Commit message  (Author, Age, Files, Lines)
...
* KCM: include missing header file  (Lukas Slebodnik, 2017-05-09, 1 file, -0/+1)

  man 2 readv says that the header file "sys/uio.h" must be included for the functions readv/writev.

  Previously, "sys/uio.h" was included in "sys/socket.h" in glibc. It worked just by chance. But it will be changed in glibc-2.26.
  https://sourceware.org/bugzilla/show_bug.cgi?id=21426

  src/responder/kcm/kcmsrv_cmd.c: In function 'kcm_iovec_op':
  src/responder/kcm/kcmsrv_cmd.c:75:15: error: implicit declaration of function 'readv'; did you mean 'read'? [-Werror=implicit-function-declaration]
  src/responder/kcm/kcmsrv_cmd.c:77:15: error: implicit declaration of function 'writev'; did you mean 'write'? [-Werror=implicit-function-declaration]

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SERVER_MODE: Update sdap lists for each ad_ctx  (Michal Židek, 2017-05-04, 1 file, -0/+36)

  We use a separate AD context for each subdomain in the server mode. Every such context has its own sdap_domain list which represents sdap options such as filter and search bases for every domain. However AD context can only fully initialize the sdap_domain structure for the same domain for which the whole context was created, which resulted in the other sdap_domain structures having automatically detected settings. This can cause problems if user is member of groups from multiple domains.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3381

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: check matching certificates from all domains  (Sumit Bose, 2017-05-04, 1 file, -6/+63)

  Although the cache_req lookup found matches in multiple domains, only the results from the first domain were used. With this patch the results from all domains are checked.

  Resolves https://pagure.io/SSSD/sssd/issue/3385

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/AD: Do not fail in case rfc2307bis_nested_groups_recv() returns ENOENT  (Fabiano Fidêncio, 2017-05-03, 1 file, -1/+7)

  Commit 25699846 introduced a regression seen when an initgroup lookup is done and there are no nested groups involved. In this scenario the whole lookup fails due to an ENOENT returned by rfc2307bis_nested_groups_recv(), which leads to the user removal from sysdb causing some authentication issues.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3331

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SPEC: Use %license macro  (Lukas Slebodnik, 2017-05-03, 1 file, -18/+24)

  Starting with rpm 4.11, it is possible to install the license using a new file macro %license; this will separate the license files from documents and install them in a special directory in /usr/share

  rpm -q -l -p ./sssd-1.15.3-0.el7.x86_64.rpm
  /usr/share/licenses/sssd-1.15.3
  /usr/share/licenses/sssd-1.15.3/COPYING

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use macro python_provide conditionally  (Lukas Slebodnik, 2017-05-03, 1 file, -10/+10)

  The rpm macro python_provide is defined only in fedora and epel. This is the reason why we have a fallback definition at the beginning of the spec file; otherwise the build on rhel would fail.

  This macro is defined in file /usr/lib/rpm/macros.d/macros.python provided by package python-rpm-macros.

  sh$ rpm -qf /usr/lib/rpm/macros.d/macros.python
  python-rpm-macros-3-20.fc26.noarch
  sh$ grep python_provide /usr/lib/rpm/macros.d/macros.python
  %python_provide() %{lua: print("%python_provide: ERROR: ")

  But this package is not installed in minimal chroot and therefore build dependencies cannot be extracted from spec file.

  sh$ mock --clean --shell 'rpm -q python-rpm-macros' 2>/dev/null
  package python-rpm-macros is not installed
  sh$ mock --shell 'rpm --eval "%{python_provide python-test}"' 2>/dev/null
  %{python_provide python-test}
  sh$ mock --resultdir . --rebuild sssd-1.15.3-0.fc26.src.rpm
  ...
  error: line 295: Unknown tag: %{python_provide python2-sssdconfig}
  ...

  This is the reason why it has to be used conditionally in fedora as it is shown in example common spec file in python fedora packaging guidelines
  http://fedoraproject.org/wiki/Packaging:Python#Example_common_spec_file

  sh$ rpm -q --whatrequires python-rpm-macros
  python2-devel-2.7.13-5.fc26.x86_64
  python3-devel-3.6.0-22.fc26.x86_64

  This patch reduces differences between upstream and fedora spec file.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Call ldconfig in libsss_certmap scriptlets  (Lukas Slebodnik, 2017-05-03, 1 file, -0/+4)

  We do it for other libraries.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Move kcm scriptlets to systemd section  (Lukas Slebodnik, 2017-05-03, 1 file, -12/+12)

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Move files provider files within package  (Lukas Slebodnik, 2017-05-03, 1 file, -4/+3)

  It's a cosmetic change to group similar files together (e.g. man pages). The same order is in fedora downstream spec file. It simplifies comparison of changes between spec files.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated sssd-kcm man pages  (Lukas Slebodnik, 2017-05-03, 1 file, -2/+5)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated sss_certmap man pages  (Lukas Slebodnik, 2017-05-03, 1 file, -4/+9)

  This patch also moved sss_certmap.5 from sssd-common to libsss_certmap

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated idmap_sss man pages  (Lukas Slebodnik, 2017-05-03, 1 file, -3/+6)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated sssctl man pages  (Lukas Slebodnik, 2017-05-03, 1 file, -0/+3)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated sss_ssh* man pages  (Lukas Slebodnik, 2017-05-03, 1 file, -0/+3)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Move man page for sss_rpcidmapd to the right package  (Lukas Slebodnik, 2017-05-03, 1 file, -4/+7)

  Patch also fixes location of translated manual pages

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Use correct package for translated sssd-ifp man page  (Lukas Slebodnik, 2017-05-03, 1 file, -3/+6)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3327

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Add missing scriptlets for package sssd-dbus  (Lukas Slebodnik, 2017-05-03, 1 file, -0/+9)

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Move systemd service sssd-ifp.service to right package  (Lukas Slebodnik, 2017-05-03, 1 file, -1/+3)

  The sssd-ifp.service was installed even though sssd_ifp was not installed on systemd.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SPEC: Update processing of translation in %install  (Lukas Slebodnik, 2017-05-03, 1 file, -4/+22)

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* AD: Make ad_account_can_shortcut() reusable by SSSD on an IPA server  (Jakub Hrozek, 2017-05-02, 1 file, -78/+84)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3318

  The ad_account_can_shortcut() function is helpful to avoid unnecessary searches when SSSD is configured with an Active Directory domain that uses ID-mapping in the sense that if we find that an ID is outside our range, we can just abort the search in this domain and carry on.

  This function was only used in the AD provider functions which are used when SSSD is enrolled directly with an AD server. This patch moves the function to a codepath that is shared between directly enrolled SSSD and SSSD running on an IPA server.

  Apart from moving the code, there are some minor changes to the function signature, namely the domain is passed as a struct (previously the domain name from the DP input was passed).

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* SDAP: Fix handling of search bases  (Michal Židek, 2017-05-02, 4 files, -16/+30)

  We were rewriting the sdap_domain's search bases for only the first sdap_domain in the list, which does not work for subdomains.

  Also when search bases were already initialized in sdap_domain_subdom_add, we should only rewrite them when they were explicitly set in sssd.conf.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3351

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CONTRIB: Force single-thread install to workaround concurrency issues  (Fabiano Fidêncio, 2017-05-02, 1 file, -1/+2)

  @see also https://bugzilla.redhat.com/show_bug.cgi?id=1260190

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Remove duplicated debug message  (Fabiano Fidêncio, 2017-05-02, 1 file, -1/+0)

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NSS: Fix typo inigroups -> initgroups  (Fabiano Fidêncio, 2017-05-02, 2 files, -2/+2)

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ssh tools: Split connect and communication phases  (Simo Sorce, 2017-04-28, 1 file, -8/+22)

  We can fall back after a connect error, but we cannot easily fall back once we start sending data as we may have consumed part of the buffer so reconnecting and sending what's left would not make sense. Therefore we now fall back on connect errors, but we issue a hard fail if an error happens after communication has been established.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/1498

  Merges:
  https://pagure.io/SSSD/sssd/pull-request/3383

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ssh tools: Fix issues with multiple IP addresses  (Simo Sorce, 2017-04-28, 1 file, -1/+7)

  Cycle through all resolved addresses until one succeeds or all fail. This is needed for dual stack systems where either IPv4 or IPv6 are improperly configured or selectively filtered at some point along the route.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/1498

  Merges:
  https://pagure.io/SSSD/sssd/pull-request/3383

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ssh tools: The ai structure is not an array,  (Simo Sorce, 2017-04-28, 1 file, -3/+3)

  This structure is actually a linked list, so do not mislead readers by treating it as an array.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/1498

  Merges:
  https://pagure.io/SSSD/sssd/pull-request/3383

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* cache_req: Avoid bool in switch/case  (Lukas Slebodnik, 2017-04-28, 1 file, -11/+7)

  Pair-Programmed-With: Michal Židek <mzidek@redhat.com>

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* Use correct spelling of override  (René Genz, 2017-04-28, 6 files, -8/+8)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Improve s2n debug message for missing ipaNTSecurityIdentifier  (Justin Stephenson, 2017-04-28, 1 file, -1/+7)

  This patch improves the log message to be more informative for the SSSD user troubleshooting issues.

  If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing the ipaNTSecurityIdentifier it can cause client s2n operation failures resolving the group which resulted in the inability to login for the AD user.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* overrides: add certificates to mapped attribute  (Sumit Bose, 2017-04-28, 1 file, -0/+41)

  Certificates in overrides are explicitly used to map users to certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.

  Resolves https://pagure.io/SSSD/sssd/issue/3373

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ad: handle forest root not listed in ad_enabled_domains  (Sumit Bose, 2017-04-28, 1 file, -3/+36)

  Although users and groups from the forest root should be ignored SSSD will still try to get information about the forest topology from a DC from the forest root. So even if the forest root domain is disabled we should make sure it is usable for those searches.

  Resolves https://pagure.io/SSSD/sssd/issue/3361

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* utils: add sss_domain_is_forest_root()  (Sumit Bose, 2017-04-28, 2 files, -0/+6)

  Related to https://pagure.io/SSSD/sssd/issue/3361

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Fix standalone application domains  (Jakub Hrozek, 2017-04-28, 1 file, -4/+22)

  When a standalone application domain was configured, for example:

  -------------------------------------------------
  [sssd]
  domains = appdomain

  [application/appdomain]
  id_provider=ldap
  ldap_uri = ldap://dc.ipa.test
  ldap_search_base = cn=accounts,dc=ipa,dc=test
  ldap_schema = rfc2307bis
  sudo_provider = none
  ldap_sasl_mech = gssapi
  krb5_realm = IPA.TEST
  krb5_server = dc.ipa.test
  ldap_user_uid_number = telephonenumber
  ldap_user_gid_number = mobile
  ldap_user_extra_attrs = location:l
  -------------------------------------------------

  We would, when unrolling the application section into a domain section, first add a domain stub, equivalent to:

  -----------------------------
  [domain/appdomain]
  domain_type = application
  -----------------------------

  Which in config.ldb also contains cn. Then, when we would add the parameters from the [application] section, we would try to add the cn again.

  This didn't happen when inheriting from a POSIX domain, because there we would set LDB_FLAG_REPLACE for any attributes that exist in the inherited domain.

  This patch skips the cn attribute both when replacing an inherited domain's attributes and when writing a standalone application domain.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3355

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Use search bases instead of domain_to_basedn when fetching external groups  (Jakub Hrozek, 2017-04-26, 1 file, -17/+13)

  Instead of deriving the search base from the IPA domain name, actually use the search base from the sdap_domain structure. This has primarily the advantage of not matching groups in the compat tree.

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3378

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Allow passing a NULL map to sdap_search_bases_ex_send  (Jakub Hrozek, 2017-04-26, 1 file, -1/+1)

  NULL attribute map and a NULL list of attributes should translate into "fetch all entry attributes"

  Required for:
  https://pagure.io/SSSD/sssd/issue/3378

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ_DOMAIN: debug the set domain resolution order  (Fabiano Fidêncio, 2017-04-26, 1 file, -0/+11)

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER_COMMON: Improve domain_resolution_order debug messages  (Fabiano Fidêncio, 2017-04-26, 1 file, -0/+6)

  Indicate whether a domain_resolution_order has been used and where it came from.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ_DOMAIN: Add some comments to cache_req_domain_new_list_from_string_list()  (Fabiano Fidêncio, 2017-04-26, 1 file, -0/+4)

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CACHE_REQ: Allow configurationless shortname lookups  (Fabiano Fidêncio, 2017-04-26, 3 files, -1/+50)

  Configurationless shortname lookups must be allowed when a domains' resolution order is present and the (head) domain is not enforcing the usage of fully-qualified-names.

  With this patch SSSD does not require any kind of changes from client side for taking advantage of shortname lookups.

  Related:
  https://pagure.io/SSSD/sssd/issue/3001

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS/TESTS: Improve non-fqnames tests  (Fabiano Fidêncio, 2017-04-26, 1 file, -15/+30)

  With the changes that are about to happen we have to have the subdomain's fqnames flag set by the time we populate the cr_domains list (as it actually occurs with the real code), as this list may set its own fqnames flag based on the subdomain's fqnames flag.

  Currently the flag is set to false only when running the tests themselves so the cr_domains list doesn't get populated properly (although it still works with the current code).

  For the changes that are coming, let's introduce a new setup function that ensures that the subdomain's fqnames flag is set up at the right time.

  Related:
  https://pagure.io/SSSD/sssd/issue/3001

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Fallback to global domain resolution order in case the view doesn't have this option set  (Fabiano Fidêncio, 2017-04-26, 3 files, -53/+74)

  The current code has been ignoring the domain resolution order set globally on IPA in case there's a view but this doesn't have any domain resolution order set.

  It happens because we haven't been checking whether the view attribute didn't exist and then we ended up populating the cache_req domains' list assuming that no order has been set instead of falling back to the next preferred method.

  Related:
  https://pagure.io/SSSD/sssd/issue/3001

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier  [HEAD, master]  (Jakub Hrozek, 2017-04-24, 1 file, -1/+4)

  There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client.

  This patch just improves the DEBUG message so that it's clearer for the admins where the issue is.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SECRETS: remove unused variable  (Lukas Slebodnik, 2017-04-21, 1 file, -5/+0)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Use sized_domain_name to format the groups the user is a member of  (Jakub Hrozek, 2017-04-21, 1 file, -14/+15)

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3268

  Uses the common function sized_domain_name() to format a group the user is a member of to the appropriate format.

  To see the code is working correctly, run:

  dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:trusted_user

  Where trusted_user is a user from a trusted domain that is a member of groups from the joined domain and a trusted domain as well. The groups from the joined domain should not be qualified, the groups from the trusted domain should be qualified.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Move sized_output_name() and sized_domain_name() into responder common code  (Jakub Hrozek, 2017-04-21, 5 files, -99/+112)

  These functions are used to format a name into a format that the user configured for output, including case sensitiveness, replacing whitespace and qualified format.

  They were used only in the NSS responder, which typically returns strings to the NSS client library and then the user. But it makes sense to just reuse the same code in the IFP responder as well, since it does essentially the same job.

  The patch also renames sized_member_name to sized_domain_name. Previously, the function was only used to format a group member, the IFP responder would use the same function to format a group the user is a member of.

  Related to:
  https://pagure.io/SSSD/sssd/issue/3268

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* README: Update links to mailing lists  (Lukas Slebodnik, 2017-04-20, 1 file, -2/+4)

  Old links are redirected to information about Fedorahosted-retirement
  e.g. https://fedorahosted.org/mailman/listinfo/sssd-devel -> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SPEC: Drop conditional build for krb5_local_auth_plugin  (Lukas Slebodnik, 2017-04-19, 1 file, -6/+0)

  It was mainly aimed for time when stable CentOS and rhel nightly had different versions of krb5. Anyway, rhel7.0 and rhel <= 6.6 are already out of support

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* minor typo fixes  (René Genz, 2017-04-19, 5 files, -16/+16)

  Merges:
  https://pagure.io/SSSD/sssd/pull-request/3374

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Justin Stephenson <jstephen@redhat.com>
* UTIL: Use max 15 characters for AD host UPN  (Lukas Slebodnik, 2017-04-12, 1 file, -1/+7)

  We do not want to use host principal with AD "host/name.domain.tld@DOMAIN.TLD" because it does not work. We need to use correct user principal for AD hosts. And we cannot rely on the fallback "*$" because of other principals in keytab.

  The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix.
  https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

  Resolves:
  https://pagure.io/SSSD/sssd/issue/3329

  Reviewed-by: Michal Židek <mzidek@redhat.com>