure that all groups are available for use by access providers.
|
| |
|
| |
|
|
|
|
|
|
|
| |
When the automatic cleanup happened, if the netgroup had been
created with no contents (to indicate an unknown netgroup), we
weren't saving the hash table address and the talloc_free() was
failing.
|
|
|
|
|
|
| |
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
|
|
|
|
| |
The existence of the getent_ctx is used to track the enumeration cache
timeout.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
|
|
|
|
|
| |
Previously, this was initialized to zero, so the first domain in
the list wouldn't be checked for ID updates in
pam_check_user_search. This initializes the first domain to check
the provider.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/735
|
|
|
|
|
|
| |
Also fixes the same problem with set_close_on_exec
https://fedorahosted.org/sssd/ticket/713
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/716
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/719
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Currently we do not handle the open nss request after a reconnect and
wait until they timeout (which is a couple of minutes!). This patch adds
a handler that terminates all requests after a reconnect. Then responder
will return matching cache entries or nothing.
|
| |
|
|
|
|
| |
Useful for optimizing the initgroups operation.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Create a new private header and make some functions available for
other object files.
|
| |
|
|
|
|
|
| |
Previously, it was implicitly using the nss_dom_ctx, but there are
situations where we would want to send a different private context
|
|
|
|
|
|
|
| |
We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory.
|
|
|
|
|
|
| |
Various dead assignments were deleted, some return value inspections
were added.
Ticket: #588
|
|
|
|
|
|
| |
A refactoring patch that creates a common util/crypto subdir with
per-implementation subdirectories for each underlying crypto library
supported by SSSD.
|
| |
|
|
|
|
|
| |
Creates a new function - sss_ncache_prepopulate() - that can be
shared with other responders, such as PAM.
|
|
|
|
|
| |
Rename functions from nss_ncache_* to sss_ncache_*
Move negative cache to responder/common and rename as negcache.c/h
|
|
|
|
|
|
|
| |
There was a bug in the negative cache checks (probably a leftover
from when filter_users was global-only) that meant that if a user
was filtered out of a domain, the remaining domains would not be
checked for that user. (Same for groups/initgroups)
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/540
|
|
|
|
|
|
|
|
|
| |
In several places, we were creating a new timer and assigning it
to the tev variable, but then we were checking for NULL from the
te variable (which, incidentally, is guaranteed never to be NULL
in this situation)
https://fedorahosted.org/sssd/ticket/523
|
| |
|
|
|
|
|
|
|
| |
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
|
|
| |
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
|
|
|
|
| |
This commit completes the migration to a synchronous sysdb
|