Commit message | Author | Age | Files | Lines
* TESTS: Add a module to call nss_sss's getpw* from tests
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 2, Lines: -0/+168
  Implements a Python module that allows loading the nss_sss module and simulating calls to the getpw* functions from tests.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: add a helper module with shared NSS constants
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 4, Lines: -33/+53
  Every module that reads the sssd_nss module directly copied around the same definition of NSS constants. This commit moves them into a single file to avoid code duplication.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: move helper fixtures to back up and restore a file to a utility module
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 3, Lines: -14/+15
  The fixtures will be useful for tests that set up and restore a user and group database. While it would be possible to import them already, the functions were previously used in a test and importing from a test seems a bit like a hack.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Document the pwfield configuration option
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 1, Lines: -0/+17
  The pwfield was not documented at all previously. In addition, document the different defaults for remote providers and the files provider.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: The files domain defaults to "x" as pwfield
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 1, Lines: -0/+7
  In order to make it possible for files provider users to authenticate with pam_unix, default to "x" as the pwfield of users from the files domain.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Make pwfield configurable per-domain
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 6, Lines: -6/+33
  Previously, the pwfield option was only configurable at the NSS level. Because it's important for the files provider to report "x" as the pwfield instead of "*", which is the SSSD default, this commit makes the pwfield configurable at the domain level.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: The files provider always enumerates
  Author: Pavel Březina, Age: 2017-02-15, Files: 1, Lines: -1/+5
  Since the files provider always mirrors the whole passwd and group contents, the files domain should always permit its contents to be enumerated.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* FILES: Add the files provider
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 7, Lines: -1/+1179
  Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates its contents to the sysdb. The files provider is only built on platforms that support the inotify interface; polling or loading the entries on-demand is not supported.
  During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files.
  The files provider is a bit different from other provider types in the sense that it always enumerates the full contents of the database. Therefore, the requests from the Data Provider are always just replied to with success.
  Enumerating the contents is done in full at the moment: all users and all groups are removed and added anew. Modifying the passwd and group databases should be rare enough for this to be justified and we can optimize the code later.
  Since with large databases the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup.
  Resolves: https://fedorahosted.org/sssd/ticket/3262
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Re-enable the files provider
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 1, Lines: -7/+0
  The files provider was "blacklisted" for a long time, because very old (pre-1.0) versions of sssd had the capability to create users and groups by calling into the shadow-utils binaries directly, which was later removed. Since nobody is (hopefully) running these ancient versions anymore and we are about to re-enable the files provider, we can remove this check.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Add a generic inotify module
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 5, Lines: -0/+1227
  Adds a reusable module for watching files using the Linux-specific inotify(7) interface. Adds the possibility to watch the file's parent directory as well, to make it possible to watch moves into the directory and to allow watching a file that doesn't exist at the time the watch is created.
  This interface is needed to implement the files provider, so this commit is related to: https://fedorahosted.org/sssd/ticket/2228
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Contact inconsistent domains
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 2, Lines: -3/+76
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 1, Lines: -2/+7
  It makes no sense to contact the Data Provider with the files provider except when the files provider is updating itself.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Use the NEED_CHECK_DOMAIN macro
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 1, Lines: -1/+11
  This is to avoid a needless round-trip between the responder and the back end for domains that do not have a traditional back end such as local or files.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal interface to invalidate memory cache from DP
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 2, Lines: -0/+39
  Adds an interface to the Data Provider that allows the DP to notify the NSS responder to invalidate its memory cache records.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal interface to reset negative cache from DP
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 2, Lines: -1/+69
  Adds an interface that allows the Data Provider to notify responders to drop their negative cache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal DP interface to set domain state
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 3, Lines: -0/+99
  Adds functions to the interface the Data Provider publishes towards back ends that allow the back ends to notify responders that a domain has been enabled or disabled.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: A sbus interface to reset negatively cached users and groups
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 8, Lines: -0/+123
  Adds two new responder sbus interface functions: ResetNegcacheUsers and ResetNegcacheGroups. These functions can be called by a Data Provider to signal to a responder that it should drop its negative cache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Add a responder sbus interface to set domain state
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 10, Lines: -2/+362
  Adds a generic responder s-bus interface that all responders implement. The interface currently contains methods that make it possible for a sssd domain to be marked as active or inconsistent by a back end. In the future, this commit will be superseded by sbus signals.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Add a new domain state called DOM_INCONSISTENT
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 2, Lines: -1/+7
  This is a new domain state that indicates to the responder that it should always send a DP request because the provider is rebuilding the cache. Currently it will only be used by the files provider when it is updating the cache, to make sure sssd always returns current data and updating the cache from files is not as racy.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Rename the interface to invalidate memory cache initgroup records for consistency
  Author: Pavel Březina, Age: 2017-02-15, Files: 4, Lines: -10/+10
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Add sbus interface to clear memory cache
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 4, Lines: -1/+99
  Adds three new NSS interface sbus methods to disable memory caches of users, groups and initgroups. It's enough to add this interface to the NSS responder because the NSS responder is the only writer to the memory cache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Add API to reset all users and groups
  Author: Jakub Hrozek, Age: 2017-02-15, Files: 3, Lines: -0/+128
  Adds a negative cache API to reset negatively cached users and groups. This will be used when the files back end finishes enumeration to make sure all results are available.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SUDO: Only store lowercased attribute value once
  Author: Jakub Hrozek, Age: 2017-02-10, Files: 2, Lines: -14/+8
  The current code doesn't handle the situation where lowercasing the sudoUser attribute would yield the same value again. For example:
    sudoUser: TUSER
    sudoUser: tuser
  would break. This patch switches to using the utility function sysdb_attrs_add_lower_case_string(), which already checks for duplicates.
  Resolves: https://fedorahosted.org/sssd/ticket/3301
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Don't timeout if using local provider + socket-activated responders
  Author: Fabiano Fidêncio, Age: 2017-02-10, Files: 1, Lines: -0/+9
  When using only the local provider with socket-activated services, SSSD ends up never notifying systemd that its startup has been done, as notifying systemd is done *only* when a service (provider or responder) is started up, leading SSSD's startup to fail due to a timeout. So, in order to avoid this situation, let's just notify the startup earlier in case we have *only* socket-activated services and the *only* provider set up is the LOCAL one.
  Resolves: https://fedorahosted.org/sssd/ticket/3299
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Wrap up sending sd_notify "ready" into a new function
  Author: Fabiano Fidêncio, Age: 2017-02-10, Files: 1, Lines: -9/+21
  This new function will be used later on in this series, as we will also need to notify systemd that we're up in at least one more scenario (for now).
  Related: https://fedorahosted.org/sssd/ticket/3299
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: always go to dp first when looking up host
  Author: Pavel Březina, Age: 2017-02-08, Files: 1, Lines: -1/+1
  We need to always look up the host in DP first to update host certificates so we are consistent during ssh authentication.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ssh: fix typo
  Author: Pavel Březina, Age: 2017-02-08, Files: 1, Lines: -1/+1
  Those macros are the same so there is no functional difference.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Fix linking of test_sdap_initgr
  Author: Lukas Slebodnik, Age: 2017-02-08, Files: 1, Lines: -2/+3
  There was a linking failure on debian:
    /usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o: undefined reference to symbol 'hash_iterate@@DHASH_0.4.3'
    //usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status
  This patch adds some missing libraries and removes unnecessary libraries.
  Bug was introduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf
  Author: Jakub Hrozek, Age: 2017-02-08, Files: 1, Lines: -2/+11
  If the sssd.conf domain name was different from the joined domain name, but sssd was joined to the forest root, the AD subdomains code considered sssd joined to a non-root domain and tried to discover the forest root.
  This could be reproduced by joining sssd to a domain, for example win.trust.test, but calling the sssd.conf domain otherwise, for example:
    [domain/addomain]
    ad_domain = win.trust.test
  This is/was a frequent use-case in the RHEL world, where authconfig often names the sssd.conf domain 'default'. Without the patch, the trusted domains were not detected.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ssh: rewrite ssh responder to use cache_req
  Author: Pavel Březina, Age: 2017-02-08, Files: 8, Lines: -1218/+1170
  This is a bigger change since both supported commands could be rewritten for cache_req and the logic could be deleted. I decided to also split the file into more modules and follow a similar pattern as with the nss responder.
  Resolves: https://fedorahosted.org/sssd/ticket/1126
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add host by name search
  Author: Pavel Březina, Age: 2017-02-08, Files: 12, Lines: -18/+240
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: move dp request to plugin
  Author: Pavel Březina, Age: 2017-02-08, Files: 25, Lines: -332/+400
  This will allow using cache_req even for objects that do not use an account request, such as hosts.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add api to create ldb_result from message
  Author: Pavel Březina, Age: 2017-02-08, Files: 1, Lines: -19/+28
  Some sysdb methods don't return ldb_result as output but return ldb_message instead. Changing sysdb to be consistent is too big, so I added this helper function that will wrap the resulting message into an ldb_result.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: search user by name with attrs
  Author: Pavel Březina, Age: 2017-02-08, Files: 2, Lines: -2/+42
  Sometimes it is desirable to acquire more attributes from the user object than the SYSDB_PW_ATTRS set, such as the user's public key.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add ability to not use default domain suffix
  Author: Pavel Březina, Age: 2017-02-08, Files: 21, Lines: -1/+31
  This will be used in the next plugin "host by name" where it is not desirable to use the default domain suffix if set.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_parse_inp_send: provide default_domain as parameter
  Author: Pavel Březina, Age: 2017-02-08, Files: 6, Lines: -12/+44
  It is not always desirable to consider default_domain from configuration but expect none instead. For example when we search host certificates. This is currently not used in this patch since host lookups parse the name directly with sss_parse_name, but it will be used in the next patch.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ssh: do not create again fq name
  Author: Pavel Březina, Age: 2017-02-08, Files: 1, Lines: -14/+6
  We store the fully qualified name in sysdb so there is no need to append the domain part again, which results in a name@domain@domain string. This field is not actually used in the ssh client so it doesn't cause any issue, but we should stay correct here.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ssh: fix number of output certificates
  Author: Pavel Březina, Age: 2017-02-08, Files: 1, Lines: -1/+1
  The SSH responder returned an invalid number of certificates when the original ad pubkey attribute was not empty. Since we always return all certificates to the client, we should add the number of results to the output, not override it.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Tests for sdap_search_initgr_user_in_batch
  Author: Petr Čech, Age: 2017-02-08, Files: 2, Lines: -0/+562
  This patch provides tests for the core logic of the sdap_search_initgr_user_in_batch() function. This function replaces the old approach with the sysdb_try_to_find_expected_dn() function.
  Resolves: https://fedorahosted.org/sssd/ticket/3230
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TEST: create_multidom_test_ctx() extending
  Author: Petr Čech, Age: 2017-02-08, Files: 5, Lines: -16/+7
  Function create_multidom_test_ctx() prepares the test environment for multidomains. This patch enables setting different params for each domain.
  Resolves: https://fedorahosted.org/sssd/ticket/3230
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Removing of sysdb_try_to_find_expected_dn()
  Author: Petr Čech, Age: 2017-02-08, Files: 6, Lines: -450/+30
  Currently, in order to match multiple LDAP search results we use two different functions: we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and adds a new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers the necessary logic.
  Resolves: https://fedorahosted.org/sssd/ticket/3230
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Better logging message
  Author: Petr Čech, Age: 2017-02-08, Files: 1, Lines: -1/+2
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Add to IPA DN test
  Author: Justin Stephenson, Age: 2017-02-07, Files: 1, Lines: -0/+7
  Add test to ensure conflict entries return ENOENT.
  Resolves: https://fedorahosted.org/sssd/ticket/3288
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SUDO: Add skip_entry boolean to sudo conversions
  Author: Justin Stephenson, Age: 2017-02-07, Files: 1, Lines: -14/+41
  Add boolean to convert_attributes function and pass boolean as argument to sudo conversion functions to add logic for skipping unexpected entries like replication conflicts.
  Resolves: https://fedorahosted.org/sssd/ticket/3288
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Partially revert "CONFIG: Use default config when none provided"
  Author: Lukas Slebodnik, Age: 2017-02-07, Files: 3, Lines: -40/+4
  This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. Removed is the copying of the default configuration into /etc/sssd/sssd.conf. The sample configuration is still part of the installation.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSTEMD: Update journald drop-in file
  Author: Lukas Slebodnik, Age: 2017-02-07, Files: 1, Lines: -1/+1
  We changed type forking into type notify as part of commit d4063e9a21a4e203bee7e0a0144fa8cabb14cc46. But we forgot to update the template drop-in file for logging into journald.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IFP: Update ifp_iface_generated.c
  Author: Fabiano Fidêncio, Age: 2017-02-07, Files: 1, Lines: -6/+1
  These changes are leftovers from commit 78b4b7e.
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* FAILOVER: Improve port status log messages
  Author: Justin Stephenson, Age: 2017-02-06, Files: 1, Lines: -1/+7
  It should be more clear to administrators that when the SSSD internal port status is set as PORT_NOT_WORKING, this does not directly relate to an assumed network port-related issue.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: Fix use after free
  Author: Lukas Slebodnik, Age: 2017-02-01, Files: 1, Lines: -9/+17
  In case of any krb5 related error, we tried to send the string interpretation of the krb5 error to the parent in prepare_response. However, we cannot use the global krb5 context (krb5_error_ctx) because the context is released every time in the done section of ldap_child_get_tgt_sync. This patch rather returns a duplicated string to prevent the use after free.
  Backtrace:
    #0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
    100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
    Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
    #0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
    No locals.
    #1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm", code=-1765328230, err_fmt=<optimized out>) at kerrs.c:152
    buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10, space = 128, len = 0}
    p = <optimized out>
    s = 0xdededededededede <Address 0xdededededededede out of bounds>
    #2 krb5_get_error_message (ctx=<optimized out>, code=code@entry=-1765328230) at kerrs.c:184
    std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
    #3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>, ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
    No locals.
    #4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>, kerr=-1765328230, expire_time=0, ccname=0x0, mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
    ret = <optimized out>
    r = 0x7fc96d1cd8b0
    krb5_msg = 0x0
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: use sss_ptr_hash for signals table
  Author: Pavel Březina, Age: 2017-02-01, Files: 3, Lines: -49/+18
  This patch reuses the sss_ptr_hash module introduced in the NSS patches in the sbus code.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>