| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
The function PyUnicode_FromString is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The macro PyModule_AddIntMacro is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The macro PySet_Check is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The function PySet_Add is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The function PySet_New is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The type Py_ssize_t is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of warning:
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
error: equality comparison with extraneous parentheses
[-Werror,-Wparentheses-equality]
if (((wbc_status) == WBC_ERR_SUCCESS)) {
~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
note: remove extraneous parentheses around the comparison
to silence this warning
if (((wbc_status) == WBC_ERR_SUCCESS)) {
~ ^ ~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
note: use '=' to turn this equality comparison into an assignment
if (((wbc_status) == WBC_ERR_SUCCESS)) {
^~
=
The reason is definition of some macros which were used in if conditions.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Also reformat debug strings not to exceed 80 columns long lines.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Not used anymore after previous patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Two functions were only used internally, makes no sense to keep them in the
child_common module API.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Example of warning:
src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body]
src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2544
Adds a new function exec_child_ex and moves setting the extra_argv[]
to exec_child_ex() along with specifying the input and output fds.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2017
|
|
|
|
|
|
|
|
|
| |
krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older
platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
Resolves https://fedorahosted.org/sssd/ticket/2518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
Currently all child processes use the same arguments, the construction
of argv[] is even hardcoded in exec_child(). Add an extra_args[] array
that extends the common set of argvs so that we can have child-specific
arguments. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2506
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
sss_krb5_princ_realm set output parameter realm to NULL and len to 0
in case of failure. Clang static analysers reported warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible, that realm_name with value NULL
could be used in strncmp.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Function krb5_principal_get_realm can return NULL an it would
case segfault in function strlen.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Assume name is not FQDN if sss_parse_name fails to
match domain with regular expression.
Fixes:
https://fedorahosted.org/sssd/ticket/2487
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
| |
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Currently views and overrides were only available for sub-domains, this
patch enables the lookup for the configured domains as well.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code didn't have to handle this case previously as sssd_be was always
running as root and switching to the ccache as the user logging in.
Also handle NULL creds on restore_creds() in case there was no switch.
One less if-condition and fewer indentation levels.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
All our child processes duplicated the same code that set up the
debugging all around. Instead of adding yet another copy for the
selinux_child, add a common utility function.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
We had struct io and the associated destructor copied twice in the code
already and need it again in the SELinux provider. Instead of adding
another copy, move the code to a shared subtree under util/
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
The function was called from one place only, so it makes no sense to
keep it in a shared module. Moreover, the function should only be
called from code that runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need a custom function that would convert a numeric or string input
into uid_t. The function will be used to drop privileges in servers and
also in the PAC and IFP responders.
Includes a unit test to test all code that changed as well as a fix for
a misnamed attribute in the csv_to_uid_list function synopsis.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
server.c used hardcoded PID_PATH and DB_PATH from config.h. Normally,
this path resides in a system directory (like /var/) and should not be
written to by tests. In order to specify a different one for tests, we
need to conditionalize normal builds and unit test builds.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We need to chown the log files before dropping root to make sure they
are usable by the SSSD user. Unfortunately, we can't just rely on
passing the fd opened by root, because we need to be also able to rotate
the log files.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
mlsrange parameter will be needed in IPA provider
and probably at some point in the tools as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_search_user_override_by_name() and
sysdb_search_group_override_by_name() search for overrides in the given
view.
sysdb_add_overrides_to_object() adds the data from the override object
to the original object and makes them available for further processing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Since a view applies to the whole domain-subdomain tree the view data is
copied from the parent the new created domains.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|