Commit message | Author | Age | Files | Lines

When the client is in a non-default view, we need to store the override
data, in particular the overrideDN as well.
Resolves:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b2c3722b9a1eaf265f6b102043958f6d4378788c)
Related to:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 108db0e3b9e06e530364ef8228634f5e3f6bd3b5)
The talloc context is removed in the destructor.
==1695== Invalid read of size 4
==1695== at 0x1243D0CD: talloc_chunk_from_ptr (talloc.c:372)
==1695== by 0x1243D0CD: _talloc_free (talloc.c:1559)
==1695== by 0x117B18C3: PySssLocalObject_dealloc (pysss.c:836)
==1695== by 0x117B1AEE: PySssLocalObject_new (pysss.c:898)
==1695== by 0x4ED5522: type_call (typeobject.c:729)
==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529)
==1695== by 0x4F15584: do_call (ceval.c:4328)
==1695== by 0x4F15584: call_function (ceval.c:4133)
==1695== by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753)
==1695== by 0x4F16BE5: fast_function (ceval.c:4196)
==1695== by 0x4F16BE5: call_function (ceval.c:4131)
==1695== by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753)
==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
==1695== by 0x4EA46BC: function_call (funcobject.c:526)
==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529)
==1695== by 0x4F1504F: ext_do_call (ceval.c:4423)
==1695== by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792)
==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
==1695== Address 0x112d4560 is 64 bytes inside a block of size 96 free'd
==1695== at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1695== by 0x1243D2F2: _talloc_free_internal (talloc.c:1057)
==1695== by 0x1243D2F2: _talloc_free (talloc.c:1581)
==1695== by 0x117B1ABF: PySssLocalObject_new (pysss.c:876)
==1695== by 0x4ED5522: type_call (typeobject.c:729)
==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529)
==1695== by 0x4F15584: do_call (ceval.c:4328)
==1695== by 0x4F15584: call_function (ceval.c:4133)
==1695== by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753)
==1695== by 0x4F16BE5: fast_function (ceval.c:4196)
==1695== by 0x4F16BE5: call_function (ceval.c:4131)
==1695== by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753)
==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
==1695== by 0x4EA46BC: function_call (funcobject.c:526)
==1695== by 0x4E7F902: PyObject_Call (abstract.c:2529)
==1695== by 0x4F1504F: ext_do_call (ceval.c:4423)
==1695== by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792)
==1695== by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 3cd7275c3c41a03eb65769c2bf4e472d1de7b8c0)
The dbus_req and associated talloc context are no longer valid after
execution of the function sbus_request_return_and_finish even if an error code
was returned.
==32479== Invalid read of size 8
==32479== at 0x131F275F: client_registration (proxy_init.c:474)
==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
==32479== by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
==32479== by 0x529E255: server_loop (server.c:668)
==32479== by 0x40DBC5: main (data_provider_be.c:2915)
==32479== Address 0xb700858 is 104 bytes inside a block of size 136 free'd
==32479== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32479== by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
==32479== by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
==32479== by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
==32479== by 0x131F264D: client_registration (proxy_init.c:443)
==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
Resolves:
https://fedorahosted.org/sssd/ticket/2573
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 33889b2ad764beb6b129f5211b1fab9790da8884)
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
https://fedorahosted.org/sssd/ticket/2564
libselinux uses many access(2) calls and access() uses the real UID,
not the effective UID, for the check. Therefore, the setuid selinux_child,
which only has an effective UID of root, would fail the check.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
The 'dom' pointer points to the domain of the main object being saved. In
case of a group, dom points to the domain where the group resides. But
when saving members, each member might be from a different domain, so we
need to find every member's domain based on the attributes.
Also don't use Yoda style in conditions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b2c5e98def89a0c3d16f5cf7e07ce2020338b540)
Since ghost entries might not be properly removed on the IPA server
(https://fedorahosted.org/sssd/ticket/2567) chances are that during
extdom group lookups a single user is returned multiple times. This patch
removes the duplicates before trying to write the data to the cache.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 60f11e2fa1f63cd40ebace525ad823b0360fac94)
So far only for initgroups requests the IPA group memberships were
resolved for AD users and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other requests. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)
Override AD site found during DNS discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e438fbf102c3d787902504bdae177e84230cbbc9)
This option overrides a result of the automatic site discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b22e0da9e644f5eb84ee0c8986979fec3fe7eb56)
If a user is a member of a group in a different sub-domain, e.g. with
universal groups in AD, the ghost attribute might not be properly
removed from the group object if the user is resolved. The reason is
that only groups from the domain of the user were searched for ghost
attributes. This patch increases the search base to all sub-domains of
the configured SSSD domain.
Resolves https://fedorahosted.org/sssd/ticket/2567
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)
https://fedorahosted.org/sssd/ticket/2566
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
In the SSSD cache domain names are handled case-sensitively. As a result
fully-qualified names in the RDN contain the domain part in the original
spelling. When an IPA client looks up group memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must be adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
When adding a user sysdb internally adds a value to SYSDB_GIDNUM for an
mpg domain which might cause conflicts with the one we added to users
git GID overrides. With this patch the override GID is added after the
user is created but in the same transaction.
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ba818cc39dfe94c2b8613f4badf7912811f0f737)
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.
https://fedorahosted.org/sssd/ticket/2559
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
IPA HBAC evaluation relies on the original values for DN and memberOf
attributes.
Resolves https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7543052f562f157f7b17fdc46a6777d80c0cb3bd)
The two loops in fill_orig were almost identical.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a4d64002b5ca763622bde240d27797d361ba0388)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5f4d896ec8e06476f4282b562b1044de14c48ecf)
Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY
type keytab and not at the end, a simple copy into a MEMORY type keytab
will revert the order of the keytab entries. Since e.g. the sssd_krb5
man page gives hints about where to add entries into keytab files to help
SSSD find the right entry, we have to keep the order when copying a
keytab into a MEMORY type keytab. This patch fixes this by doing a
second copy to retain the original order.
Resolves https://fedorahosted.org/sssd/ticket/2557
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9a15eb105d01d9e100e69e9d66fb8e880b228246)
Resolves:
https://fedorahosted.org/sssd/ticket/2548
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 702176303382b5a385e90fe68ad2c32bd708ebf1)
Resolves:
https://fedorahosted.org/sssd/ticket/2556
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit b49c6abe12721ee8442be1c1bd6c15443b518ca2)
Previously, we were only handling KRB5KRB_AP_ERR_SKEW
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9b2cd4e5e451c07cb2f04cdbaea2b94ccb5fb2ee)
Since RESP_USER_GROUPLIST contains all group memberships it is
effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62d919aea98edd1095f6a22241903d4c045b46ed)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3cd287313d93e29f9754feb46017dba2a039affd)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f1f22df95996390f63266ebacb624e521d934592)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 942ebb62c8df766a22271103abd518ddae02ea3a)
The current request already returned the SID, we do not need to request
it separately.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6046d23b3e90102fb3c796737ced03fb5a60fea)
The call protected by the check does not only expect that version 1 of
the extdom plugin is used but a specific response type as well. Since
version 1 can return older response types as well we want to be on the
safe side.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)
The IPA extdom plugin returns the data with the default view already
applied hence it is not needed to look up the override data if the client
has the default view assigned.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)
Currently ipa_resolve_user_list_send() only looks up the related user
objects but does not check for overrides. This patch tries to fix this.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit eab17959df71341073f946c533f59fc5e593b35c)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe)
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 765d9075bb1e10ae0f09b6c2701bfd50aeb423d4)
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d32b165fad7b89462f49c82349e1df5a2343afa2)
https://fedorahosted.org/sssd/ticket/2543
The LDAP URI is not valid prior to connecting to LDAP. Moreover,
reconnecting to a different server might invalidate the URI.
Move reading the URI after the connection has been established.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ccff8e75940963a0f68f86efcddc37133318abfa)
Resolves:
https://fedorahosted.org/sssd/ticket/2544
Use a dedicated fd instead to work around
https://bugzilla.samba.org/show_bug.cgi?id=11036
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit f00a61b6079d8de81432077a59daf015d85800d2)
Related to:
https://fedorahosted.org/sssd/ticket/2544
Adds a new function exec_child_ex and moves setting the extra_argv[]
to exec_child_ex() along with specifying the input and output fds.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
libsmb logs to stdout by default. It's much more reasonable to log to
stderr by default.
Please also note:
https://bugzilla.samba.org/show_bug.cgi?id=11036
and:
https://fedorahosted.org/sssd/ticket/2544
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit bb7ddd2be9847bfb07395341c7623da1b104b8a6)
Postpone compression of the previous log file to the next rotation cycle.
This only has effect when used in combination with compress. We need to use it
because we cannot tell sssd to close log files and thus sssd processes might
continue writing to the previous log file for some time.
Resolves:
https://fedorahosted.org/sssd/ticket/2547
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 565eb6fa43e74e2fbfff00dc29fdb20c5544a3d2)
Resolves:
https://fedorahosted.org/sssd/ticket/2550
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit ce6ba48c5a0723d9c8db6d960d2dfbcb6ffdd673)
Untested code is risky to change.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit ee8dccf5f0a7de4aba16ab73a53872df9a65175c)
https://fedorahosted.org/sssd/ticket/2542
If the GPO result object was missing completely, we would error out with
a fatal error code. It's more user-friendly to treat the missing object
as if the requested attribute was missing on the provider level.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit fc2cc91a5b645180e53d46436b0d08011aac8d74)
To set up and use the Zanata client, follow:
http://zanata.org/help/cli/cli-configuration/
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
There are actually two bugs here:
1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned
failure (for any reason), we would talloc_free(svc) which removed it
from being eligible for restart, resulting in the service never
starting again without an SSSD service restart.
2) There is a fairly wide race condition where it's possible for a
SIGKILL timer to "catch up" to the child exit handler between us
noticing the termination and actually restarting it. The race
happens because we re-enter the mainloop and add a restart
timeout to avoid a quick failure if we keep restarting due to a
transitory issue (the mt_svc object, and therefore the SIGKILL
timer, were never freed until we got to the actual service
restart).
We can minimize this race by recording the timer_event for the
SIGKILL timeout in the mt_svc object. This way, if the process
exits via SIGTERM, we will immediately remove the timer for the
SIGKILL. Additionally, we'll catch the special-case of an ESRCH
response from the kill(SIGKILL) and assume that it means that the
process has exited. The only other two possible errors are
* EINVAL: (an invalid signal was specified) - This should be
impossible, obviously.
* EPERM: This process doesn't have permission to send signals to
this PID. If this happens, it's either an SELinux bug or
else the process has terminated and a new process that
SSSD doesn't control has taken the ID over.
So in the incredibly unlikely case that one of those occurs, we'll
just go ahead and try to start a new process.
This patch also removes the incorrect talloc_free(svc) calls on the
kill() failures and replaces them with an attempt to just start up
the service again and hope for the best.
Resolves:
https://fedorahosted.org/sssd/ticket/2525
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>