| Commit message (Collapse) | Author | Age | Files | Lines |
src/sss_client/libwbclient/wbc_pam_sssd.c: In function ‘wbcAuthenticateUserEx’:
src/sss_client/libwbclient/wbc_pam_sssd.c:52:5: error: statement with no effect [-Werror=unused-value]
WBC_ERR_WINBIND_NOT_AVAILABLE;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pam_sssd.c:53:1: error: control reaches end of non-void function [-Werror=return-type]
}
^
Related to:
https://pagure.io/SSSD/sssd/issue/3461
Reviewed-by: Sumit Bose <sbose@redhat.com>
Samba 4.6 changed the behaviour of a few functions.
The new version of the code makes sure session info for the user is stored in the cache.
It is a performance optimisation to prevent contacting the KDC for each
session. More details in the samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11259
The old return code WBC_SSSD_NOT_IMPLEMENTED was translated
to NT_STATUS_LOGON_FAILURE, which caused many failures.
[2017/08/21 11:34:15.044321, 5, pid=27742, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2017/08/21 11:34:15.044330, 5, pid=27742, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:640(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2017/08/21 11:34:15.044349, 4, pid=27742, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/08/21 11:34:15.044360, 1, pid=27742, effective(0, 0), real(0, 0)]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session
setup: NT_STATUS_LOGON_FAILURE
Resolves:
https://pagure.io/SSSD/sssd/issue/3461
Reviewed-by: Sumit Bose <sbose@redhat.com>
If a large number of rules is expired at one time the LDAP filter may
become too large to be processed by the server. This commit adds a new
option "sudo_threshold" to the sudo responder. If the threshold is
exceeded a full refresh is done instead of a rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
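An added example, not SSSD code, of the decision this commit describes: a rules refresh builds one LDAP filter naming every expired rule, so once the count passes a threshold the responder falls back to a full refresh. The filter shape (an OR over cn= values), the helper names and the threshold values are assumptions for illustration; the RFC 4515 escaping is included because rule names are placed inside a filter string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SSSD code. Models the choice the commit describes:
 * refresh only the expired rules with a per-rule LDAP filter, unless the
 * number of expired rules exceeds a threshold, in which case the filter
 * would be too large and a full refresh is done instead. The filter shape
 * (cn= over rule names) and the sudo_threshold values used below are
 * assumptions for illustration. */

enum refresh_kind { REFRESH_RULES, REFRESH_FULL };

static enum refresh_kind choose_refresh(size_t expired_rules, size_t sudo_threshold)
{
    return expired_rules > sudo_threshold ? REFRESH_FULL : REFRESH_RULES;
}

/* RFC 4515 escaping for a value placed inside an LDAP filter; without it a
 * rule name containing '*', '(' or ')' could change the filter's meaning. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

static size_t escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) n += needs_escape((unsigned char)*s) ? 3 : 1;
    return n;
}

static char *escape_into(char *p, const char *s)
{
    static const char hex[] = "0123456789abcdef";
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (needs_escape(c)) {
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    return p;
}

/* Build "(|(cn=a)(cn=b)...)" for the given rule names. Returns a malloc'd
 * string the caller frees, or NULL on allocation failure. */
static char *build_rules_filter(const char *const *names, size_t n)
{
    size_t len = 3 + 1; /* "(|" + ")" + NUL */
    for (size_t i = 0; i < n; i++) {
        len += 5 + escaped_len(names[i]); /* "(cn=" + value + ")" */
    }
    char *buf = malloc(len);
    if (buf == NULL) return NULL;

    char *p = buf;
    *p++ = '('; *p++ = '|';
    for (size_t i = 0; i < n; i++) {
        memcpy(p, "(cn=", 4); p += 4;
        p = escape_into(p, names[i]);
        *p++ = ')';
    }
    *p++ = ')';
    *p = '\0';
    return buf;
}

/* Plan a refresh: returns the kind, and for a rules refresh also the
 * filter (caller frees). For a full refresh *filter stays NULL. */
static enum refresh_kind plan_refresh(const char *const *expired, size_t n,
                                      size_t sudo_threshold, char **filter)
{
    *filter = NULL;
    if (choose_refresh(n, sudo_threshold) == REFRESH_FULL) {
        return REFRESH_FULL;
    }
    *filter = build_rules_filter(expired, n);
    return REFRESH_RULES;
}

int main(void)
{
    /* constructed sample of expired rule names */
    const char *expired[] = { "admins", "r(1)" };
    char *filter = NULL;
    enum refresh_kind k = plan_refresh(expired, 2, 50, &filter);
    printf("%s: %s\n", k == REFRESH_FULL ? "full" : "rules", filter ? filter : "-");
    free(filter);
    return 0;
}
```

With two expired rules and a threshold of 50 the plan is a rules refresh with the filter `(|(cn=admins)(cn=r\281\29))`; with a threshold of 1 the same input is planned as a full refresh and no filter is built.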
In the cwrap environment, we start sssd_kcm and sssd_secrets ourselves
and not via systemd socket activation. Our approach is to wait a second in
a loop until the socket is available. However, sometimes 1 second is not enough.
The patch increases the wait timeout from 1 second to 10, and it seems to be enough even
when the processes were executed under valgrind.
Traceback (most recent call last):
File "src/tests/intg/test_secrets.py", line 419, in setup_for_cli_timeout_test
return create_sssd_secrets_fixture(request)
File "src/tests/intg/test_secrets.py", line 82, in create_sssd_secrets_fixture
assert os.path.exists(sock_path)
AssertionError: assert False
+ where False = <function exists at 0x7f6c1cf520c8>('/tmp/sssd-intg.cdv0namx/var/run/secrets.socket')
+ where <function exists at 0x7f6c1cf520c8> = <module 'posixpath' from '/usr/lib64/python2.7/posixpath.pyc'>.exists
+ where <module 'posixpath' from '/usr/lib64/python2.7/posixpath.pyc'> = os.path
Resolves:
https://pagure.io/SSSD/sssd/issue/3481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
It was removed from epel
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
We add udp_preference_limit = 0 to the krb5 snippet if the AD provider is
used. This option enables a TCP connection before UDP when sending
a message to the KDC.
Resolves:
https://pagure.io/SSSD/sssd/issue/3254
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
add_remove fails quite often in the enumeration test. The reason for the failures
is not obvious and it will take some time to investigate.
The failures block testing of other patches, therefore it's better to disable the
tests. (pytest runs functions/methods which start with "test".)
Temporary workaround for:
https://pagure.io/SSSD/sssd/issue/3463
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
The warning still makes sense and should be there.
The patch also fixes header guards due to the changed location.
Related to:
https://pagure.io/SSSD/sssd/issue/1898
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Usually it is okay that there are no ghost attributes for a group as it
basically just means that the group either has no members or all members
have been previously fully resolved.
Resolves:
https://pagure.io/SSSD/sssd/issue/3315
Reviewed-by: Michal Židek <mzidek@redhat.com>
The main change is a new member of the wbcAuthErrorInfo struct.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
These are the header files which are used by both client and server:
src/util/io.h
src/util/murmurhash3.h
src/util/util_safealign.h
This patch is about moving these header files to a special folder
(src/shared). It will be easier to identify these headers when looking
for them in the src tree.
util_safealign.h is renamed to safealign.h because the util_ namespace was
appropriate when this file belonged to the util folder, which is no
longer the case.
Resolves:
https://pagure.io/SSSD/sssd/issue/1898
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's ensure that running `make intgcheck-*` doesn't fail when done
locally.
As --with-session-recording=/bin/false is now set in the Makefile.am,
there's no need to set it in contrib/ci/configure.sh. Thus, the option
has been removed from there.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Setting ret as EOK in case everything goes well.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add basic tests for all base combinations of session recording
configuration options.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add exporting of original user shell (as returned by NSS) as an
environment variable for use by tlog-rec-session, when session recording
is enabled for the user. This lets tlog-rec-session start the actual
user shell, after tlog-rec-session is started in its place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
After entries are retrieved by cache_req for user info requests (except
initgr), overlay them with sessionRecording attribute retrieved from an
initgr request made additionally for each entry.
Do not do additional initgr requests with selective session recording
enabled, if we don't have any group names to match against in session
recording configuration. Only do user name matches instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add sessionRecording attribute to user entries on initgr request in data
provider, specifying if the user name or groups match the ones with
session recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Call sysdb_master_domain_update for backend domain upon initialization
to make view information available for later use by session recording
code, which will need to access overridden user and group names.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add loading and storing the override_space configuration option to data
provider. That will be needed for formatting output user and group names
for matching against session recording configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add a macro for sessionRecording attribute to sysdb.h.
To be used for storing a boolean attribute signifying if session
recording is enabled for the user.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add session recording configuration loading to the data provider
initialization. To be used for matching users and groups with session
recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add an util module for loading session recording configuration.
To be used by responders and data provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add support for specifying the shell used for recording user sessions,
at configure time.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".
The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move nss_get_shell_override to common responder utils and rename it to
sss_resp_get_shell_override to make it available to other responders. In
particular let the PAM responder use it to provide the original shell when it is
overridden for session recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move all the shell-related options from the NSS responder context to the
common responder context, so they can be used by other responders for
retrieving the original user shell when it is overridden for session
recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The num_results field in struct cache_req_state was only set in case of
well-known objects, set it also for the regular results for uniformity,
and for later use by session recording code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: N/A
Reviewed-by: N/A
This prevents error messages like:
[!] Locale mappings are now handled using locale aliases on the server, so locale mappings in the project config file (zanata.xml) are now deprecated.
Please add a locale alias in the project language settings to replace each locale mapping in zanata.xml, then remove the <locales> section from zanata.xml
See also:
http://docs.zanata.org/en/release/client/configuration/
Reviewed-by: N/A
Reviewed-by: Michal Židek <mzidek@redhat.com>
The file kcm_default_ccache must enable the KCM ccache by default
without any modification of the file.
/etc/krb5.conf.d/ is fedora/el7 specific and it is not allowed to
enable or start systemd services in scriptlets. It would result in a
broken krb5 configuration. Therefore the krb5 configuration snippet was
moved from /etc/krb5.conf.d/ -> /usr/share/sssd-kcm. And each downstream
distribution should enable systemd services + change the krb5 configuration
in its own way.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
expired TGT
Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and
the ticket is totally expired, this can send the SSSD into offline mode.
Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
anymore.
The effect on the daemon is that just the single renewal fails, but
the failover code is not called and therefore sssd doesn't switch into
offline mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3406
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Calling setup and teardown on every encryption causes issues like the one
described in https://bugzilla.redhat.com/show_bug.cgi?id=1456151
eventually.
Similarly to other crypto functions, don't tear down NSS by calling
NSS_Shutdown. Let the OS reclaim the resources.
Resolves:
https://pagure.io/SSSD/sssd/issue/3424
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Temporary workaround:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Related to https://pagure.io/SSSD/sssd/issue/1960
Related to https://pagure.io/SSSD/sssd/issue/1938
Related to https://pagure.io/SSSD/sssd/issue/1844
Related to https://pagure.io/SSSD/sssd/issue/1593
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
This reverts commit 925a14d50edf0e3b800ce659b10b771ae1cde293.
It broke a test for enumerating nested groups if they are part
of non-POSIX groups https://pagure.io/SSSD/sssd/issue/2406
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
To ensure the client timeout is not too low and clients do not reconnect
too often, the client_idle_timeout is forced to be 10 seconds minimum.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The secrets responder test was chosen even though the bug was in the generic
responder code b/c it runs a single responder process, so it's trivial to
read the PID of the responder under test.
Changes subprocess.call() for os.execv() so that the setup function can
return the secret responder PID right away.
The client timeout in the test has to be at least 10 seconds because
internally, the responders don't allow a shorter timeout.
Regression test for https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The client_idle_handler() function tried to schedule another tevent
timer to check for idle client connections in case the current
connection was still valid, but in doing so, it also stored the current
time into the last_request_time field of the client context.
This kept the connection always alive, because the last_request_time
could then never be older than the timeout.
This patch changes the setup_client_idle_timer() function to only do
what the synopsis says and set the idle timer. The caller (usually the
function that accepts the connection) is supposed to store the request
time itself.
Resolves:
https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
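An added example, not SSSD code, modelling the idle-timer bug this commit describes together with the 10-second minimum for client_idle_timeout from the earlier commit: a buggy handler that stores "now" every time it re-arms can never see a connection as idle, while the fixed handler only compares and re-arms, leaving the caller to record request times. Struct, function and parameter names are assumptions; only the behaviour follows the commit messages.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Added example, not SSSD code. A minimal model of the responder's
 * per-client idle timer: last_request_time should only be set when a
 * request arrives, and the timer handler should only compare it against
 * the configured timeout and re-arm itself. Names here are assumptions;
 * only the behaviour follows the commit messages. */

struct client_ctx {
    time_t last_request_time;
    bool closed;
};

typedef void (*idle_handler_fn)(struct client_ctx *, time_t, int);

/* Buggy variant: re-arming the timer also stores "now" as the last request
 * time, so the connection can never be older than the timeout. */
static void buggy_idle_handler(struct client_ctx *c, time_t now, int timeout)
{
    if (now - c->last_request_time > timeout) {
        c->closed = true;
        return;
    }
    c->last_request_time = now; /* the bug: keeps the connection alive forever */
}

/* Fixed variant: only check and re-arm; the request time is left alone. */
static void fixed_idle_handler(struct client_ctx *c, time_t now, int timeout)
{
    if (now - c->last_request_time > timeout) {
        c->closed = true;
    }
}

/* The caller that accepts a connection or reads a request records the time. */
static void on_request(struct client_ctx *c, time_t now)
{
    c->last_request_time = now;
}

/* Minimum enforced so that clients do not reconnect too often. */
static int effective_idle_timeout(int configured)
{
    return configured < 10 ? 10 : configured;
}

/* Drive a client that connects at t=0 and sends one request at
 * request_at (0 = never), with the idle timer firing every `interval`
 * seconds until `end`. Returns the time the connection was closed, or -1
 * if it stayed open for the whole run. */
static long simulate_client(idle_handler_fn handler, int timeout, int interval,
                            time_t end, time_t request_at)
{
    struct client_ctx c = { .last_request_time = 0, .closed = false };
    bool delivered = false;
    for (time_t now = interval; now <= end; now += interval) {
        if (!delivered && request_at > 0 && request_at <= now) {
            on_request(&c, request_at);
            delivered = true;
        }
        handler(&c, now, timeout);
        if (c.closed) return (long)now;
    }
    return -1;
}

int main(void)
{
    int timeout = effective_idle_timeout(3); /* clamped to 10 */
    printf("buggy, silent client closed at: %ld\n",
           simulate_client(buggy_idle_handler, timeout, 5, 60, 0));
    printf("fixed, silent client closed at: %ld\n",
           simulate_client(fixed_idle_handler, timeout, 5, 60, 0));
    printf("fixed, request at t=12 closed at: %ld\n",
           simulate_client(fixed_idle_handler, timeout, 5, 60, 12));
    return 0;
}
```

With a 10-second timeout and the timer firing every 5 seconds, the buggy handler never closes a silent client (-1), the fixed handler closes it at t=15, and a single request at t=12 pushes the close out to t=25, which is the behaviour the regression test in the sibling commit checks for.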