path: root/src
Commit message | Author | Age | Files | Lines
* pysss_nss_idmap: Use wrapper for older python [sssd-1-11] | Lukas Slebodnik | 2015-09-30 | 1 | -3/+3
  PyUnicode_FromString -> sss_python_unicode_from_string

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: return after tevent_req_error | Jakub Hrozek | 2015-05-11 | 1 | -0/+1
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  (cherry picked from commit f1f5854566c1ee44320a1111a33c12bcc409f00a)
  (cherry picked from commit fec528a3929792d4ec2981d6f3db30d6286197e7)
* enumeration: fix talloc context | Pavel Březina | 2015-04-08 | 2 | -2/+2
  If for some reason ptask fails (e.g. timeout), req is talloc freed but because subreq is attached to ectx which is permanent it is finished anyway. Then a crash occurs when we are trying to access callback data.

  The same happens in sdap_dom_enum_ex_send.

  Resolves: https://fedorahosted.org/sssd/ticket/2611
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 725bb2a9901c4f673b107ed179f5d68ec443ca63)
  (cherry picked from commit 81bb9be1ae0b2a4ebe960f136a52576abcdfbbac)
* sudo: return after tevent_req_error | Pavel Reichl | 2015-01-30 | 1 | -0/+1
  Don't call tevent_req_done after tevent_req_error (for the same request).

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 979f969abe7a75a2f41f6fddabec94674ca3c722)
* SDAP: return after tevent_req_error | Pavel Reichl | 2015-01-30 | 1 | -1/+2
  Don't call tevent_req_done after tevent_req_error (for the same request).

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 0d47aef7577f8cf651255cf59df87b3847dbe1ad)
* PROXY: Fix use after free | Lukas Slebodnik | 2015-01-30 | 1 | -2/+2
  The dbus_req and associated talloc context are no longer valid after execution of the function sbus_request_return_and_finish even if error code was returned.

  ==32479== Invalid read of size 8
  ==32479==    at 0x131F275F: client_registration (proxy_init.c:474)
  ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
  ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
  ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
  ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
  ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
  ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
  ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
  ==32479==    by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
  ==32479==    by 0x529E255: server_loop (server.c:668)
  ==32479==    by 0x40DBC5: main (data_provider_be.c:2915)
  ==32479==  Address 0xb700858 is 104 bytes inside a block of size 136 free'd
  ==32479==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==32479==    by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
  ==32479==    by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
  ==32479==    by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
  ==32479==    by 0x131F264D: client_registration (proxy_init.c:443)
  ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
  ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
  ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
  ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
  ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
  ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
  ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)

  Resolves: https://fedorahosted.org/sssd/ticket/2573
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 33889b2ad764beb6b129f5211b1fab9790da8884)
  (cherry picked from commit 31dd2a8c5042493b24ef4f9360139525c018bcb4)
* LDAP: retain external members | Pavel Reichl | 2015-01-13 | 3 | -0/+195
  When processing group membership check sysdb for group members from extern domain and include them in newly processed group membership as extern members are currently found only when initgroups() is called.

  Resolves: https://fedorahosted.org/sssd/ticket/2492
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* Signals: Remove unused functions | Simo Sorce | 2015-01-08 | 2 | -59/+0
  Cleanup unused signal functions

  (cherry picked from commit d054a96e102b53a3aab6602f531a0e8d254080ab)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAC: krb5_pac_verify failures should not be fatal | Jakub Hrozek | 2014-12-10 | 1 | -1/+10
  As noted in the MIT KRB5 documentation, some servers send PAC with no checksum, therefore the PAC validation should not be fatal, instead, we should treat a failure from krb5_pac_verify as if there was no PAC at all.

  Reported on sssd-devel by Thomas Sondergaard

  (cherry picked from commit 6e51d44a65b15c2f0491b0a8b452caac0bc00584)
* LDAP: Do not clobber return value when multiple controls are returned | Jakub Hrozek | 2014-12-09 | 1 | -3/+4
  We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 6a3ec7ba6f99b027c4c15a360ef0116fe60a0705)
* sss_client: Fix race condition in memory cache | Lukas Slebodnik | 2014-11-24 | 4 | -13/+59
  Thread safe initialisation was fixed in ticket #2380, but there is still a race condition in reinitialisation. If the cache is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache.

  Let's say we have two threads. The 1st thread finds out that memory cache should be reinitialized; therefore the fast memory cache is unmapped and context destroyed. At the same time, the 2nd thread tries to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread accesses out of bound memory (SEGFAULT).

  The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose.

  The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED)

  UNINITIALIZED - the fast memory cache needs to be initialized.
    - if there is a problem with initialisation the state will not change
    - after successful initialisation, the state will change to INITIALIZED

  INITIALIZED - if the cache was invalidated or any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed.

  RECYCLED - nothing will be done if there are any active threads which may use the data from mmaped memory
    - if there aren't active threads the fast memory cache is destroyed and state is changed to UNINITIALIZED.

  https://fedorahosted.org/sssd/ticket/2445
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 6a60e29468fc6b4043a4dc52d3aab73e8465db70)
* sss_client: Extract destroying of mmap cache to function | Lukas Slebodnik | 2014-11-24 | 1 | -16/+14
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c)
* MAN: page edit for ldap_use_tokengroups | Dan Lavu | 2014-11-20 | 1 | -0/+12
  Resolves: https://fedorahosted.org/sssd/ticket/2448
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Disable token groups by default | Lukas Slebodnik | 2014-11-12 | 2 | -2/+2
  We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider (if remote server is Active Directory), but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them.

  Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider.

  Resolves: https://fedorahosted.org/sssd/ticket/2483
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)
* Revert "LDAP: Change defaults for ldap_user/group_objectsid" | Lukas Slebodnik | 2014-11-10 | 2 | -6/+6
  This reverts commit 29e5b5d17d9700022958bf1f59bb861cdf68bb57.

  OpenLDAP server cannot dereference unknown attributes. The attribute objectSID isn't in any standard objectclass on OpenLDAP server. This is a reason why objectSID cannot be set by default in rfc2307 map and rfc2307bis map.

  It is the same problem as using non standard attribute "nsUniqueId" in ticket https://fedorahosted.org/sssd/ticket/2383

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: use ipaUserGroup object class for groups | Pavel Březina | 2014-11-05 | 1 | -1/+1
  dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class of IPA groups from posixGroups to more general groupOfNames. However, this object class is used also for roles, permissions and privileges which caused SSSD to consider those objects to be groups as well during initgroups.

  Resolves: https://fedorahosted.org/sssd/ticket/2471
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 3937736546e2a4b7cccc58fded3efdff9ae690fc)
* LDAP: Change defaults for ldap_user/group_objectsid | Michal Zidek | 2014-10-23 | 2 | -6/+6
  Fixes:
  https://fedorahosted.org/sssd/ticket/2361
  https://fedorahosted.org/sssd/ticket/2472

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit f834f712548db811695ea0fd6d6b31d3bd03e2a3)
* IPA: Use GC for group lookups in server mode | Jakub Hrozek | 2014-09-25 | 1 | -5/+9
  https://fedorahosted.org/sssd/ticket/2412

  Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
* Updating the translations for the 1.11.7 release [sssd-1_11_7] | Jakub Hrozek | 2014-09-17 | 15 | -11831/+12827
* Use the alternative objectclass in group maps. | Michal Zidek | 2014-09-15 | 7 | -29/+117
  Use the alternative group objectclass in queries.

  Fixes: https://fedorahosted.org/sssd/ticket/2436
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee)
* Add alternative objectClass to group attribute maps | Michal Zidek | 2014-09-15 | 4 | -1/+7
  In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA.

  Fixes: https://fedorahosted.org/sssd/ticket/2436
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 6f91c61426c8cfbfec52d5e77ae4650007694e69)
* Ignore referrals in deref and ASQ, too | Jakub Hrozek | 2014-09-11 | 1 | -2/+18
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Skip dereferenced entries that we are not permitted to read | Jakub Hrozek | 2014-09-08 | 2 | -4/+11
  https://fedorahosted.org/sssd/ticket/2421

  In case we dereference an entry, for which we have /some/ permissions for reading, but we only request attributes that we can't access, the dereference control only returns the DN.

  This is also the case with the current version of 389DS for cases where no entries at all are readable. In this case, the server should not return the DN at all, though. This DS bug was tracked as https://fedorahosted.org/389/ticket/47885

  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 2284e50c801a53541016eb9a5af00d1250d36afb)
* AD: process non-posix nested groups using tokenGroups | Pavel Reichl | 2014-09-08 | 1 | -8/+1
  When initgr is performed for AD supporting tokenGroups, do not skip non-posix groups.

  Resolves: https://fedorahosted.org/sssd/ticket/2343
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 4932db6258ccfb612a3a28eb6a618c2f042b9d58)
* AD: process non-posix nested groups w/o tokenGroups | Pavel Reichl | 2014-09-08 | 1 | -5/+1
  When initgr is performed for AD not supporting tokenGroups, do not filter out groups without gid attribute or with gid equal to zero.

  Resolves: https://fedorahosted.org/sssd/ticket/2343
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit 981bf55532fbec91a106f82d7daf32094c76dfe0)
* IPA: process non-posix nested groups | Pavel Reichl | 2014-09-08 | 2 | -2/+2
  Do not expect objectClass to be posixGroup but rather more general groupofnames.

  Resolves: https://fedorahosted.org/sssd/ticket/2343
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  (cherry picked from commit bc8c93ffe881271043492c938c626a9be948000e)
* Add user lookup and session dependencies to systemd service file. | Ian Lee | 2014-09-08 | 1 | -0/+3
  https://bugzilla.redhat.com/show_bug.cgi?id=1088619

  Before permitting user sessions sssd should be running. This also correctly orders shutdown of sssd after the user sessions.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit ea0a71921ea396f5cc0e9e20d9a2aafc681b3eb9)
* LDAP: Ignore returned referrals if referral support is disabled | Jakub Hrozek | 2014-09-02 | 3 | -1/+14
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
* Replace space: add some checks | Sumit Bose | 2014-09-01 | 4 | -7/+33
  This patch adds some additional checks if the option for replacing spaces in user and group names is used.

  When replacing space with the replacement character it is checked if the name already contains the replacement character. If it does the unmodified name is returned because in this case a reverse operation would not be possible.

  For the reverse operation it is checked if the input contains both a space and the replacement character. If this is true the unmodified name is returned as well, because we have to assume that it is the original name because otherwise it wouldn't contain both characters.

  Additionally a shortcut if the replacement character is a space and tests for the new checks are added. The man page is updated accordingly.

  Related to https://fedorahosted.org/sssd/ticket/1854 and https://fedorahosted.org/sssd/ticket/2397 .

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 92d19f76449817dfb125da9510d478a30eed37bc)
* LDAP: Enable tokenGroups with Windows Server 2003 | Jakub Hrozek | 2014-09-01 | 1 | -2/+2
  According to Microsoft documentation, the tokenGroups attribute is available since Windows 2000:
  http://msdn.microsoft.com/en-us/library/cc220937.aspx

  We were not able to test against Windows 2000, though, as we don't have that OS around, so this patch only changes the compatibility level to 2003.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9)
* LDAP: Fall back to functional level of Windows Server 2003 | Jakub Hrozek | 2014-09-01 | 1 | -1/+2
  The newest functional level we branch for is currently DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for Windows server 2003 ends in 2015) we can safely set the functional level to 2003 if the attribute is present but not a known value.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 0fafb51756913e78dbf523a69fc3a4ef2bac54ec)
* LDAP: Add Windows Server 2012 R2 functional level | Jakub Hrozek | 2014-09-01 | 2 | -1/+3
  https://fedorahosted.org/sssd/ticket/2418

  According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a Windows Server 2012 R2 has a functional level set to '6'. We need to support that value in order for tokenGroups to be functional.

  For more information on the functional levels, please refer to:
  http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 9ea0969f6a9e52b7c57feb5808266b0739ee40a4)
* MAN: options 'lockout' and 'ldap_pwdlockout_dn' | Pavel Reichl | 2014-08-27 | 1 | -0/+27
  Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: account lockout to restrict access via ssh key | Pavel Reichl | 2014-08-27 | 3 | -0/+568
  Be able to configure sssd to honor openldap account lock to restrict access via ssh key.

  Introduce new ldap_access_order value ('lock') for enabling/disabling this feature.

  Account is considered locked if pwdAccountLockedTime attribute has value of 000001010000Z.

  ------------------------------------------------------------------------
  Quotation from man slapo-ppolicy:

  pwdAccountLockedTime
    This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
  ------------------------------------------------------------------------

  Also set default value for sdap_pwdlockout_dn to cn=ppolicy,ou=policies,${search_base}

  Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: new option - DN to ppolicy on LDAP | Pavel Reichl | 2014-08-27 | 8 | -0/+8
  To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set.

  Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: refactor AC offline checks | Pavel Reichl | 2014-08-27 | 1 | -9/+12
  Prepare code for other access control checks.
* SDAP: don't log error on access denied | Pavel Reichl | 2014-08-27 | 1 | -1/+6
  Don't log error if access is denied in function sdap_access_done().

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: refactor sdap_access_filter_done | Pavel Reichl | 2014-08-27 | 1 | -18/+37
  As preparation for ticket #2364 move code from sdap_access_filter_done() into sdap_access_done() to make its reuse possible and thus avoid code duplication.

  Rename check_next_rule() to sdap_access_check_next_rule().

  Update definition order of tevent-using functions by time of execution.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: nitpicks in sdap_access_filter_get_access_done | Pavel Reichl | 2014-08-27 | 1 | -7/+5
  Fixed typo and replaced duplicated string by macro definition.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: refactor sdap_access_filter_send | Pavel Reichl | 2014-08-27 | 1 | -16/+30
  As preparation for ticket #2364 separate code for parsing user basedn to a new function sdap_get_basedn_user_entry().

  We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: split sdap_access_filter_get_access_done | Pavel Reichl | 2014-08-27 | 1 | -20/+39
  As a preparation for ticket #2364 separate code for storing user bool values into sysdb to a new function sdap_save_user_cache_bool().

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Update groups for user just once. | Lukas Slebodnik | 2014-08-26 | 1 | -20/+78
  The function sdap_ad_tokengroups_update_members finds the differences between list of groups from sysdb and list of groups from LDAP (input argument). For each new group, connections are created between user and group. The other connections are removed.

  The problem was that in some cases function sdap_ad_tokengroups_update_members was called twice (sdap_ad_tokengroups_initgr_posix_tg_done and sdap_ad_tokengroups_initgr_posix_sids_done). The first call created connection between user and groups resolved from tokengroups and the second call updated groups from missing SIDs, but previously created connections were removed. The worst case was when there weren't any missing groups. This behaviour caused missing groups in some cases (for users in child ad domain)

  This patch joins array of groups obtained from token group and array of groups obtained from missing SIDs. The function sdap_ad_tokengroups_update_members is called just once with single array.

  Resolves: https://fedorahosted.org/sssd/ticket/2407
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 99f53d551a1db5d8023b4271eb691d554257624c)
* SDAP: Use different talloc_context for array of names | Lukas Slebodnik | 2014-08-26 | 1 | -1/+1
  It will be easier to steal whole array to another talloc context

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 174e9ec6f88d709b6e9481ed06a322c0fc495842)
* SDAP: Immediately finish request for empty array | Lukas Slebodnik | 2014-08-26 | 1 | -1/+1
  If array of sids is empty we needn't try to resolve them and we can immediately finish request in function sdap_ad_resolve_sids_send

  This patch is just a small optimisation.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 21f2821a4420291c8eb3ee9d427e9e1b0a1d9989)
* LDAP: Use randomized ccname for storing credentials | Jakub Hrozek | 2014-08-26 | 1 | -5/+39
  https://fedorahosted.org/sssd/ticket/2410

  If two ldap_child processes attempt to prime the ccache at the same time for the same domain, the ldap_child might fail with:
  [ldap_child_get_tgt_sync] (0x0040): Failed to init ccache: Internal credentials cache error
  [main] (0x0020): ldap_child_get_tgt_sync failed.

  To avoid the race-condition, the ldap_child process now creates the ccache randomized and before returning to the caller, renames the randomized ccache to a permanent one.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use tmp_ctx in ldap_child for temporary data | Jakub Hrozek | 2014-08-26 | 1 | -7/+15
  Using a global memory context for short-lived private data might lead to memory growth.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Don't add a user member twice when adding a primary group | Jakub Hrozek | 2014-08-26 | 1 | -5/+33
  https://fedorahosted.org/sssd/ticket/2406

  In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships.

  Our code errored out in the rare case when the user was *also* an LDAP member of his primary group.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Split out linking primary group members into a separate function | Jakub Hrozek | 2014-08-26 | 1 | -7/+16
  The function sdap_fill_memberships did several tasks. It's more readable to split linking the primary members into a separate function.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Do not shortcut on ret != EOK during password expiry check | Jakub Hrozek | 2014-08-22 | 1 | -15/+0
  https://fedorahosted.org/sssd/ticket/2323

  The functions that check for password expiration can return non-zero return codes not only on internal failure, but also to indicate that the password was expired. The code would in this case shortcut in the error handler instead of making its way to the switch-case code below that translates the SSSD error codes into PAM error codes.

  We don't lose the error reporting, because any internal error would translate into PAM_SYSTEM_ERROR anyway.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  (cherry picked from commit 06ba69972e6728f97f5adbcc3cc4df811a831f53)
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors | Nalin Dahyabhai | 2014-08-22 | 1 | -0/+2
  When we have difficulty setting up an sss_cli_mc_ctx structure, we try to clean things up so that we'll be ready to try again the next time we're called. Part of that is closing the descriptor of the file if we've opened it and using memset() to clear the structure.

  Now that sss_nss_mc_get_ctx() does its work in two phases, and each one may end up doing the cleanup, each needs to be careful to reset the descriptor field so that the new value provided by memset() (0) isn't mistakenly treated as a file which should be closed by the other.

  Resolves: https://fedorahosted.org/sssd/ticket/2409
  Reviewed-by: Simo Sorce <simo@redhat.com>
  (cherry picked from commit 5a4df83d769ace54f92513f0be78e753e0985a25)