| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
|
| |
|
|
|
| |
The functionality was removed, but we forgot to remove the corresponding
tests, mostly because these tests were only ever ran as root.
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2322
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ed61bfc5184d9c7a46d17681a22a1abb64423708)
|
| |
|
|
|
|
|
| |
ad_subdomains_refresh() always set value to output parameter 'changes' if EOK is returned.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cef2384a3a6fc1a1637c6a55e2bced93d28e8fca)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2322
When the AD subdomains code looked up the root domain subsequently
(after the domain list was already populated), the non-root domains
might have been removed along with their respective tasks, because the
root domain lookup only ever matched a single root domain.
This could cause havoc especially during login when different lookups
for different domains might be going on during user group refresh.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2300
The list of SELinux mapping orders was allocated on tmp_ctx and parsed
into an array. The array itself was correctly allocated on mem_ctx but
its contents remained on tmp_ctx, leading to a use-after-free error.
This patch fixes the memory hierarchy so that both the array and its
contents are allocated on mem_ctx.
(cherry picked from commit 355b8a655cfcc4e783077d12f76b55da1d23fb87)
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2285
Only the forest root has the knowledge about all the domains in the forest,
the forest leaves only see themselves and the forest root.
This patch switches to connecting to the forest root for downloading the
trusted domains instead of the server we are connected to.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct
sysdb_attrs" if attribute is not among available attributes. Array will be
enlarged with function talloc_realloc but realloc can move array to another
place in memory therefore ldb_message_element should not be used after next
call of function sysdb_attrs_get_el
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);
With netgroups, it is common to omit user or host from netgroup triple.
There is very high probability that realloc will be called. it is possible
pointer user_found can refer to the old area after the second call of function
sysdb_attrs_get_el.
Resolves:
https://fedorahosted.org/sssd/ticket/2284
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
After changing the Kerberos password krb5-child will try to get a fresh
TGT with the new password. This patch tries to make sure the right gic
options are used.
Resolves: https://fedorahosted.org/sssd/ticket/2289
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Additionally the lifetime option flags are unset if there are no
explicit settings to make sure the defaults from krb5.conf are used even
if other values were set manually in between.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2282
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by scan-build
for (mi = 0; group_only[mi]; mi++) {
^~~~~~~~~~
warning: Array access (from variable 'group_only') results in a null pointer
dereference
It can happend if function ad_group_extra_members fails (ret != EOK)
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit bad65473c4c28ecbf2b6bd374a7ae2d634d57d8d)
|
| |
|
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2279
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 63bf0b7697d5a51b5338070d0e2652d49a4728ce)
|
| |
|
|
|
|
|
|
|
|
|
| |
We blindly used the user's domain for everything. That wrong in case the
user comes from a subdomain. We should use the IPA domain for accessing
the SELinux rules and host data and the user domain only for the user.
https://fedorahosted.org/sssd/ticket/2270
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
|
| |
|
|
|
|
|
|
|
|
| |
It should be noted that disabling GC does *not* disable lookups from
trusted domains. Disabling GC might be a a good way for admins who wish
to use POSIX attributes in trusted domains and the man page should hint
this option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit fdaaf2525e333af04ee9b48429b6766b5fd6cab6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch, a different set of options was used when calling
krb5_get_init_creds_password() for the changepw principal. Because
this set of options did not contain the same FAST settings as the
options for normal requests, all authentication would fail when the
password of a FAST-only account would expire.
The two sets approach was cargo-cult from kinit where multiple
requests could be issued using the same options set. However, in the
case of krb5_child, only one request (or occasionally a well-defined
second request) will be issued. Two option sets are therefore not
required.
To fix this problem we removed the second option set used for changepw
requests. All requests now use a single option set which is modified,
if needed, for well-defined subsequent requests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2264
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In older IPA server versions where the AD users where looked up by
winbind the user name component of the home directory path was always
lower case. This still holds for IPA clients as well. To avoid
regression this patch makes the user name component lower case as well.
Fixes https://fedorahosted.org/sssd/ticket/2263
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
|
| |
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b564424a77c7c3b361c944e0623023d0cfea2c9f)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 3b35ff47651e4893ce537a273466766b962362da)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2252
Currently SSSD chokes when IDs of users change, we don't support ID
changes yet. Because some users were confused about the failures, this
patch adds additional clarification.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making aministrators think
that the ldap_access_filter can resolve nested group memberships.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2257
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 90afedb00608547ae1f32aa7aafd552c4b306909)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit ddd21d5dc3c89712d9286d1f66f4b2af73651cf2)
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2253
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Original patches submitted by: mpesari(Thanks!!)
It can cause problems if user will hit spaces before entering username.
(e.g in gdm). Spaces are ignored by LDAP; it's better to escape them.
Resolves:
https://fedorahosted.org/sssd/ticket/1955
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2b8208b45feb2aab64d560d3e12e01e7b6d00d39)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init
If you enable enumeration and use different providers for id and sudo(autofs)
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group)
Perodic tasks will be started only by id_provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2153
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 057cb583f02bf47678c393cb8f1f74861c2b960b)
|
| |
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If krb5_fast_principal is not set in sssd.conf it was set to host/$client,
KRB5 default realm was used which doesn't have to be the same as realm
used for IPA, thus authentication failed when using FAST.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
(cherry picked from commit e325cabe762fad7d696e014a7fdbb47a5cb8174a)
|
| |
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
| |
(cherry picked from commit 30ee051025753b63ceb19d3b83c44019a19554a1)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 93dabb2fe0a798f22bb802b9c6521ab9e6a4ac36)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d3436880c0ec1a7776698c739d4a3edc9a6ac57c)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 957c55df7a7086166fb3c14cead6a0dab8f574c1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
