| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
libsemanage documentation says:
~~~~
be sure that a semanage_disconnect() was previously called if the handle
was connected.
~~~~
Otherwise we get a memory leak.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Previously sssd_sudo always obtained sudo rules for user from LDAP even
when user was enlisted in filter_users.
Resolves https://fedorahosted.org/sssd/ticket/2625
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Output arguments needn't be initialized if function failed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The return valuee of functions test_remove_group_member
sysdb_attrs_add_time_t were ignored and therefore this part of code
was not tested.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
The second argument of function check_access_list should not be an empty list.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.
Resolves:
https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Patch remove code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The gid o was added to sysdb attrs directly in sdap_save_group for 1st time
and for second time in the function sdap_store_group_with_gid,
which was called every time from function sdap_save_group
[sysdb_set_entry_attr] (0x0080): ldb_modify failed:
[Attribute or value exists](20)[attribute 'gidNumber': value #1
on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
[sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_store_group_with_gid] (0x0040):
Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
[sdap_save_group] (0x0080): Could not store group with GID: [File exists]
[sdap_save_group] (0x0080):
Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
[sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/897
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2224
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2613
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2618
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The NSS responder periodically re-checks subdomains. We need to reset
the negative cache each time the check finishes to allow the negative
cache to contain entries from different domains.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
After responders start, they add a lookup operation that discovers the
subdomains so that qualifying users works. After this operation is
finishes, we need to reset negcache to allow users to be added into the
newly discovered domains.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This new function resets the negative cache and then re-adds the
permanent entries.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
is set
When default_domain_suffix is used and filter_users is set (at least
root is always, by default), SSSD tried to add the negcache entry to the
default domain. But since the default domain is not known after start
up, adding the entries fail with a verbose error message.
This patch handles EAGAIN returned from the parsing function while
setting negcache entries gracefully and also makes the debug message in
parsing function more precise.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
There was an off-by-one error in sss_ncache_reset_permanent that
prevented the reset from working.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In case SSSD is set with id_provider=proxy and auth_provider=ldap, the
LDAP provider is not used to retrieve the user info with the
higher-level calls, but the lower-level connection establishment is used
instead. In this case, we need to make sure to mark the connection as
explicitly connected to be notified about results of looking up the DN.
Resolves:
https://fedorahosted.org/sssd/ticket/2620
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The boolean variable found_nss could be used uninitialized
in test test_known_service if service "nss" would not be found.
We would catch it with valgind.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If for some reason ptask fails (e.g. timeout), req is talloc freed
but because subreq is attached to ectx which is permanent it is
finished anyway. Then a crash occures when we are trying to access
callback data.
The same happens in sdap_dom_enum_ex_send.
Resolves:
https://fedorahosted.org/sssd/ticket/2611
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although errno was cleared in function sss_nss_make_request
some sss glic functions set errno with value of output argument errnop.
Reproducer:
* sssd compiled with enabled option sss-default-nss-plugin
* sss is the last value in group (/etc/nsswitch.conf)
* sssd-client is installed but sssd is stopped.
C-program:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <grp.h>
int main(int argc, char *argv[])
{
struct group *p_group;
setgrent();
while (1) {
errno = 0; /* initialize for getgrent() */
p_group = getgrent();
if (p_group == NULL) {
if (errno == 0) {
break; /* end of groups */
} else {
perror("getgrent");
printf("getgrent error %d \n", errno);
endgrent();
exit(-2);
}
}
printf("getgrent() OK group(%d) = %s \n",
p_group->gr_gid, p_group->gr_name);
}
exit(0);
}
Resolves:
https://fedorahosted.org/sssd/ticket/2619
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The prototype of function copy_keytab_into_memory does not match the
definition. One of arguments differs in constant modifier.
Patch also include header file to implementation module.
If should avoid such problems in future.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2609
In a trust setup, hosts are normally only stored on the IPA server. The
default_domain_suffix option is only recommended for the IPA-AD trust
scenario as well. Therefore we should ignore this option in the SSH
provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
The last usage of function dom_sid_in_domain was removed as a part of chages
in ticket "Enhance PAC responder for AD users"
92af6f25864b5c389b57d0f659686801b45ca58c
|
| |
|
|
|
|
|
|
|
|
|
|
| |
src/tests/cmocka/test_resolv_fake.c:60:9:
error: cast from 'uint8_t *' (aka 'unsigned char *') to 'HEADER *'
increases required alignment from 1 to 4 [-Werror,-Wcast-align]
h = (HEADER *) hb;
^~~~~~~~~~~~~
1 error generated.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
The macro assert_int_equal prints value of integers if
they are not equal.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Documentation to macro assert_return_code says:
Assert that the return_code is greater than or equal to 0.
The function prints an error message to standard error and terminates the
test by calling fail() if the return code is smaller than 0. If the function
you check sets an errno if it fails you can pass it to the function and
it will be printed as part of the error message.
So in case of error we will see more verbose message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
src/sss_client/pam_sss.c:1461:73:
error: cast from 'int **' to 'const void **' must have all
intermediate pointers const qualified to be safe [-Werror,-Wcast-qual]
pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data);
^
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Some users are confused about placement of the debug_level directive or
the location of the log files. Clarify both in the man page.
Also add a pointer to sss_debuglevel.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Deny rules have not been supported by the IPA server since 2.1. We
should deprecate the ipa_hbac_treat_deny_as option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
If deny rules are not in effect, we can skip malformed HBAC rules
because at worst we will deny access. If deny rules are in effect, we
need to error out to be on the safe side and avoid skipping a deny rule.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
It's better to dereference the domain structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
We should make sure the client re-checks the SRV query each request if
the SRV query is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
Refactor nds_check_expired() to use utility function sss_utc_to_time_t().
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Refactor check_pwexpire_kerberos() to use utility function
sss_utc_to_time_t().
Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19)
[attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb'
specified, but with 0 values (illegal)]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error:
[Constraint violation]
[sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
[sdap_store_group_with_gid] (0x0040): Could not store group Escalation
[sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
[sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
[sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
