The rule allowed_domain_options did not work because
of a bad regex.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Application domains can use the same options as the normal domains section
with one additional option.
We could either duplicate all options from the domain section also in
the application domain section and add the one additional option, or
add this one option to the domain section even though it is not meant
to be used there, to avoid duplicating all domain options in the
rule for the application section.
It would be good to enhance the validators in libini to allow
something like an 'include' section in order to avoid this issue
in the future.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Add separate rule for subdomain sections.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Debug messages would always say that verify_peer and verify_host
are enabled, even though they were explicitly disabled.
src/responder/secrets/proxy.c:143:18: error:
address of 'cfg->verify_peer' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_peer ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
src/responder/secrets/proxy.c:149:18: error:
address of 'cfg->verify_host' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_host ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Currently the LDAP user lookup request errors out if e.g. there is no
matching rule for a certificate. This might cause the related domain to
go offline.
With this patch the request returns that no user was found for the given
certificate, but the overall result is that the request finishes
successfully.
Resolves:
https://pagure.io/SSSD/sssd/issue/3405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The AD provider only converts SIDs to GIDs during initgroups
to improve performance. But this is not sufficient for the
org.freedesktop.sssd.infopipe.GetUserGroups method, which needs to return
names.
We need to resolve the GIDs to names ourselves in that method.
Resolves:
https://pagure.io/SSSD/sssd/issue/3392
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The ifp_user_get_attr_done() request handler was reused for both
GetUserGroups and GetUserAttrs requests. Yet, it performed output
formatting of name and nameAlias.
This is bad, because the output formatting should really be done only
during output. Also, it broke any post-processing of the returned
message which the request might do later.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
After initgroups, the group objects might not be complete, but just
stubs that contain the SID and the GID. If the caller needs to know the
group names as well, this request allows them to iterate over the list
of the groups and resolve them one-by-one.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The bug is now tracked with:
https://pagure.io/SSSD/sssd/issue/3413
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SSSDConfig internally handles debug_level as an integer.
But in the case of the bitmask version of debug_level (>=16)
it stored the value as a decimal, which is confusing,
e.g.
debug_level = 8176
vs.
debug_level = 0x1ff0
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
debug_level is usually defined as a decimal value <= 10
or as a hexadecimal value which is used as a bitmask.
Parsing of the hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa, but only for
sssd domains. It was not fixed for sssd services.
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Option subdomain_homedir was missing from the Python config API and
cfg_rules, leading to config file validation failures. Add this option
into the necessary locations, similar to other provider-generic domain
options.
Resolves:
https://pagure.io/SSSD/sssd/issue/3389
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.
Instead of going through the work of maintaining both member/memberOf
and originalMemberOf, let's just do an ASQ search for the group names of
the groups the user is a member of in the cache and read their
SYSDB_NAME attribute.
To avoid clashes between similarly-named groups in IPA and in AD, we
look at the container of the group.
Resolves:
https://pagure.io/SSSD/sssd/issue/3382
Reviewed-by: Sumit Bose <sbose@redhat.com>
cache_req_host_by_name_lookup should be used only by the ssh responder.
But we cannot rely on this fact and therefore we should return
ERR_INTERNAL instead of EOK to catch misuse of the cache_req
plugin.
autoreconf -if
./configure --without-ssh
make check
CCLD sssd_nss
src/responder/common/cache_req/plugins/cache_req_host_by_name.o:
In function `cache_req_host_by_name_lookup':
src/responder/common/cache_req/plugins/cache_req_host_by_name.c:48:
undefined reference to `sysdb_get_ssh_host'
collect2: error: ld returned 1 exit status
make: *** [Makefile:14285: sssd_nss] Error 1
src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key':
src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95:
more undefined references to `sss_ssh_format_pubkey' follow
collect2: error: ld returned 1 exit status
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
joined domain
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Currently SSSD accepts significant changes in the principal only if
krb5_use_enterprise_principal=True. But canonicalization can lead to
similar changes so they should be accepted in this case as well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3408
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Integration test for:
https://pagure.io/SSSD/sssd/issue/3372
With https://pagure.io/SSSD/sssd/issue/3372 still broken, the unit test
would fail because one of the concurrent klist commands would trigger a
race condition in the KCM queue code, crashing the KCM responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3372
Fixes a race condition between one client request adding an operation to
the hash table value, which was previously a linked list of operations,
while another concurrent operation would remove the last remaining
linked list element through its callback.
Instead, the hash table value is now a separate 'queue head' structure
which is only changed in a tevent request to make sure it is not
processed concurrently with adding to the queue (which is also a tevent
request).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
dlopen-tests cannot catch it because it has to be linked with libdl.
sh$ grep dlopen src/sss_client/libwbclient/
src/sss_client/libwbclient/wbc_pwd_sssd.c: ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
sh$ nm --dynamic --undefined-only .libs/libwbclient.so | grep dlopen
U dlopen
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The extdom lookup by certificate will return the names of all matching
users, both from the IPA and trusted domains. The IPA users from the
list should not be looked up via the extdom plugin because they are
already looked up directly. Additionally, the lookup might fail and cause
an error which might prevent the remaining users from the list from being
looked up.
Resolves https://pagure.io/SSSD/sssd/issue/3407
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The implicit_files was started with each test even though it was not
required.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start() and hence the UPN is not seen by
SSSD's pam responder. But some like e.g. gdm don't and authentication
might fail if a UPN is used.
The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.
Resolves https://pagure.io/SSSD/sssd/issue/3240
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
return a valid response
If the child returns a runtime error, it is often not clear from the
domain debug logs what to do next. This patch adds a DEBUG message that
tells the admin to look into the krb5_child.log.
Resolves:
https://pagure.io/SSSD/sssd/issue/2955
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.
There were a few issues, all of which are fixed in this small
patch.
The first problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domain lists that were disconnected
from the parent context and never used.
The second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused child domains to always use
automatically detected search bases and never the configured
ones, even though they were properly read into the ID options
context attached to the subdomain.
Also there has been an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which meant that
only the main domain and the last child domain had proper
search bases, the others only the auto-discovered ones
(because they were overwritten with the 'update').
Resolves:
https://pagure.io/SSSD/sssd/issue/3397
Reviewed-by: Sumit Bose <sbose@redhat.com>
Add debug messages when 1way or 2way trusts are created.
Reviewed-by: Sumit Bose <sbose@redhat.com>
As contacting the infopipe responder on a "filter" related call may lead
to the situation where the cr_domains' list is not populated yet (as the
domains and subdomains lists from the data provider are not processed
yet), let's explicitly call sss_dp_get_domains() for those cases and
avoid returning a wrong result to the caller.
This situation may happen only because the schedule_get_domains_task(),
that's called when the infopipe responder is initialized, may take some
time to run/finish.
While I'm not exactly sure whether it's the best solution to avoid the
"race", it seems to be sane enough to avoid the issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3387
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Commit 4ef0b19a introduced the following warning, as "req" may be used
without being initialized:
src/responder/common/cache_req/cache_req_search.c:
In function 'cache_req_search_done':
src/responder/common/cache_req/cache_req_search.c:467:9:
error: 'req' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
tevent_req_error(req, ret);
^
src/responder/common/cache_req/cache_req_search.c:424:24:
note: 'req' was declared here
struct tevent_req *req;
^
cc1: all warnings being treated as errors
In order to fix the issue above, let's just allocate tmp_ctx after "req"
is already set.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Co-Author: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Currently only the results from one domain were returned although all
domains were searched and the results were available. Unit tests are
updated to cover this case as well.
Resolves https://pagure.io/SSSD/sssd/issue/3393
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Related:
https://pagure.io/SSSD/sssd/issue/3362
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch makes use of cache_req_ncache_filter_fn() in order to process
the result of a cache_req search and then filter out all the results
that are present in the negative cache.
The "post cache_req search" result processing is done basically in two
different cases:
- plugins which don't use name as an input token (group_by_id, user_by_id
and object_by_id), but still can be affected by filter_{users,groups}
options;
- plugins responsible for groups and users enumeration (enum_groups and
enum_users);
Resolves:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Similarly to what cache_req_create_ldb_result_from_msg() does this new
function creates a new ldb_result from a list of ldb_message.
It's going to be used in the follow-up patch where some messages from
ldb_result may be filtered and then a new ldb_result has to be created.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This function will be responsible for filtering out all the results that
we have that are also present in the negative cache.
This is useful mainly for plugins which don't use name as an input token
but can still be affected by filter_{users,groups} options.
For now this new function is not being used anywhere.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move NSS nss_get_name_from_msg and the core of sized_output_name to the
utils to make them available to provider and other responders.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Certain operations are not supported with certain providers
causing informational Data Provider log messages to be logged as
errors or failures. This patch lowers the log level to reduce overall
log noise and ensure only critical log messages are logged when
a low debug_level value is used.
Resolves:
https://pagure.io/SSSD/sssd/issue/3287
https://pagure.io/SSSD/sssd/issue/3278
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Explicitly state that the AD provider uses Kerberos and GSSAPI for
encrypting traffic to avoid attempted custom configurations with SSL/TLS.
Resolves:
https://pagure.io/SSSD/sssd/issue/3377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
man 2 readv says that the header file "sys/uio.h" must be included
for the functions readv/writev.
Previously, "sys/uio.h" was included in "sys/socket.h" in glibc.
It worked just by chance. But it will be changed in glibc-2.26.
https://sourceware.org/bugzilla/show_bug.cgi?id=21426
src/responder/kcm/kcmsrv_cmd.c: In function 'kcm_iovec_op':
src/responder/kcm/kcmsrv_cmd.c:75:15: error: implicit declaration of function
'readv'; did you mean 'read'? [-Werror=implicit-function-declaration]
src/responder/kcm/kcmsrv_cmd.c:77:15: error: implicit declaration of function
'writev'; did you mean 'write'? [-Werror=implicit-function-declaration]
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
We use a separate AD context for each subdomain in the server mode.
Every such context has its own sdap_domain list which represents
sdap options such as filter and search bases for every domain.
However, an AD context can only fully initialize the sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures having automatically
detected settings. This can cause problems if a user is a member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Although the cache_req lookup found matches in multiple domains, only
the results from the first domain were used. With this patch the results
from all domains are checked.
Resolves https://pagure.io/SSSD/sssd/issue/3385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there's no nested groups involved.
In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3331
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Starting with rpm 4.11, it is possible to install the license using
a new file macro %license. This will separate the license files from documents
and install them in a special directory in /usr/share.
rpm -q -l -p ./sssd-1.15.3-0.el7.x86_64.rpm
/usr/share/licenses/sssd-1.15.3
/usr/share/licenses/sssd-1.15.3/COPYING
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The rpm macro python_provide is defined only in fedora and epel.
This is the reason why we have a fallback definition at the beginning of
the spec file; otherwise the build on rhel would fail.
This macro is defined in the file /usr/lib/rpm/macros.d/macros.python
provided by the package python-rpm-macros.
sh$ rpm -qf /usr/lib/rpm/macros.d/macros.python
python-rpm-macros-3-20.fc26.noarch
sh$ grep python_provide /usr/lib/rpm/macros.d/macros.python
%python_provide() %{lua:
print("%python_provide: ERROR: ")
But this package is not installed in the minimal chroot and therefore
build dependencies cannot be extracted from the spec file.
sh$ mock --clean --shell 'rpm -q python-rpm-macros' 2>/dev/null
package python-rpm-macros is not installed
sh$ mock --shell 'rpm --eval "%{python_provide python-test}"' 2>/dev/null
%{python_provide python-test}
sh$ mock --resultdir . --rebuild sssd-1.15.3-0.fc26.src.rpm
...
error: line 295: Unknown tag: %{python_provide python2-sssdconfig}
...
This is the reason why it has to be used conditionally in fedora, as is shown
in the example common spec file in the Fedora Python packaging guidelines:
http://fedoraproject.org/wiki/Packaging:Python#Example_common_spec_file
sh$ rpm -q --whatrequires python-rpm-macros
python2-devel-2.7.13-5.fc26.x86_64
python3-devel-3.6.0-22.fc26.x86_64
This patch reduces differences between the upstream and fedora spec files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>