sssd.git/src/providers/ipa, branch sudo Unnamed repository; edit this file 'description' to name the repository. IPA: sanitize name in override search filter 2017-10-18T10:35:59+00:00 Sumit Bose sbose@redhat.com 2017-10-16T09:47:46+00:00 c2dec0dc740ba426f26563563c0aea3a38f3c3c1 Resolves: https://pagure.io/SSSD/sssd/issue/3545 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Resolves:
https://pagure.io/SSSD/sssd/issue/3545

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
IPA: fix handling of certmap_ctx 2017-09-14T14:57:09+00:00 Sumit Bose sbose@redhat.com 2017-09-06T14:42:20+00:00 f2e70ec742cd7aab82b74d7e4b424ba3258da7aa This patch fixes a use-after-free in the AD provider part and initializes the certmap_ctx with data from the cache at startup. Related to https://pagure.io/SSSD/sssd/issue/3508 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.

Related to https://pagure.io/SSSD/sssd/issue/3508

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: check if IPA hostname is fully qualified 2017-09-13T19:03:26+00:00 AmitKumar amitkuma@redhat.com 2017-08-10T14:43:49+00:00 efa0a019f1ede87bcdd4668e70c768b222c30167 Some users change the IPA hostname post-install which results in strange bugs. Code change make sure that the ipa_hostname contains at least one domain component. Resolves: https://pagure.io/SSSD/sssd/issue/1946 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Some users change the IPA hostname post-install which results in
strange bugs. Code change make sure that the ipa_hostname contains
at least one domain component.

Resolves: https://pagure.io/SSSD/sssd/issue/1946

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
ipa: make sure view name is initialized at startup 2017-09-06T14:28:26+00:00 Sumit Bose sbose@redhat.com 2017-08-31T20:30:25+00:00 f00591a4615720640cf01b1c408315b57dd397dc sysdb_master_domain_update() can only set the view name properly if it was not set before but it might be called multiple times before the view name is available if the cache is empty. Since ipa_apply_view() keeps track if the view name was already set at startup or not the name can safely be cleaned here before sysdb_master_domain_update() is called. Resolves: https://pagure.io/SSSD/sssd/issue/3501 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sysdb_master_domain_update() can only set the view name properly if it was not
set before but it might be called multiple times before the view name is
available if the cache is empty. Since ipa_apply_view() keeps track if
the view name was already set at startup or not the name can safely be
cleaned here before sysdb_master_domain_update() is called.

Resolves:
https://pagure.io/SSSD/sssd/issue/3501

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SELINUX: Use getseuserbyname to get IPA seuser 2017-09-06T06:17:53+00:00 Justin Stephenson jstephen@redhat.com 2017-03-09T22:21:37+00:00 cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce The libselinux function getseuserbyname is more reliable method to retrieve SELinux usernames then functions from libsemanage `semanage_user_query` and is recommended by libsemanage developers. Replace get_seuser function with getseuserbyname. Resolves: https://pagure.io/SSSD/sssd/issue/3308 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Petr Lautrbach <plautrba@redhat.com> 
The libselinux function getseuserbyname is more reliable method to retrieve
SELinux usernames then functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.

Resolves:
https://pagure.io/SSSD/sssd/issue/3308

Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
IPA: Use sysdb_search_*_by_orig_dn() in _subdomains_ext_group.c 2017-09-05T09:13:57+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-02T12:16:30+00:00 59db26782d052ddbec633279d08e8627ca57fd41 Methods for searching the users, groups and entries by their orig dn have been introduced in one of the previous commit. Let's make use of those whenever it makes sense. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.

Let's make use of those whenever it makes sense.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: Use sysdb_search_*_by_orig_dn() _hbac_users.c 2017-09-05T09:13:31+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-02T11:31:43+00:00 a5e9d34fd39c0061ca284674a6fd7cad05c6056c Methods for searching the users, groups and entries by their orig dn have been introduced in one of the previous commit. Let's make use of those whenever it makes sense. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.

Let's make use of those whenever it makes sense.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: Only generate kdcinfo files on clients 2017-09-04T14:41:46+00:00 Jakub Hrozek jhrozek@redhat.com 2017-08-15T08:20:28+00:00 a309525cc47da726461aec1f238165c17aade2a6 In some cases, IPA masters end up having a broken SSSD configuration that also includes the SRV records. This can cause the kdcinfo files to point to a different master which uses a different PKINIT certificate which is only valid for that IPA master. This can result e.g. in webui not working. This patch prevents the kdcinfo files from being generated on the IPA masters, but keep generating them on the clients. Not generating kdcinfo files on masters has no negative performance impact, because libkrb5 is configured via krb5.conf to point to self anyway. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
In some cases, IPA masters end up having a broken SSSD configuration
that also includes the SRV records. This can cause the kdcinfo files to
point to a different master which uses a different PKINIT certificate
which is only valid for that IPA master. This can result e.g. in webui
not working.

This patch prevents the kdcinfo files from being generated on the IPA
masters, but keep generating them on the clients.

Not generating kdcinfo files on masters has no negative performance
impact, because libkrb5 is configured via krb5.conf to point to self
anyway.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Reword the DEBUG message about SRV resolution on IDM masters 2017-09-04T14:41:27+00:00 Jakub Hrozek jhrozek@redhat.com 2017-08-15T07:40:22+00:00 cd2b8fd423c5b6fbc3b9a466a5dedafd06362116 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Only attempt migration for the joined domain 2017-09-01T16:21:10+00:00 Jakub Hrozek jhrozek@redhat.com 2017-06-13T10:26:51+00:00 45e322191c7aa9390798b64ccb158ee800489945 After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1 to fix ticket #3394, the PAM_CRED_ERR error would try to start migration for any account. Further down the request, a sysdb search would try to find the user in the joined domain only because the migration code presumes the user is in the IPA domain which would error out and return System Error to the PAM client. This patch changes the migration somewhat to only attempt the migration for IPA users. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1
to fix ticket #3394, the PAM_CRED_ERR error would try to start migration
for any account. Further down the request, a sysdb search would try to find
the user in the joined domain only because the migration code presumes the
user is in the IPA domain which would error out and return System Error
to the PAM client.

This patch changes the migration somewhat to only attempt the migration
for IPA users.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>