| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
src/tools/files.c: In function ‘copy_file_contents’:
src/tools/files.c:413:12: error: ‘ret’ may be used uninitialized in this
function [-Werror=maybe-uninitialized]
return ret;
^~~
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c2e3176eaff7c219d63f328570a79f6e5b6f4aec)
|
| |
|
|
|
|
|
|
| |
functionality
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b5797517abb117cff7330acc894b71deda74be3d)
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In most cases when sbus request parsing finishes, the request is handled
internally and a reply is sent to the caller. However, in handlers that
are parsed and handled completely manually, we might want to be notified
about this case so that the called of sbus_request_parse_or_finish()
aborts the request and doesn't proceed with using the sbus request which
is already freed internally in sbus_request_parse_or_finish().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name
lookup is the last step in the subdomain lookup request. In case of an
error the request should be finished and no previous step should be
called again.
Resolves https://fedorahosted.org/sssd/ticket/2993
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 57d8b4b9254442a568838cb60ea16068965f2df0)
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This is done to make sure the memberof module does not leak memory.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 883fb900f7c6b202cf0b6d8268ffa626ab8a1be9)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 27a0be2bb6f21f66527e0edea4ed2cb4b5cafa53)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c07fb3f111b4dc2780fa4e1408ea04cd36e95a4d)
|
| |
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit f818dba78f3e2f3d53ba072e42ac662d2f49edad)
|
| |
|
|
|
|
|
|
| |
structure be_ptask_sync_ctx was not released anywhere when
be_ptask_create_sync was used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cf9a3fd55a39e839636bd15064b4b002b2c5b2f6)
|
| |
|
|
|
|
|
|
|
|
| |
Test for users with fully-qualified and mixed-cased names are added.
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 32dd0dd34193a7566d83adf6845f5194decc3304)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit e45096aead1d2e2b8f8b2b386b420c5f62ad07d3)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 3a8b5ccf7c27b72054e1d8b3ab355cb1e28efda9)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
DNs of existing objects can not be generate reliable because the use of
fully qualified names and upper and lower cases in names has to be
considered. The most reliable way to get the DN is to search the object
and take the DN from the result.
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit e6e2d1575ac7feb3494649f94ef51ef13cbdce48)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDB functions ldb_dn_get_component_val and ldb_dn_get_rdn_val
validate dn before returning component value.
It should be valid DN according to RFC4514.
IPA/389ds might return problematic DN due to replication conflicts.
e.g. "cn=System: Read Service Delegations+nsuniqueid=b0736336-d06e11e5-8e8acabe-ce8d458d,cn=permissions,dc=example,dc=com"
It's better to check return value of these LDb function rather than
crash because of dereference of NULL pointer.
Resolves:
https://fedorahosted.org/sssd/ticket/2980
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 22eead9590e11c7adab33ec5ab8b46d3c3cb4406)
|
| |
|
|
|
|
|
|
|
|
|
| |
Even though at this time the MSDN documentation at:
https://msdn.microsoft.com/en-us/library/cc223272.aspx
still claims that "7" is a value of DS_BEHAVIOR_WINTHRESHOLD, testing
with Windows Server 2016 Preview already shows that server reporting a
new value of Domain Controller Functionality.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c6fb6dbdfc3084c870714a8782d2bf89d8aec209)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgroup requests use global catalog for LDAP queries.
Only port for global catalog is marked as offline
if request fails due to problems with connection.
However, GPO code uses standard LDAP port for
retrieving of target DNs and other information.
Previously, GPOs were processed in offline mode only
if there were issues with connection to AD server.
But connection can be cached and ldap search can still fail.
Resolves:
https://fedorahosted.org/sssd/ticket/2964
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit bdd533146cb2da71b7c39ad0efa2e5baca7257eb)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There are many calls of umask function with 0177 argument. This patch
add new constant SSS_DFL_UMASK which stands for 0177. So all occurences
of umask(0177) (except responder code) are replaced by constant
SSS_DFL_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c299f997e20011536e365bc18e59e73f68629d2c)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There are many calls of umask function with 077 argument. This patch
add new constant SSS_DFL_X_UMASK which stands fot 077. So all
occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f8e337540d280f944098cd4dd7d670e2f7166b54)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The parent directory has to have execute bit if we want to create
subdirectories or read files there.
sh-4.3$ mkdir dir
sh-4.3$ echo "test" > dir/test_file
sh-4.3$ chmod 644 dir/
sh-4.3$ ls dir/
test_file
sh-4.3$ cat dir/test_file
cat: dir/test_file: Permission denied
It was not probelm for sssd in root mode
because root has by default capbilities DAC_OVERRIDE and DAC_READ_SEARCH
which bypass file read, write, and execute permission checks
and directory read and execute permission checks
Resolves:
https://fedorahosted.org/sssd/ticket/2962
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d0e0cf6ee47ab538efc47c7882f498f1b5e0f0c7)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default umask(0177) inherited from sssd_be is to strict
for gpo_child in non-root mode. mkdir creates directories with only "rw"
permission for owner.
The man 1 chmod says: "execute (or search for directories) (x)"
In another words, execute bit is required for directories.
sh-4.3$ mkdir dir
sh-4.3$ chmod 600 dir/
sh-4.3$ mkdir dir/subdir
mkdir: cannot create directory ‘dir/subdir’: Permission denied
Resolves:
https://fedorahosted.org/sssd/ticket/2962
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 192126738fa82c5624f4740147426c552126c602)
|
| |
|
|
|
|
|
|
|
|
|
| |
libcmocka and cwrap is available in epel
which is used by mock.
This patch also remove superfluous for checking fedora.
Fedora < 20 is not suported for very long time.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0befc9ae024cf8c9a2d42ab21591699e659dd420)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is an overhead caused by SELinux after fixing memory leak
in krb5. https://bugzilla.redhat.com/show_bug.cgi?id=1311287.
The overhead is mainly visible with valgrind and moreover
it causes failures due to timeouts.
sh$ time libtool --mode=execute ./test_ipa_subdom_server
enabled/permissive SELinux
real 0m7.976s
user 0m6.680s
sys 0m0.189s
disabled SELinux
real 0m2.111s
user 0m0.071s
sys 0m0.043s
valgrind + enabled/permissive SELinux
real 2m7.310s
user 2m17.080s
sys 0m0.786s
valgrind + disabled SELinux
real 0m5.510s
user 0m3.396s
sys 0m0.309s
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1510d1264b44c437b8270e0a5a239e8624933c3d)
|
| |
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 37bdd235705639174631963ab13404e409da926d)
|
| |
|
|
|
|
|
|
| |
make-check-wrap had to be used due to missing LOG_COMPILER
on rhel6 which is enabled with parallel test harness
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
(cherry picked from commit 444a82bd6d68c6f23e05d523ff92d328f6b2ec05)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parallel test harness[1] is enabled by default with new versions
of automake. However, automake on rhel6 (1.11.1-4) still uses
serial test harness by default even though it also contains parallel
test harness.
Downside of serial test is that output of all test are mixed together and
is not in separate log files as with parallel test harness. Another problem
is slow execution test with valgrind due to missing parallelisation. It's
approximately 4-5 minutes slower on machine with 4 CPUs.
The automake option parallel-tests is kept for backward-compatibility in new
versions of automake, since the parallel test harness is the default there.
[1] http://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html#Parallel-Test-Harness
[2] http://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html#Serial-Test-Harness
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
(cherry picked from commit 5ebdc2391e96cfcc86ebdb8f223e159c00a0d82b)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We should log error messages generated by
libini if there are problems with parsing
gpo files.
Related to:
https://fedorahosted.org/sssd/ticket/2751
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit dad416a9b0095e1c423b7da65db7c636fa69e614)
|
| |
|
|
|
|
|
|
|
| |
libldb is not consistent with appending line feed
in debug messages. AS a result of this two messages can be on the same line
in sssd log files. Which makes analyzing log files more difficult.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 7c30eade4ae794ed809845f2ef70dda849b6e7c9)
|
| |
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 558ec7d717735bb16c210c675c2cc5bee1da4576)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were unable to parse modifyTimestamp where a non-numeric part
(timezone) was involved. The format is YYYYMMDDHHmmssZ. It may
also contain fraction or different timezone, everytime separated
from the datetime by character. This patch gets the numberic part
and then appends the string part again to get value usable in filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2970
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ef5e33f7db1e314226b0077596e38ef16305cba5)
|
| |
|
|
|
|
|
|
|
|
| |
FreeIPA versions older than 3.1 have rdn sudoCmd instead of ipaUniqueID.
Resolves:
https://fedorahosted.org/sssd/ticket/2969
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 84060f52e782b079337ee7a99bb7ad17e8c84fbb)
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b0c4eb194cf1414d3440e0cccfb9af9074388c08)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There are different expectations about how the pam_message array is
organized, details can be found in the pam_conv man page. E.g. sudo was
not able to handle the Linux-PAM style but expected the Solaris PAM
style. With this patch both styles should work as expected.
Resolves https://fedorahosted.org/sssd/ticket/2971
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 957e0a8675359d90fa50067b704578d01f565bba)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a function sss_cli_check_socket which checks
socket in client code. The socket is reopened in case of some
issues e.g. responder terminated connections ...
We use syscall poll for checking status of socket.
It's not 100% reliable method because there is still
chance that responder will terminate socket after this check.
Here is a schema of sss_*_make_request functions:
sss_cli_check_socket
sss_cli_make_request_nochecks {
sss_cli_send_req {
poll
send
}
sss_cli_recv_rep {
poll
read
}
}
The syscall pool does not return EPIPE directly but we convert
special revents from poll to EPIPE. As it was mentioned earlier,
checking of socket in the sss_cli_check_socket is not 100% reliable.
It can happen very rarely due to TOCTOU issue (Time of check to time of use)
We can return EPIPE from the sss_cli_make_request_nochecks function
in case of failure in poll in sss_cli_send_req. The send function
in sss_cli_send_req can also return EPIPE is responder close socket
in the same time. The send function can succeed in sss_cli_send_req
but it does not mean that responder read the message. It can happen
that timer for closing socket can be handled before reading a message.
Therefore there is a still a chance that we might return EPIPE in case
of failure in poll in sss_cli_recv_rep.
Therefore we need to reconnect to responder(sss_cli_check_socket)
in case of EPIPE returned from sss_cli_make_request_nochecks and
try to do the same request one more time.
Resolves:
https://fedorahosted.org/sssd/ticket/2626
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6748a4c9d75db997c724c1dcea541e0047742f52)
|
| |
|
|
|
|
|
| |
Patch for #2626 will be simpler with this small refactoring
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a452d199bc125e8d53033d7c00383b4a275ab85e)
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds a test that tests a complex nested group hierarchy. Also defines
the talloc chunk for group members to 1 to make sure the realloc branch
is always tested.
Unit test for: https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c6bda70d6131b5e8cd760ad690fae001d1765547)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Warnings are emited from macro generated code in dlinklist.h
e.g.
src/ldb_modules/memberof.c:4209:13: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_DEMOTE(ctx->group_list, grp, struct mbof_member *);
^~~~~~~~~~~~
src/ldb_modules/memberof.c:4209:13: note: ...this ‘if’ clause, but it is not
src/ldb_modules/memberof.c: In function ‘mbof_member_update’:
src/ldb_modules/memberof.c:4305:9: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_PROMOTE(ctx->group_list, mem);
^~~~~~~~~~~~~
src/ldb_modules/memberof.c:4305:9: note: ...this ‘if’ clause, but it is not
src/ldb_modules/memberof.c: In function ‘mbof_rcmp_update’:
src/ldb_modules/memberof.c:4408:9: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_REMOVE(ctx->user_list, x);
^~~~~~~~~~~~
src/util/crypto/nss/nss_obfuscate.c: In function ‘sss_password_decrypt’:
src/util/crypto/nss/nss_obfuscate.c:419:5: error: statement is indented
as if it were guarded by... [-Werror=misleading-indentation]
SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/python/pyhbac.c: In function ‘PyInit_pyhbac’:
src/python/pyhbac.c:1987:5: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
TYPE_READY(m, pyhbac_hbacrule_type, "HbacRule");
^~~~~~~~~~
src/python/pyhbac.c:1987:5: note: ...this ‘if’ clause, but it is not
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit c6278b2fa4a7ea389ed4086b2def16e0e6cbb184)
|
| |
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit fee2997ff25938bca8dd8e3df1d6a5a44b5b7698)
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.
https://fedorahosted.org/sssd/ticket/2972
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 991c9f47fcb24704b880f60ab8ee77cfda056e2c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2959
In case no previous delete operation occured, the del_ctx->muops pointer we
allocate the diff structure was would be NULL, effectivelly leaking the
diff array during the memberof processing.
Allocating on del_ctx is safer as that pointer is always allocated and
prevents the leak.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2785
Test local domain tool with wrong LC_ALL
environment variable value.
NOTE: The memory cache files are not deleted
properly in the test teardown to work around the
problem described in ticket
https://fedorahosted.org/sssd/ticket/2726
Once the ticket above is solved, the teardown
will be updated to remove the memory cache
files.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 586f512ab8b6e5a03349598846141f43c1d505b8)
|
| |
|
|
|
|
|
|
|
|
| |
For now the libsemanage can not be used inside
intgcheck tests. See the tracking ticket
for this issue:
https://fedorahosted.org/sssd/ticket/2859
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit f1b9f9370b50a3d001722737f2538f5d3bb40e9c)
|
| |
|
|
|
|
|
|
|
| |
Failed setlocale call could cause unexpected
behaviour. It is better to generate DEBUG
message if this happens.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit a0c8aae6b31867f29e83e4f8a2a7ef037a82569e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
setlocale needs some environment variables
to be set in order to work. These variables
are not present in some special cases. We
should not fail completely in these cases
but continue with the compatible C locale.
Resolves:
https://fedorahosted.org/sssd/ticket/2785
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 43e06ff39584570817949dc5de118d2b7ca854c1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a fo_resolve_service callback would modify the server->common member
in any way, for example by dereferencing the server and lowering the
refcount to 0, which would free the common structure, then the next
iteration of fo_resolve_service_done would access memory that was
already gone.
Please see
https://tevent.samba.org/group__tevent__request.html#ga09373077d0b39e321a196a86bfebf280
for more details.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a92f68763a57b211a1bf6b80b6dd80c4a1aa2738)
|
| |
|
|
|
|
|
|
| |
src/providers/fail_over.c: In function ‘fo_ref_server’:
src/providers/fail_over.c:861: warning: value computed is not used
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit acd615cffd144b69e2558a0fc45c6966423f2d02)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2829
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 10c07e188323a2f9824b5e34379f3b1a9b37759e)
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 4a4af8e1b6a9bab7c7a34d86055a400376e3829e)
|
