sssd.git/src/providers, branch master Unnamed repository; edit this file 'description' to name the repository. IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier 2017-04-24T08:21:24+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-21T10:39:44+00:00 ef019268d2d112ebff3577e551cd19478d73d93b There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client. This patch just improves the DEBUG message so that it's clearer for the admins where the issue is. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.

This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
DP: Fix typo 2017-04-06T12:36:43+00:00 Pavel Březina pbrezina@redhat.com 2017-04-06T09:23:43+00:00 6a611406e805a1707ca0b9e86b6aa96e02e43ecc Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
selinux: Do not fail if SELinux is not managed 2017-04-06T11:41:33+00:00 Michal Židek mzidek@redhat.com 2017-02-08T11:01:37+00:00 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 Previously we failed if semanage_is_managed returned 0 or -1 (not managed or error). With this patch we only fail in case of error and continue normally if selinux is not managed by libsemanage at all. Resolves: https://fedorahosted.org/sssd/ticket/3297 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.

Resolves:
https://fedorahosted.org/sssd/ticket/3297

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ipa_s2n_get_acct_info_send: provide correct req_input name 2017-04-03T14:07:45+00:00 Pavel Březina pbrezina@redhat.com 2017-04-03T10:09:44+00:00 b07bcd8b99590bd404733fa7ff1add37c55126bc To avoid crash. Resolves: https://pagure.io/SSSD/sssd/issue/3358 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
To avoid crash.

Resolves:
https://pagure.io/SSSD/sssd/issue/3358

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
KRB5: Authenticate users in a non-POSIX domain using a MEMORY ccache 2017-03-30T12:10:16+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-22T12:01:18+00:00 861ab44e8148208425b67c4711bc8fade10fd3ed Related to: https://pagure.io/SSSD/sssd/issue/3310 The following changes were done to the Kerberos authentication code in order to support authentication in a non-POSIX environment: - delayed authentication is disabled in non-POSIX domains - when a user logs in in a non-POSIX domain, SSSD uses a MEMORY:$username ccache and destroys is then krb5_child finishes so that just the numeric result is used - krb5_child doesn't drop privileges in this configuration because there is nothing to drop privileges to Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

The following changes were done to the Kerberos authentication code
in order to support authentication in a non-POSIX environment:
    - delayed authentication is disabled in non-POSIX domains
    - when a user logs in in a non-POSIX domain, SSSD uses a
      MEMORY:$username ccache and destroys is then krb5_child finishes
      so that just the numeric result is used
    - krb5_child doesn't drop privileges in this configuration because
      there is nothing to drop privileges to

Reviewed-by: Sumit Bose <sbose@redhat.com>
LDAP: Relax search filters in application domains 2017-03-30T12:10:11+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-22T12:06:14+00:00 3e39806177e1cd383743ff596cb96df44a6ce8c9 Related to: https://pagure.io/SSSD/sssd/issue/3310 If a request comes towards an application domain, we can drop the part of the filter that asserts that the object has a valid UID/GID. Instead, we just search by name. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

If a request comes towards an application domain, we can drop the part
of the filter that asserts that the object has a valid UID/GID. Instead,
we just search by name.

Reviewed-by: Sumit Bose <sbose@redhat.com>
LDAP: save non-POSIX users in application domains 2017-03-30T12:10:06+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-22T12:06:08+00:00 ed0cdfcacc44e4e13e1524e254efa744610a87c2 Related to: https://pagure.io/SSSD/sssd/issue/3310 If a user being saved by the LDAP provider does not have a UID or GID and the domain type is application, we save the user entry as non-POSIX. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

If a user being saved by the LDAP provider does not have a UID or GID
and the domain type is application, we save the user entry as non-POSIX.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: enable AD user lookup by certificate 2017-03-29T13:09:51+00:00 Sumit Bose sbose@redhat.com 2017-03-24T14:41:37+00:00 82843754193b177275ce16f2901edac2060a3998 Without this the lookup by certificate for AD users on an IPA client will just error out. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Without this the lookup by certificate for AD users on an IPA client
will just error out.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: lookup AD users by certificates on IPA clients 2017-03-29T13:09:48+00:00 Sumit Bose sbose@redhat.com 2017-03-24T14:40:41+00:00 2cf7becc05996eb6d8a3352d3d7b97c75652e590 Get a list of users mapped to a certificate back from the IPA server, look them up and store them together with the certificate used for the search as mapped attribute to the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Get a list of users mapped to a certificate back from the IPA server,
look them up and store them together with the certificate used for the
search as mapped attribute to the cache.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: add mapped attributes to user from trusted domains 2017-03-29T13:09:44+00:00 Sumit Bose sbose@redhat.com 2017-03-22T13:13:05+00:00 415d93196533a6fcd90889c67396ef5af5bf791a Allow the usage of the mapped attribute for the lookup of AD users on IPA clients as already used for the normal LDAP lookup. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Allow the usage of the mapped attribute for the lookup of AD users on
IPA clients as already used for the normal LDAP lookup.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>