| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable
and fallback to value returned from getpwnam only if env HOME
does not exist. It caused problem for dbus communication
between sssd processes because local user usually do not have
directory $HOME/.dbus-keyrings/. And directory created in cwrap
environment is problmatic
[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/
[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied
Other alternative would be to set env variable HOME to the
same value as in fake passwd file:
HOME=$(abs_builddir)/root
Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960
Resolves:
https://pagure.io/SSSD/sssd/issue/3531
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add sssctl cache-expire as a wrapper for the sss_cache utility to
invalidate cached objects.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sss_debuglevel binary is replaced by a shell wrapper calling
sssctl debug-level as part of merging sss_debuglevel into sssctl.
The wrapper will redirect sss_debuglevel to the sssctl debug-level
command performing the same task. The sss_debuglevel(8) man page is
updated to indicate that sss_debuglevel is deprecated and functionality
exists now in sssctl.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move code from sss_debuglevel to sssctl_logs.c and add new debug-logs
sssctl command to perform the same task of changing debug level
dynamically.
POPT_CONTEXT_KEEP_FIRST Flag added to poptGetContext call in
sssctl_debug_level() to fix argument parsing.
Resolves:
https://pagure.io/SSSD/sssd/issue/3057
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/responder/common/cache_req/cache_req.c: In function 'cache_req_add_result':
src/responder/common/cache_req/cache_req.c:587: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c:387: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_getent_get_result':
src/responder/nss/nss_cmd.c:433: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_endent':
src/responder/nss/nss_cmd.c:671: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_protocol_netgr.c: In function 'nss_protocol_fill_netgrent':
src/responder/nss/nss_protocol_netgr.c:113: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
As done for the attr_name_fn to avoid "-Wshadow", let's be consistent
and do the same for all the other sssctl_attr_fn functions.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an explanatory message to be logged once, at the start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.
Resolves:
https://pagure.io/SSSD/sssd/issue/2301
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients.
If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s is passed.
This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.
Resolves:
https://pagure.io/SSSD/sssd/issue/3518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
A unit test for the recent changes from
0526dde7f3d4089617c0f4a6a85f83e9d266c9f1 is added.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently it happens for default domain, if someone configures
different ldap_idmap_default_domain_sid for two domains in
sssd.conf. There is no check preventing this in sdap_idmap.c, it's simply:
sdap_idmap_add_domain(idmap_ctx, dom_name,sid_str, 0). However, I believe
here is the best place to check it since there may be different use of
sss_idmap_calculate_ranges in the future.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domain_resolution_order
As the output of all commands when using domain_resolution_order is
fully-qualified, even when using shortnames, let's add a note in the man
page to make it explicit. Also, let's suggest a possible workaround for
this having the output non fully-qualified and also mention the problems
that the possible workaround may cause.
Resolves: https://pagure.io/SSSD/sssd/issue/3513
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://pagure.io/SSSD/sssd/issue/3472
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
dereference might occur.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
INFO: Installed packages:
Start: build phase for sssd-1.15.4-0.el7.src.rpm
Start: build setup for sssd-1.15.4-0.el7.src.rpm
error: unmatched (
error: unmatched (
error: /builddir/build/SPECS/sssd.spec:56: bad %if condition
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some users change the IPA hostname post-install which results in
strange bugs. Code change make sure that the ipa_hostname contains
at least one domain component.
Resolves: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The description of ipa_hostname config option doesn't mention it must be
fully-qualified, although when using a non-fully qualified name IPA
server may behave weirdly. Thus, let's add this info the the man page.
Related: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It is read only from "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
s/dictonary/dictionary/g
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The python module pysss_nss_idmap contains few module constants
which should be used (based on python documentation) for checking
type of results.
e.g.
getsidbyid(...)
getsidbyid(id or list/tuple of id) -> dict(id => dict(results))
Returns a dictionary with a dictionary of results for each given
POSIX ID. The result dictionary contains the SID and the type of the
object which can be accessed with the key constants SID_KEY and
TYPE_KEY, respectively.
However, type of module constant and type of returned key had different type
with python3 due to different handling of strings. This patch unifies it
to string. The same as it is in python2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3491
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 9375eae59550437c85ada9212be430a4242b25a4.
Patch introduced difference between python2 and python3.
constant should be strings in both versions.
sh$ python2
Python 2.7.13 (default, Aug 16 2017, 12:56:26)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> type(pysss_nss_idmap.SID_KEY)
<type 'str'>
sh$ python3
Python 3.6.2 (default, Sep 1 2017, 12:03:48)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> type(pysss_nss_idmap.SID_KEY)
<class 'bytes'>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Weak dependencies are intentionally disabled. If we need them
then they should be explicitly specified because they are not weak.
Resolves:
https://pagure.io/SSSD/sssd/issue/2809
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Directory is part of make list SSSD_USER_DIRS and therefore
should have such owner&mode also in spec file
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overriden.
Please see the ticket for a detailed info on how to reproduce the bug.
Resolves:
https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Provide information for administrators and users to utilize
SSSD systemtap infrastructure.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run this script using stap as root and Ctrl-C to print the summary
report
stap -v /usr/share/sssd/systemtap/dp_request.stp
This script will use the data provider request probe markers to provide
elapsed time of each request and more information about the slowest
request in the summary report.
Resolves:
https://pagure.io/SSSD/sssd/issue/3061
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the ability to analyze performance and monitor Data Provider
requests at a high-level, probes fire when a request is sent and when
a request is completed.
Request name, domain, target, method, and return code information
is passed as target variables to the systemtap probe tapsets which
can be used in systemtap scripts.
Resolves:
https://pagure.io/SSSD/sssd/issue/3061
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_master_domain_update() can only set the view name properly if it was not
set before but it might be called multiple times before the view name is
available if the cache is empty. Since ipa_apply_view() keeps track if
the view name was already set at startup or not the name can safely be
cleaned here before sysdb_master_domain_update() is called.
Resolves:
https://pagure.io/SSSD/sssd/issue/3501
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We always check negcache after getting data from backend since commit
4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name
in begging of requests "* by ID".
We were not interested in name in request sid by id before. However, function
cache_req_search_ncache_filter always expect name otherwise it returns
ERR_INTERNAL.
[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin
[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID'
[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search
[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid
[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com]
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513]
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache
[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario!
[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error
[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
Resolves:
https://pagure.io/SSSD/sssd/issue/3485
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older version of gcc(e.g. gcc-4.8.5-11.el7) had a false positive warning
with c99 struct initialisation "{ 0 }".
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64709
CC src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo
src/lib/certmap/sss_cert_content_nss.c:
In function 'add_pkinit_princ_to_san_list':
src/lib/certmap/sss_cert_content_nss.c:475:12:
error: missing braces around initializer [-Werror=missing-braces]
struct kerberos_principal_name kname = { 0 };
^
src/lib/certmap/sss_cert_content_nss.c:475:12:
error: (near initialization for 'kname.realm') [-Werror=missing-braces]
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The libselinux function getseuserbyname is more reliable method to retrieve
SELinux usernames then functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
per-client section
Resolves:
https://pagure.io/SSSD/sssd/issue/3417
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The OpenSSL 1.1 API is used but there is a short macro block which
should added the needed compatibility if and older OpenSSL version is
used.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
PR generated to include explaination for ipa ad trust sssd configuration
where ad has a child domain. Explanation is added to 'TRUSTED DOMAIN
SECTION'. Also an example is included to better understanding.
Resolves: https://pagure.io/SSSD/sssd/issue/3399
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commit.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
