Commit message  Author  Age  Files  Lines
...
* IPA: Improve s2n debug message for missing ipaNTSecurityIdentifier
  Justin Stephenson  2017-04-28  Files: 1  Lines: -1/+7

    This patch improves the log message to be more informative for the SSSD
    user troubleshooting issues. If the IDM POSIX group used for AD trust
    HBAC/SUDO operation is missing the ipaNTSecurityIdentifier, it can cause
    client s2n operation failures resolving the group, which resulted in the
    inability to log in for the AD user.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* overrides: add certificates to mapped attribute
  Sumit Bose  2017-04-28  Files: 1  Lines: -0/+41

    Certificates in overrides are explicitly used to map users to
    certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.

    Resolves https://pagure.io/SSSD/sssd/issue/3373

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ad: handle forest root not listed in ad_enabled_domains
  Sumit Bose  2017-04-28  Files: 1  Lines: -3/+36

    Although users and groups from the forest root should be ignored, SSSD
    will still try to get information about the forest topology from a DC
    from the forest root. So even if the forest root domain is disabled we
    should make sure it is usable for those searches.

    Resolves https://pagure.io/SSSD/sssd/issue/3361

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* utils: add sss_domain_is_forest_root()
  Sumit Bose  2017-04-28  Files: 2  Lines: -0/+6

    Related to https://pagure.io/SSSD/sssd/issue/3361

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Fix standalone application domains
  Jakub Hrozek  2017-04-28  Files: 1  Lines: -4/+22

    When a standalone application domain was configured, for example:
    -------------------------------------------------
    [sssd]
    domains = appdomain

    [application/appdomain]
    id_provider=ldap
    ldap_uri = ldap://dc.ipa.test
    ldap_search_base = cn=accounts,dc=ipa,dc=test
    ldap_schema = rfc2307bis
    sudo_provider = none
    ldap_sasl_mech = gssapi
    krb5_realm = IPA.TEST
    krb5_server = dc.ipa.test
    ldap_user_uid_number = telephonenumber
    ldap_user_gid_number = mobile
    ldap_user_extra_attrs = location:l
    -------------------------------------------------

    We would, when unrolling the application section into a domain section,
    first add a domain stub, equivalent to:
    -----------------------------
    [domain/appdomain]
    domain_type = application
    -----------------------------
    Which in config.ldb also contains cn. Then we would add the parameters
    from the [application] section, but try to add the cn again.

    This didn't happen when inheriting from a POSIX domain, because there we
    would set LDB_FLAG_REPLACE for any attributes that exist in the inherited
    domain.

    This patch skips the cn attribute both when replacing an inherited
    domain's attributes and when writing a standalone application domain.

    Resolves: https://pagure.io/SSSD/sssd/issue/3355

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Use search bases instead of domain_to_basedn when fetching external groups
  Jakub Hrozek  2017-04-26  Files: 1  Lines: -17/+13

    Instead of deriving the search base from the IPA domain name, actually
    use the search base from the sdap_domain structure. This has primarily
    the advantage of not matching groups in the compat tree.

    Resolves: https://pagure.io/SSSD/sssd/issue/3378

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Allow passing a NULL map to sdap_search_bases_ex_send
  Jakub Hrozek  2017-04-26  Files: 1  Lines: -1/+1

    NULL attribute map and a NULL list of attributes should translate into
    "fetch all entry attributes".

    Required for: https://pagure.io/SSSD/sssd/issue/3378

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ_DOMAIN: debug the set domain resolution order
  Fabiano Fidêncio  2017-04-26  Files: 1  Lines: -0/+11

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER_COMMON: Improve domain_resolution_order debug messages
  Fabiano Fidêncio  2017-04-26  Files: 1  Lines: -0/+6

    Indicate whether a domain_resolution_order has been used and where it
    came from.

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ_DOMAIN: Add some comments to cache_req_domain_new_list_from_string_list()
  Fabiano Fidêncio  2017-04-26  Files: 1  Lines: -0/+4

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ: Allow configurationless shortname lookups
  Fabiano Fidêncio  2017-04-26  Files: 3  Lines: -1/+50

    Configurationless shortname lookups must be allowed when a domain
    resolution order is present and the (head) domain is not enforcing the
    usage of fully-qualified names.

    With this patch SSSD does not require any kind of changes from the
    client side for taking advantage of shortname lookups.

    Related: https://pagure.io/SSSD/sssd/issue/3001

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS/TESTS: Improve non-fqnames tests
  Fabiano Fidêncio  2017-04-26  Files: 1  Lines: -15/+30

    With the changes that are about to happen we have to have the
    subdomain's fqnames flag set by the time we populate the cr_domains list
    (as it actually occurs with the real code), as this list may set its own
    fqnames flag based on the subdomain's fqnames flag.

    Currently the flag is set to false only when running the tests
    themselves, so the cr_domains list doesn't get populated properly
    (although it still works with the current code).

    For the changes that are coming, let's introduce a new setup function
    that ensures that the subdomain's fqnames flag is set up at the right
    time.

    Related: https://pagure.io/SSSD/sssd/issue/3001

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Fallback to global domain resolution order in case the view doesn't have this option set
  Fabiano Fidêncio  2017-04-26  Files: 3  Lines: -53/+74

    The current code has been ignoring the domain resolution order set
    globally on IPA in case there's a view but this doesn't have any domain
    resolution order set.

    It happens because we haven't been checking whether the view attribute
    existed, and then we ended up populating the cache_req domains' list
    assuming that no order has been set instead of falling back to the next
    preferred method.

    Related: https://pagure.io/SSSD/sssd/issue/3001

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
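The two commits above (CACHE_REQ shortname lookups and the RESPONDER view fallback) describe the same selection logic from two sides. The following is an added example written for this page, not SSSD's own code: it picks a domain resolution order from the available sources and decides which domains a bare user name is tried against. Assumptions not stated on the page: the precedence is the sssd.conf option first, then the IPA ID view, then the global IPA setting; the order is colon separated; domains missing from the order are appended after the named ones; without an order only domains that do not enforce qualified names are searched. The domains and users are constructed sample data.

```python
"""Added example, not SSSD's own code: domain resolution order selection and
configurationless shortname lookups (assumptions are listed in the lead-in)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Domain:
    name: str
    fqnames: bool                      # does the domain enforce user@domain?
    users: set = field(default_factory=set)


def _split_order(value: str) -> list:
    return [d.strip() for d in value.split(":") if d.strip()]


def pick_resolution_order(local_cfg: Optional[str], view: Optional[dict],
                          global_cfg: Optional[str], all_domains: list) -> tuple:
    """Return (source, ordered domain names) from the first source that sets one.

    A view that exists but carries no ipaDomainResolutionOrder attribute must
    fall through to the global setting; treating "view present" as "no order
    set" is the bug the RESPONDER commit describes.
    """
    if local_cfg:
        source, order = "sssd.conf", _split_order(local_cfg)
    elif view is not None and view.get("ipaDomainResolutionOrder"):
        source, order = "view", _split_order(view["ipaDomainResolutionOrder"])
    elif global_cfg:
        source, order = "ipa-global", _split_order(global_cfg)
    else:
        source, order = "default", []
    # Assumed: domains not named in the order keep their configured order after it.
    order += [d for d in all_domains if d not in order]
    return source, order


def shortname_candidates(source: str, order: list, domains: dict) -> list:
    """Domains a bare user name is tried against, in order.

    With an order whose head domain does not enforce fully qualified names,
    every domain is searched (configurationless shortname lookup). Otherwise
    only domains that accept unqualified names are searched.
    """
    if source != "default" and order and not domains[order[0]].fqnames:
        return list(order)
    return [d for d in order if not domains[d].fqnames]


def resolve_user(name: str, domains: dict, source: str, order: list) -> Optional[str]:
    """Resolve 'user' or 'user@domain' to 'user@domain', or None if not found."""
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        d = domains.get(dom)
        return f"{user}@{dom}" if d is not None and user in d.users else None
    for dom in shortname_candidates(source, order, domains):
        if name in domains[dom].users:
            return f"{name}@{dom}"
    return None


# Constructed sample data: a joined IPA domain and one trusted AD domain.
SAMPLE_DOMAINS = {
    "ipa.test": Domain("ipa.test", fqnames=False, users={"alice"}),
    "ad.test": Domain("ad.test", fqnames=True, users={"bob", "alice"}),
}
ALL_DOMAINS = ["ipa.test", "ad.test"]
```

Note how the view case is handled: a view dictionary without the attribute is not an order of its own, so the global IPA order is used, and "bob" is only found by shortname once the head of the order is a domain that does not enforce qualified names.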
* IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier  (HEAD, master)
  Jakub Hrozek  2017-04-24  Files: 1  Lines: -1/+4

    There was an issue in a production deployment where the admin selected a
    GID outside the IDM range for a group that contained a user from the
    trusted domain. This resulted in not adding a SID for the IPA group,
    which in turn meant the group couldn't be resolved on the client.

    This patch just improves the DEBUG message so that it's clearer for the
    admins where the issue is.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SECRETS: remove unused variable
  Lukas Slebodnik  2017-04-21  Files: 1  Lines: -5/+0

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Use sized_domain_name to format the groups the user is a member of
  Jakub Hrozek  2017-04-21  Files: 1  Lines: -14/+15

    Resolves: https://pagure.io/SSSD/sssd/issue/3268

    Uses the common function sized_domain_name() to format a group the user
    is a member of to the appropriate format.

    To see that the code is working correctly, run:
        dbus-send --system --print-reply \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe \
            org.freedesktop.sssd.infopipe.GetUserGroups string:trusted_user

    Where trusted_user is a user from a trusted domain that is a member of
    groups from the joined domain and a trusted domain as well. The groups
    from the joined domain should not be qualified, the groups from the
    trusted domain should be qualified.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Move sized_output_name() and sized_domain_name() into responder common code
  Jakub Hrozek  2017-04-21  Files: 5  Lines: -99/+112

    These functions are used to format a name into a format that the user
    configured for output, including case sensitivity, replacing whitespace
    and qualified format.

    They were used only in the NSS responder, which typically returns strings
    to the NSS client library and then the user. But it makes sense to just
    reuse the same code in the IFP responder as well, since it does
    essentially the same job.

    The patch also renames sized_member_name to sized_domain_name.
    Previously, the function was only used to format a group member; the IFP
    responder would use the same function to format a group the user is a
    member of.

    Related to: https://pagure.io/SSSD/sssd/issue/3268

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* README: Update links to mailing lists
  Lukas Slebodnik  2017-04-20  Files: 1  Lines: -2/+4

    Old links are redirected to information about Fedorahosted-retirement,
    e.g. https://fedorahosted.org/mailman/listinfo/sssd-devel ->
    https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SPEC: Drop conditional build for krb5_local_auth_plugin
  Lukas Slebodnik  2017-04-19  Files: 1  Lines: -6/+0

    It was mainly aimed at the time when stable CentOS and rhel nightly had
    different versions of krb5. Anyway, rhel7.0 and rhel <= 6.6 are already
    out of support.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* minor typo fixes
  René Genz  2017-04-19  Files: 5  Lines: -16/+16

    Merges: https://pagure.io/SSSD/sssd/pull-request/3374

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
* UTIL: Use max 15 characters for AD host UPN
  Lukas Slebodnik  2017-04-12  Files: 1  Lines: -1/+7

    We do not want to use host principal with AD
    "host/name.domain.tld@DOMAIN.TLD" because it does not work. We need to
    use correct user principal for AD hosts. And we cannot rely on the
    fallback "*$" because of other principals in keytab.

    The NetBIOS naming convention allows for 16 characters in a NetBIOS
    name. Microsoft, however, limits NetBIOS names to 15 characters and uses
    the 16th character as a NetBIOS suffix.
    https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

    Resolves: https://pagure.io/SSSD/sssd/issue/3329

    Reviewed-by: Michal Židek <mzidek@redhat.com>
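The commit message above gives the constraint (15 characters) and the reason the "*$" fallback is unsafe, but not the resulting principal. The block below is an added example written for this page, not SSSD's code: it derives the machine account UPN from a host name and shows why picking the first "*$" entry from a keytab can select the wrong credential. Assumed, since the page does not spell it out: the AD computer account name is the first DNS label of the host name, upper-cased and cut to 15 characters, followed by "$". The keytab listing is constructed.

```python
"""Added example, not SSSD's own code: AD machine account UPN derivation and
keytab principal selection (the account-name format is an assumption)."""
from typing import Optional

NETBIOS_MAX = 15   # Microsoft keeps 15 characters; the 16th is the NetBIOS suffix


def netbios_name(fqdn: str) -> str:
    """First DNS label, upper case, truncated to the NetBIOS limit."""
    return fqdn.split(".", 1)[0].upper()[:NETBIOS_MAX]


def host_principal(fqdn: str, realm: str) -> str:
    """The host/ service principal: present in the keytab, but not what AD
    expects for authenticating the machine account."""
    return f"host/{fqdn.lower()}@{realm.upper()}"


def ad_host_upn(fqdn: str, realm: str) -> str:
    """The user principal AD expects for the computer account."""
    return f"{netbios_name(fqdn)}$@{realm.upper()}"


def _is_account_principal(principal: str) -> bool:
    return principal.split("@", 1)[0].endswith("$")


def pick_by_wildcard(keytab: list) -> Optional[str]:
    """The "*$" fallback: the first principal whose name ends in '$'. A service
    account or another host's entry that happens to come first wins."""
    for principal in keytab:
        if _is_account_principal(principal):
            return principal
    return None


def pick_for_host(keytab: list, fqdn: str, realm: str) -> Optional[str]:
    """Prefer the exact machine UPN; only use a '$' entry when it is the sole one."""
    wanted = ad_host_upn(fqdn, realm)
    if wanted in keytab:
        return wanted
    candidates = [p for p in keytab if _is_account_principal(p)]
    return candidates[0] if len(candidates) == 1 else None


# Constructed keytab contents, as `klist -k` would list the principal names.
SAMPLE_KEYTAB = [
    "host/longhostname-example.ad.example.com@AD.EXAMPLE.COM",
    "SQLSVC$@AD.EXAMPLE.COM",
    "LONGHOSTNAME-EX$@AD.EXAMPLE.COM",
]
```

For the 20-character host "longhostname-example", the computed UPN is LONGHOSTNAME-EX$@AD.EXAMPLE.COM; the wildcard rule would instead return the service account that precedes it in the keytab.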
* sbus: check connection for NULL before unregister it
  Sumit Bose  2017-04-12  Files: 1  Lines: -1/+7

    There seem to be code paths where the data is added to the hash before
    the connection is properly initialized. To avoid a core dump during
    shutdown we only call dbus_connection_unregister_object_path() if there
    is a connection.

    Resolves: https://pagure.io/SSSD/sssd/issue/3367

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5_LOCATOR: add env variable to disable plugin
  Sumit Bose  2017-04-11  Files: 2  Lines: -0/+20

    If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
    value SSSD's krb5 locator plugin is disabled.

    The variable is needed because there is currently no other way than
    removing the plugin completely to disable it. For a use-case see e.g.
    https://bugzilla.redhat.com/show_bug.cgi?id=1072939.

    Resolves: https://pagure.io/SSSD/sssd/issue/3359

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config-check: Message when sssd.conf is missing
  Michal Židek  2017-04-10  Files: 1  Lines: -1/+4

    sssctl config-check should print a message for the user if no sssd.conf
    was found.

    Resolves: https://pagure.io/SSSD/sssd/issue/3330

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* i18n: adding sssctl files
  Sumit Bose  2017-04-10  Files: 1  Lines: -0/+8

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: integrate pam_test_client into sssctl
  Sumit Bose  2017-04-10  Files: 5  Lines: -72/+72

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam_test_client: add InfoPipe user lookup
  Sumit Bose  2017-04-10  Files: 2  Lines: -0/+72

    Related to https://pagure.io/SSSD/sssd/issue/3292

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sss_sifp: update method names
  Sumit Bose  2017-04-10  Files: 2  Lines: -3/+3

    Related to https://pagure.io/SSSD/sssd/issue/3292

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam_test_client: add SSSD getpwnam lookup
  Sumit Bose  2017-04-10  Files: 2  Lines: -2/+84

    Related to https://pagure.io/SSSD/sssd/issue/3292

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam_test_client: add service and environment to PAM test client
  Sumit Bose  2017-04-10  Files: 1  Lines: -12/+38

    Related to https://pagure.io/SSSD/sssd/issue/3292

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Fix handling of enable_files_domain
  Lukas Slebodnik  2017-04-10  Files: 1  Lines: -8/+8

    The option enable_files_domain worked only if sssd was compiled with
    --enable-files-domain. But the manual page described something else.

    Resolves: https://pagure.io/SSSD/sssd/issue/3340

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* DP: Fix typo
  Pavel Březina  2017-04-06  Files: 1  Lines: -2/+2

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* selinux: Do not fail if SELinux is not managed
  Michal Židek  2017-04-06  Files: 5  Lines: -24/+49

    Previously we failed if semanage_is_managed returned 0 or -1 (not
    managed or error). With this patch we only fail in case of error and
    continue normally if selinux is not managed by libsemanage at all.

    Resolves: https://fedorahosted.org/sssd/ticket/3297

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ipa_s2n_get_acct_info_send: provide correct req_input name
  Pavel Březina  2017-04-03  Files: 1  Lines: -4/+36

    To avoid a crash.

    Resolves: https://pagure.io/SSSD/sssd/issue/3358

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* responders: do not leak selinux context on clients destruction
  Pavel Březina  2017-04-03  Files: 1  Lines: -1/+19

    The SELinux context created in get_client_cred is not talloc-bound and
    we were leaking it, if available, with each client's destruction.

    Resolves: https://pagure.io/SSSD/sssd/issue/3360

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Fix compilation of libsss_certmap with libcrypto
  Lukas Slebodnik  2017-04-03  Files: 1  Lines: -1/+2

      CC       src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo
    src/lib/certmap/sss_cert_content_nss.c:25:18: fatal error: cert.h: No such file or directory
     #include <cert.h>
                      ^
    compilation terminated.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* libsss_certmap: Accept certificate with data before header
  David Kupka  2017-04-03  Files: 2  Lines: -4/+21

    According to RFC 7468, a parser must not fail when some data are present
    before the encapsulation boundary. sss_cert_pem_to_der didn't respect
    this and refused valid input. Changing its code to first locate the
    certificate header fixes the issue.

    Resolves: https://pagure.io/SSSD/sssd/issue/3354

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
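To make the RFC 7468 point concrete, here is an added example written for this page, not libsss_certmap's code: a PEM-to-DER conversion that locates the pre-encapsulation boundary anywhere in the input, next to the strict variant that mirrors the behaviour the commit message calls out as the bug. The certificate body is constructed (a five-byte DER SEQUENCE, not a real certificate) and the leading lines mimic the text that tools such as `openssl x509 -text` print before the PEM block; the function names are this example's own.

```python
"""Added example, not libsss_certmap's code: PEM to DER per RFC 7468, with the
strict pre-fix behaviour kept for comparison. Sample data is constructed."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _decode_between(pem: str, start: int) -> bytes:
    """Decode the base64 between the boundaries, starting at offset `start`."""
    end = pem.find(END, start)
    if end < 0:
        raise ValueError("no post-encapsulation boundary")
    b64 = re.sub(r"\s+", "", pem[start + len(BEGIN):end])
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in PEM body: {exc}") from None
    # Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def pem_to_der_strict(pem: str) -> bytes:
    """Pre-fix behaviour: the header has to be the very first thing in the input."""
    if not pem.startswith(BEGIN):
        raise ValueError("input does not start with the PEM header")
    return _decode_between(pem, 0)


def pem_to_der(pem: str) -> bytes:
    """RFC 7468 behaviour: find the header wherever it is and skip what precedes it.
    Text after the END line is ignored for the same reason."""
    start = pem.find(BEGIN)
    if start < 0:
        raise ValueError("no pre-encapsulation boundary")
    return _decode_between(pem, start)


# Constructed: SEQUENCE { INTEGER 5 }, enough to exercise the parser, not a certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    f"{BEGIN}\n{base64.b64encode(SAMPLE_DER).decode()}\n{END}\n"
)
```

The strict variant rejects SAMPLE_PEM outright, while the RFC 7468 variant returns SAMPLE_DER; both still reject input with no header, a missing footer, or a body that does not decode to a DER SEQUENCE.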
* configure: fix typo
  Pavel Březina  2017-03-30  Files: 1  Lines: -1/+1

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_iobuf: fix 'read' shadows a global declaration
  Pavel Březina  2017-03-30  Files: 1  Lines: -3/+3

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* secrets: always add Content-Length header
  Pavel Březina  2017-03-30  Files: 1  Lines: -4/+68

    If the custodia server does not reply with a Content-Length header, curl
    may wait for the non-existing body of an HTTP reply if such a body does
    not exist (for example during a POST operation when creating a
    container).

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
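The hang described above is a message-framing problem: without Content-Length (or chunked encoding) an HTTP/1.1 client cannot know that a 2xx reply has no body and keeps reading until the server closes the connection. The block below is an added example written for this page, not the secrets responder's code: a server-side builder that always emits Content-Length, and a client-side parser that reports whether the bytes it holds form a complete message. It applies the RFC 7230 section 3.3.3 rules (chunked Transfer-Encoding first, then Content-Length, then the bodiless 1xx/204/304 statuses, otherwise read until close); all messages are constructed.

```python
"""Added example, not SSSD's secrets code: HTTP/1.1 body framing on both sides.
Messages are constructed."""
from typing import Optional


def build_response(status: int, reason: str, body: bytes = b"",
                   headers: Optional[dict] = None) -> bytes:
    """Server side: always emit Content-Length, even for an empty body."""
    hdrs = dict(headers or {})
    hdrs["Content-Length"] = str(len(body))
    head = f"HTTP/1.1 {status} {reason}\r\n" + "".join(
        f"{name}: {value}\r\n" for name, value in hdrs.items())
    return head.encode() + b"\r\n" + body


def _dechunk(data: bytes) -> tuple:
    """Decode a chunked body; returns (body so far, complete)."""
    out, pos = b"", 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return out, False                    # chunk-size line not yet received
        size = int(data[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return out, True                     # last-chunk seen
        if len(data) < pos + size + 2:
            return out, False                    # chunk data still in flight
        out += data[pos:pos + size]
        pos += size + 2


def parse_response(raw: bytes) -> Optional[tuple]:
    """Client side: returns (status, headers, body, complete), or None if the
    header block is not yet complete. complete=False is the state in which a
    client such as curl keeps waiting for more bytes."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, done = _dechunk(rest)
        return status, headers, body, done
    if "content-length" in headers:
        length = int(headers["content-length"])
        return status, headers, rest[:length], len(rest) >= length
    if status in (204, 304) or 100 <= status < 200:
        return status, headers, b"", True        # these never carry a body
    return status, headers, rest, False          # body ends only on connection close
```

A bare "HTTP/1.1 201 Created" with no headers is the problematic reply: the parser reports it incomplete, whereas the same status built with build_response carries "Content-Length: 0" and is complete as soon as the header block arrives.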
* secrets: fix debug message
  Pavel Březina  2017-03-30  Files: 1  Lines: -1/+2

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* secrets: support HTTP basic authentication with proxy provider
  Pavel Březina  2017-03-30  Files: 1  Lines: -0/+9

    Even though the configuration options auth_type = basic, username and
    password are read, they were not used anywhere prior to this patch.

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* secrets: allow to configure certificate check
  Pavel Březina  2017-03-30  Files: 5  Lines: -0/+149

    Some users may want to use TLS with an unverified peer (for example if
    they use a self-signed certificate) or with an unverified hostname (if
    the certificate hostname does not match the real hostname). On the other
    side it may be useful to point to a directory containing custom
    certificate authorities.

    This patch adds three new options to secrets responder:

    verify_peer => peer's certificate must be valid
    verify_host => hostnames must match
    capath => path to directory containing CA certs
    cacert => ca certificate
    cert => client certificate
    key => client private key

    Resolves: https://pagure.io/SSSD/sssd/issue/3192

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
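The options listed above map onto the standard TLS client knobs, and the interesting case is what the combinations mean. The block below is an added example written for this page, not the responder's libcurl setup: it turns a parsed section holding those six option names into a TLS client context and reports the settings a reviewer would flag. Assumed: values are sssd.conf style booleans and file paths; the section dictionaries are constructed. One behavioural difference worth knowing: with libcurl the peer check and the host check are independent, so verify_host on an unverified peer only compares a name on a certificate nobody vouched for; Python's ssl module refuses that combination outright, which is why this example treats it as a configuration error.

```python
"""Added example, not SSSD's code: secrets proxy TLS options mapped onto an
ssl.SSLContext, plus a check for weak combinations. Sections are constructed."""
import ssl
from typing import Optional


def _bool(value: Optional[str], default: bool) -> bool:
    """sssd.conf style boolean."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def make_tls_context(verify_peer: bool = True, verify_host: bool = True,
                     capath: Optional[str] = None, cacert: Optional[str] = None,
                     cert: Optional[str] = None, key: Optional[str] = None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname may only be True while verify_mode is CERT_REQUIRED.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_peer else ssl.CERT_NONE
    if verify_host:
        if not verify_peer:
            raise ValueError("verify_host=true is meaningless without verify_peer=true")
        ctx.check_hostname = True
    if cacert or capath:
        ctx.load_verify_locations(cafile=cacert, capath=capath)   # custom CAs only
    elif verify_peer:
        ctx.load_default_certs()                                   # system trust store
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)            # client certificate
    return ctx


def context_from_section(section: dict) -> ssl.SSLContext:
    """Build the context from a parsed secrets proxy section (a plain dict here)."""
    return make_tls_context(
        verify_peer=_bool(section.get("verify_peer"), True),
        verify_host=_bool(section.get("verify_host"), True),
        capath=section.get("capath"), cacert=section.get("cacert"),
        cert=section.get("cert"), key=section.get("key"))


def weak_settings(section: dict) -> list:
    """What a configuration review would flag in the section."""
    issues = []
    if not _bool(section.get("verify_peer"), True):
        issues.append("verify_peer=false: any certificate is accepted, self-signed included")
    if not _bool(section.get("verify_host"), True):
        issues.append("verify_host=false: a valid certificate for any other name is accepted")
    if section.get("key") and not section.get("cert"):
        issues.append("key without cert: no client certificate will be sent")
    return issues


def describe(ctx: ssl.SSLContext) -> tuple:
    """(verify mode name, hostname check) for inspection."""
    return ctx.verify_mode.name, ctx.check_hostname


# Constructed sections: the weak setting next to the corrected one.
WEAK_SECTION = {"verify_peer": "false", "verify_host": "false"}
HARDENED_SECTION = {"verify_peer": "true", "verify_host": "true",
                    "capath": "/etc/pki/tls/certs"}
```

Passing a self-signed custodia certificate to cacert is the supported way to keep verify_peer on; switching verify_peer off to make a self-signed certificate work removes the check that the proxy is talking to the intended server at all.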
* secrets: remove http-parser code in proxy provider
  Pavel Březina  2017-03-30  Files: 1  Lines: -581/+0

    We switched to libcurl in the previous patch. This just removes the
    unused code.

    Resolves: https://pagure.io/SSSD/sssd/issue/3192

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* secrets: use tcurl in proxy provider
  Pavel Březina  2017-03-30  Files: 4  Lines: -84/+192

    We switch from http-parser to libcurl for an http client. This gives us
    many features for free such as tls and http basic authentication
    support instead of implementing it on our own.

    Resolves: https://pagure.io/SSSD/sssd/issue/3192

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* build: make curl required by secrets
  Pavel Březina  2017-03-30  Files: 2  Lines: -15/+7

    Also remove --disable-libcurl since it doesn't make sense.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ci: do not build secrets on rhel6
  Pavel Březina  2017-03-30  Files: 3  Lines: -0/+20

    We require a newer libcurl version than is available on rhel6. We don't
    ship the secrets responder in rhel6 so we just disable its build.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tcurl test: add support for client certificate
  Pavel Březina  2017-03-30  Files: 1  Lines: -0/+13

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tcurl test: allow to set custom headers
  Pavel Březina  2017-03-30  Files: 1  Lines: -2/+9

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tcurl: add support for http basic auth
  Pavel Březina  2017-03-30  Files: 3  Lines: -0/+53

    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>