| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows to distinguish the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2583
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
This function decomposes object path into array of strings. The
"_exact" version expects a certain number of parts otherwise an
error is thrown.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
We need to treat the failure to connect to the system bus as non-fatal.
In this commit, we introduce a special error code and only print a DEBUG
message when this error code is returned from the startup function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the basis of SBUS getters and setters. A new module,
sssd_dbus_properties.c would contain handlers for the property methods
like Get, Set and GetAll.
Type-safe property access works in a similar fashion like type-safe
method calls - the invoker calls the getter which returns the primitive
type, which is in turn marshalled into variant by the invoker.
This patch does not contain the complete functionality, see later
patches that continue implementing the getters and setters.
Reviewed-by: Stef Walter <stefw@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an async request sbus_get_sender_id_{send,recv} that allows
retrieval of UID based on "sender" as returned by
dbus_message_get_sender().
The UID is an int64_t to be able to use "-1" to as a fallback value for
uknown or error cases.
The unit test is added as a standalone one, not part of the sbus_tests
because the request, and by extension the unit test relies on being
connected to the system bus, which is very unlikely to work in a build
system.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The responders were copying code to parse input and on encountering an
uknown domain, send the discover subdomain request. This patch adds a
reusable request that can always be called in responders and in case the
name can be parsed, just shortcut.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
|
|
|
|
|
|
|
|
| |
Specific error message is logged for missing sssd.conf file. New sssd specific
error value is introduced for this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2156
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to errornously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1032
Introduces two new error codes:
- ERR_SRV_NOT_FOUND
- ERR_SRV_LOOKUP_ERROR
Since id_provider is authoritative in case of SRV plugin choise,
ability to override the selected pluging during runtime is not
desirable. We rely on the fact that id_provider is initialized
before all other providers, thus the plugin is set correctly.
|
|
|
|
| |
Also simplify sdap_access_send to avoid completely fake _send() routines.
|
|
|
|
|
|
|
|
|
| |
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
|
|
|
|
|
|
|
|
| |
We need to mask the first part with 0xFFFF or there is a slight chance an
unrelated error code would match even if the upper part is not exactly
equal to ERR_BASE but just has all it's bits and some more.
Also make the macro more reasable by adding another helper macro for filtering
the base.
Finally compare err and ERR_LAST directly w/o masking err, or the comparison
will always return true.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
|
|
|
|
|
|
| |
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|