| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
sysdb_idmap_get_mappings returns ENOENT if no results were found.
Part od solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2448
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some parts of initialization (Kerberos ticket renewal, checking the
keytab for the right principal) still require the root privileges. Drop
privileges after initializing the back ends.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code didn't have to handle this case previously as sssd_be was always
running as root and switching to the ccache as the user logging in.
Also handle NULL creds on restore_creds() in case there was no switch.
One less if-condition and fewer indentation levels.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we would have to link krb5_child with pcre and transfer the
regex, which would be cumbersome. Check for illegal patterns when
expanding the template instead.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new module krb5_ccache.c that contains all ccache-related
operations. The only user of this module shall be krb5_child.c as the
other modules will run unprivileged and accessing the ccache requires
either privileges of root or the ccache owner.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In future patches, sssd_be will be running as a non-privileged user, who
will execute the setuid krb5_child. In this case, the child will start
as root and drop the privileges as soon as possible.
However, we need to also remove the privilege drop in sssd_be, because
if we dropped to the user who is authenticating, we wouldn't be even
allowed to execute krb5_child. The krb5_child permissions should be
4750, owned by root.sssd, to make sure only root and sssd can execute
the child and if executed by sssd, the child will run as root.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2461
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
LDB does not store attributes if they have the
same name and value and errors out instead.
Fixes:
https://fedorahosted.org/sssd/ticket/2461
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
The end of dnf update is not an operation failure it is just
a usefull debug message.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with
another type
"enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very
strict in this.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.
Resolves:
https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently the uuid attributes for user and groups were removed because
it was found that there are not used at all and that some of them where
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups
with this patch set the default value of these attributes to
ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Wrong name would be used with fully qualified names.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two tests stored cache in the same directory, It can cause failures with
parallel execution of tests.
sh$ git grep tests_sysdb
src/tests/cmocka/test_sysdb_views.c:#define TESTS_PATH "tests_sysdb"
src/tests/sysdb-tests.c:#define TESTS_PATH "tests_sysdb"
This patch also clean up potential leftovers after previous failed
test_sysdb_views before execution of test suite.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
All our child processes duplicated the same code that set up the
debugging all around. Instead of adding yet another copy for the
selinux_child, add a common utility function.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
We had struct io and the associated destructor copied twice in the code
already and need it again in the SELinux provider. Instead of adding
another copy, move the code to a shared subtree under util/
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
After ldap_child initializes privileges using root-owned keytab, it
drops privileges to the SSSD user, minimizing the amount of code that
runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
| |
The back end wrote uint32_t, the ldap_child process would read int32_t.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The function was called from one place only, so it makes no sense to
keep it in a shared module. Moreover, the function should only be
called from code that runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Since the IPA clients expects that the extdom plugin delivers the
default view data for a given user this patch adds the public SSH key to
the list of returned attributes of the getorigbyname request so that it
can be send back to the clients.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
With the new parameter an attribute list other than the default one can
be used.
Override attributes with multiple values (e.g. SSH public keys) are now
supported as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch add another attribute with is needs for override processing
to the attribute list of sysdb_get_user_attr_with_views(). With two
attribute it does not seem useful to check for existence and add each of
the attributes conditionally. With this patch they are added
unconditionally if the domain has views. Additionally the attributes are
not removed in the end because it is expected that they do not cause any
harm.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
To allow IPA clients to offer special attributes of AD users form
trusted domain the extdom plugin on the IPA server must send them to the
clients. The extdom plugin already uses sss_nss_getorigbyname() to get
attributes like the SID and the user principal name. This patch adds the
attributes given by the NSS/IFP user_attributes option to the list of
attributes returned by sss_nss_getorigbyname().
Fixes https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the component of the IPA provider which reads the AD user and
group attributes in ipa-server-mode uses default settings for the LDAP
related attributes. As a result even if ldap_user_extra_attrs is defined
in sssd.conf no extra attributes are read from AD.
With the patch the value if ldap_user_extra_attrs is inherited to the AD
subdomains to allow them to read extra attributes as well.
Related to https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class
of IPA groups from posixGroups to more general groupOfNames.
However, this object class is used also for roles, permissions and
privileges which caused SSSD to consider those objects to be groups as
well during initgroups.
Resolves:
https://fedorahosted.org/sssd/ticket/2471
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Disable midpoint refresh for netgroups if periodical refresh of expired
netgroups is enabled (refresh_expired_interval)
Resolves:
https://fedorahosted.org/sssd/ticket/2102
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2102
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The arrays with members to add or delete may be empty, i.e. have 0
entries. In this case further processing should be skipped to avoid
segfaults later on.
Fixes (hopefully) https://fedorahosted.org/sssd/ticket/2430
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This warning is caused be change 579e5d4b7a3ca161ea7518b2996905fa22c15995
"MONITOR: Allow confdb to be accessed by nonroot user"
src/monitor/monitor.c: In function ‘main’:
src/monitor/monitor.c:2953:24: error: ‘monitor’ may be used uninitialized
in this function [-Werror=maybe-uninitialized]
monitor->is_daemon = !opt_interactive;
^
cc1: all warnings being treated as errors
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
There was a variable in the IPA subdomain code named user_dom, however,
it was used in code that processes both users and groups, which was
confusing.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
| |
The IPA subdomain code treated ENOENT as a fatal error, which resulted
in a loud error message and the whole request being aborted. This patch
ignores ENOENT.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
About case_sensitive=preserving and services.
The name of the service can be preserved in
result of 'getent service'. However we
should still lowercase the protocol and
service aliases because they serve as keys
in some queries to sysdb. The lowercasing is done
by the provider already. If we did not do that,
we would lose case insesnsitivity.
With this patch the responder preserves the
case of service name and protocol, to match
the case that is stored in the sysdb (however
the protocol is already lowercased by provider,
so it was done only for consistent use of the
case_sensitive=preserve option in the responders
and only the case of name is the same as in
ldap).
Fixes:
https://fedorahosted.org/sssd/ticket/2460
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
