| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
http://support.microsoft.com/kb/2830145
In Windows Server 2012, two new security principal SIDs are introduced to
differentiate between proof of possession and Service-for-User-to-Self
(S4U2Self) protocol transitions .
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We should call freeaddrinfo only in situation if getaddrinfo succeeds.
It is not specified in RFC2553 the behaviour of calling freeaddrinfo
with the NULL argument. It is more portable to do not rely on undocumented
behaviour of glibc.
http://www.ietf.org/rfc/rfc2553.txt [Page 28]
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc contains two versions of finction stpncpy
sh-4.2$ nm --dynamic --defined-only /lib64/libc.so.6 | grep stpncpy
0000003ce1c89b00 i stpncpy
0000003ce1c89b00 i __stpncpy
0000003ce1d040a0 T __stpncpy_chk
We should use more portable version of stpncpy without prefix with underscores.
The function __stpncpy was used in initial veersion
e65c65fc710fa030bfb8319efc43fcdc9ce5a26f, which was based on
http://people.redhat.com/drepper/SHA-crypt.txt
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions strdup and strncmp are used in pam_test_client,
but header file string.h was not included directly in this file.
The header file string.h was indirectly included by the header file
security/pam_client.h.
src/sss_client/pam_test_client.c: In function 'main':
src/sss_client/pam_test_client.c:45:
error: implicit declaration of function 'strdup'
src/sss_client/pam_test_client.c:45:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:49:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:52:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:64:
error: implicit declaration of function 'strncmp'
gmake[2]: *** [src/sss_client/pam_test_client.o] Error 1
sh-4.2$ nm --undefined-only ./pam_test_client | grep -E "strdup|strncmp"
U __strdup@@GLIBC_2.2.5
U strncmp@@GLIBC_2.2.5
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
src/sbus/sssd_dbus_meta.c: In function 'sbus_meta_find_signal':
src/sbus/sssd_dbus_meta.c:43: warning: declaration of 'signal' shadows a global
declaration
/usr/include/signal.h:101: warning: shadowed declaration is here
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Samba 4 libraries are necessary for building {ad, ipa} provider,
but samba4 needn't be available on older distributions.
This patch add possibility to build SSSD without {ad, ipa} provider
and thus without Samba 4 libraries.
The script configure have new argument --with-samba with default value yes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Tests should not create resources. It is purpose of setup functions.
Patch fixes also fd leaks from mkstemp.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new method on the bus with the following synopsis:
<method name="GetUserGroups">
<arg name="user" type="s" direction="in" />
<arg name="values" type="as" direction="out"/>
</method>
Its purpose is to return names of groups the user is a member of as a
list of strings.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
For the GetGroupsList function it would be handy to get the user names as
well with a single sysdb_initgroups() call. This patch adds SYSDB_NAME to
the default attribute list.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some interfaces we support, such as domain might not be bound to a
single path, but rather anything under a path 'directory'. This patch
allows the SBUS to register a fallback path that would route any
messages under a given anchor to a handler of an interface.
The fallback interface is denoted with a trailing wildcard:
/org/sssd/anchor/*
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Introduces a new option called user_attributes that allows to specify
which user attributes are allowed to be queried from the IFP responder.
By default only the default POSIX set is allowed, this option allows to
either add other attributes (+attrname) or remove them from the default
set (-attrname).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2322
When the AD subdomains code looked up the root domain subsequently
(after the domain list was already populated), the non-root domains
might have been removed along with their respective tasks, because the
root domain lookup only ever matched a single root domain.
This could cause havoc especially during login when different lookups
for different domains might be going on during user group refresh.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a DBus method that allows the caller to retrieve attributes of a
user. The synopsis of the call is as follows:
<method name="GetUserAttr">
<arg type="s" name="user" direction="in"/>
<arg type="as" name="attr" direction="in"/>
<arg type="a{sv}" name="values" direction="out"/>
</method>
The return value is an array (one attribute per array member) of
dictionaries. The key of the dictionary is the attribute name, the value
is a variant containing the attribute values as strings.
If an attribute does not exist or is not permitted to be read, no error
is returned. If the users does not exist, the method returns an error.
In future patches this function will be marked as obsolete in favor of
object-oriented approach.
ifp_user_get_attr_unpack_msg is a separate function to allow extending
it in a later patch.
The function to check the cache validity duplicates quite a bit of code
with the NSS responder. The refactoring would be nice to get done along
with #843.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to avoid hitting the back end with repetitive requests, the
InfoPipe responder needs a negative cache, too. This patch follows the
convention set by other responders, where the negative cache timeouts are
read from the [nss] section. This is not ideal, however, and ticket #2318
tracks moving the configuration to the [ifp] section primarily.
The timeout is also a separate parameter in the NSS context. We should
consider moving it to the negcache context instead (#2317).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
| |
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a number of utility functions, most importanly ifp_req_create().
The ifp_req is a structure that will be passed along with the ifp
request and would provide easy access to both the sbus_request data and
per-responder data, like the ifp_ctx.
Also includes a utility function to split a path prefix from a full path
and add a ldb_element into a dictionary. These will be reused later.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sbus_message_handler() is refactored so that it only verifies the
message matches any of the interfaces SSSD listens on in order to be
able to return either of HANDLED or NOT_YET_HANDLED.
If the interface is one of those the SSSD should handle, the caller ID
is first resolved using sbus_get_sender_id_send and only then passed on
to the appropriate special handler.
If the sernder ID can't be retrieved, the message is dropped with an
error.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an async request sbus_get_sender_id_{send,recv} that allows
retrieval of UID based on "sender" as returned by
dbus_message_get_sender().
The UID is an int64_t to be able to use "-1" to as a fallback value for
uknown or error cases.
The unit test is added as a standalone one, not part of the sbus_tests
because the request, and by extension the unit test relies on being
connected to the system bus, which is very unlikely to work in a build
system.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We need to retrieve caller IDs for each call from the system bus. This
commit adds a new SBUS connection type that identifies system bus
connection. The connection is used in the IFP provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Split dbus_conn_send out of sbus_conn_send to be able to call DBus
messages without having a full sbus connection. This function is
available to the sbus code only, consumers of sbus (responders and
providers) should use sbus_conn_send.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds a convenience function that constructs a DBusError on top of a talloc
context and as such can be used to mark an sbus request as failed without
having to create a DBusError instance by the caller.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In SSSD we tend to use {} brackets around single-line blocks, too to
make sure we don't forget to add them should the block become larger.
We also don't add a space between function name and the opening "(".
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
As the connection code is async-driven, the LDAP handle might be
invalidated before SSSD attempts to use it. Similar to commit
5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check
for the LDAP handle and aborts the request instead of crashing.
Resolves:
https://fedorahosted.org/sssd/ticket/2305
|
| |
|
|
|
|
|
|
|
|
|
| |
Small change to make the code more readable. The relation between
order, order_array and order_count is more obvious when they
are grouped in structure.
resolves:
https://fedorahosted.org/sssd/ticket/2304
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The monitor process does not read data from standard input in.
We can close file descriptor from stdin.
[sssd] [server_stdin_handler] (0x0020): sssd: EOF on stdin - terminating
Resolves:
https://fedorahosted.org/sssd/ticket/2312
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
There was a resource leak in the introspection code. This patch fixes
the leak.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The sdap_copy_opts function copied all the arguments except for the
sentinel.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2322
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
ad_subdomains_refresh() always set value to output parameter 'changes' if EOK is returned.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The size of output buffer(obufsize) was longer than initialised data.
In calculation, uint32_t was used for length of the cryptotext,
but uint16_t was written into buffer. The end of buffer was not initialised
and it caused valgrind warning.
Use of uninitialised value of size 8
at 0x37AE40F363: pl_base64_encode_buffer (nssb64e.c:180)
by 0x37AE40F6ED: NSSBase64_EncodeItem_Util (nssb64e.c:482)
by 0x37AE40F87A: BTOA_DataToAscii_Util (nssb64e.c:721)
by 0x40208A: sss_base64_encode (nss_base64.c:47)
by 0x403305: sss_password_encrypt (nss_obfuscate.c:358)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
Change description of supported access modes.
Add missing new line in message.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We only really care that the file is readable by the owner and not
accessible by group or others. We do not really care whether the owner
can write/execute the file or not, so we mask out those perms.
Resolves:
https://bugzilla.redhat.com/1089098
Resolves:
https://fedorahosted.org/sssd/ticket/2321
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of using a custom way to chck file type, use the system
provided macros and a mode mask to decide when we want to check.
Additionally a mask also allows us to selectively check permissions.
Related:
https://bugzilla.redhat.com/1089098
Resolves:
https://fedorahosted.org/sssd/ticket/2321
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/tests/sbus_codegen_tests-sbus_codegen_tests.o: In function `eject_handler':
tests/sbus_codegen_tests.c:229: undefined reference to `ck_assert_uint_eq'
tests/sbus_codegen_tests.c:235: undefined reference to `ck_assert_uint_eq'
tests/sbus_codegen_tests.c:239: undefined reference to `ck_assert_uint_eq'
src/tests/sbus_codegen_tests-sbus_codegen_tests.o: In function `test_marshal_basic_types':
src/tests/sbus_codegen_tests.c:446: undefined reference to `ck_assert_uint_eq'
src/tests/sbus_codegen_tests.c:449: undefined reference to `ck_assert_uint_eq'
src/tests/sbus_codegen_tests-sbus_codegen_tests.o:
src/tests/sbus_codegen_tests.c:451: more undefined references to `ck_assert_uint_eq' follow
collect2: ld returned 1 exit status
make[3]: *** [sbus_codegen_tests] Error 1
Macro ck_assert_uint_eq was added in check-0.9.10
Resolves:
https://fedorahosted.org/sssd/ticket/2319
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
