| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.
This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
To avoid crash.
Resolves:
https://pagure.io/SSSD/sssd/issue/3358
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Without this the lookup by certificate for AD users on an IPA client
will just error out.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Get a list of users mapped to a certificate back from the IPA server,
look them up and store them together with the certificate used for the
search as mapped attribute to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Allow the usage of the mapped attribute for the lookup of AD users on
IPA clients as already used for the normal LDAP lookup.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This method got renamed in order to match better with what it does
currently.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This is a utility function that replaces the create_subdom_conf_path().
Differently than the latter, it only takes one parameter and is going to
be used in a few different places (thus adding it to util.h).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add log messages to provide useful debug logging surrounding
IPA client extended operations to the IPA Server during AD trust
requests to retrieve information. Print more details about the
objects requested and received during the ipa_s2n operations.
This will improve log analysis and troubleshooting efforts during AD
trust user and group resolution failures on IPA clients, such as missing
groups.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add a function to convert request_types to string allowing the
ability to print request type information for ipa_s2n functions during
IPA client operations.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Read certificate mapping data from the IPA server and configure the
certificate mapping library accordingly.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Allow following options in the subdomain section:
ad_server
ad_backup_server
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Added new trusted domain section in the
sssd.conf were the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Lookups by certificates can return more than one result. With this patch
the IPA provider will check for overrides for all returned users.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Unused value was immediately overwritten.
Resolves:
https://fedorahosted.org/sssd/ticket/3309
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add boolean to convert_attributes function and pass boolean as argument
to sudo conversion functions to add logic for skipping unexpected
entries like replication conflicts.
Resolves:
https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Structure member attr_type was set to BE_ATTR_CORE on all places
and there was a single place src/providers/ldap/ldap_id.c where
we checked to other values. It is not used anymore; it's better to
remove it.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We lowercase the keys to the hash table used to store netgroups
but do not lowercase it when reading the table. This results
in nested netgroups not being found when they should and
the processing fails.
The lowercasing does not seem to be necessary anymore (not
sure if it ever was) so we can skip it.
Resolves:
https://fedorahosted.org/sssd/ticket/3159
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.
Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
without this patch, valgrind was reporting:
==30955== Conditional jump or move depends on uninitialised value(s)
==30955== at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111)
==30955== by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222)
==30955== by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872)
==30955== by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689)
==30955== by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797)
==30955== by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579)
==30955== by 0xE6FB1D2: sdap_process_message (sdap_async.c:353)
==30955== by 0xE6FAD51: sdap_process_result (sdap_async.c:197)
==30955== by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145)
==30955== by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341)
==30955== by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911)
==30955== by 0x8E14F09: std_event_loop_once (tevent_standard.c:114)
==30955==
Resolves:
https://fedorahosted.org/sssd/ticket/3213
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.
That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.
The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
Resolves:
https://fedorahosted.org/sssd/ticket/3127
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
GSSAPI is dependent on DNS with hostnames and we should warn about this.
Resolves:
https://fedorahosted.org/sssd/ticket/2789
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
We should fail the request if sss_parse_internal_fqname() fails.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves:
https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Adding email-addresses from the local domain to the alias names is
strictly not needed by might help to speed up lookups in the NSS
responder.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Currently the user name used in the extdom exop request is
unconditionally set to the short name. While this is correct for the
general name based lookups it breaks UPN/email based lookups where the
name part after the @-sign might not match to domain name. I guess this
was introduce during the sysdb refactoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Some messages did not have errno or name of problematic file.
There was also improper use of negative value.
The function strerror was called with -1 instead of errno
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If there are alternative UPN suffixes found on the server we can safely
assume that the IPA server supports enterprise principals.
Resolves https://fedorahosted.org/sssd/ticket/3018
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/3076
We segfaulted in this area once. This patch
makes the code more defensive and adds
some DEBUG messages.
Normally the structures are filled in online
and/or resolve callbacks.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
When converting from the native IPA schema to the sysdb sudo schema,
qualify sudoUser attributes that contain user and group names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
libselinux uses getpwnam() to retrieve the user data, therefore we
qualify the data with sss_output_name() before calling libselinux.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
