| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 63af9215ea9114062fd87003161e6b5982bf9b1f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domain in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is store in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following out search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5ff7a765434ed0b4d37564ade26d7761d06f81c3)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed
Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 659232f194f83ec7c450ce89c3fd41e4e74409f2)
|
| |
|
|
|
|
|
|
|
|
| |
/usr/bin/yum is provided by the dnf-yum package and call /usr/bin/dnf
on new fedora distributions. We should directly use old style yum
which was renamed to /usr/bin/yum-deprecated and is still part of
the yum package.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
(cherry picked from commit 73585f9af928913200999c5b3b983bb9266ee266)
|
| |
|
|
|
|
|
|
|
| |
Gone are the days when all systems used GDM or KDM. We need to support
other display managers in the default configuration to avoid issues
when enrolled in AD domains.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 293cf52a00c9c67f0ad8f264027f81c020854f66)
|
| |
|
|
|
|
|
|
|
|
| |
The Cockpit Project is an administrative console that is gaining in
popularity and is a default component on some operating systems (such
as Fedora Server). Since it is becoming more common, we should ensure
that it is part of the standard mapping.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0e799bc491f636c69657d1678af13d23bf7b7c10)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the idview name cannot be read from cache this either means that the
cache was empty or the name wasn't written because of an error. In the
case of an error SSSD would assume that the default view was used. If
the new view is different from the default view the override data must be
invalidated. Since the sysdb call to invalidate the override data would
work with an empty cache as well and do nothing it is safe to call it on
both cases.
Related to https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b5d48539966aefbea703377ba2ebcb67f9cf88b8)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the IPA subdomain provider returns with a error if there is no
master domain record found. Since this record contains data which is
only needed to create a trust with AD, like e.g. the IPA domain SID,
this record is only created by ipa-adtrust-install. But the idview name
is read after the master domain record. To make the idview feature work
with a plain FreeIPA setup without running ipa-adtrust-install the
missing master domain record should be handled gracefully and the
following lookup should run as well.
Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b25d33b0a775e2337014a334699156ac56b08f9b)
|
| |
|
|
|
|
|
|
|
|
| |
WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by
Samba. See Samba's byteorder.h header for an example.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit faa16fc9f0c9a02b26497e7cf148a92586144c08)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2522
Currently the approach is not optimized for performance, because each
external member is resolved in a full transaction to make sure even ID
views and similar information is processed.
In future, we should implement https://fedorahosted.org/sssd/ticket/2943
we will again be able to process all the data in a single transaction.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c32266e79f9d4bebd0c31eaa8d6fa26050e7fb3e)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2522
Adds a pluggable interface that is able to resolve the IPA group's
external members. At the moment, the request calls the full be_
interface to make sure all corner cases like id-views are handled
internally.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e2d96566aeb881bd89e5c9236d663f6a9a88019a)
|
| |
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 3cf7fdfcaedb986f42a6640e26aa057007b64045)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are three functions at API of colondb wrapper:
* sss_colondb_open()
* sss_colondb_readline()
* sss_colondb_writeline()
This patch adds tests for all of them.
We test those cases:
* open nonexisting file for read
* open nonexisting file for write
* open existing empty file for read
* open existing file with records for read
* open existing empty file for write
* open existing file with records for write
* write to empty file
* write to file with existing records
* sss_colondb_open()
* sss_colondb_readline()
* sss_colondb_write_line()
* write to empty file and read it
Resolves:
https://fedorahosted.org/sssd/ticket/2764
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit b590f44c06158485357d69cc5b24d5af05f1bb95)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The colondb API provides three function:
* sss_colondb_open()
* sss_colondb_write_field()
* sss_colondb_read_field()
It is not obvious that sss_colondb_open() add destructor on talloc
context which close the colondb during free context. And there is
expectation that SSS_COLONDB_SENTINEL is type of last item in line.
So this patch adds simple lightening comments in doxygen style.
Resolves:
https://fedorahosted.org/sssd/ticket/2764
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cf1109e30320a994187edeb438ac7cdc36f0dd2b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes buffer freeing in case if getline() failed
in function sss_colondb_readline().
ssize_t getline(char **lineptr, size_t *n, FILE *stream);
If *lineptr is set to NULL and *n is set 0 before the call, then
getline() will allocate a buffer for storing the line. This buffer
should be freed by the user program even if getline() failed.
man 3 getline
This patch fix buffer freeing in case if getline() failed.
Resolves:
https://fedorahosted.org/sssd/ticket/2764
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2dd75ea79a57615808754c0ce550786edbc17d69)
|
| |
|
|
|
|
|
|
|
|
|
| |
The variable line was initialized to NULL.
The we created temporary context tmp_ctx.
We use talloc_asprintf_append to append string to line which is initially
NULL and therefore new context which was not connected to tmp_ctx.
man 3 talloc_string -> talloc_asprintf_append
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 6977d7c84145ac69195be58b3330861b9b8a3b72)
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2493
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 6e2822b151c21ce6e3287a0cf25d40e9f10a6127.
The function chown_debug_file is called before initialization
of debug stuff in sssd. Therefore variable debug_file cannot be
initialized. Therefore reverted commit completely turned off
changing owner of debug files. Side effect of this change
was that annoying error messages was not logged in case of
journald.
Resolves:
https://fedorahosted.org/sssd/ticket/2938
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit f6c1f6a561bdd5b4bba03c02988a724da3dad387)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 22bbd95a48d21452fa5bb1a96b43334503bf8132)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 2a44a8c6683cfea218ee5329bcfad953dfeb6746)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 42604cc8d11743febf5aa892cb3a7d3c32bfed48)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attached patch should siplify troubleshoting of
issues with permission of krb5.conf. It's not clear from
krb5_child.log even with full debug level.
[sss_get_ccache_name_for_principal] (0x4000):
Location: [FILE:/tmp/krb5cc_12069_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1765328243]
[Can't find client principal user@EXAMPLE.COM in cache collection]
[create_ccache] (0x0020): 735: [13][Permission denied]
Resolves:
https://fedorahosted.org/sssd/ticket/2931
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 38f251e531b1c68e70eaa98dfecaf78da5f36ccc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I can reproduce it only with clang.
But it's tipical off by one error.
sh$ ./sss_idmap-tests
Running suite(s): IDMAP
Segmentation fault (core dumped)
Running suite(s): IDMAP
==2644== Process terminating with default action of signal 11 (SIGSEGV)
==2644== Access not within mapped region at address 0xA08F430
==2644== at 0x4C2CC53: strcmp (vg_replace_strmem.c:842)
==2644== by 0x4060DA: idmap_test_sid2uid_additional_secondary_slices (sss_idmap-tests.c:451)
==2644== by 0x503C78A: ??? (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x503CB7C: srunner_run (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x4061EE: main (sss_idmap-tests.c:965)
==2644== If you believe this happened as a result of a stack
==2644== overflow in your program's main thread (unlikely but
==2644== possible), you can try to increase the size of the
==2644== main thread stack using the --main-stacksize= flag.
==2644== The main thread stack size used in this run was 8388608.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 4f3a996561445ba82c854bb2b674f975f596e884)
|
| |
|
|
|
|
|
| |
Required by:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 09092b6535b711b9b734ed0c047c671de9e6cafd)
|
| |
|
|
|
|
|
|
|
|
| |
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4180d485829969d4626cc7d49d2b5f7146512f21)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add code to distinquish state when account is locked in Active
Directory server.
Tested against Windows Server 2012
This patch is best effort only as decision whether account is actually
locked is based on parsing error message returned by AD. The format and
content of this error message might be subject of change in future
releases and also can be modified by AD administrators.
If account is locked bind operation is expected to return following
error message:
-----------------------------------------------------------------------
Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 775, v23f0
-----------------------------------------------------------------------
Where sub string 'data 775' implies that account is locked
(ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code
0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error
string [2].
Error message is described in further detail as [3]:
-----------------------------------------------------------------------
When the server fails an LDAP operation with an error, and the server
has sufficient resources to compute a string value for the errorMessage
field of the LDAPResult, it includes a string in the errorMessage field
of the LDAPResult (see [RFC2251] section 4.1.10). The string contains
further information about the error.
The first eight characters of the errorMessage string are a 32-bit
integer, expressed in hexadecimal. Where protocol specifies the extended
error code "<unrestricted>" there is no restriction on the value of the
32-bit integer. It is recommended that implementations use a Windows
error code for the 32-bit integer in this case in order to improve
usability of the directory for clients. Where protocol specifies an
extended error code which is a Windows error code, the 32-bit integer is
the specified Windows error code. Any data after the eighth character
is strictly informational and used only for debugging. Conformant
implementations need not put any value beyond the eighth character of
the errorMessage field.
-----------------------------------------------------------------------
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
[2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols
[3] MS-ADTS 3.1.1.3.1.9
https://msdn.microsoft.com/en-us/library/cc223253.aspx
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit ff275f4c0b8cc1a098dbd0c5f6d52d6a93cda597)
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 9d17f436795a36b1b1126f444923aa847fd0f93a)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2865
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4231a17e66e0809a9c3d42207b45f95429cbb46c)
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit d9de4b26f44a344025bbfa23104b7b67935fae35)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
src/tools/sss_obfuscate:12:1: E302 expected 2 blank lines, found 1
src/tools/sss_obfuscate:29:80: E501 line too long (111 > 79 characters)
src/tools/sss_obfuscate:35:1: E302 expected 2 blank lines, found 1
src/tools/sss_obfuscate:47:80: E501 line too long (107 > 79 characters)
src/tools/sss_obfuscate:50:13: E265 block comment should start with '# '
src/tools/sss_obfuscate:58:17: E265 block comment should start with '# '
src/tools/sss_obfuscate:107:5: E303 too many blank lines (2)
Reviewed-by: Martin Basti <mbasti@redhat.com>
(cherry picked from commit 37ea8e70fa13ff9ba563300fb15de0e5e6185d68)
|
| |
|
|
|
|
|
|
|
|
| |
Based on patch from: Steven W. Elling <ellingsw+29044@gmail.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2937
Reviewed-by: Martin Basti <mbasti@redhat.com>
(cherry picked from commit 11496692da75a330de01d5f15b7183d2439efd3c)
|
| |
|
|
|
|
|
|
|
|
|
| |
Python tests for pyhbac and pysss_murmur created symbolic
links in shared directory ".libs". It happened that both
tests created symbolic link in the same time and therefore
python2 test could try to import link to python3 module
which caused failures in tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9e1de5c83371d91e200254cceef70852f5f94fd2)
|
| |
|
|
|
|
|
| |
The AC_PROG_LIBTOOL macro is obsoleted since libtool 2.0
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 700d45751e997c634504a4f22facd2edf82edea7)
|
| |
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 5554a2a679f72f19f266d660a5681e3b0c657379)
|
| |
|
|
|
|
|
|
|
|
|
| |
This is needed for LOCAL view but also creates a shortcut for
server side overrides.
Resolves:
https://fedorahosted.org/sssd/ticket/2849
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5f2b1986a16a394ecbecd16f82c7265b5b47b546)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 46f34279204c537a53a0fac7e3fd8022359bfa09)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When refresh_expired_interval was not zero,
the NSS responder only refreshed netgroup cache
using background periodic task and ignored
SYSDB_CACHE_EXPIRE attribute.
With this behaviour it was impossible to
get new netgroup from remote server even
after sss_cache tool was used to expire
existing entry in the cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2912
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1b8858b1611db5048592f477059ca5ad66d7ceb1)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8babbeee01e67893af4828ddfc922ecac0be4197)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create new internal structure idmap_range_params by merging ID mapping
range relevant fields from idmap_domain_info and remove corrsponding
fields.
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c3cdd6a644a870531092e4378cbcd1a428ff514c)
|
| |
|
|
|
|
|
|
|
|
| |
Max value of id mapping range was 1 unit too high.
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 7db89d44b5582a0cb0a61a7aa42a2fac7ca9408f)
|
| |
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2925
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e9c42ec738c213bd5f351567c20d404a280b32d0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 95c132e1a8c6bbab4be8b3a340333fadd8076122)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2904
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8bd9ec3a8885b01a34863d22aa784e221fc422fb)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8167761a1e1d7575d49babcea45937fc9cd45fdc)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7fdec78178440855058be8ca1011e0b1aa45de31)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5a7f17aedad34a8618765bc33342c109a6958ab5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD expects its clients to renew the machine account password on a
regular basis, be default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5f7cd30c865046a7ea69944f7e07c85b4c43465a)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e89c2cb5ec77d57ed93952dae08df51738834faf)
|
