| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Setting ret as EOK in case everything goes well.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Add basic tests for all base combinations of session recording
configuration options.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add exporting of original user shell (as returned by NSS) as an
environment variable for use by tlog-rec-session, when session recording
is enabled for the user. This lets tlog-rec-session start the actual
user shell, after tlog-rec-session is started in its place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After entires are retrieved by cache_req for user info requests (except
initgr), overlay them with sessionRecording attribute retrieved from an
initgr request made additionally for each entry.
Do not do additional initgr requests with selective session recording
enabled, if we don't have any group names to match against in session
recording configuration. Only do user name matches instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add sessionRecording attribute to user entries on initgr request in data
provider, specifying if the user name or groups match the ones with
session recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Call sysdb_master_domain_update for backend domain upon initialization
to make view information available for later use by session recording
code, which will need to access overridden user and group names.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add loading and storing the override_space configuration option to data
provider. That will be needed for formatting output user and group names
for matching against session recording configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add a macro for sessionRecording attribute to sysdb.h.
To be used for storing a boolean attribute signifying if session
recording is enabled for the user.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add session recording configuration loading to the data provider
initialization. To be used for matching users and groups with session
recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Add an util module for loading session recording configuration.
To be used by responders and data provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Add support for specifying the shell used for recording user sessions,
at configure time.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".
The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move nss_get_shell_override to common responder utils and rename it to
sss_resp_get_shell_override to make it available to other responders. In
particular let PAM responder use it to provide original shell when it is
overriden for session recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move all the shell-related options from the NSS responder context to the
common responder context, so they can be used by other responders for
retrieving original user shell, when it is overrided for session
recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The num_results field in struct cache_req_state was only set in case of
well-known objects, set it also for the regular results for uniformity,
and for later use by session recording code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: N/A
|
| |
|
|
| |
Reviewed-by: N/A
|
| |
|
|
|
|
|
|
|
|
|
| |
This prevents error messages like:
[!] Locale mappings are now handled using locale aliases on the server, so locale mappings in the project config file (zanata.xml) are now deprecated.
Please add a locale alias in the project language settings to replace each locale mapping in zanata.xml, then remove the <locales> section from zanata.xml
See also:
http://docs.zanata.org/en/release/client/configuration/
Reviewed-by: N/A
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The file kcm_default_ccache must enable KCM ccache by default
without any modification of the file.
/etc/krb5.conf.d/ is fedora/el7 specific and it is not allowed to
enable or start systemd services in scriptlets. It would result in
broken krb5 configuration. Therefore krb5 configuration snippet was
moved from /etc/krb5.conf.d/ -> /usr/share/sssd-kcm. And each downstream
distribution should enable systemd services + change krb5 configuration
in it's own way.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
expired TGT
Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and
the ticket is totally expired, this can send the SSSD into offline mode.
Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
anymore.
The effect on the deamon is that just the single renewal fails, but
the failover code is not called and therefore sssd doesn't switch into
offline mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3406
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calling setup and teardown on every encryption cases issues like the one
described in https://bugzilla.redhat.com/show_bug.cgi?id=1456151
eventually.
Similarly to other crypto functions, don't tear down NSS by calling
NSS_Shutdown. Let the OS reclaim the resources.
Resolves:
https://pagure.io/SSSD/sssd/issue/3424
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Temporary workaround:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/1960
Related to https://pagure.io/SSSD/sssd/issue/1938
Related to https://pagure.io/SSSD/sssd/issue/1844
Related to https://pagure.io/SSSD/sssd/issue/1593
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This reverts commit 925a14d50edf0e3b800ce659b10b771ae1cde293.
It broke a test for enumerate nested groups if they are part
of non POSIX groups https://pagure.io/SSSD/sssd/issue/2406
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
To ensure the client timeout is not too low and clients do not reconnect
too often, the client_idle_timeout is forced to be 10 seconds minimum.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The secrets responder test was chosen even though the bug was in the generic
responder code b/c it runs a single responder process, so it's trivial to
read the PID of the responder under test.
Changes subprocess.call() for os.execv() so that the setup function can
return the secret responder PID right away.
The client timeout in the test has to be at least 10 seconds because
internally, the responders don't allow a shorter timeout.
Regression test for https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client_idle_handler() function tried to schedule another tevent
timer to check for idle client connections in case the current
connection was still valid, but in doing so, it also stored the current
time into the last_request_time field of the client context.
This kept the connection always alive, because the last_request_time
could then never be older than the timeout.
This patch changes the setup_client_idle_timer() function to only do
what the synopsis says and set the idle timer. The caller (usually the
function that accepts the connection) is supposed to store the request
time itself.
Resolves:
https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
| |
Since the README.md is more or less what the wiki front page used to be,
it makes sense, especially for Github users, to point to our releases
from README.md
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Since we keep a code mirror on github but disable notifications there,
it might be nice to hint to users where they can actually file a ticket.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User and group override have been failing when using it with files provider.
This test helps us to avoid such regression in the future.
As mentioned in the comment added to the test's code, there's an issue
in nss_wrapper [0] and nss_wrapper always looks into the files first
before using the NSS module, causing a test failure in case the
fully-qualified name is not used when looking up for the original (not
overriden) user and group.
Related:
https://pagure.io/SSSD/sssd/issue/3391
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
Changes done for section ipa_server_mode since description of section was bit vague. Text is re-phrased for better understanding.
Resolves: https://pagure.io/SSSD/sssd/issue/3404
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
process be killed
Text added in timeout section of sssd.conf man page describing number of heartbeat missed before process self kills itself.
Resolves: https://pagure.io/SSSD/sssd/issue/3398
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Only the 'local' provider will use the 'local' auth provider, for all
other id providers the configured auth provider in the backend should
be checked.
Resolves https://pagure.io/SSSD/sssd/issue/3447
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
During the domain update the views related objects are read form the
cache and added to the domain object accordingly. This is needed to make
sure that both providers properly work with local overrides.
Resolves to https://pagure.io/SSSD/sssd/issue/3391
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the files provider refreshes the cached user and group data by
deleting all objects and adding them again. This might not be the most
efficient way performance wise but helps to avoid additional code for
updates.
To handle overrides efficiently the override data is stored in a
separate sub-tree and attributes with the DNs link the original and the
override object together. During the removal of the users and groups
this attribute pointing to the override is removed from the original
attribute as well. To make sure overrides are still applied after a
refresh the attribute is added back after the original objects are read
from the source files.
Resolves https://pagure.io/SSSD/sssd/issue/3391
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add function to copy search bases from one sdap_domain to
another.
Resolves:
https://pagure.io/SSSD/sssd/issue/3435
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Add code to the existing zero nesting level test, check group list and
ensure nested groups are intentionally skipped and filtered out.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Correct an issue with nesting level comparison of option
ldap_group_nesting_level to ensure that setting nesting level 0
will avoid parent group of group searches.
Resolves:
https://pagure.io/SSSD/sssd/issue/3425
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This is a short term fix to un-break the unit tests. The proper fix
would be to create the certificates at runtime during the tests.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update parent sdap_list with newly created subdomain sdap domain.
Preiously, we inherited the parent sdap_list and used it also in the
subdomain's context (this was introduced recently with commit
c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems
that were difficult to debug (we somewhere rewrite part of the list
incorrectly).
This patch reverses to the previous bahavior, where every subdomain
has it's own sdap_list, however this time the parrent domain's
sdap_list is updated so that it has correct information about
search bases of the child domains.
We should ideally have just one sdap_list to avoid the updating
completely, but this would require more refactoring in the sdap
code.
Resolves:
https://pagure.io/SSSD/sssd/issue/3421
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
