sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	init script: source /etc/sysconfig/sssd	Pavel Březina	2013-06-25	3	-0/+18
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1959
*	krb5: do not use enterprise principals for renewals	Sumit Bose	2013-06-25	1	-1/+6
\| \| \| \| \| \|	When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
*	krb5: do not send pac for IPA users from the local domain	Sumit Bose	2013-06-25	5	-10/+20
\| \| \| \| \| \| \| \| \| \| \| \| \|	So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995
*	Revert "Always send the PAC to the PAC responder"	Sumit Bose	2013-06-25	1	-18/+20
\| \| \| \|	This reverts commit d153941864fe481399665be8fe583c9317194a99.
*	Fix typo in pack_authtok()	Sumit Bose	2013-06-24	1	-1/+1
\|
*	KRB5: use the right authtok type for renewals	Sumit Bose	2013-06-24	1	-3/+20
\|
*	IPA: Do not download or store the member attribute of host groups	Jakub Hrozek	2013-06-24	2	-2/+0
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
*	PAC: do not delete originalDN or cached password if present	Sumit Bose	2013-06-24	1	-1/+26
\| \| \| \| \| \| \| \| \| \| \|	If the PAC responder recognizes some attribute changes between the cached user entry and the PAC data it quite crudely just removes the cached entry and recreates it. While in most cases all needed data can be recovered from the PAC data there is a case where it is not possible. E.g the IPA HBAC code use the OriginalDN attribute to improve performance when evaluating access rules. This patch makes sure this attribute is not lost when the PAC responder updates the object.
*	LDAP: Retry SID search based on result of LDAP search, not the return code	Jakub Hrozek	2013-06-24	1	-2/+13
\|
*	failover: if expanded server is marked as neutral, invoke srv collapse	Pavel Březina	2013-06-21	1	-0/+7
\| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1947 Otherwise we will do the SRV expansion once again: 1. leaving the old servers in server list 2. meta server is not inserted back in the list, the newly found servers are inserted behind meta server, meta server is orphaned and the new servers are forgotten
*	collapse_srv_lookup may free the server, make it clear from the API	Pavel Březina	2013-06-21	1	-6/+9
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1947
*	failover: return error when SRV lookup returned only duplicates	Pavel Březina	2013-06-21	3	-2/+23
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1947 Otherwise we risk that the meta server is removed from the server list, but without a chance to return, because there may be no fo_server with srv_data = meta. Also if state->meta->next is NULL (it is still orphaned because we try to errornously expand it without invoking collapse first), state->out will be NULL and SSSD will crash. New error code: ERR_SRV_DUPLICATES
*	failover: do not return invalid pointer when server is already present	Pavel Březina	2013-06-21	1	-2/+6
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1947
*	Configure SYSV init scripts properly	Stephen Gallagher	2013-06-21	3	-9/+7
\| \| \| \| \| \| \|	Previously, these contained hard-coded paths. Now they are populated correctly by the configure script. https://fedorahosted.org/sssd/ticket/1986
*	FO: Check the return value of send_fn	Jakub Hrozek	2013-06-21	1	-0/+4
\|
*	Fix dp_copy_options	Jakub Hrozek	2013-06-21	1	-1/+1
\|
*	PAC: do not expect that sysdb_search_object_by_sid() return ENOENT	Sumit Bose	2013-06-19	1	-8/+8
\| \| \| \| \| \| \|	sysdb_search_object_by_sid() does not return ENOENT if no related object was found in the cache but EOK and an empty result list. Fixes https://fedorahosted.org/sssd/ticket/1989
*	nested groups: do not expect any particular number of groups	Pavel Březina	2013-06-18	1	-19/+10
\|
*	nested groups: do not return ENOMEM if num_groups is 0	Pavel Březina	2013-06-18	1	-6/+10
\| \| \| \| \| \|	talloc_realloc(..., 0) calls talloc_free() and returns NULL. If we process group that contains only users, we errornously return ENOMEM.
*	Set default realm for enterprise principals	Sumit Bose	2013-06-17	1	-0/+12
\| \| \| \| \| \| \| \| \| \|	Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931
*	Use principal from the ticket to find validation entry	Sumit Bose	2013-06-17	1	-1/+1
\| \| \| \| \| \| \| \| \|	If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931
*	handle ERR_ACCOUNT_EXPIRED properly	Pavel Březina	2013-06-17	3	-1/+13
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1953
*	Fix allocation check	Jakub Hrozek	2013-06-17	1	-1/+1
\|
*	nested groups: allocate more space if deref returns more members	Pavel Březina	2013-06-17	1	-0/+21
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1894
*	subdomains: touch krb5.conf when creating new domain-realm mappings	Pavel Březina	2013-06-16	4	-0/+46
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1815
*	AD: Remove ad_options->auth options reference	Jakub Hrozek	2013-06-14	1	-1/+0
\| \| \| \| \|	The options are stored in ad_options->auth_ctx->opts, this member was completely unused and confusing.
*	AD: Fix segfault in DEBUG message	Jakub Hrozek	2013-06-14	1	-1/+1
\|
*	KRB: Handle preauthentication error correctly	Ondrej Kos	2013-06-14	4	-1/+11
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
*	failover: set state->out when meta server remains in SRV_RESOLVE_ERROR	Pavel Březina	2013-06-14	1	-0/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1886
*	Fix minor typos	Yuri Chornoivan	2013-06-12	5	-6/+6
\|
*	Use the correct talloc context when creating AD subdomains	Jakub Hrozek	2013-06-12	1	-1/+1
\| \| \| \| \|	sdom was only ever guaranteed to be set when a new domain was being created. sditer is a valid pointer in both cases, so just use that.
*	be_refresh: send and recv shadow a global declaration	Pavel Březina	2013-06-12	2	-13/+13
\|
*	be_ptask: send and recv shadow a global declaration	Pavel Březina	2013-06-12	2	-11/+11
\|
*	Updating translations for the 1.10 beta2 releasesssd-1_9_94 sssd-1_9_93 sssd-1_10_beta2	Jakub Hrozek	2013-06-11	15	-12547/+14575
\|
*	Fix some doxygen warnings	Sumit Bose	2013-06-11	2	-5/+3
\|
*	Fix allocation check in the AD provider	Jakub Hrozek	2013-06-11	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1976
*	A new option krb5_use_kdcinfo	Jakub Hrozek	2013-06-10	19	-49/+163
\| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
*	providers: refresh expired netgroups	Pavel Březina	2013-06-10	6	-3/+212
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1713
*	back end: add refresh expired records periodic task	Pavel Březina	2013-06-10	10	-0/+68
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.
*	back end: periodical refresh of expired records API	Pavel Březina	2013-06-10	2	-0/+376
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1713
*	back end: periodic task API	Pavel Březina	2013-06-10	2	-0/+447
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1891
*	man: document the need to set ldap_access_order	Jakub Hrozek	2013-06-10	1	-0/+21
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1789 ldap_access_order must be set in order to non-default access control options to work. This patch amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.
*	Fix dereference after a NULL check in tests.	Lukas Slebodnik	2013-06-10	1	-6/+20
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1972 Coverity IDs: 11870,11871 Do not call unlink with NULL pointer.
*	Don't test for NULL in nscd config check	Ondrej Kos	2013-06-10	1	-12/+3
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1971 Coverity IDs: 11851, 11852, 11853 The NULL check on "entry" "service" and "enable" line string parts is not necessary and triggers warnings in coverity scans.
*	dyndns: Fix NULL check	Jakub Hrozek	2013-06-10	1	-1/+1
\|
*	DB: Don't add invalid ranges	Ondrej Kos	2013-06-09	1	-7/+10
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1816 When saving or updating ranges, skip those which are invalid (not provided ipaNTTrustedDomainSID or ipaSecondaryBaseRID, or both provided at the same time)
*	AD: Store trusted AD domains as subdomains	Jakub Hrozek	2013-06-07	1	-2/+364
\| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/364 Looks up trusted domain objects in the LDAP and stores them as AD subdomains. Currently only trusted domains that run NT5 or newer from the same forest are looked up and stored.
*	AD ID lookups - choose GC or LDAP as appropriate	Jakub Hrozek	2013-06-07	1	-1/+262
\| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1557 Some lookups should be performed from GC only -- for example trusted users are only present in the Global Catalog, while some lookups should be performed from LDAP only as not all objects or attributes are replicated to Global Catalog. This patch adds a generic failover mechanism for identity lookups in the AD provider that allows to choose the appropriate source and even fail over to the other source if available.
*	AD: Add additional service to support Global Catalog lookups	Jakub Hrozek	2013-06-07	3	-33/+178
\| \| \| \| \| \| \| \| \| \| \| \|	When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.
*	LDAP: Do not store separate GID for subdomain users	Jakub Hrozek	2013-06-07	1	-10/+18
\| \| \| \| \|	As the subdomains are MPG domains, we don't want to store a separate GID for the subdomain users, but rather just create a UPG.