summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
...
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-231-2/+14
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: fix GID overrride for mpg domainsSumit Bose2015-01-211-1/+20
| | | | | | | | | | | When adding a user sysdb internally adds a value to SYSDB_GIDNUM for mpg domain which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created but in the same transaction Releted to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Open the PAC socket from krb5_child before dropping rootJakub Hrozek2015-01-211-0/+8
| | | | | | | | | | The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb5: fix entry order in MEMORY keytabSumit Bose2015-01-191-28/+90
| | | | | | | | | | | | | | | Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY type keytab and not at the end a simple copy into a MEMORY type keytab will revert the order of the keytab entries. Since e.g. the sssd_krb5 man page give hints about where to add entries into keytab files to help SSSD to find a right entry we have to keep the order when coping a keytab into a MEMORY type keytab. This patch fixes this by doing a second copy to retain the original order. Resolves https://fedorahosted.org/sssd/ticket/2557 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: add systemd-user to gpo default permit listPavel Reichl2015-01-151-1/+3
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2556 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-154-8/+8
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructorJakub Hrozek2015-01-151-22/+17
| | | | | | | | ldap_child was the only child process that used child_cleanup instead of the common child_io_destructor. Unify the implementation to use the common function instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEWJakub Hrozek2015-01-141-0/+1
| | | | | | Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLISTSumit Bose2015-01-141-0/+14
| | | | | | | Since RESP_USER_GROUPLIST contains all group memberships it is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve missing membersSumit Bose2015-01-141-14/+48
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()Sumit Bose2015-01-141-50/+50
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: process_members() optionally return missing members listSumit Bose2015-01-141-18/+67
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing breakSumit Bose2015-01-141-0/+1
| | | | | | | The current request already returned the SID, we do not need to request it separately. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: ipa_resolve_user_list_send() take care of overridesSumit Bose2015-01-131-10/+8
| | | | | | | Currently ipa_resolve_user_list_send() only looks up the related user objects but do not check for overrides. This patch tries to fix this. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve ghost members if a non-default view is appliedSumit Bose2015-01-132-0/+213
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add get_be_acct_req_for_user_name()Sumit Bose2015-01-132-0/+18
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Extract server hostname after connectingJakub Hrozek2015-01-131-29/+29
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2543 The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established. Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Don't use stdout for output in gpo_childJakub Hrozek2015-01-133-6/+12
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2544 Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-134-9/+7
| | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Set libsmb debugging to stderrJakub Hrozek2015-01-131-0/+1
| | | | | | | | | | | | libsmb logs to stdout by default. It's much more reasonable to log to stderr by default. Please also note: https://bugzilla.samba.org/show_bug.cgi?id=11036 and: https://fedorahosted.org/sssd/ticket/2544 Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()Jakub Hrozek2015-01-081-1/+4
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2542 If the GPO result object was missing completely, we would error out with a fatal error code. It's more user-friendly to treat the missing object as if the requested attribute was missing on the provider level. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2014-12-171-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle groups from different domainsLukas Slebodnik2014-12-171-2/+16
| | | | | | | | | | | When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the used. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: verify group memberships of trusted domain usersSumit Bose2014-12-171-1/+144
| | | | | | | | | | | | Depending on the state of the cache group object a freshly created or updates user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific errorSumit Bose2014-12-171-1/+12
| | | | | | | | | | | KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: Initialize REALM earlierLukas Slebodnik2014-12-171-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-135-3/+41
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: retain external membersPavel Reichl2014-12-131-0/+104
| | | | | | | | | | | | When processing group membership check sysdb for group members from extern domain and include them in newly processed group membership as extern members are curently found only when initgroups() is called. Resolves: https://fedorahosted.org/sssd/ticket/2492 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Check FAST kinit errors using get_tgt_times()Jakub Hrozek2014-12-111-13/+15
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: use gettimeofday() instead of time()Pavel Březina2014-12-111-1/+1
| | | | | | | | | | | Sometimes the timestamp from gettimeofday() slightly differs from the one obtained via time() which caused unit test to fail on occasionaly. Resolves: https://fedorahosted.org/sssd/ticket/2521 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* simple-access-provider: break matching allowed usersPavel Reichl2014-12-081-1/+3
| | | | | | | Stop matching username with names in simple_allow_users after positive match. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* simple access provider: non-existing objectPavel Reichl2014-12-081-10/+25
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Do not append domain name to fq nameLukas Slebodnik2014-12-081-4/+17
| | | | | | | | | | Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
* be_ptask: let backoff affect only periodPavel Březina2014-12-082-30/+43
| | | | | | With this patch the first and enabled delay values are respected. Reviewed-by: Michal Židek <mzidek@redhat.com>
* krb5: add wrapper for krb5_kt_have_content()Sumit Bose2014-12-071-1/+1
| | | | | | | | | krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Relax DEBUG messageJakub Hrozek2014-12-031-2/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-034-4/+4
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Remove useless includeJakub Hrozek2014-12-031-2/+0
| | | | | | Using a PAM include file in an LDAP child is confusing. Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Create the fast ccache in a child processJakub Hrozek2014-12-032-28/+100
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-034-4/+7
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: sysdb_get_bool() return ENOENT & unit testsPavel Reichl2014-12-021-1/+5
| | | | | | | | | | | | | sysdb_get_bool() return ENOENT if no result is found. Unit test for sysdb_get_bool() & sysdb_set_bool() was added. This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by sysdb_has_enumerated(). Resolves: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: become user earlierSumit Bose2014-12-021-38/+93
| | | | | | | The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: copy keytab into memory to drop privileges earlierSumit Bose2014-12-021-19/+45
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory()Sumit Bose2014-12-022-0/+196
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory()Sumit Bose2014-12-022-0/+127
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failedSumit Bose2014-12-021-2/+5
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: only update view data if it really changedSumit Bose2014-12-021-50/+66
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make krb5 provider view awareSumit Bose2014-12-022-6/+25
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>