| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
src/sss_client/pam_sss.c:1461:73:
error: cast from 'int **' to 'const void **' must have all
intermediate pointers const qualified to be safe [-Werror,-Wcast-qual]
pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data);
^
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Some users are confused about placement of the debug_level directive or
the location of the log files. Clarify both in the man page.
Also add a pointer to sss_debuglevel.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Deny rules have not been supported by the IPA server since 2.1. We
should deprecate the ipa_hbac_treat_deny_as option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
If deny rules are not in effect, we can skip malformed HBAC rules
because at worst we will deny access. If deny rules are in effect, we
need to error out to be on the safe side and avoid skipping a deny rule.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
It's better to dereference the domain structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
We should make sure the client re-checks the SRV query each request if
the SRV query is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
Refactor nds_check_expired() to use utility function sss_utc_to_time_t().
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Refactor check_pwexpire_kerberos() to use utility function
sss_utc_to_time_t().
Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19)
[attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb'
specified, but with 0 values (illegal)]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error:
[Constraint violation]
[sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
[sdap_store_group_with_gid] (0x0040): Could not store group Escalation
[sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
[sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
[sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
Also fix debug message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In general every object created by the AD provider should have a SID
attribute. Since SIDs and GPOs are used for access control a missing SID
should be treated as error for now until it is known if there is a valid
reason why the SID is missing.
Resolves https://fedorahosted.org/sssd/ticket/2608
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.
Related to:
https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When working with older FreeIPA releases the view name might not always
been set. This patch add checks to might sure it is only dereferenced
when set.
Resolves https://fedorahosted.org/sssd/ticket/2604
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a warning with gcc-5.0 and enabled optimization.
Warning is not visible with "-O0".
CC src/responder/common/responder_cache_req.o
src/responder/common/responder_cache_req.c: In function ‘cache_req_next_domain’:
src/responder/common/responder_cache_req.c:296:160: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
src/responder/common/responder_cache_req.c:277:13: note: ‘ret’ was declared here
errno_t ret;
^
cc1: all warnings being treated as errors
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done':
src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized]
state->sci = sci;
^
src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here
struct selinux_child_input *sci;
^
cc1: all warnings being treated as errors
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2444
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.
The logon_name member of the pam_data struct contains the name which was
send by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This means that the db is not in the expected format thus we should
make the error more visible.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The input name is now parse automatically by cache_req if
none particullar domain is specified. The parsed named is
returned from _recv as an output parameter.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This is a non static function that is supposed to be
used in tests but it was missing from header file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Originaly, the cache_req used enum sss_dp_acct_type to indicate
request type but not all types were implemented. Thus we used default
branch to indicate unimplemented request type.
Now when we switched to a custom enum type we can get rid of the default
branch so the compiler can check if all switches contains all values.
This proved to be useful during development of new request types.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Currently cache_req takes only user name as an input parameter. However,
this is not enough since we will need also UID and GID in the future.
This patch creates a structure to hold input parameters so it can be
simply extended to support other input types.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Using a constant here is better since the name is shared between
the test function and testing _done function.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This is done in order to distinguish those tests from other
user tests that are about to come. For example: test_user_by_id.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
| |
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Users often wrongly use SSSD expansions in libkrb5 expansion template
for principals. State explicitly it won't work.
Resolves:
https://fedorahosted.org/sssd/ticket/2528
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2598
We need to return an empty result in cases an initgroups lookup by UPN
doesn't return anything. Please note testing with "id user" is not
sufficient as id calls a getpwnam first.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
