summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* UTIL: convert GeneralizedTime to unix timePavel Reichl2015-03-065-0/+115
| | | | | | | New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: initialized ccname_file_dummySumit Bose2015-03-061-1/+1
| | | | | | | | | | | ccname_file_dummy is used in the done-block which is called before ccname_file_dummy is set to a value. This patch initializes ccname_file_dummy to NULL. Related to https://fedorahosted.org/sssd/ticket/2592 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit cc0f9a541c5ecdad750a86b2de9baa1f07403e9e)
* selinux: Delete existing user mapping on empty defaultJakub Hrozek2015-03-042-7/+17
| | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2587 The case of SELinux default user mapping being an empty string is valid, it should translate into "pick the default context on the target machine". In case the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
* LDAP: unlink ccname_file_dummy if there is an errorDaniel Hjorth2015-03-041-1/+11
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2592 If there is an error after ccname_file_dummy is created but before it is renamed then the file isn't removed. This can cause a lot of files to be created and take up inodes in a filesystem. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 2b20ff2e33ad3993a9cad910c4b4b828513613df)
* SDAP: enable change phase of pw expire policy checkPavel Reichl2015-03-037-1/+119
| | | | | | | | | | | | | | Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3)
* SDAP: refactor pwexpire policyPavel Reichl2015-03-032-32/+90
| | | | | | | | | | Move part of pwexpire policy code to a separate function. Relates to: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464)
* FO: Use SRV TTL in fail over codeJakub Hrozek2015-03-0310-9/+647
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1884 Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 8df69bbc58c2f4d3f0b34be9756d9ddf24b1db6d)
* resolv: Use the same default timeout for SRV queries as previouslyJakub Hrozek2015-03-032-1/+7
| | | | | | | | | | | | When we changed the resolver code to use the TTL values from the DNS queries instead of harcoded ones, we changed the default value by accident. Add a separate SRV TTL that is backwards-compatible with the old harcoded value. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit eafbc66c2ff6365478e62a8df3fd005bf80e5c7b)
* PAM: check return value of confdb_get_stringPavel Reichl2015-02-271-0/+6
| | | | | | | Coverity found this neglect. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit c5290f2175845f2c5e3f35ce279b6f52b1d51275)
* PAM: warn all services about account expirationPavel Reichl2015-02-231-2/+17
| | | | | | | | | | | if pam_verbose is above one then output warning about account expiration for all services. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit f3c2dc1f9ccdf456fd78ed96197b9bf404cc29fc)
* PAM: new option pam_account_expired_messagePavel Reichl2015-02-236-5/+35
| | | | | | | | | | | This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8)
* PAM: do not reject abruptlyPavel Reichl2015-02-233-5/+130
| | | | | | | | | | If account has expired then pass message. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit a61d6d01a4e89ec14175af135e84f1cac55af748)
* Updating translations for the 1.12.4 releasesssd-1_12_4Jakub Hrozek2015-02-1816-3504/+3956
|
* RESPONDERS: Warn to syslog about colliding objectsLukas Slebodnik2015-02-183-0/+22
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2203 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Handle ENOENT better in the cleanup taskJakub Hrozek2015-02-181-9/+8
| | | | | | | | | The cleanup task handled both count=0 and ret=ENOENT separately which makes no sense, the count=0 handler was dead code previously. Set count=0 on ENOENT instead to just bubble through the DEBUG message gracefully as well. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Add better DEBUG messages to the cleanup taskJakub Hrozek2015-02-181-0/+11
| | | | | | | | Some failures would shortcut to the done handler without telling us anything about why it failed. This commit decorates the cleanup task with more DEBUG statements. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Better debugging for gpo_child's mkdirJakub Hrozek2015-02-181-1/+6
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-02-1849-127/+131
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sbus_codegen: Port to python3Lukas Slebodnik2015-02-131-8/+13
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com>
* Remove strict requirements of python2Lukas Slebodnik2015-02-137-7/+7
| | | | | | | | | | | * fix hashbangs * remove strict requirements of python2 in build system Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com> (cherry picked from commit e8058322725ba050014777ee2484f7e833ab1e3a)
* SSSDConfig: Port missing parts to python3Lukas Slebodnik2015-02-132-31/+34
| | | | | | | | | | | | | | * fix incompatible imports * fix translation.[u]?gettext * fix dict method has_key * fix octal literals PEP 3127 * long is not defined in python3 Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com> (cherry picked from commit a71004c112cd5d61d3a9e37a4cfc5760dc9a1cec)
* SSSDConfig: Remove unused exception nameLukas Slebodnik2015-02-131-3/+3
| | | | | | | | | | | | | | | "except ValueError, e:" was the syntax used for what is normally written as "except ValueError as e:" in modern Python. The old syntax is still supported in python2 for backwards compatibility. This means "except ValueError, KeyError:" is not equivalent to "except (ValueError, KeyError):" but to "except ValueError as KeyError:" and variable with name "KeyError" was not used in exception handler. Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com> (cherry picked from commit 1ac368d0962ef8cc83dcd642c7fec8b3cba5b6fe)
* Python3 support in SSSDBohuslav Kabrda2015-02-1312-141/+292
| | | | | https://fedorahosted.org/sssd/ticket/2017 (cherry picked from commit 341a00311680a440d7f979f06c34c70d86c9367a)
* SELINUX: Check the return value of setuid and setgidJakub Hrozek2015-02-131-2/+12
| | | | | | | Silences a Coverity warning Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit b0f46a3019e0ff4f375ef07682ceb9418751707f)
* resolv: Fix a typoJakub Hrozek2015-02-131-1/+1
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 842fe49b8c53d84b7f5b7cf67338abb038b5a617)
* Add user_attributes to ifp section of API schemaRob Crittenden2015-02-131-0/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2586 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 0e4d3214d95316f182c04c7166a6b92dfc92a85d)
* MONITOR: Fix double freeLukas Slebodnik2015-02-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If kill timer was successfully executed then it will be released by libtevent. So we should not released it in mt_svc_exit_handler for the second time. [sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] terminated with signal [9] [sssd] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at ../tevent_timed.c:351 [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free ==19129== Invalid read of size 4 ==19129== at 0x50470CD: talloc_chunk_from_ptr (talloc.c:372) ==19129== by 0x50470CD: _talloc_free (talloc.c:1559) ==19129== by 0x11086C: mt_svc_exit_handler (monitor.c:2754) ==19129== by 0x8AF9B2F: sss_child_invoke_cb (child_common.c:181) ==19129== by 0x4E39823: tevent_common_loop_immediate (tevent_immediate.c:135) ==19129== by 0x4E3AF4D: poll_event_loop_once (tevent_poll.c:649) ==19129== by 0x4E38FEC: _tevent_loop_once (tevent.c:530) ==19129== by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677) ==19129== by 0x84C4B02: server_loop (server.c:668) ==19129== by 0x10D9A6: main (monitor.c:3028) ==19129== Address 0xb8a06c0 is 64 bytes inside a block of size 176 free'd ==19129== at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==19129== by 0x50472F2: _talloc_free_internal (talloc.c:1057) ==19129== by 0x50472F2: _talloc_free (talloc.c:1581) ==19129== by 0x4E3D0A3: tevent_common_loop_timer_delay (tevent_timed.c:351) ==19129== by 0x4E3AF59: poll_event_loop_once (tevent_poll.c:653) ==19129== by 0x4E38FEC: _tevent_loop_once (tevent.c:530) ==19129== by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677) ==19129== by 0x84C4B02: server_loop (server.c:668) ==19129== by 0x10D9A6: main (monitor.c:3028) Resolves: https://fedorahosted.org/sssd/ticket/2572 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit 373946b540eaa5d97c6efb39629195dbe2a1f015)
* RESOLV: Add an internal function to read TTL from a DNS packetJakub Hrozek2015-02-117-5/+511
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/1884 Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit bf54fbed126ec3d459af40ea370ffadacd31c76d)
* LDAP: Rename the _res output parameter to avoid clashing with libresolv in testsJakub Hrozek2015-02-112-4/+4
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 4d7fe714fe74ad242497b2bdbeb7b4e0bf40141f)
* fill_id() fix LE/BE issue with wrong data typeSumit Bose2015-01-301-4/+6
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 866ab45027c83fafb7f7f45d34d3e1e7721b77dc)
* AD: use GC for SID requests as wellSumit Bose2015-01-302-10/+29
| | | | | | | | | | If a universal group is looked up by SID the cross-domain members must be resolved with the help of the Global Catalog. Related to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)
* ipa_s2n_save_objects: properly handle fully-qualified group namesSumit Bose2015-01-301-1/+1
| | | | | | | | | | | Check if the given name is already fully-qualified instead of adding a domain name unconditionally. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 9ad346318dc2cc5d5a340d8d981ddfdcc6f632da)
* MAN: amend sss_ssh_authorizedkeysPavel Reichl2015-01-301-2/+3
| | | | | | | | Directive AuthorizedKeysCommand should be used in conjunction with AuthorizedKeysCommandUser. Reviewed-by: Jan Cholasta <jcholast@redhat.com> (cherry picked from commit ab5f9b58ae740868cb09e92379ed41d30b9401ac)
* IPA: Resolve IPA user groups' overrideDN in non-default viewJakub Hrozek2015-01-301-8/+312
| | | | | | | | | | | When the client is in a non-default view, we need to store the override data, in particular the overrideDN as well. Resolves: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b2c3722b9a1eaf265f6b102043958f6d4378788c)
* LDAP: Add UUID when saving incomplete groupsJakub Hrozek2015-01-305-12/+29
| | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 108db0e3b9e06e530364ef8228634f5e3f6bd3b5)
* pysss: Fix double freeLukas Slebodnik2015-01-301-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The talloc context is removed in destructor. ==1695== Invalid read of size 4 ==1695== at 0x1243D0CD: talloc_chunk_from_ptr (talloc.c:372) ==1695== by 0x1243D0CD: _talloc_free (talloc.c:1559) ==1695== by 0x117B18C3: PySssLocalObject_dealloc (pysss.c:836) ==1695== by 0x117B1AEE: PySssLocalObject_new (pysss.c:898) ==1695== by 0x4ED5522: type_call (typeobject.c:729) ==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529) ==1695== by 0x4F15584: do_call (ceval.c:4328) ==1695== by 0x4F15584: call_function (ceval.c:4133) ==1695== by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753) ==1695== by 0x4F16BE5: fast_function (ceval.c:4196) ==1695== by 0x4F16BE5: call_function (ceval.c:4131) ==1695== by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753) ==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342) ==1695== by 0x4EA46BC: function_call (funcobject.c:526) ==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529) ==1695== by 0x4F1504F: ext_do_call (ceval.c:4423) ==1695== by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792) ==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342) ==1695== Address 0x112d4560 is 64 bytes inside a block of size 96 free'd ==1695== at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==1695== by 0x1243D2F2: _talloc_free_internal (talloc.c:1057) ==1695== by 0x1243D2F2: _talloc_free (talloc.c:1581) ==1695== by 0x117B1ABF: PySssLocalObject_new (pysss.c:876) ==1695== by 0x4ED5522: type_call (typeobject.c:729) ==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529) ==1695== by 0x4F15584: do_call (ceval.c:4328) ==1695== by 0x4F15584: call_function (ceval.c:4133) ==1695== by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753) ==1695== by 0x4F16BE5: fast_function (ceval.c:4196) ==1695== by 0x4F16BE5: call_function (ceval.c:4131) ==1695== by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753) ==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342) ==1695== by 0x4EA46BC: function_call (funcobject.c:526) ==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529) ==1695== by 0x4F1504F: ext_do_call (ceval.c:4423) ==1695== by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792) ==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342) Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 3cd7275c3c41a03eb65769c2bf4e472d1de7b8c0)
* PROXY: Fix use after freeLukas Slebodnik2015-01-301-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The dbus_req and associated talloc context are no longer valid after execution of the function sbus_request_return_and_finish even if error code was returned. ==32479== Invalid read of size 8 ==32479== at 0x131F275F: client_registration (proxy_init.c:474) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) ==32479== by 0x89B5776: std_event_loop_wait (tevent_standard.c:140) ==32479== by 0x529E255: server_loop (server.c:668) ==32479== by 0x40DBC5: main (data_provider_be.c:2915) ==32479== Address 0xb700858 is 104 bytes inside a block of size 136 free'd ==32479== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32479== by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1) ==32479== by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95) ==32479== by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119) ==32479== by 0x131F264D: client_registration (proxy_init.c:443) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) Resolves: https://fedorahosted.org/sssd/ticket/2573 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 33889b2ad764beb6b129f5211b1fab9790da8884)
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-272-1/+21
| | | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
* SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to rootJakub Hrozek2015-01-271-1/+17
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2564 libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
* IPA: Use attr's dom for users, tooJakub Hrozek2015-01-261-11/+11
| | | | | | | | | | | | The 'dom' pointer points to domain of the main object being saved. In case of group, dom points to the domain where the group resides. But when saving members, each members might be from a different domain, so we need to find every member's domain based on the attributes. Also don't use Yoda style in conditions. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b2c5e98def89a0c3d16f5cf7e07ce2020338b540)
* IPA: process_members() add ghosts only onceSumit Bose2015-01-261-2/+4
| | | | | | | | | | | | Since ghost entries might not be properly removed on the IPA server (https://fedorahosted.org/sssd/ticket/2567) chances are that during extdom group lookups a single user is returned multiple time. This patch removes the duplicates before trying to write the data to the cache. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 60f11e2fa1f63cd40ebace525ad823b0360fac94)
* IPA: resolve IPA group-memberships for AD usersSumit Bose2015-01-262-3/+44
| | | | | | | | | | | | | | | | So far only for initgroups requests the IPA group memberships where resolved for AD users and due to 6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not overridden by other request. But it turned out that the originalMemberOf attributes related to the IPA group memberships can be overridden by user lookups. Since the originalMemberOf attribute is important in the HBAC evaluation this patch makes sure that the originalMemberOf attribute is not removed but updated during user lookups. Related to https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)
* AD: support for AD site overridePavel Reichl2015-01-265-7/+37
| | | | | | | | | | Override AD site found during DNS discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e438fbf102c3d787902504bdae177e84230cbbc9)
* AD: add new option ad_sitePavel Reichl2015-01-265-0/+19
| | | | | | | | | | This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit b22e0da9e644f5eb84ee0c8986979fec3fe7eb56)
* sysdb: remove ghosts in all sub-domains as wellSumit Bose2015-01-231-2/+3
| | | | | | | | | | | | | | If a user is a member is a group in a different sub-domain, e.g with universal groups in AD, the ghost attribute might not be properly removed from the group object if the user is resolved. The reason is that only groups from the domain of the user were search for ghost attributes. This patch increases the search-base to all sub-domains of the configured SSSD domain. Resolves https://fedorahosted.org/sssd/ticket/2567 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)
* nss: fix SID lookupsSumit Bose2015-01-231-1/+9
| | | | | | https://fedorahosted.org/sssd/ticket/2566 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-234-2/+133
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: fix GID overrride for mpg domainsSumit Bose2015-01-211-1/+20
| | | | | | | | | | | | When adding a user sysdb internally adds a value to SYSDB_GIDNUM for mpg domain which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created but in the same transaction Releted to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit ba818cc39dfe94c2b8613f4badf7912811f0f737)
* Open the PAC socket from krb5_child before dropping rootJakub Hrozek2015-01-213-0/+27
| | | | | | | | | | | The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
* nss: Add original DN and memberOf to origbyname requestSumit Bose2015-01-202-2/+5
| | | | | | | | | | IPA HBAC evaluation relies on the original values for DN and memberOf attributes. Resolves https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7543052f562f157f7b17fdc46a6777d80c0cb3bd)
generated by cgit (git 2.34.1) at 2024-06-27 05:55:32 +0000