| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/3169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, a generic 500 error code was returned. This patch adds a new
error message on a failure to contact the proxy server and returns 504,
"Gateway timeout" instead.
Resolves:
https://fedorahosted.org/sssd/ticket/3212
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3168
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
It wasn't simple to read log files from libsemanage
because they were on single line.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a time is changed into the past during sssd runtime
(e.g. on boot during time correction), it is possible that
we never hit watchdog tevent timer since it is based on
system time.
This patch adds a past-time shift detection mechanism. If a time
shift is detected we restart watchdog.
Resolves:
https://fedorahosted.org/sssd/ticket/3154
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There was a bug in generate_csprng_buffer() where if we read the exact
amount of bytes from /dev/urandom, we would always return EIO. Instead,
let's reuse the existing code from sss_atomic_read_s() which fixes this
bug and reduces code duplication.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We add better termination of ldap_child. If ldap_child reaches
the timeout for termination parent sents SIGTERM signal. Child
has 2 seconds for removing temporary file and exit.
If it is not sufficient there is SIGKILL send to the child.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We add support for handling SIGTERM signal. If ldap_child receives
SIGTERM signal it removes temporary file.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2978
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Syntax errors in configuration files
prevent SSSD or sssctl to start completely.
It would be good to display these errors
by default with the highest level.
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Some messages did not have errno or name of problematic file.
There was also improper use of negative value.
The function strerror was called with -1 instead of errno
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
the capaths for a single domain should be collected in a single
sub-section in the MIT Kerberos configuration not spread over multiple
one. See the capaths section of the krb5.conf man page for details.
Resolves:
https://fedorahosted.org/sssd/ticket/3103
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
In the ssh keys a leading 0 is added to the bignums of the RSA modulus
and exponent if the leading bit is set to avoid the interpretation as a
negative number.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2269
sssctl sconfig-check command allows to
call SSSD config file validators on
demand.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Separate logic to fill errobj so that
the errors can be printed by the caller.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
The conversion to sysdb made several functions obsolete. Remove them.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Previously, the sss_parse_name function was used. That function is meant
to parse SSSD input, mainly in responders, not internal object names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the sudoUser values we fetch from LDAP correspond to a user or a
group name per:
http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html
then we parse the usernames into (name,domain) tuples and store them
qualified.
This patch not only makes the sudo provider work with qualified names,
but also makes it possible to use qualified names on the LDAP side,
allowing for example AD users from different domains to access sudo
rules.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
expand_homedir_template() can be considered an outward-facing interface,
therefore the function and its input structure will accept the internal
name format and parse it internally into a username and domain
component.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds a convenience function that will help reduce the amount of code
duplication in the responders. All responders need to parse the username
from the internal format, lower-case the name, if the domain is
case-insensitive and then replace spaces if the responder is configured
to do so.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Adds a convenience wrapper around sss_create_fqname that qualifies a
list of names into the format used internally in sssd.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Add function to create internal fqname in format
shortname@domname where domain portion is lowercased.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add lightweight function to parse internal fqname format
(shortname@domain). This function does not require the
sss_names to be initialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2788
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Configuration file snippets must end with suffix
.conf. We wrongly allowed any suffixes that begin
with .conf (for example .conf.back).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older versions of gcc does not like initialisation of struct sigevent
because the first member of structure is union (sigval_t)
src/util/util_watchdog.c: In function 'setup_watchdog':
src/util/util_watchdog.c:77:12:
warning: missing braces around initializer [-Wmissing-braces]
struct sigevent sev = { 0 };
^
src/util/util_watchdog.c:77:12:
warning: (near initialization for 'sev.sigev_value') [-Wmissing-braces]
src/util/util_watchdog.c:77:12:
warning: initialization makes integer from pointer without a cast
src/util/util_watchdog.c:77:12:
warning: (near initialization for 'sev.sigev_value.sival_int')
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
With this mode we can add socket activated services and have systemd
pre exec sssd to genrate the configuration file w/o starting the whole
sssd if not necessary.
https://fedorahosted.org/sssd/ticket/2243
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Generates a master key file if it doesn't exist and encrypts secrets
using the master key contained in the file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This allows the services to self monitor.
Related:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The watchdog uses a kernel timer to issue a signal to the process.
It checks if the ticker is not being reset by the main event loop, which
would indicate that the process got stuck.
At the same time it sets a tevent timer to clear the watchdog ticker, so
that the watchdog handler is kept happy.
If the watchdog detects that the timer event failed to reset the watchdog for
three times in a row then the process is killed.
Normally the monitor will detect the child terminated and will rescheduled it.
Related:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Functions tevent_req_is_error and _tevent_req_error
use type uint64_t for error code.
SSSD uses errno_t which is an alias for int.
Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR
can return 0 due to implicit down casting from uint64_t -> int.
This patch makes down casting explicit and returns EINVAL
if result of downcasting is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Even though the connect() man page says waiting on a non-blocking connect
should be done by checking for writability, we need to check also for
readability. Otherwise it slightly break offline mode.
Changing password in offline mode is not supported by sssd
and error message "System is offline, password change not possible"
is printed. However without TEVENT_FD_READ for connect it takes much longer
when sssd finds out that it cannot connect to a server. It fails after
expiration of timeout (6 seconds). But meanwhile "passwd user" finished
without logging the offline message.
With TEVENT_FD_READ, connect fails much faster
with errno 113/No route to host.
The change was introduced in the commit
e05d3f5872263aadfbc2f6a2a8c9735219922387
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Function strerror does not expect negative values.
There should be errno.
[sssd_async_connect_done] (0x0020):
connect failed [-1][Unknown error 18446744073709551615].
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2247
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a performance enhancement. When looking for entries to
refresh, we always looked up all members in the cache, even if we ended
up dereferencing the whole group. If we are about to try dereference, it
makes sense to shortcut the lookups after the dereference threshold is
reached. In that case, the split_members function returns a special
error code and the caller just dereferences the whole group.
Only if dereference fails, we fall back to looking up all members so
that we can look them up one-by-one.
Also adds an integration test to make sure the dereference code works.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
We used really strange errno codes for detecting whether the database is
too old or too new. We should use our sssd-specific error coded instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
To indicate that data provider request was unexpectedly terminated.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
