| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2940
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
without this patch, valgrind was reporting:
==30955== Conditional jump or move depends on uninitialised value(s)
==30955== at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111)
==30955== by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222)
==30955== by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872)
==30955== by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689)
==30955== by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797)
==30955== by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579)
==30955== by 0xE6FB1D2: sdap_process_message (sdap_async.c:353)
==30955== by 0xE6FAD51: sdap_process_result (sdap_async.c:197)
==30955== by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145)
==30955== by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341)
==30955== by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911)
==30955== by 0x8E14F09: std_event_loop_once (tevent_standard.c:114)
==30955==
Resolves:
https://fedorahosted.org/sssd/ticket/3213
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes creation of FQ username if krb5_map_user option
ise used.
Resolves:
https://fedorahosted.org/sssd/ticket/3188
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple failover requests come in same time, the first one will
result in collapsing the meta server but multiple resolution of
SRV records are triggered. The first one finishes normally but the
others won't find any new server thus ends with an error.
This patch makes failover to proceed normally even in such case.
Resolves:
https://fedorahosted.org/sssd/ticket/3131
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3185
Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
the next server on any error on the connection, which in case there is
only one server sends SSSD offline.
It's more graceful to try to process the results, same as we already do
with sizelimit exceeded.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We should set pagging flag in state and not in local
variable which is not read anywhere in the function.
Found by clang static analyzer.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds two more return codes to the list of codes we translate to
ERR_NETWORK_IO.
Resolves:
https://fedorahosted.org/sssd/ticket/3174
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member fo the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
I think this is a leftover from the change to use fully-qualified names
in sysdb. To verify this you can create a nested group in IPA. Without
this patch the id command will only show the groups the user is a direct
member of. With the patch the indirect groups memberships should be
shown as well.
https://fedorahosted.org/sssd/ticket/3163
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We used internal fq name in ldap filter
with id_provider proxy to files and auth provider
ldap
[sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These two functions (save_user() and save_group()) share, between
themselves, the code preparing the attributes that are going to be
stored in the sysdb.
This patch basically splits this code out of those functions and
introduces the new prepare_attrs_for_saving_ops().
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Those comments are similar to what we have in the save_group() function.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->group_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->user_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply check whether we will need a lowercase name
by accessing domain->case_sensitive.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.
That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.
The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
Resolves:
https://fedorahosted.org/sssd/ticket/3127
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There were problem with local key which wasn't properly removed.
This patch fixes it.
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When saving the user there is a comparison between the "cased alias"
and the "lowercase password name". However, the first doesn't use fully
qualified name while the second does, resulting in a not expected
override of the "nameAlias" attribute of a stored user when trying to
authenticate more than once using an alias.
Resolves:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When extending map with entry that already
exists in the map in the exacty same form,
then there is no need to fail.
We should only fail if we try to
change purpose of already used sysdb
attribute.
Resolves:
https://fedorahosted.org/sssd/ticket/3120
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
grep -nE "0x0040" /var/log/sssd/sssd_example.com.log
361:(Tue Aug 16 13:04:04 2016) [sssd[be[example.com]]]
[ldap_get_autofs_options] (0x0040): Your configuration uses the autofs
provider with schema set to rfc2307 and default attribute mappings.
The default map has changed in this release, please make sure
the configuration matches the server attributes.
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds SIGCHLD callback for ldap_child. So if timeout is
reached and ldap_child is terminated by handler we have debug message
about it.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We add better termination of ldap_child. If ldap_child reaches
the timeout for termination parent sents SIGTERM signal. Child
has 2 seconds for removing temporary file and exit.
If it is not sufficient there is SIGKILL send to the child.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We add support for handling SIGTERM signal. If ldap_child receives
SIGTERM signal it removes temporary file.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We can skip looking up other domains if
option ad_enabled_domains doesn't contain them.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We can skip looking up other domains if option ad_enabled_domains
contains only master domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We add ad_enabled_domains into ad_subdomains_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
GSSAPI is dependent on DNS with hostnames and we should warn about this.
Resolves:
https://fedorahosted.org/sssd/ticket/2789
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
We want to use custom interface for proxy provider so we do not
abuse the data provider one. This way we gain more control over
it and we can remove the old interface entirely.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3069
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This simplifies error handling in sbus requests since we avoid
creating DBusError and checking for NULL manually. It removes
few lines of code.
This patch does not replace all calls to sbus_request_fail_and_finish
since sometimes it is desirable to create the error manualy. But
it replaces it in most recent places.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3114
We failed GPO procesing if the gPCMachineExtensionNames
attribute contained just whitespaces. This coused
failures in some server settings.
Comment from Alexander Bokovoy quoting:
You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
processing gPCMachineExtensionNames, "Group Policy processing terminates
at the first <CSE GUIDn> out of sequence."
Since ' ' (space only) does not fall into defined syntax for
gPCMachineExtensionNames, this Group Policy processing is stopped and
its CSE GUIDs are set to 'empty list'.
Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element
Filtered GPO list separately for each Group Policy extension by
including in the subset only those GPOs whose gPCUserExtensionNames (for
user policy mode) or gPCMachineExtensionNames (for computer policy mode)
attributes contain CSE GUID that correspond to the Group Policy
extension. If the CSE GUID corresponding to the Group Policy extension
is present in Extension List, it is invoked using the
Implementation Identifier field. Applicability is determined as
specified in section 3.2.1.5. The Group Policy Registry Extension MUST
always execute first. All other applicable Group Policy extensions in
the Extension List MUST be loaded and executed in Extension List order.
A failure in any Group Policy extension sequence MUST NOT affect the
execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of
gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
GPO to pass through the Filtered GPO list. Thus, the GPO would be
ignored.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
To make it possible to call the whole DP handler in the unit test, not
just the evaluator part.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.
Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It's not required to parse names on SSSD startup in the simple access
provider. We can instead just parse the name when the access request is
processed.
Resolves:
https://fedorahosted.org/sssd/ticket/3101
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3111
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
| |
We should fail the request if sss_parse_internal_fqname() fails.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This patch adds right pam error code for sssd offline state.
Resolves:
https://fedorahosted.org/sssd/ticket/3109
|
| |
|
|
|
|
|
|
|
|
|
| |
The commit dc30c60f166ad9adc63a47a1013508a71624ac87
changed the logic in NULL check
- if (protocol) {
+ if (protocol == NULL) {
Found by Coverity:
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When no users are found during the search users process, just log (at
TRACEL_ALL level) that zero users were retrieve and avoid logging (at
OP_FAILURE level) that a failure has occurred, which may end up
misleading admins, giving them the impression that something wrong has
happened.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/3089
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes the issue with empty string recieving from D-Bus.
Data providers obtains NULL. So this is simple conversin.
Resolves:
https://fedorahosted.org/sssd/ticket/3084
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit aa58e216c1f794bd335151f19e79adbb3ddf4c73.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves:
https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==32577== Conditional jump or move depends on uninitialised value(s)
==32577== at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
==32577== by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
==32577== by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
==32577== by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
==32577== by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
==32577== by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
==32577== by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
==32577== by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
==32577== by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==32577== by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
==32577== by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
==32577== by 0x8BED40C: _tevent_loop_once (tevent.c:533)
==32577== by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
==32577== by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
==32577== by 0x529DD02: server_loop (server.c:702)
==32577== by 0x110951: main (data_provider_be.c:587)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
