| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
When removing the old data provider I noticed that those functions
are not used at all.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
We want to use custom interface for proxy provider so we do not
abuse the data provider one. This way we gain more control over
it and we can remove the old interface entirely.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a talloc-bound message was freed by removing all references
to it with dbus_message_unref we failed to free the talloc context
and thus leaking memory or unreferencing invalid message when
the parent context is freed.
This patch allows to bound dbus message to talloc in the way that
allows us to free the message by both talloc and dbus api.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
sssd-1.14.1/src/lib/sifp/sss_sifp_dbus.c:51: check_return:
Calling "dbus_message_append_args_valist" without checking return value
(as is done elsewhere 4 out of 5 times).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3069
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
This way we completely move D-Bus memory management to talloc and
we reduce number of code lines needed to send and receive reply.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to hook DBusMessage to a talloc context
to remove the need of calling dbus_message_unref(). It also provides
an automatical way to detect error in a reply so the caller does
not need to parse it manually and the whole code around DBusError
can be avoided.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This simplifies error handling in sbus requests since we avoid
creating DBusError and checking for NULL manually. It removes
few lines of code.
This patch does not replace all calls to sbus_request_fail_and_finish
since sometimes it is desirable to create the error manualy. But
it replaces it in most recent places.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In cases where the InfoPipe servers just as a middle-man between
the DataProvider and a client we can simply forward the reply
reducing amount of coded needed in the InfoPipe.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3114
We failed GPO procesing if the gPCMachineExtensionNames
attribute contained just whitespaces. This coused
failures in some server settings.
Comment from Alexander Bokovoy quoting:
You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
processing gPCMachineExtensionNames, "Group Policy processing terminates
at the first <CSE GUIDn> out of sequence."
Since ' ' (space only) does not fall into defined syntax for
gPCMachineExtensionNames, this Group Policy processing is stopped and
its CSE GUIDs are set to 'empty list'.
Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element
Filtered GPO list separately for each Group Policy extension by
including in the subset only those GPOs whose gPCUserExtensionNames (for
user policy mode) or gPCMachineExtensionNames (for computer policy mode)
attributes contain CSE GUID that correspond to the Group Policy
extension. If the CSE GUID corresponding to the Group Policy extension
is present in Extension List, it is invoked using the
Implementation Identifier field. Applicability is determined as
specified in section 3.2.1.5. The Group Policy Registry Extension MUST
always execute first. All other applicable Group Policy extensions in
the Extension List MUST be loaded and executed in Extension List order.
A failure in any Group Policy extension sequence MUST NOT affect the
execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of
gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
GPO to pass through the Filtered GPO list. Thus, the GPO would be
ignored.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Use the full simple access control handlers, just like SSSD does in the
tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
To make it possible to call the whole DP handler in the unit test, not
just the evaluator part.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.
Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It's not required to parse names on SSSD startup in the simple access
provider. We can instead just parse the name when the access request is
processed.
Resolves:
https://fedorahosted.org/sssd/ticket/3101
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The child process finished faster then it has handled by parent
and therefore it timed out. It's the similar solution as in
b3074dca3acebd91437ef13d3329d6d65d655215
[ RUN ] dyndns_test_error
(Fri Jul 29 16:12:00:621444 2016) [sssd] [nsupdate_child_timeout] (0x0020):
Timeout reached for dynamic DNS update
Could not run the test - check test fixtures
[ ERROR ] dyndns_test_error
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The usage of modifyTimestamp needn't be a reliable way
for detecting of changes in user entry in LDAP.
The authorisation need to rely current data from LDAP
and therefore we will temporary disable optimisation with
modifyTimestamp and we will rather rely on deep comparison
of attributes. In he future, it might be changed and
responders might control the optimization level.
Resolves:
https://fedorahosted.org/sssd/ticket/3110
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After refactoring of sysdb, we get and internal fully qualified
name from backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck
Previously we got short name and we created fq name in
nss_update_initgr_memcache. Memory cache still need to use short names
if it was specified.
This patch uses right name in different places.
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sh-4.2# getent netgroup -s sss QAUsers
QAUsers ( ,qa1,example.com) ( ,qa2,example.com) ( ,qa3,example.com)
sh-4.2# getent netgroup -s sss QASystems
QASystems (qahost1.example.com,,) (qahost2.lab.eng.pnq.redhat.com,,)
sh-4.2# getent netgroup -s sss test
sh-4.2# echo $?
2
sh-4.2# python
Python 2.7.5 (default, Aug 2 2016, 04:20:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sssd_netgroup
>>> sssd_netgroup.get_sssd_netgroups('QAUsers')
(1, 0, [(None, 'qa1', 'example.com'), (None, 'qa2', 'example.com'), (None, 'qa3', 'example.com')])
>>> sssd_netgroup.get_sssd_netgroups('QASystems')
(1, 0, [('qahost1.example.com', None, None), ('qahost2.lab.eng.pnq.redhat.com', None, None)])
>>> sssd_netgroup.get_sssd_netgroups('test')
(0, 0, [])
>>>
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The path to sssd nss module (libsss_nss.so) was
relative to prefix and expected subdirectory "lib".
32bit and 64bit platforms and different distributions
use different paths. This patch allows to use python module sssd_id
even with real module and not just integration tests.
It is just required to prepare "config.py" with right path.
e.g.
cd ~/sssd/src/tests/intg
[~/sssd/src/tests/intg]$ echo "NSS_MODULE_DIR = '/usr/lib64'" > config.py
[~/sssd/src/tests/intg]$ python
Python 2.7.12 (default, Jul 18 2016, 09:57:01)
[GCC 6.1.1 20160621 (Red Hat 6.1.1-3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sssd_id
>>> sssd_id.get_user_gids('user')
(1, 0, [5977, 1070, 5845, 1076, 1074, 10327, 5975, 5766])
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
| |
Remove all entries in a directory but will
not remove the directory itself.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2978
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sssd_nss can set different negative timeout for local users
and groups. However, checking whether user/group is local
is quite expensive operation. We can avoid such operations
if local_negative_timeout is not set.
This fix improve performance(40%) of lookup non-existing
entries in offline mode and with disabled local_negative_timeout.
sh$ cat pok.sh
for i in {1..10000}; do
getent passwd -s sss temp$i
getent group -s sss temp$i
done
#without patch
sh $time /bin/bash pok.sh
real 0m41.534s
user 0m3.580s
sys 0m14.202s
#with patch
sh $time /bin/bash pok.sh
real 0m26.686s
user 0m3.292s
sys 0m13.165s
Resolves:
https://fedorahosted.org/sssd/ticket/3122
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
sssctl COMMAND --help should print at least
generic help, even if the command does not
accept any command specific options.
Resolves:
https://fedorahosted.org/sssd/ticket/3086
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3111
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
| |
We should fail the request if sss_parse_internal_fqname() fails.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
This patch adds right pam error code for sssd offline state.
Resolves:
https://fedorahosted.org/sssd/ticket/3109
|
| |
|
|
|
|
|
|
|
|
|
| |
The commit dc30c60f166ad9adc63a47a1013508a71624ac87
changed the logic in NULL check
- if (protocol) {
+ if (protocol == NULL) {
Found by Coverity:
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When no users are found during the search users process, just log (at
TRACEL_ALL level) that zero users were retrieve and avoid logging (at
OP_FAILURE level) that a failure has occurred, which may end up
misleading admins, giving them the impression that something wrong has
happened.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/3089
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
The message in SSS_TOOL_DELIMITER should be translated.
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes the issue with empty string recieving from D-Bus.
Data providers obtains NULL. So this is simple conversin.
Resolves:
https://fedorahosted.org/sssd/ticket/3084
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit aa58e216c1f794bd335151f19e79adbb3ddf4c73.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves:
https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
current time
sysdb is already able to retrieve the current timestamp if the caller
doesn't specify it. However, for the timestamp cache this came too late
and the timestamp cache used zero as the 'now' time.
Resolves:
https://fedorahosted.org/sssd/ticket/3064
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was a crash in nss responder when a group contained
a user with special charactes which shoudl be sanitized before
using in filter.
==31651== Conditional jump or move depends on uninitialised value(s)
==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==32577== Conditional jump or move depends on uninitialised value(s)
==32577== at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
==32577== by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
==32577== by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
==32577== by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
==32577== by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
==32577== by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
==32577== by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
==32577== by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
==32577== by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==32577== by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
==32577== by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
==32577== by 0x8BED40C: _tevent_loop_once (tevent.c:533)
==32577== by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
==32577== by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
==32577== by 0x529DD02: server_loop (server.c:702)
==32577== by 0x110951: main (data_provider_be.c:587)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It caused an errors.
(Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(nameAlias=t(u)ser@ldap))
(Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
(0x0080): Error: 5 (Input/output error)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use TOPIC-ACTION pattern for sssctl command
names.
Resolves:
https://fedorahosted.org/sssd/ticket/3087
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Syntax errors in configuration files
prevent SSSD or sssctl to start completely.
It would be good to display these errors
by default with the highest level.
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently ret, which is -1, is passed to strerror() instead of errno.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/3094
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Be explicit that it may happen when SELinux is disabled and also suggest
to enable SELinux.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/3094
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As this is not FATAL and may happen when SELinux is disabled, let's just
decrease the debug level to MINOR_FAILURE
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/3094
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3093
Because we compare the list of LDAP names with the list of sysdb names,
we need to qualify the list of LDAP names before running the diff.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
