| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
|
|
|
|
| |
Just moves code around. There should be a way to use the server.c module
without linking the monitor code.
|
| |
|
|
|
|
|
|
| |
Unit testing the utilities to become another user requires the use of
the cwrap libraries. This patch augments our build system with macros to
detect the nss_wrapper and and uid_wrapper libraries.
|
|
|
|
|
|
| |
In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sysdb.c should be reserved for utility and setup functions. Search
functions belong to sysdb_search.c Keeping functions in specialized
modules helps to maintain nice dependencies and in overall makes unit
testing easier.
Moreover, the function was not unit tested, which needed fixing.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Several functions in the monitor.c file were not marked as static even
though they were only used inside monitor.c
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Talloc context was not used in functions ad_gpo_parse_gpo_child_response
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used
in these functions[1]. They used constant NDR_SCALARS.
[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.
Related:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Preserve case of group members in getgrnam
when 'case_sensitive = preserving' is set.
Fixes:
https://fedorahosted.org/sssd/ticket/2453
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
With a recent patch sysdb_getpwnam() was replaced by
sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave
differently with respect to sub-domain users. As a consequence the PAM
responder was not able to resolve users from sub-domains. This patch
reverts this change and uses sysdb_getpwnam() again.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2452
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.
The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.
Fixes https://fedorahosted.org/sssd/ticket/2159
and https://fedorahosted.org/sssd/ticket/2041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When we attempt to request attributes that are not present in
the dereferenced links, some serves might not send the dereference
control back at all. Be permissive and treat the search as if
it didn't find anything.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This patch changes get_primary() into sss_krb5_get_primary() so it can
be used by the AD provider to get the sAMAccountName from the hostname.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Fix debug messages where '\n' was wrongly followed by '.'.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When there was more than one SSSD domain configured, actions performed
against domains later in the list would be incorrectly told to use the
first domain as the base for locating subdomains. This was because we
were rewinding the ->prev list on the sss_domain_info object, which is
only intended to be used by confdb code. The correct approach was to
use only the parent linkage, which would take us up to the top-level
domain in this SSSD domain.
|
|
|
|
| |
Reviewed-by: Daniel Gollub <dgollub@brocade.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2442
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
A recent fix enabled searching for groups by name in a case-insensitive
domain. This patch adds a unit test to check that behaviour.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently sysdb_search_group_by_name uses an optimization which might
fail in case-insensitive environments. The DN of the group object is
generated with the help of the given name. Since the DN is
case-sensitive a group lookup will fail if different cases are used.
sysdb_search_user_by_name already handles case-insensitive searches well
and sysdb_search_group_by_name should use the same scheme.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
In the uid=0 case (to obtain new free id) only uidNumber and gidNumber
attributes got written, but not the additonal provided attributes like
alias or others.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Free sid retrieved with sss_nss_getsidbyname in test_getsidbyname.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Free malloc'd symlink paths in test_symlink and test_follow_symlink
tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Free compiled regular expressions after use in krb5_utils-tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Free hbac_info structs after use in ipa_hbac-tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
We loop over the array of returned controls and set 'ret' based on the
control value. In case multiple controls were returned, the 'ret'
variable might be clobbered with result of a string-to-int conversion.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we cannot know if a SID belongs to a user or a group a lookup
should only fail if the given name is in both the negative cache for the
users and the groups.
Currently if the SID for a group called 'abc' should be looked up and
the negative cache for the users contain an entry for 'abc' the request
fails.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
On failure, the subreq wasn't freed, which was not a big deal given the
parent request would free the subreq anyway, but it's better to follow
the usual pattern.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Reported by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2431
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|