| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
The following changes were done to the Kerberos authentication code
in order to support authentication in a non-POSIX environment:
- delayed authentication is disabled in non-POSIX domains
- when a user logs in in a non-POSIX domain, SSSD uses a
MEMORY:$username ccache and destroys is then krb5_child finishes
so that just the numeric result is used
- krb5_child doesn't drop privileges in this configuration because
there is nothing to drop privileges to
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
If a request comes towards an application domain, we can drop the part
of the filter that asserts that the object has a valid UID/GID. Instead,
we just search by name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
If a user being saved by the LDAP provider does not have a UID or GID
and the domain type is application, we save the user entry as non-POSIX.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Without this the lookup by certificate for AD users on an IPA client
will just error out.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Get a list of users mapped to a certificate back from the IPA server,
look them up and store them together with the certificate used for the
search as mapped attribute to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Allow the usage of the mapped attribute for the lookup of AD users on
IPA clients as already used for the normal LDAP lookup.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If pkinit is not available for a user but other authentication methods
are SSSD should still fall back to local certificate based
authentication if Smartcard credentials are provided.
Resolves https://pagure.io/SSSD/sssd/issue/3343
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This method got renamed in order to match better with what it does
currently.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is a utility function that replaces the create_subdom_conf_path().
Differently than the latter, it only takes one parameter and is going to
be used in a few different places (thus adding it to util.h).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add log messages to provide useful debug logging surrounding
IPA client extended operations to the IPA Server during AD trust
requests to retrieve information. Print more details about the
objects requested and received during the ipa_s2n operations.
This will improve log analysis and troubleshooting efforts during AD
trust user and group resolution failures on IPA clients, such as missing
groups.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
Add a function to convert request_types to string allowing the
ability to print request type information for ipa_s2n functions during
IPA client operations.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Read certificate mapping data from the IPA server and configure the
certificate mapping library accordingly.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be store with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data where LDAP attributes
are extracted from. The current use case is the certificate mapping
library which can create LDAP search filters based on content of the
certificate. To allow upcoming cache lookup to use the input directly it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allow following options in the subdomain section:
ad_server
ad_backup_server
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Added new trusted domain section in the
sssd.conf were the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
It is possible to have duplicit members in local files (/etc/group).
This patch removes duplicity in groups in proxy provider.
Resolves:
https://pagure.io/SSSD/sssd/issue/3314
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Lookups by certificates can return more than one result. With this patch
the IPA provider will check for overrides for all returned users.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PAM responder has been already taking advantage of the cache_req
interface, so this patch is just replacing some code that performs
initgroups lookups by using cache_req to do so.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
"grp_iter->gr_mem" is an array of strings and not just a string.
We tried to compare first string to NULL (acctually '\0')
But after that we iterated over the array to find count of members
and we check for NULL one more time.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There were two bugs in the files provider reallocation logic:
1) the reallocated array was not NULL-terminated properly
2) talloc_get_size was used in place of talloc_array_length
This bug could have resulted in a crash when the passwd or groups file
contained more than FILES_REALLOC_CHUNK entries.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/3231
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If there is an error after calling talloc_realloc() the caller cannot
free the memory properly because neither src_map nor _map were pointing
to a valid memory location. With this patch _map will always point to
the current valid location so that it can always be used with
talloc_free().
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If the realm is not added to the nsupdate message, the SSSD Debug log
message should inform about utilizing autodiscovered realm.
Resolves:
https://fedorahosted.org/sssd/ticket/3220
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Continue to send PTR record update in situations where the nsupdate
child forward zone updates are successful but nsupdate returns non-zero
Resolves:
https://fedorahosted.org/sssd/ticket/3227
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Unused value was immediately overwritten.
Resolves:
https://fedorahosted.org/sssd/ticket/3309
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new provider type "files". The provider watches the UNIX password
and group databases for changes using inotify and propagates its
contents to the sysdb.
The files provider is only built on platforms that support the inotify
interface, polling or loading the entries on-deman is not supported.
During initialization, the files are loaded from the environment
variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to
/etc/passwd and /etc/group respectively. Loading the files from
environment variables is mostly implemented for tests that need to load
nss_wrapped files.
The files provider is a bit different from other provider types in the
sense that it always enumerates full contents of the database.
Therefore, the requests from Data Provider are always just replied to
with success. Enumerating the contents is done in full at the moment,
all users and all groups are removed and added anew. Modifying the
passwd and group databses should be rare enough for this to be
justified and we can optimize the code later.
Since with large databases, the cache update might take a bit of time,
we signal the responders to disable the files domain once we receive the
inotify notification and re-enable the files domain after the update is
finished. The idea is that the NSS configuration would still contain
"files" after "sss" so that if the domain is disabled, libc would fall
back to a direct "files" lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/3262
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Adds an interfae to the Data Provider that allows the DP to notify the
NSS responder to invalidate its memory cache records.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Adds a an interface that allows the Data Provider to notify responders
to drop their negative cache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Adds functions to the interface Data Provider publishes towards back
ends that allows the back ends to notify responders that a domain has
been enabled or disabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a new domain state that indicates to the responder that it
should always send a DP request because the provider is rebuilding the
cache.
Currently it will be only used by the files provider when it is updating
the cache to make sure sssd always returns current data and updating the
cache from files is not as racy.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
from sssd.conf
If the sssd.conf domain name was different from the joined domain name,
but sssd was joined to the forest root, the AD subdomains code considered
sssd joined to a non-root domain and tried to discover the forest root.
This could be reproduced by joining sssd to a domain, for example
win.trust.test but calling the sssd.conf domain otherwise, for example:
[domain/addomain]
ad_domain = win.trust.test
This is/was a frequent use-case in the RHEL world, where authconfig
often names the sssd.conf domain 'default'.
Without the patch, the trusted domains were not detected.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and add new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Add boolean to convert_attributes function and pass boolean as argument
to sudo conversion functions to add logic for skipping unexpected
entries like replication conflicts.
Resolves:
https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
It should be more clear to administrators that when SSSD internal
port status is set as PORT_NOT_WORKING, this does not directly relate
to an assumed network port-related issue.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case on any krb5 related error, we tried to send string
interpretation of krb5 error tb parrent in prepare_response.
However, we cannot use global krb5 context (krb5_error_ctx)
because the context is every time released in done section of
ldap_child_get_tgt_sync.
This patch rather return duplicated string to prevent use after free.
Backtrace:
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
No locals.
#1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
code=-1765328230,
err_fmt=<optimized out>) at kerrs.c:152
buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
space = 128, len = 0}
p = <optimized out>
s = 0xdededededededede <Address 0xdededededededede out of bounds>
#2 krb5_get_error_message (ctx=<optimized out>,
code=code@entry=-1765328230) at kerrs.c:184
std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
#3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
No locals.
#4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
kerr=-1765328230, expire_time=0,
ccname=0x0,
mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
ret = <optimized out>
r = 0x7fc96d1cd8b0
krb5_msg = 0x0
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
| |
Some kind of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|