| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The description of ipa_hostname config option doesn't mention it must be
fully-qualified, although when using a non-fully qualified name IPA
server may behave weirdly. Thus, let's add this info the the man page.
Related: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It is read only from "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
s/dictonary/dictionary/g
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The python module pysss_nss_idmap contains few module constants
which should be used (based on python documentation) for checking
type of results.
e.g.
getsidbyid(...)
getsidbyid(id or list/tuple of id) -> dict(id => dict(results))
Returns a dictionary with a dictionary of results for each given
POSIX ID. The result dictionary contains the SID and the type of the
object which can be accessed with the key constants SID_KEY and
TYPE_KEY, respectively.
However, type of module constant and type of returned key had different type
with python3 due to different handling of strings. This patch unifies it
to string. The same as it is in python2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3491
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 9375eae59550437c85ada9212be430a4242b25a4.
Patch introduced difference between python2 and python3.
constant should be strings in both versions.
sh$ python2
Python 2.7.13 (default, Aug 16 2017, 12:56:26)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> type(pysss_nss_idmap.SID_KEY)
<type 'str'>
sh$ python3
Python 3.6.2 (default, Sep 1 2017, 12:03:48)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> type(pysss_nss_idmap.SID_KEY)
<class 'bytes'>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Weak dependencies are intentionally disabled. If we need them
then they should be explicitly specified because they are not weak.
Resolves:
https://pagure.io/SSSD/sssd/issue/2809
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
| |
Directory is part of make list SSSD_USER_DIRS and therefore
should have such owner&mode also in spec file
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overriden.
Please see the ticket for a detailed info on how to reproduce the bug.
Resolves:
https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Provide information for administrators and users to utilize
SSSD systemtap infrastructure.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run this script using stap as root and Ctrl-C to print the summary
report
stap -v /usr/share/sssd/systemtap/dp_request.stp
This script will use the data provider request probe markers to provide
elapsed time of each request and more information about the slowest
request in the summary report.
Resolves:
https://pagure.io/SSSD/sssd/issue/3061
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the ability to analyze performance and monitor Data Provider
requests at a high-level, probes fire when a request is sent and when
a request is completed.
Request name, domain, target, method, and return code information
is passed as target variables to the systemtap probe tapsets which
can be used in systemtap scripts.
Resolves:
https://pagure.io/SSSD/sssd/issue/3061
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_master_domain_update() can only set the view name properly if it was not
set before but it might be called multiple times before the view name is
available if the cache is empty. Since ipa_apply_view() keeps track if
the view name was already set at startup or not the name can safely be
cleaned here before sysdb_master_domain_update() is called.
Resolves:
https://pagure.io/SSSD/sssd/issue/3501
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We always check negcache after getting data from backend since commit
4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name
in begging of requests "* by ID".
We were not interested in name in request sid by id before. However, function
cache_req_search_ncache_filter always expect name otherwise it returns
ERR_INTERNAL.
[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin
[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID'
[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search
[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid
[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com]
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513]
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache
[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario!
[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error
[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
Resolves:
https://pagure.io/SSSD/sssd/issue/3485
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older version of gcc(e.g. gcc-4.8.5-11.el7) had a false positive warning
with c99 struct initialisation "{ 0 }".
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64709
CC src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo
src/lib/certmap/sss_cert_content_nss.c:
In function 'add_pkinit_princ_to_san_list':
src/lib/certmap/sss_cert_content_nss.c:475:12:
error: missing braces around initializer [-Werror=missing-braces]
struct kerberos_principal_name kname = { 0 };
^
src/lib/certmap/sss_cert_content_nss.c:475:12:
error: (near initialization for 'kname.realm') [-Werror=missing-braces]
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The libselinux function getseuserbyname is more reliable method to retrieve
SELinux usernames then functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
per-client section
Resolves:
https://pagure.io/SSSD/sssd/issue/3417
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The OpenSSL 1.1 API is used but there is a short macro block which
should added the needed compatibility if and older OpenSSL version is
used.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
PR generated to include explaination for ipa ad trust sssd configuration
where ad has a child domain. Explanation is added to 'TRUSTED DOMAIN
SECTION'. Also an example is included to better understanding.
Resolves: https://pagure.io/SSSD/sssd/issue/3399
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three new methods have been added to sysdb's API in order to perform
search by the orig dn (which is quite common in SSSD's code base).
A common/base method called sysdb_search_by_orig_dn() is the most
important one and then a few other helpers for searching users and
groups groups directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases, IPA masters end up having a broken SSSD configuration
that also includes the SRV records. This can cause the kdcinfo files to
point to a different master which uses a different PKINIT certificate
which is only valid for that IPA master. This can result e.g. in webui
not working.
This patch prevents the kdcinfo files from being generated on the IPA
masters, but keep generating them on the clients.
Not generating kdcinfo files on masters has no negative performance
impact, because libkrb5 is configured via krb5.conf to point to self
anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3473
We're being quite strict in test_idle_timeout when checking for the
number of open fds which leads to spurious failures like:
=================================== FAILURES ===================================
______________________________ test_idle_timeout _______________________________
Traceback (most recent call last):
File "/var/lib/jenkins/workspace/ci/label/fedora23/src/tests/intg/test_secrets.py", line 427, in test_idle_timeout
assert nfds_pre + 1 == nfds_conn
AssertionError: assert (27 + 1) == 27
==================== 1 failed, 221 passed in 473.37 seconds ====================
This is just a check that "a" connection was opened, so we don't have to
check for exact match, but just for larger-or-equal.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a special value for all the quota-like settings that means 'no
limit'.
Because the responder also had a global limit on the size of the
accepted body (64kiB), this patch also removes the hardcoded limit and
instead keep track of the biggest quota value on startup.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3363
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
regular non-ccache secrets
Test that even when we store the maximum number of secrets, we can still
store kerberos credentials, but only until we reach the max_secrets
limit as well.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This would differentiate between out-of-capacity errors for secrets and
for KCM as they are two independent trees as far as sssd-secrets is
concerned.
The quotas for /kcm are also different in their defaults. For the /secrets
hive, we presume a large amount of small secrets. For the /kcm hive, we
presume a small amount of large secrets, because the secret is a ccache
which contains multiple credentials.
The operations are also passed in a struct quota from the local request
context instead of local_context. The quota is assigned to the request
context when the hive is selected.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This will make it possible to reuse the basedn name later for the "hive"
base DN in order to differentiate quotas for different hives.
There is no functional change in this patch.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subsection
This patch makes obsoletes the old way of configuring quotas for the
secrets responder. Instead, adds a new way of configuring each hive
separately in a configuration subsection, e.g.
[secrets/secrets]
max_secrets = 123
The old way is still supported as a backwards-compatible method.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Adds two new structures to hold the quotas and associate a quota with a hive.
This is just an internal change for now, but will allow us to read quota
configuration from per-hive sections later.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we started using libcurl for the proxy provider, there is no point
in initializing or linking against c-ares.
If we want to explicitly use a resolver in the future, we should use
libcurl callbacks.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1
to fix ticket #3394, the PAM_CRED_ERR error would try to start migration
for any account. Further down the request, a sysdb search would try to find
the user in the joined domain only because the migration code presumes the
user is in the IPA domain which would error out and return System Error
to the PAM client.
This patch changes the migration somewhat to only attempt the migration
for IPA users.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedoraproject.org/wiki/Packaging:UnownedDirectories
sh$ rpm -qf /usr/lib64/sssd/conf/ /usr/lib64/sssd/conf/sssd.conf
file /usr/lib64/sssd/conf is not owned by any package
sssd-common-1.15.3-2.fc27.x86_64
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There are format warnings when compiling on 32bit. One is about time_t
where %ld should be used and the other is about size_t where %zu should
be used.
Related to https://pagure.io/SSSD/sssd/issue/2995
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using python3 getsidbyname() and getnamebysid() expect the key as
bytes instead of strings, and currently those are defined as strings.
So, in order to avoid people working around this by doing
`pysss_nss_idmap.SID_KEY.encode('utf-8')` let's make their life easier
and properly have those constants defined as bytes.
Resolves: https://pagure.io/SSSD/sssd/issue/3491
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sdap_id_conn_data_set_expire_timer() failed
Marking the whole backend as offline because
sdap_id_conn_data_set_expire_timer() failed doesn't look any right and
from now on let's avoiding doing so.
Related: https://pagure.io/SSSD/sssd/issue/2976
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This new debug message may help us when debugging the cases where a
backend was marked offline but it shouldn't be.
Related: https://pagure.io/SSSD/sssd/issue/2976
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If the domain_type parameter contained an invalid value, the error
branch wouldn't have set the 'ret' parameter to an error condition,
which might crash sssd.
The same problem occured with CONFDB_DOMAIN_CASE_SENSITIVE
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
invalid value is set
The code as it was seemed wrong as when an invalid value as set we
neither error out nor set a default valid value there.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS
to indicate that no mapping can be determined and other an2ln methods
can be tried. Currently SSSD's localauth plugin returns
KRB5_PLUGIN_NO_HANDLE which sould only be used for the userok plugin
function.
Resolves https://pagure.io/SSSD/sssd/issue/3459
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|