| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is WIP patch to unify format of
usernames and groupnames in sssd internals.
In current form it breaks just about everything.
The sysdb update function is just placeholder
and it's contents are irelevant.
Currently I am working on fqname attribute
removal because it seems to just add confusion.
If you decide to look into the code, please use
sunglasses or other other protective gear and play
some calm music in your backgroun to prevent
eye or brain injury.
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Like lookup by ID or by UPN the match for lookups by certificate can be
found in any domain and all sub-domains must be included in the search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When ifp_users_user_get_groups is called, for example via GetAll and
the list of groups contains a non-POSIX group, we skip an array member,
resulting in random memory being passed to the caller.
Resolves:
https://fedorahosted.org/sssd/ticket/2863
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name':
src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While handling well-known SIDs a debug statement tries to access memory that is
already freed. This can be seen with the following output from valgrind.
==17600== Invalid read of size 4
==17600== at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600== by 0x45EF3BF: _tevent_loop_once (tevent.c:530)
==17600== by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634)
==17600== by 0x45F326E: std_event_loop_wait (tevent_standard.c:140)
==17600== by 0x45EF647: _tevent_loop_wait (tevent.c:653)
==17600== Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd
==17600== at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17600== by 0x45FEC9E: _talloc_free_internal (talloc.c:1057)
==17600== by 0x45FEC9E: _talloc_free (talloc.c:1581)
==17600== by 0x8066085: sss_cmd_done (responder_cmd.c:93)
==17600== by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382)
==17600== by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==
The patch contains a change to the unit tests which frees the memory in
the wrapper for sss_cmd_done() too. This allows to detect this kind of
issue in the unit tests as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Conditions with get_next_domain were a little
confusing for coverity (but also for developers'
eyes).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And
it replaces all occurances in responder code.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurances of value 0177 with this constant.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2833
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
If an overriden name is provided and the user is already cache we fail
to refresh it since we won't search with VIEW flag. This patch fix
it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2833
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Parsed name or UPN is now stored in input->name instead of touching
orig_name and storing the original name in raw_name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
It seems that clang expected that errno can change to 0
in case of error. It might be a bug in static analyzer.
But the workaround does not change the logic and
the errno is read just once.
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
LOCAL view does not allow the case when both ghost member and
user override is created so it is safe to allow ghost members
for this view.
Resolves:
https://fedorahosted.org/sssd/ticket/2790
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in data provider and in responder too.
So this patch create new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The regression was caused by changing default domain regex
for ldap provider in ticket #2717
Resolves:
https://fedorahosted.org/sssd/ticket/2772
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Improvement of debug messages.
Instead of:"(0x0400): Running command [17]..."
We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It can happed if there are two domains and user is not found
in the first one.
==29279== Invalid read of size 1
==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
Resolves:
https://fedorahosted.org/sssd/ticket/2749
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Simplifies the code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2746
It was timeouting often in CI machines.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Returning zero values doesn't make any sense, so we may use it as
"use sssd configuration instead".
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to stored two versions of name to the initgroups memory cache.
Otherwise it could be stored many times if sssd is configured with
case_sensitive = false. It would be impossible to invalidate all
version of names after user login. As a result of this wrong user
groups could be returned from initgroups memory cache.
Therefore we store raw name provided by glibc function
and internal sanitized fully qualified name,
which is unique for particular user.
This patch also increase average space for initgroups
because there are also stored two quite long names in case of
fq names.
Resolves:
https://fedorahosted.org/sssd/ticket/2712
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Initgroups memory cache was invalidated only in case on removed user.
it should be invalidated also after changes in group membership.
Resolves:
https://fedorahosted.org/sssd/ticket/2716
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Functions sss_mc_get_strs_offset and sss_mc_get_strs_len provides
data about strings for individual memory caches (passwd, ...)
Their are used in generic responder mmap cache code to find a record
in mmap cache (sss_mc_find_record). Data provided from functions sss_mc_get_*
are used for checking the validity of record. So in case of corrupted record
the whole mmap cache can be invalidated.
Functions sss_mc_get_strs_offset and sss_mc_get_strs_len did not provide
data for initgroups mmap cache and therefore particular record could not be
invalidated.
Resolves:
https://fedorahosted.org/sssd/ticket/2716
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since requests by ID are not assized to a specific domain SSSD might
check the ID in domains where the ID does not exists even if the ID is
already in the sysdb cache of the right domain. For requests where
already a memory cache is available like e.g. getpwuid() and getgrgid()
this has no negative impact because the requests are answered directly
from the cache most of the time without hitting SSSD. As long as there
is no use-case which does not use the memory cache those requests do not
need an update.
But for request like sid-by-id where currently no memory cache is
available there are quite some additional costs especially for trusted
domains.
Resolves https://fedorahosted.org/sssd/ticket/2731
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2731
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently in the default configuration
nss_check_name_of_well_known_sid() can only split fully-qualified names
in the user@domain.name style. DOM\user style names will cause an error
and terminate the whole request.
With this patch both styles can be handled by default, additionally if
the name could not be split nss_check_name_of_well_known_sid() returns
ENOENT which can be handled more gracefully by the caller.
Resolves https://fedorahosted.org/sssd/ticket/2717
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2553
Can be used as:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByName \
string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Groups \
org.freedesktop.sssd.infopipe.Groups.ListByName \
string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \
string:ipaldap string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Groups \
org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \
string:ipaldap string:r\* uint32:10
By default the wildcard_limit is unset, that is, the request will return
all cached entries that match.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds two new functions to the cache_req API:
- cache_req_user_by_filter_send
- cache_req_group_by_filter_send
These functions can be used to retrieve users or groups that match a
specified filter.
Also renames a variable to avoid constant confusion -- the variable is
only used for debug output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Extends the Data Provider interface and the responder<->Data provider
interface with wildcard lookups.
The patch uses a new "wildcard" prefix rather than reusing the existing
user/group prefixes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
pam_helpers.h had to be included after util.h.
Removed exara empty line.
Fixed code alignment
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce new user attribute lastOnlineAuthWithCurrentToken.
This attribute behaves similarly to lastOnlineAuth but is set to NULL
after password is changed.
This attribute is needed for use-case when cached authentication is used, to
request online authentication after password is locally changed.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If user is removed from sysdb cache then
it should be also removed from initgroups memory cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|