sssd.git/src/providers, branch token3 System Security Services Daemon [okos' clone] AD: Enable TokenGroups initgroups lookup 2013-09-11T16:03:53+00:00 Ondrej Kos okos@redhat.com 2013-09-03T10:27:17+00:00 3d58b3e8c6f4dca1582634a46f59c5144261609d This is first implementation of getting TokenGroups lookup working. If all of the group SIDs that are fetched via the users TokenGroups attribute are in sysdb, the membership is processed this way. If any of the groups is missing in the cache, it falls back to rfc2307bis initgroups lookup. Resolves: https://fedorahosted.org/sssd/ticket/1568 
This is first implementation of getting TokenGroups lookup working.

If all of the group SIDs that are fetched via the users TokenGroups
attribute are in sysdb, the membership is processed this way. If any of
the groups is missing in the cache, it falls back to rfc2307bis
initgroups lookup.

Resolves:
https://fedorahosted.org/sssd/ticket/1568
LDAP: Make sdap_add_incomplete_groups public 2013-09-11T16:03:53+00:00 Ondrej Kos okos@redhat.com 2013-09-11T15:35:51+00:00 52de962038d8b226ee3313a357aab1d859848cca Explanation Resolves: https://fedorahosted.org/sssd/ticket/XXXX 
Explanation

Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
LDAP: move sdap_get_initgr_state structure to private header 2013-09-11T16:03:53+00:00 Ondrej Kos okos@redhat.com 2013-09-03T11:20:41+00:00 009464c491a53b1207643483db22dd0d244d94ba 






is_dn(): free dn
2013-09-10T15:37:26+00:00

Pavel Březina
pbrezina@redhat.com

2013-09-10T12:09:08+00:00

114c1ed8ec72b43f04527b4f3b4f0940c1fb2c54












krb5: Fix warning sometimes uninitialized
2013-09-10T15:32:33+00:00

Lukas Slebodnik
lslebodn@redhat.com

2013-09-10T08:07:51+00:00

c1f94194a9fee8582a0af3b151b4f2b14fa1019a

warning: variable 'ret' is used uninitialized whenever
'if' condition is false
    if (kerr) {
        ^~~~





warning: variable 'ret' is used uninitialized whenever
'if' condition is false
    if (kerr) {
        ^~~~







krb5_child: Simplify ccache creation
2013-09-09T19:11:46+00:00

Simo Sorce
simo@redhat.com

2013-09-03T03:52:46+00:00

a6a0d4edebccd3cf04f9813fc65185845626b5d4

The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreate the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.

Resolves:
https://fedorahosted.org/sssd/ticket/2061





The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreate the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.

Resolves:
https://fedorahosted.org/sssd/ticket/2061







krb5: Add file/dir path precheck
2013-09-09T19:11:46+00:00

Simo Sorce
simo@redhat.com

2013-08-31T18:21:22+00:00

14050f35224360883e20ebd810d3eb40f39267cf

Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.

While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.

With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:

First it would actually create a directory with the old name, when it
should not.

Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.

Related:
https://fedorahosted.org/sssd/ticket/2061





Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.

While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.

With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:

First it would actually create a directory with the old name, when it
should not.

Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.

Related:
https://fedorahosted.org/sssd/ticket/2061







krb5: Remove unused ccache backend infrastructure
2013-09-09T19:11:46+00:00

Simo Sorce
simo@redhat.com

2013-08-31T00:11:42+00:00

d20a5a74666413cadbf64c02eb656a5a3b4bb1de

Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.

Resolves:
https://fedorahosted.org/sssd/ticket/2061





Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.

Resolves:
https://fedorahosted.org/sssd/ticket/2061







krb5: Unify function to create ccache files
2013-09-09T19:11:46+00:00

Simo Sorce
simo@redhat.com

2013-08-30T21:25:01+00:00

1c022b3556f442f57326c4a3f250128b1bd232ae

Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.

Consolidate all in one common function and use that function directly
where needed instead of using indirection.

Resolves:
https://fedorahosted.org/sssd/ticket/2061





Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.

Consolidate all in one common function and use that function directly
where needed instead of using indirection.

Resolves:
https://fedorahosted.org/sssd/ticket/2061







krb5: Use new function to validate ccaches
2013-09-09T19:11:45+00:00

Simo Sorce
simo@redhat.com

2013-08-30T20:35:43+00:00

84ce563e3f430eec1225a6f8493eb0a6c9a3013a

This function replaces and combines check_for_valid_tgt() and type specific
functions that checked for ccache existence by using generic krb5 cache
function and executing them as the target user (implicitly validate the
target use rcan properly access the ccache).

Resolves:
https://fedorahosted.org/sssd/ticket/2061





This function replaces and combines check_for_valid_tgt() and type specific
functions that checked for ccache existence by using generic krb5 cache
function and executing them as the target user (implicitly validate the
target use rcan properly access the ccache).

Resolves:
https://fedorahosted.org/sssd/ticket/2061