Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Let's avoid setting a domain's property directly from cr_domain code.
In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.
For completeness, a getter has also been introduced and used in the
usertools code.
Related:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect as return a fully qualified name for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This reverts commit 35f29b17699c3d52f77857c530300318b14148f8.
Workaround is not required anymore.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
There was a bug in valgrind < 3.13 which overrode some log files
and therefore errors were missing for shell wrappers generated
by libtool for dummy-child.
https://bugs.kde.org/show_bug.cgi?id=162848
We could add more suppressions for errors/leaks in bash to our suppression
file but dummy-child is built just for test purposes. Another possible solution
would be to avoid linking dummy-child with internal libraries, so libtool
would not generate a shell wrapper for dummy-child.
But the simplest thing is to ignore all errors for dummy-child.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Use the appropriate methods for searching users and groups by timestamp.
Resolves:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
These new two sysdb methods are going to be used, at least for now,
uniquely and exclusively in the cleanup task.
The reason for adding those is that during the cleanup task a timestamp
search is done in the persistent cache, which doesn't have the updated
timestamps, returning then a wrong result that ends up in having all the
users being removed from the cache.
The persistent cache doesn't have its entries' timestamps updated
because those are kept updated in the timestamp cache, therefore these
new two methods end up doing:
- if the timestamp cache is present:
- search for the entries solely in the timestamp cache;
- get the needed attributes from these entries from the persistent
cache;
- otherwise:
- search for the entries in the persistent cache;
- merge its results with timestamp cache's results;
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Similarly to what has been done in the previous commit (expiring an entry
also in the timestamp cache), we should do the same when invalidating an
entry.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
As the cleanup task will start using new methods for searching the users
and groups which have to be cleaned up, SSSD starts relying more on a
more consistent state of the timestamp cache on pretty much everything
related to the cleanup task.
One of the things that would cause SSSD some problems is not having the
ghost user expired in the persistent cache but not in the timestamp
cache.
With this patch, the entry is also expired in the timestamp cache when
it's present.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
In order to make this function re-usable in different parts of our code,
let's start passing an already built filter to it instead of having the
specific code building the name filter there.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This function will be used in the follow-up patches. As it's going to be
"exposed", let's also rename it from search_ts_matches() to
sysdb_search_ts_matches().
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This change affects sysdb_search_ts_{users,groups} functions and is
mainly needed in order to avoid breaking our current tests due to the
changes planned for fixing https://pagure.io/SSSD/sssd/issue/3369.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Similarly to https://pagure.io/SSSD/sssd/issue/3426, enterprise
principals should be avoided while requesting a kadmin/changepw@REALM
principal for a password change.
Resolves https://pagure.io/SSSD/sssd/issue/3419
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves: https://pagure.io/SSSD/sssd/issue/3431
Reviewed-by: Sumit Bose <sbose@redhat.com>
This bug was introduced in 37d2194cc9ea4d0254c88a3419e2376572562bab
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Found by coverity.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
org.freedesktop.sssd.infopipe.Users.User gets two new attributes:
- domain: object path of user's domain
- domainname: user's domain name
org.freedesktop.sssd.infopipe.GetUserAttr can now request a new attribute:
- domainname: user's domain name
Resolves:
https://pagure.io/SSSD/sssd/issue/2714
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3428
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add verbose option to sssctl domain-list. When this option is provided,
SSSD will print the domain type (primary or trusted domain) retrieved
from the infopipe API, in addition to the domain name.
Resolves:
https://pagure.io/SSSD/sssd/issue/3065
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Patch also replaces util.h in places where it was not needed directly
and directly includes the required header files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
They are mostly required for macros MAX/MIN which were not used
in these modules.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
limits.h is not used directly by util/util.h. The header file limits.h
must be included in 17 files and after removing it from util.h it had to be
added only to 4 missing files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
ctype.h is not used directly by util/util.h. The header file ctype.h
must be included in 32 files and after removing it from util.h it had to be
added only to 8 missing files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
fcntl.h is not used directly by util/util.h. The header file fcntl.h
must be included in 49 files and after removing it from util.h it had to be
added only to 7 missing files which were directly using either syscall fcntl
or syscall open.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
signal.h is not used directly by util/util.h. The header file signal.h
must be included in 19 files and after removing it from util.h it had to be
added only to 12 missing files. And util/util.h is included in 381 files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
signal.h is not used directly by util/util.h. The header file signal.h
must be included in 8 files and after removing it from util.h it had to be
added only to 5 missing files. But util/util.h is included in 377 files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
They are not required for any prototype in util/util.h
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Currently using enterprise principals during password changes does not
work reliably.
First there is a special behavior if canonicalization, which in general
should be used together with enterprise principals, is enabled with AD,
see https://pagure.io/SSSD/sssd/issue/1405 and
https://pagure.io/SSSD/sssd/issue/1615 for details. As a result of this
SSSD currently disables canonicalization during password changes.
Additionally it looks like MIT Kerberos does not handle canonicalized
principals well, even if canonicalization is enabled, if not the default
krbtgt/REALM@REALM but kadmin/changepw@REALM is requested. Since it is
currently not clear what is the expected behavior here it makes sense to
completely disable enterprise principals during password changes for the
time being.
Resolves https://pagure.io/SSSD/sssd/issue/3426
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The added test is quite simple and basically ensures that when some
shortcut is taken in the cache_req_send() SSSD still filters out the
already cached users/groups.
The real situation the test tries to test is:
- getent passwd 1002
- sleep(2)
- getent passwd 1002
- getent group 2002
- sleep(2)
- getent group 2002
(Considering entry_negative_timeout = 1 in [nss] section of sssd.conf).
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req_send() may take some shortcuts in case the object is found in
the cache and it's still valid.
This behaviour may lead to exposing filtered users and groups when
they're searched by their uid/gid.
A solution for this issue was proposed on 4ef0b19a but, unfortunately,
didn't take into consideration that this shortcut could be taken.
There are basically two really easy ways to test this issue:
1) Using enumeration:
- Set "enumerate = True" in the domain section
- restart SSSD cleaning up the cache;
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the entry_negative_timeout is expired
- getent passwd <same uid used above>
2) Not using enumeration:
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the entry_negative_timeout is expired
- getent passwd <same uid used above>
A test covering this code path will be added in the follow-up commit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Let's make the result an input/output argument for
_search_ncache_filter() and free it inside the function whenever it's
needed instead of leaving this responsibility for the caller.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
src/sss_client/pam_sss.c: In function ‘eval_response’:
src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^~
src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^
src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
&& pi->cert_user != '\0') {
^~
src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
&& pi->cert_user != '\0') {
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Add test case with wrong subdomain section format, where too many
domains are used to identify the trusted domain instead of just the
connected domain and the one trusted domain that is being configured.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Recent patches which add support for PKINIT in krb5_child changed a
return code which is used to indicate to the IPA provider that password
migration should be tried.
With this patch krb5_child properly returns PAM_CRED_ERR as expected by
the IPA provider in this case.
Resolves:
https://pagure.io/SSSD/sssd/issue/3394
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Since there are cases where the user name is not entered directly but
determined by other means the user-checks should show the name of the
user used for authentication.
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Since sysdb_get_certmap() returns the user name hint information as well
it should return a result even if there are no certmaps.
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
If the PAM client didn't send a user name and promtusername is enabled
the PAM responder will tell pam_sss to ask for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The new response type SSS_PAM_CERT_INFO_WITH_HINT is equivalent to
SSS_PAM_CERT_INFO but tells pam_sss to prompt for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Currently a name is provided for test_pam_preauth_cert_no_logon_name()
so it is not a no-logon-name test. This patch removes the name and adds
the now missing mocked reply manually.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Make certificate mapping data available to the responders.
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The domain type (posix or not) was being sent to the krb5_child always,
but the buffer only had enough space in case of authentication, not
authorization. Bug was introduced in the commit
861ab44e8148208425b67c4711bc8fade10fd3ed
This patch makes the buffer one uint32_t unit larger.
To reproduce, just set up sssd.conf with:
access_provider = krb5
Without the patch, you would see messages like:
==14111== Invalid write of size 2
==14111== at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==14111== by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
==14111== by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
==14111== by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111== by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111== by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111== by 0x418868: file_dp_request (dp_request.c:254)
==14111== by 0x418976: dp_req_send (dp_request.c:300)
==14111== by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111== by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111== by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111== by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
==14111== Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
==14111== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==14111== by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
==14111== by 0x944D7F4: __talloc (talloc.c:739)
==14111== by 0x944D7F4: _talloc_named_const (talloc.c:896)
==14111== by 0x944D7F4: talloc_named_const (talloc.c:1675)
==14111== by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
==14111== by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111== by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111== by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111== by 0x418868: file_dp_request (dp_request.c:254)
==14111== by 0x418976: dp_req_send (dp_request.c:300)
==14111== by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111== by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111== by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111== by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
Resolves:
https://pagure.io/SSSD/sssd/issue/3418
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* enable few tests
* malformed configuration file due to missing closing ']'
* fix few expected failures
* add few sections into whitelist test
* crash in test if count of expected failures is different than the real
value
[ RUN ] config_check_test_bad_subdom_option_name
[rule/allowed_domain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
[rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
[ ERROR ] --- Test failed with exception: Segmentation fault(11)
Reviewed-by: Michal Židek <mzidek@redhat.com>
Issues in subdomain sections, e.g. "[domain/A.test/B.A.test]", were
reported twice.
[rule/allowed_domain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
[rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not allowed in section 'domain/A.test/B.A.test'. Check for typos.
Reviewed-by: Michal Židek <mzidek@redhat.com>
This patch adds new sssd specific validator. In the future we
can add more checks in it, but currently it only checks if
the option inherit_from is used on normal domain and reports
error if it is.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Use the same restrictions for application domains that we use for
normal domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Add infrastructure for unit tests for validators.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>