| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If previous SRV lookup failed and the SRV lookup status is not yet
reseted to neutral we end up with unresolved meta server with
neutral port status. This caused the failover to stick with
the meta server instead of cycling through all configured servers.
https://fedorahosted.org/sssd/ticket/2390
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 21bc143c2855638242e9dfe01ea66198b5883b8a)
(cherry picked from commit c2859eec9d110d0062dbc5733fa842fd99d1edeb)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 022c6b90bb37851c0e8704c0e5388ebc113c6470)
Conflicts:
Makefile.am
src/util/util.h
(cherry picked from commit 50d24652b5321f4cc5709bc0877dde5da4e67f08)
|
| |
|
|
|
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 462db32918a05097652f8232cd6c8d78a826e63c)
Conflicts:
Makefile.am
(cherry picked from commit 31cd021079212a78ebeb6ec2f10d66acc160f89b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit dfb2960ab251f609466fa660449703835c97f99a)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b5242c146cc0ca96e2b898a74fb060efda15bc77)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 87ff519b472568b19809963ca860d2182e874fcd)
|
| |
|
|
|
|
|
|
|
|
|
| |
D-Bus only supports 255 signatures which caused a segmentation fault
when sudo responder tried to refresh more rules at once.
Resolves:
https://fedorahosted.org/sssd/ticket/2387
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit dfef1d050c35398c6061256a947b4cc9c1f4b8e6)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ed346bcc84b8a326996e5550771773d8e63f17c2)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6fa71b990d7068d66b98015ae54aae399cc84f1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Memory leak can happen with long living clients where there are records with
colliding hashes; usually LDAP servers with many users or groups.
Function sss_nss_mc_get_record allocates memory that is stored into "rec",
with next iteration variable rec is overriden with new record and old
one is lost and cannot be freed.
Example code flow:
src/sss_client/nss_mc_group.c:133: alloc_arg: "sss_nss_mc_get_record" allocates memory that is stored into "rec".
src/sss_client/nss_mc_common.c:216:13: alloc_fn: Storage is returned from allocation function "malloc".
src/sss_client/nss_mc_common.c:216:13: var_assign: Assigning: "copy_rec" = "malloc(rec_len)".
src/sss_client/nss_mc_common.c:225:9: noescape: Resource "copy_rec" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
src/sss_client/nss_mc_common.c:239:5: var_assign: Assigning: "*_rec" = "copy_rec".
src/sss_client/nss_mc_group.c:163: noescape: Resource "rec" is not freed or pointed-to in "sss_nss_mc_next_slot_with_hash".
src/sss_client/nss_mc_common.c:294:60: noescape: "sss_nss_mc_next_slot_with_hash(struct sss_mc_rec *, uint32_t)" does not free or save its pointer parameter "rec".
src/sss_client/nss_mc_group.c:133: overwrite_var: Overwriting "rec" in call to "sss_nss_mc_get_record" leaks the storage that "rec" points to.
src/sss_client/nss_mc_common.c:239:5: write_notnull_to_parm: Assigning: "*_rec" = "copy_rec".
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9d876108620931e0941a115adf60bfd8d67459d9)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In multi threaded application, it may happen that more threads will call
function getpwuid(or similar) and sss client will not have initialized
structure for fast memory cache. This structure is initialized just once.
There isn't any problem with multi threaded application after successful
initialisation.
The race condition will happen if more threads try to initialise structure
sss_cli_mc_ctx in function sss_nss_mc_get_ctx (ctx->initialized is false)
It takes some time to initialise mmap cache: open file, get file size, mmap
file, initialize structure sss_cli_mc_ctx. One of problems is that file with
memory cache can be opened more times (file descriptor leak), but the race
condition is with initialising structure sss_cli_mc_ctx. One tread will start
to initialise this structure; another thread will think that structure is
already initialised and will check consistency of this structure. It will fail
because 1st thread did not finish initialisation. Therefore 2nd thread will
return EINVAL and will do clean up in done section: munmap, close file and
reset structure data. The 1st thread will finish an try to use memory cache,
but structure was zero initialised by 2nd thread and it will cause dereference
of NULL pointer in 1st thread (SIGSEGV) or dividing by zero in murmurhash
function(SIGFPE)
Function sss_nss_mc_get_ctx was split into two parts for simplification
of locking and unlocking. The locking is used only in new static function
sss_nss_mc_init_ctx. This function will not be called very often therefore the
same mutex is used as in other nss functions.
Resolves:
https://fedorahosted.org/sssd/ticket/2380
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0d22416f94dff7756091e983518ed3684cc9597a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.
The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7c30e60c525ea798aaab142766ff00eef4b5df3b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Resolving groups obtained via Token-Groups in case of disabled ID mapping may
lead to failure as non-posix groups are not resolved. This patch amends
sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is
returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1614e1b25a98ff2f03648c4bf61d750fb688285a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
The system bus has the ability to start services on demant. This patch
adds the sysbus service activation file that, currently, only calls the
sss_signal tool to signal the monitor.
|
| |
|
|
|
|
| |
A minimal tool whose only purpose is to signal the monitor with
SIGUSR2. The tool will be executed by the system bus in order to provide
system activation, so it's packaged in libexec.
|
| |
|
|
|
|
| |
When the monitor receives SIGUSR2, it also signals the IFP responder to
attempt to reconnect to the system bus using the sysbusReconnect SBUS
method. No action is taken by other responders.
|
| |
|
|
|
|
| |
Introduces a new method implemented only by the IFP responder. When this
method is received, the responder attempts to reconnect to the system
bus, if not connected already.
|
| |
|
|
|
|
| |
We need to treat the failure to connect to the system bus as non-fatal.
In this commit, we introduce a special error code and only print a DEBUG
message when this error code is returned from the startup function.
|
| |
|
|
|
| |
The DEBUG messages in the IFP responder predated Nikolai's mass-patches
and were not converted correctly.
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit b5f61c9b3f5ea79bf319c18ff59394070c04d607)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2349
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26510727739c3e8d14f804568e496b7d7b073964)
|
| |
|
|
|
|
|
| |
Commit 2d9df96c8a801ababcb136f665f3f1ebd0ac05c1 was pushed to sssd-1-11
after I pushed the translation updates already. This patch synchronizes
the translations with the tip of the sssd-1-11 branch before the
release.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by: scan-build
krb5_free_principal(cc->context, ccprinc);
^~
warning: Access to field 'context' results in a dereference of a null pointer
(loaded from variable 'cc')
Variable 'cc' needn't be initialised if function sss_open_ccache_as_user
fails.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 7fa8c51e7ece2f4fed046d9f2a43d20c13db645c)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2291
The dbus tests that mock an sbus server were failing when make distcheck
was ran by a user logged in through the SSSD.
The reason was that the libtool wrapper around the test library alters
the LD_LIBRARY_PATH and as a consequence, the standard getpwuid_r() calls
the dbus server performs would load the in-tree NSS library and not the
system one. The-in tree library would then attempt to talk to an in-tree
NSS socket, fail, which would fail the getpwuid_r call with an error such as:
"""
Could not get password database information for UID of current process:
User "???" unknown or no memory to allocate password entry
"""
This patch adds a new configure-time option called --enable-dbus-tests
that is enabled by default and disabled during distcheck. When the
option is disabled, the tests that require a mocked dbus server are not
compiled at all.
(cherry picked from commit 4bd20c075f0f187db0181dc53d00ab6cd47fdb4d)
Conflicts:
Makefile.am
src/conf_macros.m4
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 8d5d91878875fec2930b37ff79ef6bb6782faa65)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
man gethostanme says:
NOTES
SUSv2 guarantees that "Host names are limited to 255 bytes".
POSIX.1-2001 guarantees that "Host names (not including the terminating
null byte) are limited to HOST_NAME_MAX bytes". On Linux,
HOST_NAME_MAX is defined with the value 64, which has been the limit
since Linux 1.0 (earlier kernels imposed a limit of 8 bytes).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit bf6f1b3d49e17b1adf0448c0b06e94b1e52ddffd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older versions of glibc requires extra feature macros
for function open_memstream.
fmemopen(), open_memstream(), open_wmemstream():
Since glibc 2.10:
_XOPEN_SOURCE >= 700 || _POSIX_C_SOURCE >= 200809L
Before glibc 2.10:
_GNU_SOURCE
src/sbus/sssd_dbus_introspect.c: In function 'introspect_begin':
src/sbus/sssd_dbus_introspect.c:82: error: implicit declaration of function 'open_memstream'
src/sbus/sssd_dbus_introspect.c:82: warning: assignment makes pointer from integer without a cast
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 18647db9e275e7aa3e002551237abae756a2afb9)
Conflicts:
src/sbus/sssd_dbus.h
|
| |
|
|
|
|
|
|
|
| |
Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam.
This patch conditionally define macros for these function if they are not
available. Compatible macros use standard functions vsyslog, getlogin
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 683e1f67d08be7165ea456d4594c4c8a4eddc9b3)
|
| |
|
|
|
|
|
|
| |
The header file security/_pam_macros.h is not available in openapam.
This patch copies necessary macros from linux-pam 1.1.8.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 78eae10aa035bc0e0996189b9d11c8db4904a98d)
|
| |
|
|
|
|
|
| |
linuxpam and openpam use different functions for text based conversation.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9e17b0516d2b640d34cbb50933bd065e65bfab9d)
|
| |
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d2d21d45a88d0869f860e215c2cf946f032818ca)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need this file for declaration of pam functions
pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item
There is already test in configure script for this header file,
but it was not included in pam_sss.c
sh-4.2$ git grep pam_appl.h
src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ...
src/providers/data_provider_be.c:#include <security/pam_appl.h>
src/providers/proxy/proxy.h:#include <security/pam_appl.h>
src/providers/proxy/proxy_child.c:#include <security/pam_appl.h>
src/responder/pam/pamsrv.h:#include <security/pam_appl.h>
src/sss_client/pam_test_client.c:#include <security/pam_appl.h>
src/util/auth_utils.h:#include <security/pam_appl.h>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 81d6673764c4e2f635482be1efd52eba3ab5a27f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The macros SOL_TCP and IPPROTO_TCP have the same value on linux,
but the first one is not portable.
man in.h says:
The <netinet/in.h> header shall define the following macros for use as
values of the level argument of getsockopt() and setsockopt():
IPPROTO_IP Internet protocol.
IPPROTO_IPV6 Internet Protocol Version 6.
IPPROTO_ICMP Control message protocol.
IPPROTO_RAW Raw IP Packets Protocol.
IPPROTO_TCP Transmission control protocol.
IPPROTO_UDP User datagram protocol.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit cf901f549abe18f32562cbe1ef7a1ef258edab1a)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ffa42f689dded74b0c0b0451bff3516bc4003179)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We defined macro _XOPEN_SOURCE before time.h, because we need function strptime
The problem is with undef after including header time.h
The macro _XOPEN_SOURCE can be defined on some platforms
and undef can cause problems.
We detect all necessary feature macros in configure script
using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE.
It is better to include header file config.h
instead of defining macro _XOPEN_SOURCE
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 80c092f94a7ac24ea00e560201e37ae27cfbf665)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The older version of glibc and different implementations of libs
requires feature macros for enabling function getline.
getline(), getdelim():
Since glibc 2.10:
_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700
Before glibc 2.10:
_GNU_SOURCE
All feature macros are in header file config.h and are detected by configure
script. The header file config.h was included after few other header files.
The problem is that header files stdio.h is included just once and
is included from many external header files. We need to include config.h
before any other header file to prevent problems.
src/util/nscd.c: In function ‘sss_nscd_parse_conf’:
src/util/nscd.c:150: error: implicit declaration of function ‘getline’
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b3007e32fa5d6b722f3aaaf9fe7593103cb443c3)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions strdup and strncmp are used in pam_test_client,
but header file string.h was not included directly in this file.
The header file string.h was indirectly included by the header file
security/pam_client.h.
src/sss_client/pam_test_client.c: In function 'main':
src/sss_client/pam_test_client.c:45:
error: implicit declaration of function 'strdup'
src/sss_client/pam_test_client.c:45:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:49:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:52:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:64:
error: implicit declaration of function 'strncmp'
gmake[2]: *** [src/sss_client/pam_test_client.o] Error 1
sh-4.2$ nm --undefined-only ./pam_test_client | grep -E "strdup|strncmp"
U __strdup@@GLIBC_2.2.5
U strncmp@@GLIBC_2.2.5
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 654f1abaec4e26453cb88ef02a8a71ba9aea0026)
|
| |
|
|
|
|
|
|
| |
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a4b2352c97053c79fd0d78d0dd647beed69b17e5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc contains two versions of finction stpncpy
sh-4.2$ nm --dynamic --defined-only /lib64/libc.so.6 | grep stpncpy
0000003ce1c89b00 i stpncpy
0000003ce1c89b00 i __stpncpy
0000003ce1d040a0 T __stpncpy_chk
We should use more portable version of stpncpy without prefix with underscores.
The function __stpncpy was used in initial veersion
e65c65fc710fa030bfb8319efc43fcdc9ce5a26f, which was based on
http://people.redhat.com/drepper/SHA-crypt.txt
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 83e1ea9e24aabe6ade180649ecfc9c253ad19395)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We should call freeaddrinfo only in situation if getaddrinfo succeeds.
It is not specified in RFC2553 the behaviour of calling freeaddrinfo
with the NULL argument. It is more portable to do not rely on undocumented
behaviour of glibc.
http://www.ietf.org/rfc/rfc2553.txt [Page 28]
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7aaf9138ccf7ab73883f28cfafd6e508d29ffa67)
|
| |
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 4084ccd3442917c7aa88ba4d76ba1e71e67d3846)
|
| |
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 93a7dc1ed50a1f7a82d6e3985f16be774c84ada0)
|
