Commit message | Author | Age | Files | Lines
...
* cache_req: add ability to filter domains by enumeration
  Pavel Březina | 2016-12-19 | 13 files | -5/+55

  Skip domains without enumeration if a plug-in requires it. This is preparation for enumeration support inside cache_req.

  Resolves: https://fedorahosted.org/sssd/ticket/3151
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* cache_req: add ability to gather result from all domains
  Pavel Březina | 2016-12-19 | 13 files | -17/+71

  This is preparation for enumeration support inside cache_req.

  Resolves: https://fedorahosted.org/sssd/ticket/3151
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* cache_req: encapsulate output data into structure
  Pavel Březina | 2016-12-19 | 11 files | -147/+254

  In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains a combination of domain and ldb_result. This is preparation for enumeration support inside cache_req.

  Resolves: https://fedorahosted.org/sssd/ticket/3151
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* cache_req: skip first search on bypass cache
  Pavel Březina | 2016-12-19 | 1 file | -10/+22

  If we always want to contact the data provider to fetch data, we don't need to search the cache prior to this call.

  Resolves: https://fedorahosted.org/sssd/ticket/3151
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* cache_req: fix initgroups by name
  Pavel Březina | 2016-12-19 | 1 file | -1/+3

  If an overridden name was provided we stole an already freed value. The name is attached to the "user" talloc context which we freed before stealing the value. This caused a crash in SSSD.

  Resolves: https://fedorahosted.org/sssd/ticket/3151
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* sss_output_name: do not require fq name
  Pavel Březina | 2016-12-19 | 1 file | -3/+7

  Now, we return the original name, assuming it is a shortname, instead of returning an error.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* sss_crypto.h: include required headers
  Pavel Březina | 2016-12-19 | 1 file | -0/+3

  So we do not depend on #include order.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* setent_notify: remove unused private context
  Pavel Březina | 2016-12-19 | 4 files | -7/+2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* ifp: remove unused fields from state
  Pavel Březina | 2016-12-19 | 1 file | -2/+0

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* nss: move nss_ctx->global_names to rctx
  Pavel Březina | 2016-12-19 | 6 files | -19/+14

  The global names context is used to parse AD well known SIDs and names into their opposite. This patch moves the definition of this parameter from the nss responder into the common responder context so it can also be used by other responders. This change will be used to enable looking up well known SIDs and names directly in cache_req.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* BUILD: Find a host-prefixed krb5-config when cross-compiling
  David Michael | 2016-12-16 | 1 file | -1/+1

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* tests: sssctl user/group-show basic tests
  Michal Židek | 2016-12-15 | 2 files | -0/+362

  Add basic tests for sssctl user/group-show commands. This includes a regression test for ticket #3235.

  Resolves: https://fedorahosted.org/sssd/ticket/3235
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sssctl: Case insensitive filters
  Michal Židek | 2016-12-15 | 1 file | -0/+8

  Lowercase the filter in case insensitive domains.

  Resolves: https://fedorahosted.org/sssd/ticket/3235
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sssctl: Search by alias
  Michal Židek | 2016-12-15 | 1 file | -2/+4

  Also search by alias when using sssctl to query the cache.

  Resolves: https://fedorahosted.org/sssd/ticket/3235
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* common: Fix domain case sensitivity init
  Michal Židek | 2016-12-15 | 1 file | -3/+9

  The domain case sensitivity was wrongly set in the domain context after initialization if the provider was AD.

  Resolves: https://fedorahosted.org/sssd/ticket/3235
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sudo: do not store usn if no rules are found
  Pavel Březina | 2016-12-08 | 1 file | -1/+8

  When ldap doesn't contain any sudorule during the initial full refresh, usn is set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh, which doesn't return any result on openldap servers.

  Resolves: https://fedorahosted.org/sssd/ticket/3257
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* STAP: Only print transaction statistics if the script caught some transactions
  Jakub Hrozek | 2016-12-08 | 1 file | -2/+4

  If the script measured an 'id' run from the cache, there would be no transactions and dereferencing the aggregate would throw an error.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* Prevent use after free in fd_input_available
  Carl Henrik Lunde | 2016-12-08 | 1 file | -6/+3

  When both TEVENT_FD_WRITE and TEVENT_FD_READ are set, and an error/EOF occurs when reading from the socket, we will get a use after free in the second call to ares_process_fd. The first call will free the watch structure via a callback. Prevent this by calling ares_process_fd only once.

    Invalid read of size 4
       at fd_input_available (async_resolv.c:147)
       by epoll_event_loop (tevent_epoll.c:728)
       by epoll_event_loop_once (tevent_epoll.c:926)
       by std_event_loop_once (tevent_standard.c:114)
       by _tevent_loop_once (tevent.c:533)
       by tevent_common_loop_wait (tevent.c:637)
       by std_event_loop_wait (tevent_standard.c:140)
       by server_loop (server.c:702)
       by main (data_provider_be.c:587)
    Address ... is 112 bytes inside a block of size 136 free'd
       at free (vg_replace_malloc.c:530)
       by _talloc_free_internal (talloc.c:1116)
       by _talloc_free (talloc.c:1647)
       by ares__close_sockets (ares__close_sockets.c:50)
       by handle_error (ares_process.c:679)
       by read_tcp_data (ares_process.c:391)
       by processfds (ares_process.c:138)
       by fd_input_available (async_resolv.c:144)
       by epoll_event_loop (tevent_epoll.c:728)
       by epoll_event_loop_once (tevent_epoll.c:926)
       by std_event_loop_once (tevent_standard.c:114)
       by _tevent_loop_once (tevent.c:533)
       by tevent_common_loop_wait (tevent.c:637)
       by std_event_loop_wait (tevent_standard.c:140)
       by server_loop (server.c:702)

  Resolves: https://fedorahosted.org/sssd/ticket/3250
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
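The double-dispatch bug described in the commit above, as an added C model that is not SSSD or c-ares code: the per-socket watch is marked closed instead of actually freed (an assumption made so that the dangling access can be counted rather than being undefined behaviour), `process_fd` stands in for `ares_process_fd`, the `EV_*` bits stand in for `TEVENT_FD_READ`/`TEVENT_FD_WRITE`, and `run_scenario` with its "read fails" input is constructed for the demonstration. The buggy handler calls the library once per set bit; the fixed one passes both descriptors in a single call, so the library's error path runs once and nothing touches the watch afterwards.

```c
#include <stdbool.h>
#include <stdio.h>

/* Event-mask bits, mirroring TEVENT_FD_READ / TEVENT_FD_WRITE (assumed values). */
#define EV_READ  0x1u
#define EV_WRITE 0x2u

/* Model of the per-socket watch that c-ares tears down on a read error.
 * The real object is talloc_free()d; here it is only marked closed so a
 * later access can be counted instead of being undefined behaviour. */
struct watch {
    int  fd;
    bool closed;
};

struct scenario {
    struct watch w;
    bool read_fails;            /* constructed input: next read hits EOF/error */
    int  touches_after_close;   /* would-be use-after-free count */
};

/* Stand-in for ares_process_fd(channel, read_fd, write_fd). On a read
 * error the library closes the socket and frees its watch; any later
 * call that reaches the watch is the invalid read valgrind reported. */
static void process_fd(struct scenario *sc, int read_fd, int write_fd)
{
    (void)write_fd;
    if (sc->w.closed) {
        sc->touches_after_close++;   /* the use after free */
        return;
    }
    if (read_fd != -1 && sc->read_fails) {
        sc->w.closed = true;         /* handle_error -> ares__close_sockets -> free */
    }
    /* normal read/write processing would continue here */
}

/* Original shape of the handler: one library call per set bit. When both
 * bits are set and the read fails, the second call runs on a watch the
 * first call has already freed. */
static void handler_buggy(struct scenario *sc, unsigned flags)
{
    int fd = sc->w.fd;
    if (flags & EV_READ)
        process_fd(sc, fd, -1);
    if (flags & EV_WRITE)
        process_fd(sc, -1, fd);
}

/* Fixed shape: a single call carrying both descriptors (-1 for a bit that
 * is not set), so the error is handled once and the handler returns
 * without touching the watch again. */
static void handler_fixed(struct scenario *sc, unsigned flags)
{
    int fd = sc->w.fd;
    process_fd(sc, (flags & EV_READ)  ? fd : -1,
                   (flags & EV_WRITE) ? fd : -1);
}

/* Runs one event through the chosen handler and returns how many times
 * the (modelled) freed watch was touched afterwards; 0 means safe. */
int run_scenario(bool fixed, unsigned flags, bool read_fails)
{
    struct scenario sc = { .w = { .fd = 7, .closed = false },
                           .read_fails = read_fails,
                           .touches_after_close = 0 };
    if (fixed)
        handler_fixed(&sc, flags);
    else
        handler_buggy(&sc, flags);
    return sc.touches_after_close;
}

int main(void)
{
    printf("buggy, READ|WRITE, read error: %d use(s) after free\n",
           run_scenario(false, EV_READ | EV_WRITE, true));
    printf("fixed, READ|WRITE, read error: %d use(s) after free\n",
           run_scenario(true, EV_READ | EV_WRITE, true));
    return 0;
}
```

The general lesson is the one the valgrind trace shows: once a callback inside a library call may free the object the caller holds, the caller must not make a second call on that object in the same handler, even if the second call "only" covers a different event bit.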
* IFP: Remove "ChangeDebugTemporarily" method
  Fabiano Fidêncio | 2016-12-08 | 6 files | -141/+0

  This method has been only used by OpenLMI, which has been deprecated and its support dropped from SSSD on commit 99b2352.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SYSDB: Suppress sysdb_delete_ts_entry failed: 0
  Jakub Hrozek | 2016-12-08 | 1 file | -3/+7

  Reviewed-by: Michal Židek <mzidek@redhat.com>

* RESPONDER: Remove dead assignment to the variable ret
  Lukas Slebodnik | 2016-12-08 | 1 file | -2/+0

  Reviewed-by: Michal Židek <mzidek@redhat.com>

* SSH: Use default_domain_suffix for users' authorized keys
  Jakub Hrozek | 2016-12-06 | 1 file | -4/+8

  In commit eeecc48d22a28bb69da56f6ffd8824163fc9bf00 we disabled default_domain_suffix for the SSH responder, but in a wrong way -- we disabled the functionality completely, also for users, not only for computers. This might have been correct at the time, since SSH keys in ID overrides are a relatively new feature, but it's definitely not correct in general. Instead, this patch restores the use of default_domain_suffix, but only for looking up public keys of users, not of computers.

  Resolves: https://fedorahosted.org/sssd/ticket/3259
  Reviewed-by: Petr Cech <pcech@redhat.com>

* SIFP: Fix warning format-security
  Lukas Slebodnik | 2016-12-01 | 1 file | -1/+1

  dbus-1.11.8 added attributes for format string checking to a few functions in public header files. And therefore there is a warning.

    src/lib/sifp/sss_sifp_utils.c: In function ‘sss_sifp_set_io_error’:
    src/lib/sifp/sss_sifp_utils.c:44:5: error: format not a string literal and no format arguments [-Werror=format-security]
         dbus_set_error(ctx->io_error, error->name, error->message);
         ^~~~~~~~~~~~~~

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* CONFDB: Suppress clang false positive warnings
  Lukas Slebodnik | 2016-11-29 | 1 file | -4/+4

  The errno is a macro expanded into '(*__errno_location ())'. The reason is that errno is private in glibc and the function __errno_location returns the address of the private errno.

    sh$ objdump -T /lib64/libc.so.6 | grep errno
    00000010 g    D  .tbss  00000004  GLIBC_PRIVATE errno
    000208a0 g    DF .text  00000011  GLIBC_2.2.5 __errno_location
    001366b0 g    DF .text  0000005f  GLIBC_2.2.5 clnt_sperrno
    00136710 g    DF .text  00000074  GLIBC_2.2.5 clnt_perrno
    00000064 g    D  .tbss  00000004  GLIBC_PRIVATE __h_errno
    0011aad0 g    DF .text  00000011  GLIBC_2.2.5 __h_errno_location

  It looks like the clang static analyzer assumes that the value can be changed due to a function call.

    errno = 0;
    val = strtol(values[0], NULL, 0);
    // Taking true branch => assuming "errno != 0"
    if (errno) {
        ret = errno;
        // errno was stored to ret but clang later assumes
        // that ret can be 0
        goto failed;

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* krb5: add tests for common functions
  Sumit Bose | 2016-11-28 | 2 files | -0/+315

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* krb5: fix two memory leaks
  Sumit Bose | 2016-11-28 | 1 file | -7/+2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* krb5: Use command line arguments instead of env vars for krb5_child
  Sumit Bose | 2016-11-28 | 7 files | -131/+276

  Resolves: https://fedorahosted.org/sssd/ticket/697
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* UTIL: Fix compilation of sss_utf8 with libunistring
  Lukas Slebodnik | 2016-11-25 | 1 file | -0/+1

  The internal header file "util/util.h" was removed from sss_utf8.h as part of commit de5fa34860886ad68fba5e739987e16c342e8f14. It was necessary to ensure libipa_hbac can be built with a C90 compatible compiler. This header file includes many system header files and after this change caused a missing declaration of the function free()

    src/util/sss_utf8.c: In function ‘sss_utf8_free’:
    src/util/sss_utf8.c:40:12: error: implicit declaration of function ‘free’ [-Werror=implicit-function-declaration]
         return free(ptr);
                ^~~~
    src/util/sss_utf8.c:40:12: warning: incompatible implicit declaration of built-in function ‘free’
    src/util/sss_utf8.c:40:12: note: include ‘<stdlib.h>’ or provide a declaration of ‘free’
    cc1: some warnings being treated as errors

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* sssctl: Fix missing declaration
  Lukas Slebodnik | 2016-11-25 | 1 file | -0/+1

  The WEXITSTATUS is defined in stdlib.h on linux. There is a nice comment in stdlib.h:

    /* Define the macros <sys/wait.h> also would define this way. */

  It's better to not rely on this and use a more platform friendly way by including "sys/wait.h". For example the libc on FreeBSD does not provide WEXITSTATUS in stdlib.h. I found this macro mentioned only in the manual page for wait(2) and there is mentioned just the "sys/wait.h" and not "stdlib.h"

    src/tools/sssctl/sssctl.c: In function 'sssctl_run_command':
    src/tools/sssctl/sssctl.c:110: error: implicit declaration of function 'WEXITSTATUS'
    gmake[2]: *** [Makefile:22383: src/tools/sssctl/sssctl-sssctl.o] Error 1

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* SYSDB: Remove unused prototype from header file
  Lukas Slebodnik | 2016-11-25 | 1 file | -5/+0

  The function sysdb_get_sudo_filter was removed as part of ticket #2919

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* UTIL: Fix implicit declaration of function 'htobe32'
  Lukas Slebodnik | 2016-11-25 | 2 files | -0/+2

  Include the internal wrapper header file for endian related functions. The "util/sss_endian.h" includes the available header file on different platforms or it provides compatible macros in the worst case. Breakage noticed when building SSSD on FreeBSD

      CC       src/util/cert/nss/libsss_cert_la-cert.lo
    src/util/cert/nss/cert.c: In function 'cert_to_ssh_key':
    src/util/cert/nss/cert.c:358: error: implicit declaration of function 'htobe32'
    gmake[2]: *** [Makefile:12421: src/util/cert/nss/libsss_cert_la-cert.lo] Error 1
    gmake[2]: Leaving directory '/root/sssd_from_git'
    gmake[1]: *** [Makefile:20050: all-recursive] Error 1
    gmake[1]: Leaving directory '/root/sssd_from_git'
    gmake: *** [Makefile:7116: all] Error 2

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* BUILD: Drop libsss_config
  Fabiano Fidêncio | 2016-11-24 | 16 files | -1849/+0

  libsss_config has been used only by OpenLMI and the project has been deprecated, making, then, no sense to keep the support in SSSD. Distros that, for some reason, are still packaging and distributing OpenLMI can stick to the SSSD 1.14 branch.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* sss_client: Defer thread cancellation until completion of nss/pam operations
  Howard Guo | 2016-11-24 | 3 files | -85/+7

  The client code is not cancellation-safe; an application which has cancelled an NSS operation will experience subtle bugs, hence thread cancellation is deferred until completion of client operations.

  Resolves: https://fedorahosted.org/sssd/ticket/3156
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Florian Weimer <fweimer@redhat.com>
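A demonstration of the deferral pattern the commit above describes, added here and not taken from the sss_client code: the request body takes a lock and then blocks in a cancellation point (`nanosleep` stands in for the blocking socket I/O of an NSS/PAM request), and the wrapper disables cancellation with `pthread_setcancelstate` for the duration, restores the previous state on exit and only then lets a pending cancel fire. `client_state`, `do_request_body`, `do_request_deferred` and `request_survives_cancel` are hypothetical names, and the delays are constructed for the test; the harness cancels the worker while it is inside the request and reports whether the state was left consistent.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Shared client-side state that must never be left half-updated. */
struct client_state {
    pthread_mutex_t lock;
    _Atomic int in_flight;   /* 1 while a request is being processed */
    int completed;           /* requests that ran to completion */
};

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);    /* a POSIX cancellation point */
}

/* The non-cancellation-safe body: lock, block, update, unlock. If the
 * thread is cancelled while blocked, the lock stays held forever and
 * the bookkeeping is never finished. */
static void do_request_body(struct client_state *st)
{
    pthread_mutex_lock(&st->lock);
    atomic_store(&st->in_flight, 1);
    sleep_ms(200);                      /* stands in for socket I/O */
    atomic_store(&st->in_flight, 0);
    st->completed++;
    pthread_mutex_unlock(&st->lock);
}

/* Deferred-cancellation wrapper: cancellation is disabled on entry and
 * the caller's previous state restored on exit; a cancel that arrived in
 * between is honoured at the explicit cancellation point that follows. */
void do_request_deferred(struct client_state *st)
{
    int old_state;
    pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_state);
    do_request_body(st);
    pthread_setcancelstate(old_state, NULL);
    pthread_testcancel();
}

struct thread_arg { struct client_state *st; bool deferred; };

static void *worker(void *p)
{
    struct thread_arg *a = p;
    if (a->deferred)
        do_request_deferred(a->st);
    else
        do_request_body(a->st);
    return NULL;
}

/* Runs one request in a thread that is cancelled mid-request. Returns
 * true if the thread was cancelled, the request still ran to completion
 * and the lock was released, i.e. the client state is consistent. */
bool request_survives_cancel(bool deferred)
{
    struct client_state st = { PTHREAD_MUTEX_INITIALIZER, 0, 0 };
    struct thread_arg a = { &st, deferred };
    pthread_t t;
    void *res = NULL;

    pthread_create(&t, NULL, worker, &a);
    while (!atomic_load(&st.in_flight))
        sleep_ms(1);                    /* wait until the worker is inside */
    pthread_cancel(t);
    pthread_join(t, &res);

    bool cancelled = (res == PTHREAD_CANCELED);
    bool lock_free = (pthread_mutex_trylock(&st.lock) == 0);
    if (lock_free)
        pthread_mutex_unlock(&st.lock);
    return cancelled && lock_free && st.completed == 1
           && atomic_load(&st.in_flight) == 0;
}

int main(void)
{
    printf("plain body, cancelled mid-request: state consistent = %s\n",
           request_survives_cancel(false) ? "yes" : "no");
    printf("deferred cancellation:             state consistent = %s\n",
           request_survives_cancel(true) ? "yes" : "no");
    return 0;
}
```

Both variants end up cancelled; the difference is that with the plain body the mutex is still held by the dead thread and the request never completed, which is exactly the kind of subtle breakage the commit refers to.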
* SECRETS: Add configurable payload size limit of a secret
  Fabiano Fidêncio | 2016-11-24 | 13 files | -0/+83

  Resolves: https://fedorahosted.org/sssd/ticket/3169
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SECRETS: Delete all secrets stored during "max_secrets" test
  Fabiano Fidêncio | 2016-11-24 | 1 file | -0/+4

  Otherwise we will have a 507 error in case any secret is added by any of the tests that may be implemented in the future.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* TESTS: Check new line at end of file
  Lukas Slebodnik | 2016-11-23 | 4 files | -3/+16

  Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

* SYSDB: Fixing of sudorule without a sudoUser
  Petr Čech | 2016-11-23 | 1 file | -0/+5

  This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead.

  Resolves: https://fedorahosted.org/sssd/ticket/3241
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* KRB5: Remove spurious warning in logs
  Lukas Slebodnik | 2016-11-22 | 1 file | -1/+1

  The option krb5_map_user is empty by default. Therefore we should not confuse users with a warning

    (Fri Nov 15 09:58:49 2016) [sssd[be[example.com]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* BUILD: Fix a typo in inotify.m4
  Jakub Hrozek | 2016-11-22 | 1 file | -2/+2

  This typo prevented HAVE_INOTIFY from ever being set and as an effect, prevented /etc/resolv.conf inotify detection from working

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

* tests: Add a test for group resolution with ldap_group_nesting_level=0
  Jakub Hrozek | 2016-11-16 | 1 file | -0/+29

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* Qualify ghost user attribute in case ldap_group_nesting_level is set to 0
  Jakub Hrozek | 2016-11-16 | 1 file | -4/+11

  When the sssd is set to not resolve nested groups with RFC2307bis, then the LDAP provider takes a different path. We didn't qualify the ghost users in this case.

  Resolves: https://fedorahosted.org/sssd/ticket/3236
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* MAN: Document different defaults for IPA provider
  Justin Stephenson | 2016-11-15 | 3 files | -75/+144

  Update man pages for any IPA provider config options that differ from ldap/krb5 provider back-end defaults

  Resolves: https://fedorahosted.org/sssd/ticket/3214
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* MAN: Document different defaults for AD provider
  Justin Stephenson | 2016-11-15 | 3 files | -24/+78

  Update man pages for any AD provider config options that differ from ldap/krb5 provider back-end defaults

  Resolves: https://fedorahosted.org/sssd/ticket/3214
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* ipa: Nested netgroups do not work
  Michal Židek | 2016-11-14 | 1 file | -12/+3

  We lowercase the keys to the hash table used to store netgroups but do not lowercase them when reading the table. This results in nested netgroups not being found when they should and the processing fails. The lowercasing does not seem to be necessary anymore (not sure if it ever was) so we can skip it.

  Resolves: https://fedorahosted.org/sssd/ticket/3159
  Reviewed-by: Petr Cech <pcech@redhat.com>

* UTIL: Removing of never read value
  Petr Čech | 2016-11-14 | 1 file | -1/+0

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* RESPONDER: Adding of return value checking
  Petr Čech | 2016-11-14 | 1 file | -1/+1

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SECRETS: Add allowed_sec_users_options
  Fabiano Fidêncio | 2016-11-10 | 1 file | -5/+10

  There are options (the proxying related ones) that only apply to the secrets' subsections. In order to make the config API able to catch those, let's create a new section called allowed_sec_users_options and move these proxying options there.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SECRETS: Fix secrets rule in the allowed sections
  Fabiano Fidêncio | 2016-11-10 | 1 file | -2/+2

  We have been matching an invalid subsection of the secrets' section, like:

    [secrets/users/]

  Let's ensure that we only match the following cases:

    [secrets]
    [secrets/users/[0-9]+]

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
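An added illustration of the allow-list matching the commit above fixes, written here and not taken from the project: the two rules below are assumed shapes (the page does not show the actual rule text), expressed as POSIX extended regexes over the section name without its surrounding brackets. The loose rule's `[0-9]*` accepts an empty user id and therefore lets `[secrets/users/]` through; the corrected `[0-9]+` requires at least one digit. `section_matches` and the two `secrets_section_allowed_*` wrappers are hypothetical names, and the sample section names in `main` are constructed.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed rule text; only the quantifier on the user id differs. */
#define SECRETS_RULE_LOOSE "^secrets(/users/[0-9]*)?$"
#define SECRETS_RULE_FIXED "^secrets(/users/[0-9]+)?$"

/* Returns true if the whole section name is matched by the extended
 * regex `rule`. A rule that fails to compile is treated as matching
 * nothing, so a broken allow-list never admits every section. */
bool section_matches(const char *rule, const char *section)
{
    regex_t re;
    if (regcomp(&re, rule, REG_EXTENDED | REG_NOSUB) != 0)
        return false;
    int rc = regexec(&re, section, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

bool secrets_section_allowed_loose(const char *section)
{
    return section_matches(SECRETS_RULE_LOOSE, section);
}

bool secrets_section_allowed_fixed(const char *section)
{
    return section_matches(SECRETS_RULE_FIXED, section);
}

int main(void)
{
    /* Constructed section names: valid ones, the bad one from the commit,
     * and a few near misses that both rules must reject. */
    const char *samples[] = {
        "secrets", "secrets/users/1000", "secrets/users/",
        "secrets/users/abc", "secretsx", "secrets/users/1000/extra",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("[%s]  loose: %s  fixed: %s\n", samples[i],
               secrets_section_allowed_loose(samples[i]) ? "allow" : "deny",
               secrets_section_allowed_fixed(samples[i]) ? "allow" : "deny");
    }
    return 0;
}
```

Both ends of the pattern are anchored, so `secretsx` and a trailing `/extra` are rejected by either rule; the only behavioural difference between the two is the empty user id, which is the case the commit closes.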
* IPA/AD: check auth ctx before using it
  Sumit Bose | 2016-11-10 | 2 files | -5/+28

  In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch.

  Resolves: https://fedorahosted.org/sssd/ticket/3234
  Reviewed-by: Petr Cech <pcech@redhat.com>

* MONITOR: Remove unused shutDown sbus method
  Jakub Hrozek | 2016-11-09 | 11 files | -21/+0

  The shutDown method has not been used or set for a long time. Trim the internal interface by removing all references to this internal method.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>