<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/providers/ad, branch sudo</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/'/>
<entry>
<title>GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found</title>
<updated>2017-10-05T18:01:43+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2017-09-20T20:26:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=381bc154ef06fd3cc0660ce0fd62504367f420f5'/>
<id>381bc154ef06fd3cc0660ce0fd62504367f420f5</id>
<content type='text'>
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().

This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().

This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>UTIL: Set udp_preference_limit=0 in krb5 snippet</title>
<updated>2017-08-14T13:26:29+00:00</updated>
<author>
<name>Petr Čech</name>
<email>pcech@redhat.com</email>
</author>
<published>2017-03-28T12:35:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=6bd6571dfe97fb9c6ce9040c3fcfb4965f95eda1'/>
<id>6bd6571dfe97fb9c6ce9040c3fcfb4965f95eda1</id>
<content type='text'>
We add udp_preference_limit = 0 to krb5 snippet if ad provider is
used. This option enables TCP connection before UDP, when sending
a message to the KDC.

Resolves:
https://pagure.io/SSSD/sssd/issue/3254

Signed-off-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Robbie Harwood &lt;rharwood@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We add udp_preference_limit = 0 to krb5 snippet if ad provider is
used. This option enables TCP connection before UDP, when sending
a message to the KDC.

Resolves:
https://pagure.io/SSSD/sssd/issue/3254

Signed-off-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Robbie Harwood &lt;rharwood@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix minor typos</title>
<updated>2017-07-26T15:46:11+00:00</updated>
<author>
<name>Yuri Chornoivan</name>
<email>yurchor@ukr.net</email>
</author>
<published>2017-07-26T13:45:35+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=77e5c3fc26085f18277a70ffbd6351a8130963e7'/>
<id>77e5c3fc26085f18277a70ffbd6351a8130963e7</id>
<content type='text'>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ad_account_can_shortcut: shortcut if ID is unknown</title>
<updated>2017-07-25T08:48:55+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2017-07-20T18:01:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=a406b52a0d20e0ec502f52d63dee293636d1443a'/>
<id>a406b52a0d20e0ec502f52d63dee293636d1443a</id>
<content type='text'>
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.

Resolves https://pagure.io/SSSD/sssd/issue/3452

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.

Resolves https://pagure.io/SSSD/sssd/issue/3452

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SDAP: Add sdap_domain_copy_search_bases</title>
<updated>2017-07-11T10:09:48+00:00</updated>
<author>
<name>Michal Židek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2017-06-21T11:01:40+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=386c5f2e134beb6fcfc474f347e226ac0dedfef5'/>
<id>386c5f2e134beb6fcfc474f347e226ac0dedfef5</id>
<content type='text'>
Add function to copy search bases from one sdap_domain to
another.

Resolves:
https://pagure.io/SSSD/sssd/issue/3435

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add function to copy search bases from one sdap_domain to
another.

Resolves:
https://pagure.io/SSSD/sssd/issue/3435

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SDAP: Update parent sdap_list</title>
<updated>2017-06-21T09:36:51+00:00</updated>
<author>
<name>Michal Židek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2017-06-14T17:02:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=630aea13063c4b242b3433d16ca4346a1a38429b'/>
<id>630aea13063c4b242b3433d16ca4346a1a38429b</id>
<content type='text'>
Update parent sdap_list with newly created subdomain sdap domain.

Previously, we inherited the parent sdap_list and used it also in the
subdomain's context (this was introduced recently with commit
c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems
that were difficult to debug (we somewhere rewrite part of the list
incorrectly).

This patch reverses to the previous behavior, where every subdomain
has its own sdap_list, however this time the parent domain's
sdap_list is updated so that it has correct information about
search bases of the child domains.

We should ideally have just one sdap_list to avoid the updating
completely, but this would require more refactoring in the sdap
code.

Resolves:
https://pagure.io/SSSD/sssd/issue/3421

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Update parent sdap_list with newly created subdomain sdap domain.

Previously, we inherited the parent sdap_list and used it also in the
subdomain's context (this was introduced recently with commit
c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems
that were difficult to debug (we somewhere rewrite part of the list
incorrectly).

This patch reverses to the previous behavior, where every subdomain
has its own sdap_list, however this time the parent domain's
sdap_list is updated so that it has correct information about
search bases of the child domains.

We should ideally have just one sdap_list to avoid the updating
completely, but this would require more refactoring in the sdap
code.

Resolves:
https://pagure.io/SSSD/sssd/issue/3421

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GPO: Fix typo in DEBUG message</title>
<updated>2017-06-21T09:35:59+00:00</updated>
<author>
<name>Michal Židek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2017-06-07T12:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=b1d34059533eb50f6e5a4ac7b6fa1bb6fa60a445'/>
<id>b1d34059533eb50f6e5a4ac7b6fa1bb6fa60a445</id>
<content type='text'>
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>AD SUBDOMAINS: Fix search bases for child domains</title>
<updated>2017-05-19T14:43:46+00:00</updated>
<author>
<name>Michal Židek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2017-05-09T09:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=c4ddb9ccab670f9c0d0377680237b62f9f91c496'/>
<id>c4ddb9ccab670f9c0d0377680237b62f9f91c496</id>
<content type='text'>
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.

There were a few issues all of which are fixed in this small
patch.

First problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domains lists that were disconnected
from the parent context and never used.

Second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused that child domains always used
automatically detected search bases and never used the configured
ones even though they were properly read into the ID options
context attached to the subdomain.

Also there has been an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which caused that
only the main domain and the last child domain had proper
search bases, the others only the auto-discovered ones
(because they were overwritten with the 'update').

Resolves:
https://pagure.io/SSSD/sssd/issue/3397

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.

There were a few issues all of which are fixed in this small
patch.

First problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domains lists that were disconnected
from the parent context and never used.

Second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused that child domains always used
automatically detected search bases and never used the configured
ones even though they were properly read into the ID options
context attached to the subdomain.

Also there has been an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which caused that
only the main domain and the last child domain had proper
search bases, the others only the auto-discovered ones
(because they were overwritten with the 'update').

Resolves:
https://pagure.io/SSSD/sssd/issue/3397

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>AD: Add debug messages</title>
<updated>2017-05-19T14:43:41+00:00</updated>
<author>
<name>Michal Židek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2017-05-04T13:10:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=b4ca0da4d8d70bcfbd4f809f3b3b094d43d64cfc'/>
<id>b4ca0da4d8d70bcfbd4f809f3b3b094d43d64cfc</id>
<content type='text'>
Add debug messages when 1way or 2way trusts are created.

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add debug messages when 1way or 2way trusts are created.

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>AD: Make ad_account_can_shortcut() reusable by SSSD on an IPA server</title>
<updated>2017-05-02T14:55:18+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2017-04-24T08:13:44+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=dfe05f505dcfea16e7d66ca1a44206aa2570e861'/>
<id>dfe05f505dcfea16e7d66ca1a44206aa2570e861</id>
<content type='text'>
Resolves:
    https://pagure.io/SSSD/sssd/issue/3318

The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.

This function was only used in the AD provider functions which are used
when SSSD is enrolled directly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.

Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as a struct (previously the
domain name from the DP input was passed).

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Resolves:
    https://pagure.io/SSSD/sssd/issue/3318

The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.

This function was only used in the AD provider functions which are used
when SSSD is enrolled directly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.

Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as a struct (previously the
domain name from the DP input was passed).

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
