| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/2057
|
| |
|
|
|
|
| |
Since we now store the enumerate flag in sysdb for subdomains, we can
always descend to all available subdomains and if they do not allow
enumeration, simply skip them.
|
| |
|
|
| |
ht_size is size of hash_table in bytes, but hash keys have type uint32_t
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code uses 2 hashes for each record, but only one hash table to
index them both, furthermore each record has only one single 'next'
pointer.
This means that in certain conditions a record main end up being on a
hash chain even though its hashes do not match the hash chain. This can
happen when another record 'drags' it in from another hash chain where
they both belong.
If the record without matching hashes happens to be the second of the
chain and the first record is removed, then the non matching record is
left on the wrong chain. On removal of the non-matching record the hash
chain will not be updated and the hash chain will end up pointing to an
invalid slot.
This slot may be later reused for another record and may not be the
first slot of this new record. In this case the hash chain will point to
arbitrary data and may cause issues if the slot is interpreted as the
head of a record.
By skipping any block that has no matching hashes upon removing the
first record in a chain we insure that dangling references cannot be
left in the hash table
Resolves:
https://fedorahosted.org/sssd/ticket/2049
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2059
If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number,
we can end up with totlen < len and return EINVAL.
It also does not pad the length, but usually allocates
much more memory than is desired.
len = 1024
n = 1024 % 512 + 1 = 0 + 1 = 1
totlen = 1 * 512 = 512
=> totlen < len
len = 511
n = 511 % 512 + 1 = 511 + 1
totlen = 512 * 512 = 262144
totlen is way bigger than it was supposed to be
|
| | |
|
| |
|
|
|
|
|
| |
With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.
|
| |
|
|
|
| |
When processing a list of groups we try to process as much as possible
only not stop on the first error.
|
| |
|
|
|
|
| |
To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.
|
| |
|
|
|
| |
Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.
|
| |
|
|
|
| |
If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.
Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.
The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.
Fixes https://fedorahosted.org/sssd/ticket/1996
|
| | |
|
| |
|
|
|
|
|
|
| |
Use sss_atomic_write_s() instead of write() in
sss_mc_save_corrupted(). Also unlink() the file if no data
were written.
It is better to use sss_atomic_write_s instead of write
|
| |
|
|
|
| |
This patch adds function to store corrupted mmap cache file to
disk for further analysis.
|
| |
|
|
|
| |
We introduced new way to check integrity of memcache in the
client code. We should use similiar checks in the responder.
|
| |
|
|
|
| |
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.
This patch adds the GID of the original primary group when available and
needed.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
| |
|
|
|
|
|
| |
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|
| |
|
|
|
|
|
|
|
| |
There is a timed desctructor in the nss responder that, when the
entry timeout passes, removes the netgroup from the hash table while
the netgroup is freed. This patch adds a hash delete callback so that if the
netgroup is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
| |
|
|
|
|
|
|
| |
If cmd_ctx->name was not initialized by sss_parse_name
then copy of name will be used.
https://fedorahosted.org/sssd/ticket/1970
Coverity ID: 11647
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1814
When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine lenght of passed
string by itself and would read parts of DBus message behind boundaries
of authtok.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done
was called. Inside of function sss_cmd_done memory was freed,
but this freed memory was used in caller functions, therefore sssd crashed.
https://fedorahosted.org/sssd/ticket/1980
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1949
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1693
Since we don't care about returned values from out of band refresh,
we do not need to set callback data. However, this caused talloc
to abort as it considers it as type mismatch when called from
tevent_req_callback_data().
|
| |
|
|
|
|
|
|
|
|
|
| |
If the PAC responder recognizes some attribute changes between the
cached user entry and the PAC data it quite crudely just removes the
cached entry and recreates it. While in most cases all needed data can
be recovered from the PAC data there is a case where it is not possible.
E.g the IPA HBAC code use the OriginalDN attribute to improve
performance when evaluating access rules. This patch makes sure this
attribute is not lost when the PAC responder updates the object.
|
| |
|
|
|
|
|
| |
sysdb_search_object_by_sid() does not return ENOENT if no related object
was found in the cache but EOK and an empty result list.
Fixes https://fedorahosted.org/sssd/ticket/1989
|
| |
|
|
|
| |
Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To make sure that e.g. the short/NetBIOS domain name is available this
patch make sure that the responders send a get_domains request to their
backends at startup the collect the domain information or read it from
the cache if the backend is offline.
For completeness I added this to all responders even if they do not need
the information at the moment.
Fixes https://fedorahosted.org/sssd/ticket/1951
|
| | |
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
| |
|
|
|
|
| |
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
| |
|
|
|
|
| |
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1912
SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but sobdomains
users are in cn=sub.domain,cn=sysdb. When we search for rules for
subdomain users we have to switch domain context to parent.
|
| | |
|
| | |
|
| |
|
|
|
| |
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
