Commit message | Author | Age | Files | Lines
...
* MONITOR: Remove deprecated pong sbus method | Jakub Hrozek | 2016-11-09 | 13 | -27/+0
  The pong method is deprecated since we started using the watchdog. Since this is dead code, it makes sense to just remove it.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SYSDB: Adding message about reason why cache changed | Petr Cech | 2016-11-08 | 1 | -4/+20
  Resolves: https://fedorahosted.org/sssd/ticket/3060
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SYSDB: Adding message to inform which cache is used | Petr Cech | 2016-11-08 | 1 | -0/+32
  Resolves: https://fedorahosted.org/sssd/ticket/3060
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Extending sysdb sudo store tests | Petr Čech | 2016-11-08 | 1 | -1/+167
  We covered difference between case sensitive and case insensitive domains. If domain is case insensitive we add lowercase form of sudoUser to local sysdb cache.
  Resolves: https://fedorahosted.org/sssd/ticket/3203
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Adding lowercase sudoUser form | Petr Čech | 2016-11-08 | 1 | -0/+64
  If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we are actually able to apply sudoRule on user Administrator@... with login administrator@...
  Resolves: https://fedorahosted.org/sssd/ticket/3203
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Do not set up watchdog for monitor | Jakub Hrozek | 2016-11-08 | 3 | -4/+10
  It makes little sense to set up watchdog for monitor because there is no entity that would restart the monitor. Therefore we should disable the watchdog for monitor process.
  Resolves: https://fedorahosted.org/sssd/ticket/3232
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Fix linking with librt | Lukas Slebodnik | 2016-11-07 | 2 | -0/+14
  The POSIX realtime extensions define timer_* functions but do not mention the library with these functions.
  http://www.unix.org/version2/whatsnew/realtime.html
  The autoconf macro AC_SEARCH_LIBS first checks the function timer_create with no libraries, then for each library listed in 2nd parameter. Possible libraries librt and libposix4 were used in nspr for similar detection.
  Reviewed-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
* ad_access_filter search for nested groups | Mike Ely | 2016-11-03 | 1 | -0/+16
  Includes instructions and example for AD nested group access
  Related to https://fedorahosted.org/sssd/ticket/3218
  Signed-off-by: Mike Ely <github@taupehat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well | Jakub Hrozek | 2016-11-03 | 4 | -7/+144
  In cases where the domain name in sssd.conf does not match the AD domain, our previous matching process wouldn't match. This patch augments the matching as follows:
    - the search base is known to sysdb_try_to_find_expected_dn and is expected to be non-NULL
    - the existing matching is run first
    - during the search base matching, all the non-DC components are stripped from the search base to 'canonicalize' the search base
    - if only a single entry that matches with a non-DC DN component (matching with a DC component would mean the DN comes from a different domain) then this entry is a match and is returned
  Resolves: https://fedorahosted.org/sssd/ticket/3199
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions | Jakub Hrozek | 2016-11-03 | 1 | -99/+179
  The function sysdb_try_to_find_expected_dn was performing several matching algorithms and thus it was getting big and hard to extend. This patch doesn't contain any functional changes, only shuffles the code around and splits the monolithic sysdb_try_to_find_expected_dn function into smaller blocks.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: add pam_response_filter option | Sumit Bose | 2016-11-02 | 8 | -15/+297
  Currently the main use-case for this new option is to not set the KRB5CCNAME environment variable for services like 'sudo-i'.
  Resolves https://fedorahosted.org/sssd/ticket/2296
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add a test for filter_responses() | Sumit Bose | 2016-11-02 | 3 | -2/+57
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/AD: resolve domain local groups for remote users | Sumit Bose | 2016-10-31 | 4 | -7/+569
  If a user from a trusted domain in the same forest is a direct or indirect member of domain local groups from the local domain those memberships must be resolved as well. Since those domain local groups are not valid in the trusted domain a DC from the trusted domain which is used to lookup the user data is not aware of them. As a consequence those memberships must be resolved against a local DC in a second step.
  Resolves https://fedorahosted.org/sssd/ticket/3206
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap: make some nested group related calls public | Sumit Bose | 2016-10-31 | 2 | -10/+18
  sdap_nested_groups_store() and rfc2307bis_nested_groups_send/recv() will be reused for domain local group lookups.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add parent_dom to sysdb_get_direct_parents() | Sumit Bose | 2016-10-31 | 3 | -5/+34
  Currently sysdb_get_direct_parents() only returns direct parents from the same domain as the child object. In setups with sub-domains this might not be sufficient. A new option parent_dom is added which allows to specify a domain the direct parents should be looked up in. If it is NULL the whole cache is searched.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sssctl: Flags for command initialization | Michal Židek | 2016-10-27 | 3 | -44/+63
  Allow passing flags for command specific initialization. Currently only one flag is available to skip the confdb initialization which is required to improve config-check command.
  Resolves: https://fedorahosted.org/sssd/ticket/3209
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* dlopen-test: Add check for untested libraries | Lukas Slebodnik | 2016-10-25 | 1 | -0/+69
  Reviewed-by: Petr Čech <pcech@redhat.com>
* dlopen-test: Move libraries to the right "sections" | Lukas Slebodnik | 2016-10-25 | 1 | -5/+4
  The library winbind_idmap_sss.so is built only when building with samba. The library libdlopen_test_providers.so was moved to the group of libraries built for testing purposes.
  Reviewed-by: Petr Čech <pcech@redhat.com>
* dlopen-test: Add missing libraries to the check list | Lukas Slebodnik | 2016-10-25 | 1 | -0/+13
  nfsidmap plugin (sss.so) and libsss_cert.so were not checked. Few libraries which are built for testing purposes were added to the list otherwise we would not be able to detect unchecked libraries.
  Reviewed-by: Petr Čech <pcech@redhat.com>
* dlopen-test: Use portable macro for location of .libs | Lukas Slebodnik | 2016-10-25 | 1 | -2/+3
  Reviewed-by: Petr Čech <pcech@redhat.com>
* BUILD: Accept krb5 1.15 for building the PAC plugin | Lukas Slebodnik | 2016-10-25 | 1 | -1/+2
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* BUILD: Fix installation without samba | Sorah Fukumori | 2016-10-22 | 1 | -0/+4
  winbindplugindir is defined only when BUILD_SAMBA is on. Also the file doesn't exist when BUILD_SAMBA is off, so installation will fail.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* crypto-tests: Rename encrypt decrypt test case | Lukas Slebodnik | 2016-10-21 | 1 | -2/+2
  libsss_crypto provides 2 pairs of encrypt + decrypt functions. sss_password_encrypt + sss_password_decrypt and more generic sss_encrypt + sss_decrypt.
  The name of one test case was a little bit confusing. It evokes that different pair of functions were tested.
  Reviewed-by: Christian Heimes <cheimes@redhat.com>
* crypto-tests: Add unit test for sss_encrypt + sss_decrypt | Lukas Slebodnik | 2016-10-21 | 1 | -0/+44
  Reviewed-by: Christian Heimes <cheimes@redhat.com>
* libcrypto: Check right value of CRYPTO_memcmp | Lukas Slebodnik | 2016-10-21 | 1 | -1/+1
  sss_decrypt failed even though it should pass because we were checking wrong value of CRYPTO_memcmp. Nobody noticed that because there was not a unit test :-)
  Reviewed-by: Christian Heimes <cheimes@redhat.com>
* BUILD: Fix build without samba | Lukas Slebodnik | 2016-10-21 | 1 | -1/+1
  The test test_ad_subdom should be compiled only if samba build is enabled.
    In file included from src/tests/cmocka/test_ad_subdomains.c:39:0:
    ./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or directory
     #include <ndr.h>
                     ^
    compilation terminated.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* crypto: Port libcrypto code to openssl-1.1 | Lukas Slebodnik | 2016-10-20 | 7 | -91/+190
  EVP_MD_CTX and EVP_CIPHER_CTX are opaque in openssl-1.1
  Reviewed-by: Tomas Mraz <tmraz@redhat.com>
* cache_req: delete old code | Pavel Březina | 2016-10-20 | 2 | -1886/+0
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: switch to new code | Pavel Březina | 2016-10-20 | 10 | -14/+53
  This patch switches the old switch-based cache req code to the new plugin-based.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: move from switch to plugins, add plugins | Pavel Březina | 2016-10-20 | 15 | -0/+2019
  This patch adds all existing functionality into plugins.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: move from switch to plugins; add logic | Pavel Březina | 2016-10-20 | 5 | -0/+1295
  cache_req has grown quite big from the original code and it turned out that using switch statements to branch code for different cases makes the code quite hard to read and further extend and any modification to the logic itself is difficult.
  This patch changes the switch statements to plugins with small functions and separates logic into multiple modules. This gives us better control over the code and improves readability and maintainability while keeping code duplication to minimum.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Petr Cech <pcech@redhat.com>
* Updating the version to track sssd-1-15 development | Jakub Hrozek | 2016-10-20 | 1 | -1/+1
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Updating the version for the 1.14.3 development | Jakub Hrozek | 2016-10-19 | 1 | -1/+1
* Updating the translations for the 1.14.2 release (sssd-1_14_2) | Jakub Hrozek | 2016-10-19 | 40 | -25003/+37462
* CI: Remove dlopen-test from valgrind blacklist | Lukas Slebodnik | 2016-10-19 | 1 | -2/+2
  Dlopen test was added to blacklist due to following reason:
  > Disable running dlopen-tests under Valgrind as their use of dlclose
  > makes Valgrind drop symbols and produce meaningless backtraces, which
  > cannot be matched with specific suppressions.
  It's true that dlclose makes meaningless backtraces but backtraces should not be generated otherwise there is a bug in some library which needs to be fixed and not suppressed.
  Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* TESTS: Fix check for py bindings in dlopen tests | Fabiano Fidêncio | 2016-10-17 | 1 | -2/+2
  The current code checks only for "HAVE_PYTHON_BINDINGS", which is not even a valid check. Let's do the proper check according to the python version (HAVE_PYTHON2_BINDINGS or HAVE_PYTHON3_BINDINGS).
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Adding intg. tests on nested groups | Petr Čech | 2016-10-14 | 1 | -0/+157
  Resolves: https://fedorahosted.org/sssd/ticket/2940
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Removing of member link from group | Sumit Bose | 2016-10-14 | 1 | -0/+9
  Resolves: https://fedorahosted.org/sssd/ticket/2940
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* libwbclient-sssd: update interface to version 0.13 | Sumit Bose | 2016-10-14 | 5 | -3/+71
  This patch adds wbcCtxUnixIdsToSids() and wbcUnixIdsToSids() to SSSD's libwbclient and implements the latter.
  Resolves: https://fedorahosted.org/sssd/ticket/3181
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sssctl: Fix a typo in preprocessor macro | Jakub Hrozek | 2016-10-14 | 1 | -1/+1
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* RPM: Require initscripts on non-systemd platforms | Jakub Hrozek | 2016-10-14 | 1 | -0/+3
  In order for sssctl to work on platforms that do not use systemd, we need to require /sbin/service them for sssd-tools so that the binary can be invoked.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Not having /sbin/service is not fatal | Jakub Hrozek | 2016-10-14 | 1 | -1/+1
  If the target platform does not have the service executable, we must not fail the build, but proceed, just disabling the functionality in sssctl.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Only search for service in /sbin and /usr/sbin | Jakub Hrozek | 2016-10-14 | 1 | -1/+1
  The shell is executed for invocation of the service binary. Therefore it is better to search the binary only in safe paths.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sssctl: call service with absolute path | Pavel Březina | 2016-10-11 | 1 | -3/+3
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Detect the path of the "service" executable | Jakub Hrozek | 2016-10-11 | 2 | -4/+15
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: use systemd D-Bus API | Pavel Březina | 2016-10-11 | 4 | -10/+154
  If systemd is used we leverage its D-Bus API instead of running systemctl.
  Resolves: https://fedorahosted.org/sssd/ticket/3056
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tests: Add tests for getorig by UPN NSS op | Jakub Hrozek | 2016-10-11 | 1 | -0/+34
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* tests: Add tests for sidbyname NSS operation | Jakub Hrozek | 2016-10-11 | 1 | -0/+129
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* nss: allow UPNs in SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME | Sumit Bose | 2016-10-10 | 1 | -10/+66
  When adding support for UPNs, email addresses and aliases the SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME requests were forgotten. This patch adds the missing support because it might be irritating if getpwnam() can resolve the name but the other requests fail.
  The same logic as for the plain user lookup is used, this adds some code duplication which is expected to be removed when the nss responder will be switched to use the new cache_req code.
  Resolves https://fedorahosted.org/sssd/ticket/3194
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_cache: improve option argument handling | Justin Stephenson | 2016-10-10 | 2 | -1/+10
  Print informational message and exit when multiple arguments are provided for single-argument options with sss_cache
  Resolves: https://fedorahosted.org/sssd/ticket/3180
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>