sssd.git/src/responder, branch token System Security Services Daemon [okos' clone] PAC: Skip SIDs that cannot be resolved to domain 2013-08-26T09:49:17+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-25T13:22:36+00:00 59a95122d6bf4e271e79443cfc8caab5831c2ae3 






PAC: use SID instead of GID to search for groups
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T16:29:48+00:00

05cf2b70adde257df3657f449635c917b0e96a52

With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.





With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.







PAC: do not fail if a single group cannot be added/removed
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T14:56:06+00:00

76916fe11832bcd84e033c0cc2329def278d642d

When processing a list of groups we try to process as much as possible
only not stop on the first error.





When processing a list of groups we try to process as much as possible
only not stop on the first error.







PAC: read user DN instead of constructing it
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T12:09:42+00:00

5aab4d1092681508cdf32777efdb2a7e5e6e3f0a

To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.





To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.







PAC: handle non-POSIX groups in cache
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T10:35:12+00:00

e5aa9ba0df9f30e32a86453727beabed8a9e4e27

Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.





Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.







PAC: do not create users with missing GID
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-06T09:10:10+00:00

5c28b1bdb9f180590bdfec947bd2df52351912a8

If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.





If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.







PAC: if user entry already exists keep it
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-01T10:40:24+00:00

1e9930690691360d8963eecea4918b36b6d51013

Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.

Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.

The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996





Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.

Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.

The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996







pam: Bad debug message format and parameter.
2013-08-22T18:11:51+00:00

Michal Zidek
mzidek@redhat.com

2013-08-20T13:35:15+00:00

8f1ba6b89634aebdb7fa2dff72aeed9b3058c765












mmap_cache: Use sss_atomic_write_s instead of write.
2013-08-22T17:42:31+00:00

Michal Zidek
mzidek@redhat.com

2013-08-21T13:26:36+00:00

1f7fb30cc25765e54841e5d5f4192c12e3b29a16

Use sss_atomic_write_s() instead of write() in
sss_mc_save_corrupted(). Also unlink() the file if no data
were written.

It is better to use sss_atomic_write_s instead of write





Use sss_atomic_write_s() instead of write() in
sss_mc_save_corrupted(). Also unlink() the file if no data
were written.

It is better to use sss_atomic_write_s instead of write







mmap_cache: Store corrupted mmap cache before reset
2013-08-19T20:24:41+00:00

Michal Zidek
mzidek@redhat.com

2013-08-12T14:23:59+00:00

f9091077bfbb09f052d08e25ac5e00af0baa6dfb

This patch adds function to store corrupted mmap cache file to
disk for further analysis.





This patch adds function to store corrupted mmap cache file to
disk for further analysis.