path: root/src

Commit message | Author | Age | Files | Lines
* CONFIG: full_name_format is an allowed option for all domains | Jakub Hrozek | 2016-08-12 | 4 | -0/+5

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* gpo: gPCMachineExtensionNames with just whitespaces | Michal Židek | 2016-08-11 | 1 | -1/+20

  Resolves: https://fedorahosted.org/sssd/ticket/3114

  We failed GPO processing if the gPCMachineExtensionNames attribute contained just whitespaces. This caused failures in some server settings.

  Comment from Alexander Bokovoy quoting:

  You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when processing gPCMachineExtensionNames, "Group Policy processing terminates at the first <CSE GUIDn> out of sequence." Since ' ' (space only) does not fall into defined syntax for gPCMachineExtensionNames, this Group Policy processing is stopped and its CSE GUIDs are set to 'empty list'. Because of the 3.2.5.1.10 'Extension Protocol Sequences' language

  ------------------------------------------------------------------------
  The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field. Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.
  -------------------------------------------------------------------------

  I think we can practically treat wrong content of gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the GPO to pass through the Filtered GPO list. Thus, the GPO would be ignored.

  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Use the DP handlers in simple provider tests, add more tests | Jakub Hrozek | 2016-08-10 | 1 | -21/+165

  Use the full simple access control handlers, just like SSSD does in the tests.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SIMPLE: Make the DP handlers testable | Jakub Hrozek | 2016-08-10 | 2 | -2/+46

  To make it possible to call the whole DP handler in the unit test, not just the evaluator part.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SIMPLE: Fail on any error parsing the access control list | Jakub Hrozek | 2016-08-10 | 1 | -1/+4

  Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SIMPLE: Do not parse names on startup | Jakub Hrozek | 2016-08-10 | 1 | -7/+0

  It's not required to parse names on SSSD startup in the simple access provider. We can instead just parse the name when the access request is processed.

  Resolves: https://fedorahosted.org/sssd/ticket/3101

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* dyndns-tests: Fix false positive failures | Lukas Slebodnik | 2016-08-10 | 1 | -0/+1

  The child process finished faster than it was handled by the parent and therefore it timed out. It's a similar solution to the one in b3074dca3acebd91437ef13d3329d6d65d655215

  [ RUN ] dyndns_test_error
  (Fri Jul 29 16:12:00:621444 2016) [sssd] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
  Could not run the test - check test fixtures
  [ ERROR ] dyndns_test_error

  Reviewed-by: Petr Čech <pcech@redhat.com>

* SYSDB: Avoid optimisation with modifyTimestamp for users | Lukas Slebodnik | 2016-08-10 | 2 | -33/+0

  The usage of modifyTimestamp needn't be a reliable way of detecting changes in a user entry in LDAP. The authorisation needs to rely on current data from LDAP and therefore we will temporarily disable the optimisation with modifyTimestamp and will rather rely on deep comparison of attributes.

  In the future, it might be changed and responders might control the optimization level.

  Resolves: https://fedorahosted.org/sssd/ticket/3110

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* NSS: Use correct name for invalidating memory cache | Lukas Slebodnik | 2016-08-10 | 2 | -15/+18

  After refactoring of sysdb, we get an internal fully qualified name from the backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck. Previously we got a short name and we created the fq name in nss_update_initgr_memcache.

  Memory cache still needs to use short names if it was specified. This patch uses the right name in different places.

  Reviewed-by: Petr Cech <pcech@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Allow to test netgroups | Lukas Slebodnik | 2016-08-10 | 2 | -0/+156

  sh-4.2# getent netgroup -s sss QAUsers
  QAUsers ( ,qa1,example.com) ( ,qa2,example.com) ( ,qa3,example.com)
  sh-4.2# getent netgroup -s sss QASystems
  QASystems (qahost1.example.com,,) (qahost2.lab.eng.pnq.redhat.com,,)
  sh-4.2# getent netgroup -s sss test
  sh-4.2# echo $?
  2
  sh-4.2# python
  Python 2.7.5 (default, Aug 2 2016, 04:20:16)
  [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>> import sssd_netgroup
  >>> sssd_netgroup.get_sssd_netgroups('QAUsers')
  (1, 0, [(None, 'qa1', 'example.com'), (None, 'qa2', 'example.com'), (None, 'qa3', 'example.com')])
  >>> sssd_netgroup.get_sssd_netgroups('QASystems')
  (1, 0, [('qahost1.example.com', None, None), ('qahost2.lab.eng.pnq.redhat.com', None, None)])
  >>> sssd_netgroup.get_sssd_netgroups('test')
  (0, 0, [])
  >>>

  Reviewed-by: Petr Čech <pcech@redhat.com>

* intg: Make location of sssd nss module configurable | Lukas Slebodnik | 2016-08-10 | 2 | -1/+2

  The path to the sssd nss module (libsss_nss.so) was relative to prefix and expected the subdirectory "lib". 32bit and 64bit platforms and different distributions use different paths.

  This patch allows using the python module sssd_id even with the real module and not just in integration tests. It is just required to prepare "config.py" with the right path.

  e.g.
  cd ~/sssd/src/tests/intg
  [~/sssd/src/tests/intg]$ echo "NSS_MODULE_DIR = '/usr/lib64'" > config.py
  [~/sssd/src/tests/intg]$ python
  Python 2.7.12 (default, Jul 18 2016, 09:57:01)
  [GCC 6.1.1 20160621 (Red Hat 6.1.1-3)] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>> import sssd_id
  >>> sssd_id.get_user_gids('user')
  (1, 0, [5977, 1070, 5845, 1076, 1074, 10327, 5975, 5766])

  Reviewed-by: Petr Čech <pcech@redhat.com>
* config_schema: Add ldap_user_email to schema | Lukas Slebodnik | 2016-08-10 | 1 | -0/+1

  Resolves: https://fedorahosted.org/sssd/ticket/3068

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* sssctl: use internal API to remove files | Pavel Březina | 2016-08-09 | 2 | -5/+4

  Reviewed-by: Petr Cech <pcech@redhat.com>

* utils: add remove_subtree | Pavel Březina | 2016-08-09 | 3 | -7/+82

  Removes all entries in a directory but does not remove the directory itself.

  Reviewed-by: Petr Cech <pcech@redhat.com>

* UTILS: Fixing duplication of pid file declaration | Petr Cech | 2016-08-09 | 4 | -8/+5

  Resolves: https://fedorahosted.org/sssd/ticket/2978

  Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Do not check local users with disabled local_negative_timeout | Lukas Slebodnik | 2016-08-09 | 1 | -18/+27

  sssd_nss can set a different negative timeout for local users and groups. However, checking whether a user/group is local is quite an expensive operation. We can avoid such operations if local_negative_timeout is not set.

  This fix improves performance (40%) of lookups of non-existing entries in offline mode and with disabled local_negative_timeout.

  sh$ cat pok.sh
  for i in {1..10000}; do
      getent passwd -s sss temp$i
      getent group -s sss temp$i
  done

  #without patch
  sh $time /bin/bash pok.sh
  real 0m41.534s
  user 0m3.580s
  sys 0m14.202s

  #with patch
  sh $time /bin/bash pok.sh
  real 0m26.686s
  user 0m3.292s
  sys 0m13.165s

  Resolves: https://fedorahosted.org/sssd/ticket/3122

  Reviewed-by: Petr Cech <pcech@redhat.com>

* sssctl: Generic help for cache-upgrade and config-check | Michal Židek | 2016-08-09 | 2 | -0/+12

  sssctl COMMAND --help should print at least generic help, even if the command does not accept any command specific options.

  Resolves: https://fedorahosted.org/sssd/ticket/3086

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* DP: Initialize D-Bus as soon as possible | Pavel Březina | 2016-08-09 | 2 | -11/+23

  Resolves: https://fedorahosted.org/sssd/ticket/3111

  Reviewed-by: Petr Cech <pcech@redhat.com>
* IPA: Check the return value of sss_parse_internal_fqname | Jakub Hrozek | 2016-08-08 | 1 | -0/+8

  We should fail the request if sss_parse_internal_fqname() fails.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* PAM: Do not act on ldb_message in case of a failure | Jakub Hrozek | 2016-08-08 | 1 | -15/+18

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* LDAP: Fixing wrong pam error code for passwd | Petr Cech | 2016-08-08 | 1 | -0/+5

  This patch adds the right pam error code for sssd offline state.

  Resolves: https://fedorahosted.org/sssd/ticket/3109

* LDAP: Fix Dereference after NULL check | Lukas Slebodnik | 2016-08-08 | 1 | -1/+1

  The commit dc30c60f166ad9adc63a47a1013508a71624ac87 changed the logic in NULL check

  -    if (protocol) {
  +    if (protocol == NULL) {

  Found by Coverity:

  Reviewed-by: Petr Čech <pcech@redhat.com>
* SDAP: Don't log an op failure when no users are found | Fabiano Fidêncio | 2016-08-05 | 1 | -3/+6

  When no users are found during the search users process, just log (at TRACE_ALL level) that zero users were retrieved and avoid logging (at OP_FAILURE level) that a failure has occurred, which may end up misleading admins, giving them the impression that something wrong has happened.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

  Resolves: https://fedorahosted.org/sssd/ticket/3089

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* tools: Add missing gettext macro | Michal Židek | 2016-08-05 | 1 | -1/+1

  The message in SSS_TOOL_DELIMITER should be translated.

  Reviewed-by: Petr Čech <pcech@redhat.com>

* PROVIDER: Conversion empty string from D-Bus to NULL | Petr Cech | 2016-08-05 | 2 | -4/+4

  This patch fixes the issue with empty string receiving from D-Bus. Data providers obtain NULL. So this is a simple conversion.

  Resolves: https://fedorahosted.org/sssd/ticket/3084

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* Revert "LDAP: Lookup services by all protocols unless a protocol is specified" | Petr Cech | 2016-08-05 | 1 | -5/+2

  This reverts commit aa58e216c1f794bd335151f19e79adbb3ddf4c73.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* IPA: Changing of confusing debug message | Petr Cech | 2016-08-05 | 2 | -3/+6

  This debug message used to confuse our users. So this patch changes it.

  Old version: "Trust direction of %s is %s\n"
  New version: "Trust type of [%s]: %s\n"

  Resolves: https://fedorahosted.org/sssd/ticket/3090

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time | Jakub Hrozek | 2016-08-05 | 2 | -10/+93

  sysdb is already able to retrieve the current timestamp if the caller doesn't specify it. However, for the timestamp cache this came too late and the timestamp cache used zero as the 'now' time.

  Resolves: https://fedorahosted.org/sssd/ticket/3064

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SYSDB: Sanitize dn in sysdb_get_user_members_recursively | Lukas Slebodnik | 2016-08-05 | 1 | -1/+11

  There was a crash in nss responder when a group contained a user with special characters which should be sanitized before using in filter.

  ==31651== Conditional jump or move depends on uninitialised value(s)
  ==31651==    at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
  ==31651==    by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
  ==31651==    by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
  ==31651==    by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
  ==31651==    by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
  ==31651==    by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
  ==31651==    by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
  ==31651==    by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
  ==31651==    by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
  ==31651==    by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
  ==31651==    by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
  ==31651==    by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)

  Resolves: https://fedorahosted.org/sssd/ticket/3121

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SDAP: sysdb_search_users does not set users_count for failures | Lukas Slebodnik | 2016-08-05 | 1 | -1/+1

  ==32577== Conditional jump or move depends on uninitialised value(s)
  ==32577==    at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
  ==32577==    by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
  ==32577==    by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
  ==32577==    by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
  ==32577==    by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
  ==32577==    by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
  ==32577==    by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
  ==32577==    by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
  ==32577==    by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
  ==32577==    by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
  ==32577==    by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
  ==32577==    by 0x8BED40C: _tevent_loop_once (tevent.c:533)
  ==32577==    by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
  ==32577==    by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
  ==32577==    by 0x529DD02: server_loop (server.c:702)
  ==32577==    by 0x110951: main (data_provider_be.c:587)

  Resolves: https://fedorahosted.org/sssd/ticket/3121

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SDAP: sanitize member name before using in filter | Lukas Slebodnik | 2016-08-05 | 1 | -1/+10

  It caused errors.

  (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectclass=user)(nameAlias=t(u)ser@ldap))
  (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x0080): Error: 5 (Input/output error)

  Resolves: https://fedorahosted.org/sssd/ticket/3121

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: Consistent commands naming | Michal Židek | 2016-08-05 | 8 | -68/+69

  Use TOPIC-ACTION pattern for sssctl command names.

  Resolves: https://fedorahosted.org/sssd/ticket/3087

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* sss_ini: Change debug level of config error msgs | Michal Židek | 2016-08-04 | 1 | -2/+2

  Syntax errors in configuration files prevent SSSD or sssctl from starting completely. It would be good to display these errors by default with the highest level.

  Reviewed-by: Petr Čech <pcech@redhat.com>

* RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails | Fabiano Fidêncio | 2016-08-04 | 1 | -0/+1

  Currently ret, which is -1, is passed to strerror() instead of errno.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

  Related: https://fedorahosted.org/sssd/ticket/3094

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure | Fabiano Fidêncio | 2016-08-04 | 1 | -0/+2

  Be explicit that it may happen when SELinux is disabled and also suggest to enable SELinux.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

  Related: https://fedorahosted.org/sssd/ticket/3094

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon() | Fabiano Fidêncio | 2016-08-04 | 1 | -2/+2

  As this is not FATAL and may happen when SELinux is disabled, let's just decrease the debug level to MINOR_FAILURE

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

  Related: https://fedorahosted.org/sssd/ticket/3094

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Fixed some typos in man pages | Thorsten Scherf | 2016-08-04 | 2 | -2/+2

  Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
* LDAP: Use FQDN when linking parent LDAP groups | Jakub Hrozek | 2016-08-04 | 1 | -1/+1

  Resolves: https://fedorahosted.org/sssd/ticket/3093

  Because we compare the list of LDAP names with the list of sysdb names, we need to qualify the list of LDAP names before running the diff.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* LDAP: Changing of confusing debug message | Petr Cech | 2016-08-02 | 1 | -1/+1

  This debug message used to confuse our customer. So this patch changes it.

  Resolves: https://fedorahosted.org/sssd/ticket/3091

  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

* LDAP: Fix storing initgroups for users with no supplementary groups | Jakub Hrozek | 2016-08-02 | 1 | -14/+18

  If there are no supplementary groups, we tried to qualify a NULL pointer to an array which resulted in an error.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: add enterprise principal strings for user searches | Sumit Bose | 2016-07-29 | 5 | -4/+82

  Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to look up the alternative principal in LDAP properly the UPN search filter is extended to search for this type of name as well.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SDAP: add special handling for IPA Kerberos enterprise principal strings | Sumit Bose | 2016-07-29 | 1 | -0/+17

  Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To allow searches with the plain alias 'name@alt.realm' the returned value is converted before it is saved to the cache.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* PAM: Fix domain for UPN based lookups | Sumit Bose | 2016-07-29 | 1 | -0/+17

  Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* NSS: use different neg cache name for UPN searches | Sumit Bose | 2016-07-29 | 1 | -2/+10

  If Kerberos principals or email addresses have the same domain suffix as the domain itself, the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* PAM: continue with UPN/email search if name was not found | Sumit Bose | 2016-07-29 | 1 | -0/+39

  Currently we only search for UPNs if the domain part of the name was not known; with Kerberos aliases and email addresses we have to do this even if the domain name is a known domain.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* NSS: continue with UPN/email search if name was not found | Sumit Bose | 2016-07-29 | 1 | -6/+6

  Currently we only search for UPNs if the domain part of the name was not known; with Kerberos aliases and email addresses we have to do this even if the domain name is a known domain.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* LDAP/IPA: add local email address to aliases | Sumit Bose | 2016-07-29 | 2 | -0/+71

  Adding email addresses from the local domain to the alias names is not strictly needed but might help to speed up lookups in the NSS responder.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* utils: add is_email_from_domain() | Sumit Bose | 2016-07-29 | 3 | -0/+49

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* NSS: add user email to fill_orig() | Sumit Bose | 2016-07-29 | 2 | -0/+3

  The IPA server must send the email address of a user to the clients to allow login by email.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* LDAP: include email in UPN searches | Sumit Bose | 2016-07-29 | 2 | -10/+40

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>