| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Integration test for:
https://pagure.io/SSSD/sssd/issue/3372
With https://pagure.io/SSSD/sssd/issue/3372 still broken, the unit test
wold fail because one of the concurrent klist commands would trigger a
race condition in the KCM queue code, crashing the KCM responder.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3372
Fixes a race condition between one client request adding an operation to
the hash table value, which was previously a linked list of operations,
while another concurrent operation would remove the last remaining
linked list element through its callback.
Instead, the hash table value is now a separate 'queue head' structure
which is only changed in a tevent request to make sure is is not
processes concurrently with adding to the queue (which is also a tevent
request).
|
| |
|
|
|
|
|
|
| |
The implicit_files was started with each test even though was not
required.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start() and hence the UPN is not seen by
SSSD's pam responder. But some like e.g. gdm don't and authentication
might fail if a UPN is used.
The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.
Resolves https://pagure.io/SSSD/sssd/issue/3240
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
return a valid response
If the child returns a runtime error, it is often not clear from the
domain debug logs what to do next. This patch adds a DEBUG message that
tells the admin to look into the krb5_child.log
Resolves:
https://pagure.io/SSSD/sssd/issue/2955
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.
There were few issues all of which are fixed in this small
patch.
First problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domains lists that were disconnected
from the parent context and never used.
Second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused that child domains always used
automatically detected search bases and never used the configured
ones even though they were properly read into the ID options
context attached to the subdomain.
Also there has been an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which caused that
only the main domain and the last child domain had proper
search bases, the others only the auto-discovered ones
(because they were overwritten with the 'update').
Resolves:
https://pagure.io/SSSD/sssd/issue/3397
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
Add debug messages when 1way or 2way trusts are created.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As contacting the infopipe responder on a "filter" related call may lead
to the situation where the cr_domains' list is not populated yet (as the
domains and subdomains lists from the data provider are not processed
yet), let's explicitly call sss_dp_get_domains() for those cases and
avoid returning a wrong result to the caller.
This situation may happen only because the schedule_get_domains_task(),
that's called when the infopipe responder is initialized, may take some
time to run/finish.
While I'm not exactly sure whether it's the best solution to avoid the
"race", it seems to be sane enough to avoid the issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3387
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 4ef0b19a introduced the following warning, as "req" may be used
without being initialized:
src/responder/common/cache_req/cache_req_search.c:
In function 'cache_req_search_done':
src/responder/common/cache_req/cache_req_search.c:467:9:
error: 'req' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
tevent_req_error(req, ret);
^
src/responder/common/cache_req/cache_req_search.c:424:24:
note: 'req' was declared here
struct tevent_req *req;
^
cc1: all warnings being treated as errors
In order to fix the issue above, let's just allocate tmp_ctx after "req"
is already set.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Co-Author: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Currently only the results from one domain were returned although all
domains were searched and the results were available. Unit tests are
updated to cover this case as well.
Resolves https://pagure.io/SSSD/sssd/issue/3393
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Related:
https://pagure.io/SSSD/sssd/issue/3362
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes use of cache_req_ncache_filter_fn() in order to process
the result of a cache_req search and then filter out all the results
that are present in the negative cache.
The "post cache_req search" result processing is done basically in two
different cases:
- plugins which don't use name as an input token (group_by_id, user_by_id
and object_by_id), but still can be affected by filter_{users,groups}
options;
- plugins responsible for groups and users enumeration (enum_groups and
enum_users);
Resolves:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similarly to what cache_req_create_ldb_result_from_msg() does this new
function creates a new ldb_result from a list of ldb_message.
It's going to be used in the follow-up patch where some messages from
ldb_result may be filtered and then a new ldb_result has to be created.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function will be responsible for filtering out all the results that
we have that are also present in the negative cache.
This is useful mainly for plugins which don't use name as an input token
but can still be affected by filter_{users,groups} options.
For now this new function is not being used anywhere.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Move NSS nss_get_name_from_msg and the core of sized_output_name to the
utils to make them available to provider and other responders.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certain operations are not supported with certain providers
causing informational Data Provider log messages to be logged as
errors or failures. This patch lowers the log level to reduce overall
log noise and ensure only critical log messages are logged when
a low debug_level value is used.
Resolves:
https://pagure.io/SSSD/sssd/issue/3287
https://pagure.io/SSSD/sssd/issue/3278
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Explicitly state that the AD provider uses Kerberos and GSSAPI for
encrypting traffic to avoid attempted custom configurations with SSL/TLS
Resolves:
https://pagure.io/SSSD/sssd/issue/3377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
man 2 readv says that the header file "sys/uio.h" must be included
for the functions readv/writev
Previously, "sys/uio.h" was included in "sys/socket.h" in glibc.
It worked just by a change. But it will be changed in glibc-2.26.
https://sourceware.org/bugzilla/show_bug.cgi?id=21426
src/responder/kcm/kcmsrv_cmd.c: In function 'kcm_iovec_op':
src/responder/kcm/kcmsrv_cmd.c:75:15: error: implicit declaration of function
'readv'; did you mean 'read'? [-Werror=implicit-function-declaration]
src/responder/kcm/kcmsrv_cmd.c:77:15: error: implicit declaration of function
'writev'; did you mean 'write'? [-Werror=implicit-function-declaration]
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use separate AD context for each subdomain in the server mode.
Every such context has it's own sdap_domain list witch represents
sdap options such as filter and search bases for every domain.
However AD context can only fully initialize sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures to be have automaticily
detected settings. This can cause problems if user is member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Although the cache_req lookup found matching in multiple domains only
the results from the first domain were used. With this patch the results
from all domains are checked.
Resolves https://pagure.io/SSSD/sssd/issue/3385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there's no nested groups involved.
In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3331
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Starting with rpm 4.11, it is possible to install the license using
a new file macro %license, this will separate the license files from documents
and install them in a special directory in /usr/share
rpm -q -l -p ./sssd-1.15.3-0.el7.x86_64.rpm
/usr/share/licenses/sssd-1.15.3
/usr/share/licenses/sssd-1.15.3/COPYING
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The rpm macro python_provide is defined only in fedora and epel.
This is the reason why we have fallback definition in the beginning of
spec file otherwise build on rhel would fail.
This macro is defined in file /usr/lib/rpm/macros.d/macros.python
provided by package python-rpm-macros.
sh$ rpm -qf /usr/lib/rpm/macros.d/macros.python
python-rpm-macros-3-20.fc26.noarch
sh$ grep python_provide /usr/lib/rpm/macros.d/macros.python
%python_provide() %{lua:
print("%python_provide: ERROR: ")
But this package is not installed in minimal chroot and therefore
build dependencies cannot be extracted from spec file.
sh$ mock --clean --shell 'rpm -q python-rpm-macros' 2>/dev/null
package python-rpm-macros is not installed
sh$ mock --shell 'rpm --eval "%{python_provide python-test}"' 2>/dev/null
%{python_provide python-test}
sh$ mock --resultdir . --rebuild sssd-1.15.3-0.fc26.src.rpm
...
error: line 295: Unknown tag: %{python_provide python2-sssdconfig}
...
This is the reason why it has to be used conditionally in fedora as it is shown
in example common spec file in python fedora packaging guidelines
http://fedoraproject.org/wiki/Packaging:Python#Example_common_spec_file
sh$ rpm -q --whatrequires python-rpm-macros
python2-devel-2.7.13-5.fc26.x86_64
python3-devel-3.6.0-22.fc26.x86_64
This patch reduce differences between upstream and fedora spec file.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
| |
We do it for other libraries.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It's a cosmetic change to group similar files together (e.g. man pages).
The same order is in fedora downstream spec file.
It simplifies comparison of changes between spec files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This patch also moved sss_certmap.5 from sssd-common to libsss_certmap
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Patch also fixes location of translated manual pages
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3327
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
The sssd-ifp.service was installed even though sssd_ifp
was not installed on systemd.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3318
The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.
This function was only used in the AD provider functions which are used
when SSSD is enrolled direcly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.
Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as as struct (previously the
domain name from the DP input was passed).
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We were rewriting the sdap_domain's search bases for only the first
sdap_domain in the list, which does not work for subdomains.
Also when search bases were already initialized in sdap_domain_subdom_add,
we should only rewrite them when they were explicitly set in sssd.conf.
Resolves:
https://pagure.io/SSSD/sssd/issue/3351
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
@see also
https://bugzilla.redhat.com/show_bug.cgi?id=1260190
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We can fallback after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.
Therefore we now fallback on connect errors, but we issue a hard fail if
error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cycle through all resolved address until one succeed or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 are
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Pair-Programmed-With: Michal Židek <mzidek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
