summaryrefslogtreecommitdiffstats
path: root/src/util
Commit message (Collapse)AuthorAgeFilesLines
* UTIL: Convert domain->disabled into tri-state with domain statesJakub Hrozek2015-09-214-3/+22
| | | | | | | | | | | | | Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Don't error out reading a minimal krb5.confJakub Hrozek2015-09-161-1/+4
| | | | | | | | With some setups, krb5.conf can be really minimal. In those cases, we should ignore PROF_NO_RELATION and PROF_NO_SECTION and just return "false" as in "no proxy" without a loud debug message. Reviewed-by: Petr Cech <pcech@redhat.com>
* utils: make sss_krb5_get_primary() privateSumit Bose2015-09-142-6/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Remove trailing whitespacePavel Reichl2015-09-032-8/+8
| | | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* sbus: Add a special error code for messages sent by the bus itselfJakub Hrozek2015-09-012-0/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Don't ignore backslash in usernames with ldap providerLukas Slebodnik2015-09-012-1/+13
| | | | | | | | | | The regression was caused by changing default domain regex for ldap provider in ticket #2717 Resolves: https://fedorahosted.org/sssd/ticket/2772 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Function 2string for enum sss_cli_commandPetr Cech2015-08-312-0/+266
| | | | | | | | | | | | Improvement of debug messages. Instead of:"(0x0400): Running command [17]..." We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DYNDNS: remove code duplicationPavel Reichl2015-08-142-0/+2
| | | | | | | | | | Move copy pasted code for converting sockaddr_storage to string into function. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Provide a common interface to safely create temporary filesJakub Hrozek2015-08-142-0/+148
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DEBUG: Add new debug category for fail over.Michal Židek2015-08-142-1/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Improve messages about failuresPavel Reichl2015-08-071-1/+3
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5 utils: add sss_krb5_realm_has_proxy()Sumit Bose2015-08-052-0/+59
| | | | | Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Initgr memory cache should work with fq namesLukas Slebodnik2015-08-051-3/+4
| | | | | | | | | | | | | | | | | | | | | We need to stored two versions of name to the initgroups memory cache. Otherwise it could be stored many times if sssd is configured with case_sensitive = false. It would be impossible to invalidate all version of names after user login. As a result of this wrong user groups could be returned from initgroups memory cache. Therefore we store raw name provided by glibc function and internal sanitized fully qualified name, which is unique for particular user. This patch also increase average space for initgroups because there are also stored two quite long names in case of fq names. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: "Override" functions for initgr mmap cacheLukas Slebodnik2015-08-051-1/+5
| | | | | | | | | | | | | | | | | | Functions sss_mc_get_strs_offset and sss_mc_get_strs_len provides data about strings for individual memory caches (passwd, ...) Their are used in generic responder mmap cache code to find a record in mmap cache (sss_mc_find_record). Data provided from functions sss_mc_get_* are used for checking the validity of record. So in case of corrupted record the whole mmap cache can be invalidated. Functions sss_mc_get_strs_offset and sss_mc_get_strs_len did not provide data for initgroups mmap cache and therefore particular record could not be invalidated. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Rename variablesLukas Slebodnik2015-08-051-1/+1
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-313-0/+227
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-312-0/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* authok: add support for Smart Card related authtokensSumit Bose2015-07-312-0/+105
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: add NSS version of cert utilsSumit Bose2015-07-311-0/+212
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Lower debug level in perform_checks()Jakub Hrozek2015-07-281-4/+4
| | | | | | | Failures in perform_checks() don't have to be fatal, therefore the debug messages shouldn't be either. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-161-2/+1
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use NSCD path in execl()Jakub Hrozek2015-07-151-1/+1
| | | | | | | | | | man execl says: The first argument, by convention, should point to the filename associated with the file being executed. We used just 'nscd' instead. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-152-3/+30
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* nss: Store entries in responder to initgr mmap cacheLukas Slebodnik2015-07-031-0/+8
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* utils: add get_last_x_chars()Sumit Bose2015-06-192-0/+19
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* certs: add PEM/DER conversion utilitiesSumit Bose2015-06-193-0/+369
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Fetch keytab for 1way trustsJakub Hrozek2015-06-142-0/+4
| | | | | | | | | Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domainsJakub Hrozek2015-06-142-0/+2
| | | | | | | | | | | Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it privateJakub Hrozek2015-06-142-144/+0
| | | | | | | | | | | In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Store trust direction for subdomainsJakub Hrozek2015-06-142-2/+5
| | | | | | | | | | | | We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Don't override homedir with subdomain_homedirPavel Reichl2015-06-142-0/+2
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2583 Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-051-0/+9
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util-tests: Add validation of internal error messagesLukas Slebodnik2015-06-011-4/+4
| | | | | | | The function sss_strerror() should not return a sentence. It shoudl return string; the same as strerror() Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: add sbus_opath_decompose[_exact]Pavel Březina2015-05-222-0/+2
| | | | | | | | This function decomposes object path into array of strings. The "_exact" version expects a certain number of parts otherwise an error is thrown. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SELINUX: Avoid disconnecting disconnected handleJakub Hrozek2015-05-111-2/+7
| | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2649 libsemanage is very strict about its API usage and actually doesn't allow disconnecting a handle that is not connected. The unpatched code would fail with: selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed. If semanage_connect() failed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add cache_credentials_minimal_first_factor_length config optionSumit Bose2015-05-081-0/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* utils: add sss_authtok_[gs]et_2faSumit Bose2015-05-084-0/+369
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: do not add domain name unconditionallySumit Bose2015-05-061-1/+1
| | | | | | | | | | | Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple-access-provider: make user grp res more robustPavel Reichl2015-04-282-0/+2
| | | | | | | | | Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-142-0/+73
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Begin and end the transaction on the same nesting levelJakub Hrozek2015-04-141-6/+14
| | | | | | | | | Transaction should be started and commited on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make init function reusable by read-only libsemanage functions. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Disconnect before closing the handleJakub Hrozek2015-04-141-3/+10
| | | | | | | | | | | | libsemanage documentation says: ~~~~ be sure that a semanage_disconnect() was previously called if the handle was connected. ~~~~ Otherwise we get a memory leak. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Add a simple function to get the fd of debug_fileJakub Hrozek2015-04-142-0/+10
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* ncache: Silence critical error from filter_users when default_domain_suffix ↵Jakub Hrozek2015-04-091-2/+1
| | | | | | | | | | | | | | | is set When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Use custom error codes when validating HBAC rulesJakub Hrozek2015-03-242-0/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-202-0/+32
| | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-178-19/+20
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test: Check ERR_LASTMichal Zidek2015-03-132-1/+2
| | | | | | Check if number of error codes and messages is the same. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DEBUG: Add missing strings for error messagesMichal Zidek2015-03-132-1/+4
| | | | | | | | We had more error codes than corresponding messages. Also order of two messages was wrong. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use FQDN if default domain was setMichal Zidek2015-03-112-0/+2
| | | | | | https://fedorahosted.org/sssd/ticket/2569 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-13 01:59:27 +0000