Commit message | Author | Age | Files | Lines

Add support for specifying the shell used for recording user sessions
at configure time.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Also remove --disable-libcurl since it doesn't make sense.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

In order for the KCM server to work with ccaches stored in different
locations, implement a middle-man between the KCM server and the ccache
storage.
This module has an asynchronous API because we can't assume anything about
where the ccaches are stored.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

Adds the initial build of the Kerberos Cache Manager responder (KCM).
This is a daemon that is capable of holding and storing Kerberos
ccaches. When KCM is used, the Kerberos libraries (invoked through e.g.
kinit) are referred to as a 'client' and the KCM daemon is referred to
as 'server'.
At the moment, only the Heimdal implementation of Kerberos implements the
KCM server:
https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
This patch adds a KCM server to SSSD.
In MIT, only the 'client-side' support was added:
http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This page also describes the protocol between the client and the server.
The client is capable of talking to the server over either UNIX sockets
(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
UNIX sockets way and should be socket-activated by systemd, although it
can in theory also be run explicitly.
The KCM server only builds if the configuration option "--with-kcm" is
enabled. It is packaged in a new subpackage sssd-kcm in order to allow
distributions to enable the KCM credential caches by installing this
subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
also includes a krb5.conf.d snippet that allows the admin to just uncomment
the KCM defaults and instructs them to start the socket.
The server can be configured in sssd.conf in the "[kcm]" section.
By default, the server only listens on the same socket path the Heimdal
server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
however, configurable.
The file src/responder/kcm/kcm.h is more or less directly imported from
the MIT Kerberos tree, with an additional sentinel code and some
comments. Not all KCM operations are implemented, only those that the
MIT client also implements. That said, this KCM server should also be
usable with a Heimdal client, although no special testing was done with
this hybrid.
The patch also adds several error codes that will be used in later
patches.
Related to:
https://pagure.io/SSSD/sssd/issue/2887
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexibly select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Currently libcurl is optional and if not present, just silently skipped.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Some kinds of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

As part of the effort of making all responders socket-activatable (or,
in the IFP case, dbus-activatable), let's make the IFP responder ready
for this by providing its systemd units.
Related:
https://fedorahosted.org/sssd/ticket/2243
Resolves:
https://fedorahosted.org/sssd/ticket/3129
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

libsss_config has been used only by OpenLMI and the project has been
deprecated, so it makes no sense, then, to keep the support in SSSD.
Distros that, for some reason, are still packaging and distributing
OpenLMI can stick to the SSSD 1.14 branch.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

The client code is not cancellation-safe; an application which
has cancelled an NSS operation will experience subtle bugs,
hence thread cancellation is deferred until completion of client
operations.
Resolves:
https://fedorahosted.org/sssd/ticket/3156
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>

The POSIX realtime extensions define the timer_* functions
but do not mention the library with these functions.
http://www.unix.org/version2/whatsnew/realtime.html
The autoconf macro AC_SEARCH_LIBS first checks the function
timer_create with no libraries, then for each library listed
in the 2nd parameter. The possible libraries librt and libposix4
were used in nspr for similar detection.
Reviewed-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Prepares autoconf for the new Secrets Provider dependencies
Related:
https://fedorahosted.org/sssd/ticket/2913
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

Prepares autoconf for the new Secrets Provider
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

The macro AM_COND_IF must be called after AM_CONDITIONAL.
Otherwise it will consider the condition to be true.
As a result of this the header file config.h had the
macro HAVE_SYSTEMD defined on all platforms.
Our macro AM_CHECK_SYSTEMD was removed because it was needed
in src/external/systemd.m4 and should not be invoked later
in configure.ac.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

With this plugin winbind can use the same id-mapping as SSSD which makes
it possible to run both together in a consistent way.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Actually adds marks for sysdb transactions that receive the transaction
nesting level as an argument. The nesting is passed on from probes to
marks along with a human-friendly description.
The transaction commit is decorated with two probes, before and after.
This would allow the caller to distinguish between the time we spend in
the transaction (which might be important, because if a transaction is
active on an ldb context, even the readers are blocked before the
transaction completes) and the time we spend committing the transaction
(which is important because that's when the disk writes occur).
The probes would be installed into /usr/share/systemtap/tapset on RHEL
and Fedora. This is in line with systemtap's paths which are described
in detail in "man 7 stappaths".
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Adds infrastructure that generates the probes.h and probes.o from the
dtrace probes.d file. The probes.d file is empty except for the provider
name in this commit; its content will be added with later commits that
actually add some content. The probes.d file is always distributed in
the tarball so that distributions can optionally enable systemtap
support.
The generation is done using the "dtrace" command because the probes.d file
is compatible with the Solaris dtrace format. Please see "man 1 dtrace"
for more information on the dtrace format and the command line tool.
In order to make libtool happy, a fake libtool object is generated. This
hunk was taken from the libvirt code.
The AM_V_GEN macro is used to make the build compatible with the silent
build configuration.
To enable systemtap probing, configure sssd with:
--enable-systemtap
In order to do so, the 'dtrace' command-line utility must be installed.
On Fedora and RHEL, this utility is installed as part of the
"systemtap-sdt-devel" package.
You'll also want the 'systemtap' package installed as well as the matching
versions of kernel-devel and kernel-debuginfo on your machine.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

The parallel test harness[1] is enabled by default with new versions
of automake. However, automake on rhel6 (1.11.1-4) still uses the
serial test harness[2] by default even though it also contains the parallel
test harness.
The downside of the serial test harness is that the output of all tests is
mixed together and not in separate log files as with the parallel test
harness. Another problem is slow test execution with valgrind due to
missing parallelisation. It's approximately 4-5 minutes slower on a
machine with 4 CPUs.
The automake option parallel-tests is kept for backward-compatibility in new
versions of automake, since the parallel test harness is the default there.
[1] http://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html#Parallel-Test-Harness
[2] http://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html#Serial-Test-Harness
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Moving the library to the lib directory will force maintainers to think
twice about changes, because it would be obvious this is a library.
Also don't use includes from sssd source tree paths, but add the util
path to Makefile's CFLAGS so that other projects can copy the
hbac_evaluator.c file verbatim.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by
Samba. See Samba's byteorder.h header for an example.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

The AC_PROG_LIBTOOL macro has been obsolete since libtool 2.0.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

The only operation of p11_child which requires special privileges is the
communication with pcscd, which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as an unprivileged user, this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with the
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

libdbus abort()s when a string argument is not valid UTF-8. Since the
arguments sometimes come from untrusted sources, it's better to check
the string validity explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>

The function gettext was not detected properly with strict
cflags even though it was part of glibc.
sh$ CFLAGS="-Werror" ./configure
sh$ grep gt_cv_func_gnugettext config.log
gt_cv_func_gnugettext1_libc=no
gt_cv_func_gnugettext1_libintl=no
sh$ objdump -T /lib64/libc.so.6 | grep gettext
000000000002fc60 w DF .text 0000000000000010 GLIBC_2.2.5 dcngettext
000000000002dc70 w DF .text 000000000000000f GLIBC_2.2.5 dcgettext
000000000002fc80 w DF .text 0000000000000016 GLIBC_2.2.5 ngettext
000000000002dc90 w DF .text 000000000000000f GLIBC_2.2.5 gettext
000000000002dc70 g DF .text 000000000000000f GLIBC_2.2.5 __dcgettext
000000000002dc80 w DF .text 000000000000000a GLIBC_2.2.5 dgettext
000000000002dc80 g DF .text 000000000000000a GLIBC_2.2.5 __dgettext
000000000002fc70 w DF .text 000000000000000b GLIBC_2.2.5 dngettext
Reviewed-by: Petr Cech <pcech@redhat.com>

Reviewed-by: Petr Cech <pcech@redhat.com>

There aren't any documented files in the directory src/sss_client/sudo/.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

If configure was called with stricter flags (-Werror=unused-variable)
then the configure script did not detect thread safe initialisation.
As a result of this the client code was not built with mutexes.
conftest.c: In function 'main':
conftest.c:39:17: error: unused variable 'm' [-Werror=unused-variable]
pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
^
cc1: all warnings being treated as errors
configure:15331: $? = 1
configure:15338: WARNING: Pthread library not found! Clients will not be thread safe...
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

There were errors in the configure script when /bin/sh was not bash:
./configure: 15889: test: xfedora: unexpected operator
./configure: 19981: test: xyes: unexpected operator
./configure: 23103: test: x1: unexpected operator
The equality operator "==" works in bash but it's not standard.
The man page test(1) also does not mention it.
There is only the short version "=":
STRING1 = STRING2
the strings are equal

We already require GNU make extensions to build
manual pages.
src/man/Makefile.am:46: warning: wildcard $(srcdir: non-POSIX variable name
src/man/Makefile.am:46: (probably a GNU make extension)
src/man/Makefile.am:125: warning: wildcard $(srcdir: non-POSIX variable name
src/man/Makefile.am:125: (probably a GNU make extension)
src/man/Makefile.am:128: warning: addprefix $(srcdir: non-POSIX variable name
src/man/Makefile.am:128: (probably a GNU make extension)
src/man/Makefile.am:128: warning: shell grep '\[type:docbook\]' $(PO4A_CONFIG: non-POSIX variable name
src/man/Makefile.am:128: (probably a GNU make extension)
src/man/Makefile.am:129: warning: filter-out $(CFG_PAGES: non-POSIX variable name
src/man/Makefile.am:129: (probably a GNU make extension)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>

Add "intgcheck" make target. Update CI to use it.
The "intgcheck" target configures and builds sssd in a sub-directory,
installs it into a prefix in another sub-directory, and then makes the
"intgcheck-installed" target from within src/tests/intg in that separate
build.
The "intgcheck-installed" target in src/tests/intg runs py.test for all
tests it can find in that directory, under fakeroot and
nss_wrapper/uid_wrapper environments emulating running under root.
It also adds the value of the INTGCHECK_PYTEST_ARGS environment/make
variable to the py.test command line. You can use it to pass additional
py.test options, such as specifying a subset of tests to run. See
"py.test --help" output.
There are only two test suites in src/tests/intg at the moment:
ent_test.py and ldap_test.py.
The ent_test.py suite runs tests on ent.py, a module of assertion functions
for checking entries in the NSS database (passwd and group), for use in
actual tests. The ent_test.py suite can be used as an ent.py usage
reference.
The ldap_test.py suite sets up and starts a slapd instance, adds a few
user and group entries, configures and starts sssd and verifies that
those users and groups are retrieved correctly using various NSS
functions. The tests are very basic at the moment.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>

When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Michal Židek <mzidek@redhat.com>

Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

The script python-config was not available in older versions of python.
This patch simplifies detection of python CFLAGS and LDFLAGS and increases
the minimum required version of python to 2.6.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

The macro AC_PROG_MKDIR_P needs to be used only conditionally.
This patch also fixes the fallback of the macro MKDIR_P.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* fix hashbangs
* remove strict requirements of python2 in build system
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>

Related:
https://fedorahosted.org/sssd/ticket/1884
Adds an internal resolver function that reads the TTL for SRV records as
specified by RFC-2181. Several internal c-ares definitions are used
until c-ares contains a function that exposes all this information via a
parsing function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Adds a new configure-time option that lets you select the user to run
SSSD as. The default is 'root' for backwards compatibility.
The directories the daemon stores its private data in are also created
as owned by this user during install time.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

sssd's configure.ac (abridged) contains these lines:
    AC_INIT([sssd], ...)
    m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
             [AC_USE_SYSTEM_EXTENSIONS], [AC_GNU_SOURCE])
    AC_CONFIG_AUX_DIR([build])
When turned into configure, this will be emitted:
    ac_aux_dir=
    for ac_dir in build "$srcdir"/build; do
      if test -f "$ac_dir/install-sh"; then
        ac_aux_dir=$ac_dir
        ac_install_sh="$ac_aux_dir/install-sh -c"
        break
However, with automake commit v1.14.1-36-g7bc5927, this will be emitted
instead:
    ac_aux_dir=
    for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
      if test -f "$ac_dir/install-sh"; then
        ac_aux_dir=$ac_dir
        ac_install_sh="$ac_aux_dir/install-sh -c"
        break
As configure no longer looks into build/ for install-sh, running
./configure fails:
    configure: error: cannot find install-sh, install.sh,
    or shtool in "." "./.." "./../.."
I think the error is that someone placed AC_BUILD_AUX_DIR
too late. Move it upwards.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Unit testing the utilities to become another user requires the use of
the cwrap libraries. This patch augments our build system with macros to
detect the nss_wrapper and uid_wrapper libraries.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

It was suggested by the Fedora automake maintainer to use the autoconf
macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is
more portable and might actually expand to something else than "mkdir
-p" on some platforms (usually it would be a variant of install.sh).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>