| Commit message | Author | Age | Files | Lines |

Prior to this patch, we remember id_ctx->srv_opts in sudo request to switch
the latest usn values. This works fine most of the time but it may cause
a crash.
If we have two concurrent sudo refreshes and one of these fails, it causes
failover to try the next server, possibly replacing the old srv_opts
with a new one, and that causes an access after free in the other refresh.

Instead of requiring that admins enable and look at our logs, let's log
the DP status to syslog.
Resolves:
https://pagure.io/SSSD/sssd/issue/3307
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Related: https://pagure.io/SSSD/sssd/issue/3307
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Resolves:
https://pagure.io/SSSD/sssd/issue/3545
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

FakeAD is OpenLDAP with an LDIF schema which allows loading static data
from a real AD. An instance of the class will also contain some predefined
users/groups which can be used for basic sanity testing of AD features in sssd.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

The patch prepends the path to the sssd python modules, so we will be
able to import them without any issue and they will be preferred over
system modules.
sh$[/tmp/sssd-intg.3gb4hzpn/var/log/sssd] python2
Python 2.7.13 (default, Aug 16 2017, 12:56:26)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import SSSDConfig
>>> print(SSSDConfig.__file__)
/tmp/sssd-intg.3gb4hzpn/lib/python2.7/site-packages/SSSDConfig/__init__.pyc
>>> import pyhbac
>>> print(pyhbac.__file__)
/tmp/sssd-intg.3gb4hzpn/lib64/python2.7/site-packages/pyhbac.so
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

http://stackoverflow.com/questions/9698614/super-raises-typeerror-must-be-type-not-classobj-for-new-style-class
========================== ERRORS ===========================
_______ ERROR at setup of test_regression_ticket2163 ________
Traceback (most recent call last):
File "src/tests/intg/test_pysss_nss_idmap.py", line 48, in ad_inst
instance.teardown()
File "src/tests/intg/ds_openldap.py", line 371, in teardown
super(FakeAD, self).teardown()
TypeError: super() argument 1 must be type, not classobj
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

It will allow preferring locally built python modules
in integration tests.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

intg/bld/src/tests/intg/config.py:5:7: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:6:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:7:15: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:8:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:9:10: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:10:8: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:11:9: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:12:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:13:9: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:14:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:15:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:16:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:17:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:18:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:20:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:21:7: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:22:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:23:7: E221 multiple spaces before operator
pep8 will prevent reformatting in case new options are added,
e.g. 53a4219e2f51cd0443931aa931505bf0b4bf5a45
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Related to old bug
https://pagure.io/SSSD/sssd/issue/1224
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

The command name is missing in the help output:
sh# sssctl debug-level --help
Usage: DEBUG_LEVEL_TO_SET
-c, --config=STRING Specify a non-default config file
Help options:
-?, --help Show this help message
--usage Display brief usage message
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.
This security issue was assigned CVE-2017-12173.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

In case add_pam_cert_response() fails, pam_status has to be set to
PAM_AUTHINFO_UNAVAIL. Although it's done properly in the code,
pam_status was overwritten just after the if block with PAM_SUCCESS.
The original faulty code was added as part of 32474fa2f0.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().
This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Several memory allocations across the KCM codebase did not check their
result for NULL. This patch fixes that.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Inside the tevent request, we should use 'state' as the intermediate
memory context and steal the result up to 'mem_ctx' on success.
'mem_ctx' itself should only be used to create the tevent_req as the
first thing during the request creation.
However, this bug is not very severe as the mem_ctx was always the KCM
operation memory context, so the memory was freed when the operation
terminated.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

This is not a big deal as the mem_ctx parameter of the operation is
typically just a short-lived operation context. Nonetheless, it is best
practice to not rely on how the memory context is set up in utility
functions.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Resolves:
https://pagure.io/SSSD/sssd/issue/3517
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA and AD providers default to userCertificate;binary for the
ldap_user_certificate option. It will be good to default to that value
also for the generic LDAP provider.
Resolves:
https://pagure.io/SSSD/sssd/issue/3499
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Since dbus-1.11.18, DBUS_COOKIE_SHA1 respects the $HOME variable
and falls back to the value returned from getpwnam only if the env HOME
does not exist. It caused a problem for dbus communication
between sssd processes because the local user usually does not have the
directory $HOME/.dbus-keyrings/. And the directory created in the cwrap
environment is problematic:
[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/
[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied
Another alternative would be to set the env variable HOME to the
same value as in the fake passwd file:
HOME=$(abs_builddir)/root
Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960
Resolves:
https://pagure.io/SSSD/sssd/issue/3531
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Add sssctl cache-expire as a wrapper for the sss_cache utility to
invalidate cached objects.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>

The sss_debuglevel binary is replaced by a shell wrapper calling
sssctl debug-level as part of merging sss_debuglevel into sssctl.
The wrapper will redirect sss_debuglevel to the sssctl debug-level
command performing the same task. The sss_debuglevel(8) man page is
updated to indicate that sss_debuglevel is deprecated and functionality
exists now in sssctl.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>

Move code from sss_debuglevel to sssctl_logs.c and add new debug-logs
sssctl command to perform the same task of changing debug level
dynamically.
The POPT_CONTEXT_KEEP_FIRST flag is added to the poptGetContext call in
sssctl_debug_level() to fix argument parsing.
Resolves:
https://pagure.io/SSSD/sssd/issue/3057
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

src/responder/common/cache_req/cache_req.c: In function 'cache_req_add_result':
src/responder/common/cache_req/cache_req.c:587: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c:387: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_getent_get_result':
src/responder/nss/nss_cmd.c:433: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_endent':
src/responder/nss/nss_cmd.c:671: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_protocol_netgr.c: In function 'nss_protocol_fill_netgrent':
src/responder/nss/nss_protocol_netgr.c:113: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

As done for the attr_name_fn to avoid "-Wshadow", let's be consistent
and do the same for all the other sssctl_attr_fn functions.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add an explanatory message to be logged once, at start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.
Resolves:
https://pagure.io/SSSD/sssd/issue/2301
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients do.
If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s has passed.
This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.
Resolves:
https://pagure.io/SSSD/sssd/issue/3518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

A unit test for the recent changes from
0526dde7f3d4089617c0f4a6a85f83e9d266c9f1 is added.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Currently it happens for the default domain if someone configures
a different ldap_idmap_default_domain_sid for two domains in
sssd.conf. There is no check preventing this in sdap_idmap.c; it's simply:
sdap_idmap_add_domain(idmap_ctx, dom_name,sid_str, 0). However, I believe
this is the best place to check it since there may be different uses of
sss_idmap_calculate_ranges in the future.
Reviewed-by: Sumit Bose <sbose@redhat.com>

domain_resolution_order
As the output of all commands when using domain_resolution_order is
fully-qualified, even when using shortnames, let's add a note in the man
page to make it explicit. Also, let's suggest a possible workaround for
having the output non fully-qualified, and also mention the problems
that the possible workaround may cause.
Resolves: https://pagure.io/SSSD/sssd/issue/3513
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Resolves https://pagure.io/SSSD/sssd/issue/3472
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
dereference might occur.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

INFO: Installed packages:
Start: build phase for sssd-1.15.4-0.el7.src.rpm
Start: build setup for sssd-1.15.4-0.el7.src.rpm
error: unmatched (
error: unmatched (
error: /builddir/build/SPECS/sssd.spec:56: bad %if condition
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Some users change the IPA hostname post-install which results in
strange bugs. The code change makes sure that the ipa_hostname contains
at least one domain component.
Resolves: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

The description of ipa_hostname config option doesn't mention it must be
fully-qualified, although when using a non-fully qualified name the IPA
server may behave weirdly. Thus, let's add this info to the man page.
Related: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>