Commit message | Author | Age | Files | Lines
* codegen: Remove util.h from generated files | Lukas Slebodnik | 2017-06-08 | 15 | -8/+40
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* krb5: disable enterprise principals during password changes | Sumit Bose | 2017-06-08 | 1 | -1/+2
    Currently using enterprise principals during password changes does not work reliably. First there is a special behavior if canonicalization, which in general should be used together with enterprise principals, is enabled with AD, see https://pagure.io/SSSD/sssd/issue/1405 and https://pagure.io/SSSD/sssd/issue/1615 for details. As a result of this SSSD currently disables canonicalization during password changes.

    Additionally it looks like MIT Kerberos does not handle canonicalized principals well, even if canonicalization is enabled, if not the default krbtgt/REALM@REALM but kadmin/changepw@REALM is requested.

    Since it is currently not clear what is the expected behavior here it makes sense to completely disable enterprise principals during password changes for the time being.

    Resolves https://pagure.io/SSSD/sssd/issue/3426
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* INTG_TESTS: Add one more test for filtered out users/groups | Fabiano Fidêncio | 2017-06-05 | 1 | -0/+54
    The added test is quite simple and basically ensures that when some shortcut is taken in the cache_req_send() SSSD still filters out the already cached users/groups.

    The real situation the test tries to test is:
    - getent passwd 1002
    - sleep(2)
    - getent passwd 1002
    - getent group 2002
    - sleep(2)
    - getent group 2002

    (Considering entry_negative_timeout = 1 in [nss] section of sssd.conf).

    Related: https://pagure.io/SSSD/sssd/issue/3362
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send() | Fabiano Fidêncio | 2017-06-05 | 1 | -0/+4
    cache_req_send() may take some shortcuts in case the object is found in the cache and it's still valid.

    This behaviour may lead to exposing filtered users and groups when they're searched by their uid/gid. A solution for this issue was proposed on 4ef0b19a but, unfortunately, didn't take into consideration that this shortcut could be taken.

    There are basically two really easy ways to test this issue:
    1) Using enumeration:
       - Set "enumerate = True" in the domain section
       - restart SSSD cleaning up the cache;
       - getent passwd <uid of a user who is part of the filter_users>
       - Wait a little bit till the entry_negative_timeout is expired
       - getent passwd <same uid used above>
    2) Not using enumeration:
       - getent passwd <uid of a user who is part of the filter_users>
       - Wait a little bit till the entry_negative_timeout is expired
       - getent passwd <same uid used above>

    A test covering this code path will be added in the follow-up commit.

    Resolves: https://pagure.io/SSSD/sssd/issue/3362
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ: Simplify _search_ncache_filter() | Fabiano Fidêncio | 2017-06-05 | 1 | -20/+7
    Let's make the result an input/output argument for _search_ncache_filter() and free it inside the function whenever it's needed instead of leaving this responsibility for the caller.

    Related: https://pagure.io/SSSD/sssd/issue/3362
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam_sss: Fix checking of empty string cert_user | Lukas Slebodnik | 2017-06-05 | 1 | -2/+2
    src/sss_client/pam_sss.c: In function ‘eval_response’:
    src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
     if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
                                                    ^~
    src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
     if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
                                      ^
    src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
     && pi->cert_user != '\0') {
                      ^~
    src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
     && pi->cert_user != '\0') {

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TESTS: Add one config-check test case | Michal Židek | 2017-06-03 | 1 | -0/+12
    Add test case with wrong subdomain section format, where too many domains are used to identify the trusted domain instead of just the connected domain and the one trusted domain that is being configured.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Fix the PAM error code that auth code expects to start migration | Sumit Bose | 2017-06-03 | 1 | -0/+11
    Recent patches which add support for PKINIT in krb5_child changed a return code which is used to indicate to the IPA provider that password migration should be tried.

    With this patch krb5_child properly returns PAM_CRED_ERR as expected by the IPA provider in this case.

    Resolves: https://pagure.io/SSSD/sssd/issue/3394
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sssctl: show user name used for authentication in user-checks | Sumit Bose | 2017-06-01 | 1 | -1/+10
    Since there are cases where the user name is not entered directly but determined by other means the user-checks should show the name of the user used for authentication.

    Related to https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sysdb: sysdb_get_certmap() allow empty certmap | Sumit Bose | 2017-06-01 | 2 | -9/+13
    Since sysdb_get_certmap() returns the user name hint information as well it should return a result even if there are no certmaps.

    Related to https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* PAM: send user name hint response when needed | Sumit Bose | 2017-06-01 | 2 | -39/+141
    If the PAM client didn't send a user name and promtusername is enabled the PAM responder will tell pam_sss to ask for an optional user name as well.

    Resolves: https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* add_pam_cert_response: add support for SSS_PAM_CERT_INFO_WITH_HINT | Sumit Bose | 2017-06-01 | 3 | -8/+18
    Related to https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT | Sumit Bose | 2017-06-01 | 3 | -14/+127
    The new response type SSS_PAM_CERT_INFO_WITH_HINT is equivalent to SSS_PAM_CERT_INFO but tells pam_sss to prompt for an optional user name as well.

    Resolves: https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* tests: fix test_pam_preauth_cert_no_logon_name() | Sumit Bose | 2017-06-01 | 1 | -3/+7
    Currently a name is provided for test_pam_preauth_cert_no_logon_name() so it is not a no-logon-name test. This patch removes the name and adds the now missing mocked reply manually.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* RESPONDER_COMMON: update certmaps in responders | Sumit Bose | 2017-06-01 | 2 | -0/+26
    Make certificate mapping data available to the responders.

    Related to https://pagure.io/SSSD/sssd/issue/3395
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* KRB5: Fix access_provider=krb5 | Jakub Hrozek | 2017-06-01 | 1 | -2/+2
    The domain type (posix or not) was being sent to the krb5_child always, but the buffer only had enough space in case of authentication, not authorization. Bug was introduced in the commit 861ab44e8148208425b67c4711bc8fade10fd3ed

    This patch makes the buffer one uint32_t unit larger.

    To reproduce, just set up sssd.conf with:
        access_provider = krb5

    Without the patch, you would see messages like:
    ==14111== Invalid write of size 2
    ==14111==    at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
    ==14111==    by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
    ==14111==    by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
    ==14111==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
    ==14111==    by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
    ==14111==    by 0x944D7F4: __talloc (talloc.c:739)
    ==14111==    by 0x944D7F4: _talloc_named_const (talloc.c:896)
    ==14111==    by 0x944D7F4: talloc_named_const (talloc.c:1675)
    ==14111==    by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)

    Resolves: https://pagure.io/SSSD/sssd/issue/3418
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* test_config_check: Fix few issues | Lukas Slebodnik | 2017-06-01 | 1 | -4/+10
    * enable few tests
    * malformed configuration file due to missing closing ']'
    * fix few expected failures
    * add few sections into whitelist test
    * crash in test if count of expected failures is different than real value

    [ RUN ] config_check_test_bad_subdom_option_name
    [rule/allowed_domain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
    [rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
    [ ERROR ] --- Test failed with exception: Segmentation fault(11)

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* VALIDATOR: prevent duplicite report from subdomain sections | Lukas Slebodnik | 2017-06-01 | 1 | -1/+1
    Issues in subdomain sections e.g. "[domain/A.test/B.A.test]" were reported twice.

    [rule/allowed_domain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
    [rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* VALIDATORS: Detect inherit_from in normal domain | Michal Židek | 2017-05-31 | 3 | -1/+77
    This patch adds new sssd specific validator. In the future we can add more checks in it, but currently it only checks if the option inherit_from is used on normal domain and reports error if it is.

    Resolves: https://pagure.io/SSSD/sssd/issue/3356
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* VALIDATORS: Change regex for app domains | Michal Židek | 2017-05-31 | 1 | -1/+2
    Use the same restrictions for application domains that we use for normal domain.

    Resolves: https://pagure.io/SSSD/sssd/issue/3356
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Fix typo in trusted domain section | Michal Židek | 2017-05-31 | 1 | -1/+1
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add unit tests for cfg validation | Michal Židek | 2017-05-31 | 2 | -0/+284
    Add infrastructure for unit tests for validators.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* VALIDATORS: Escape special regex chars | Michal Židek | 2017-05-31 | 1 | -1/+1
    The rule allowed_domain_options did not work because of bad regex.

    Resolves: https://pagure.io/SSSD/sssd/issue/3356
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* VALIDATORS: Remove application section domain | Michal Židek | 2017-05-31 | 1 | -4/+1
    Application domains can use the same options as normal domains section with one more additional option.

    We could either duplicate all options from the domain section also in the application domain section + add the one additional option or add this one option to the domain section even though it is not meant to be used there to avoid duplication of all domain options in the rule for application section.

    It would be good to enhance the validators in libini to allow something like 'include' section in order to avoid this issue in the future.

    Resolves: https://pagure.io/SSSD/sssd/issue/3356
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* VALIDATORS: Add subdomain section | Michal Židek | 2017-05-31 | 1 | -1/+16
    Add separate rule for subdomain sections.

    Resolves: https://pagure.io/SSSD/sssd/issue/3356
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Improve error messages for optional dependencies | Lukas Slebodnik | 2017-05-31 | 4 | -5/+14
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SECRETS: Fix warning Wpointer-bool-conversion | Lukas Slebodnik | 2017-05-31 | 1 | -2/+2
    Debug messages would always say that verify_peer and verify_host are enabled. Even though they would be explicitly disabled.

    src/responder/secrets/proxy.c:143:18: error: address of 'cfg->verify_peer' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
        (&cfg->verify_peer ? "true" : "false"));
          ~~~~~^~~~~~~~~~~ ~
    src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
        format, ##__VA_ARGS__); \
                  ^~~~~~~~~~~
    src/responder/secrets/proxy.c:149:18: error: address of 'cfg->verify_host' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
        (&cfg->verify_host ? "true" : "false"));
          ~~~~~^~~~~~~~~~~ ~
    src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
        format, ##__VA_ARGS__); \
                  ^~~~~~~~~~~

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap: handle certmap errors gracefully | Sumit Bose | 2017-05-31 | 1 | -0/+21
    Currently the LDAP user lookup request errors out if e.g. there is no matching rule for a certificate. This might cause the related domain to go offline.

    With this patch the request returns that no user was found for the given certificate but overall result is that the request finishes successfully.

    Resolves: https://pagure.io/SSSD/sssd/issue/3405
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Resolve group names from GIDs if required | Jakub Hrozek | 2017-05-31 | 1 | -26/+89
    The AD provider only converts SIDs to GIDs during initgroups to improve performance. But this is not sufficient for the org.freedesktop.sssd.infopipe.GetUserGroups method, which needs to return names.

    We need to resolve the GIDs to names ourselves in that method.

    Resolves: https://pagure.io/SSSD/sssd/issue/3392
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Only format the output name to the short version before output | Jakub Hrozek | 2017-05-31 | 1 | -46/+18
    The ifp_user_get_attr_done() request handler was reused for both GetUserGroups and GetUserAttrs requests. Yet, it performed output formatting of name and nameAlias.

    This is bad, because the output formatting should really be done only during output. Also, it broke any post-processing of the returned message which the request might do later.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESP: Provide a reusable request to fully resolve incomplete groups | Jakub Hrozek | 2017-05-31 | 2 | -0/+220
    After initgroups, the group objects might not be complete, but just stubs that contain the SID and the GID. If the caller needs to know the group names as well, this request allows them to iterate over the list of the groups and resolve them one-by-one.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Fix pep8 errors in test_ts_cache.py | Jakub Hrozek | 2017-05-29 | 1 | -2/+4
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TESTS: Fix pep8 errors in test_secrets.py | Jakub Hrozek | 2017-05-29 | 1 | -1/+0
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TESTS: Fix pep8 errors in test_kcm.py | Jakub Hrozek | 2017-05-29 | 1 | -3/+6
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* test_kcm: Remove commented code | Jakub Hrozek | 2017-05-29 | 1 | -6/+0
    The bug is now tracked with: https://pagure.io/SSSD/sssd/issue/3413

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SSSDConfig: Fix saving of debug_level | Lukas Slebodnik | 2017-05-29 | 3 | -0/+52
    SSSDConfig internally handles debug_level as an integer. But in case of bitmask version of debug_level (>=16) it stored value as a decimal which is confusing, e.g.
        debug_level = 8176
    vs.
        debug_level = 0x1ff0

    Resolves: https://pagure.io/SSSD/sssd/issue/3410
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSSDConfig: Handle integer parsing more leniently | Lukas Slebodnik | 2017-05-29 | 3 | -5/+18
    debug_level is usually defined as decimal value <= 10 or as a hexadecimal value which is used as a bitmask

    Parsing of hexadecimal value was partially fixed by commit 7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for sssd domains. It was not fixed for sssd services.

    File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
      pam = self.sssdConfig.get_service('pam')
    File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
      service.set_option(opt['name'], opt['value'])
    File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
      (option_schema[0], optionname, type(value)))
    TypeError: Expected <class 'int'> for debug_level, received <class 'str'>

    Resolves: https://pagure.io/SSSD/sssd/issue/3410
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CONFIG: Add subdomain_homedir to config locations | Justin Stephenson | 2017-05-26 | 4 | -0/+5
    Option subdomain_homedir was missing from Python config API and cfg_rules leading to config file validation failures. Add this option into the necessary locations similar to other provider-generic domain options.

    Resolves: https://pagure.io/SSSD/sssd/issue/3389
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* HBAC: Do not rely on originalMemberOf, use the sysdb memberof links instead | Jakub Hrozek | 2017-05-26 | 1 | -30/+67
    The IPA HBAC code used to read the group members from the originalMemberOf attribute value for performance reasons. However, especially on IPA clients trusting an AD domain, the originalMemberOf attribute value is often not synchronized correctly.

    Instead of going through the work of maintaining both member/memberOf and originalMemberOf, let's just do an ASQ search for the group names of the groups the user is a member of in the cache and read their SYSBD_NAME attribute.

    To avoid clashing between similarly-named groups in IPA and in AD, we look at the container of the group.

    Resolves: https://pagure.io/SSSD/sssd/issue/3382
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* BUILD: Fix build without ssh | Lukas Slebodnik | 2017-05-25 | 3 | -1/+9
    cache_req_host_by_name_lookup should be used only by ssh responder. But we cannot rely on this fact and therefore we should return ERR_INTERNAL instead of EOK to catch mis-usage of the cache_req plugin

    autoreconf -if
    ./configure --without-ssh
    make check

    CCLD sssd_nss
    src/responder/common/cache_req/plugins/cache_req_host_by_name.o: In function `cache_req_host_by_name_lookup':
    src/responder/common/cache_req/plugins/cache_req_host_by_name.c:48: undefined reference to `sysdb_get_ssh_host'
    collect2: error: ld returned 1 exit status
    make: *** [Makefile:14285: sssd_nss] Error 1

    src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key':
    src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95: more undefined references to `sss_ssh_format_pubkey' follow
    collect2: error: ld returned 1 exit status

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IPA: Return from function after marking a request as finished | Jakub Hrozek | 2017-05-25 | 1 | -0/+1
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IPA: Avoid using uninitialized ret value when skipping entries from the joined domain | Jakub Hrozek | 2017-05-25 | 1 | -0/+1
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* krb5: accept changed principal if krb5_canonicalize=True | Sumit Bose | 2017-05-25 | 1 | -0/+3
    Currently SSSD accepts significant changes in the principal only if krb5_use_enterprise_principal=True. But canonicalization can lead to similar changes so they should be accepted in this case as well.

    Resolves: https://pagure.io/SSSD/sssd/issue/3408
    Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* TESTS: Add a test for parallel execution of klist | Jakub Hrozek | 2017-05-24 | 2 | -1/+27
    Integration test for: https://pagure.io/SSSD/sssd/issue/3372

    With https://pagure.io/SSSD/sssd/issue/3372 still broken, the unit test would fail because one of the concurrent klist commands would trigger a race condition in the KCM queue code, crashing the KCM responder.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KCM: Fix the per-client serialization queue | Jakub Hrozek | 2017-05-24 | 1 | -60/+122
    Resolves: https://pagure.io/SSSD/sssd/issue/3372

    Fixes a race condition between one client request adding an operation to the hash table value, which was previously a linked list of operations, while another concurrent operation would remove the last remaining linked list element through its callback.

    Instead, the hash table value is now a separate 'queue head' structure which is only changed in a tevent request to make sure it is not processed concurrently with adding to the queue (which is also a tevent request).

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* BUILD: Link libwbclient with libdl | Lukas Slebodnik | 2017-05-24 | 1 | -0/+1
    dlopen-tests cannot catch it because it has to be linked with libdl

    sh$ grep dlopen src/sss_client/libwbclient/
    src/sss_client/libwbclient/wbc_pwd_sssd.c: ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);

    sh$ nm --dynamic --undefined-only .libs/libwbclient.so | grep dlopen
    U dlopen

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* ipa: filter IPA users from extdom lookups by certificate | Sumit Bose | 2017-05-24 | 1 | -5/+30
    The extdom lookup by certificate will return the names of all matching users, both from the IPA and trusted domains. The IPA users from the list should not be looked up via the extdom plugin because they are already looked up directly. Additionally the lookup might fail and cause an error which might prevent that the remaining users from the list are looked up.

    Resolves https://pagure.io/SSSD/sssd/issue/3407
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* INTG: Do not use configure time option enable-files-domain | Lukas Slebodnik | 2017-05-23 | 2 | -1/+2
    The implicit_files was started with each test even though was not required.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Drop unused error code ERR_MISSING_CONF | Lukas Slebodnik | 2017-05-23 | 3 | -8/+0
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Use default configuration with missing sssd.conf | Lukas Slebodnik | 2017-05-23 | 2 | -6/+4
    Resolves: https://pagure.io/SSSD/sssd/issue/3339
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>