| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an explanatory message to be logged once, at the start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.
Resolves:
https://pagure.io/SSSD/sssd/issue/2301
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overriden.
Please see the ticket for a detailed info on how to reproduce the bug.
Resolves:
https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We always check negcache after getting data from backend since commit
4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name
in begging of requests "* by ID".
We were not interested in name in request sid by id before. However, function
cache_req_search_ncache_filter always expect name otherwise it returns
ERR_INTERNAL.
[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin
[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID'
[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search
[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid
[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com]
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513]
[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache
[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache
[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache
[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario!
[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error
[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
Resolves:
https://pagure.io/SSSD/sssd/issue/3485
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add a special value for all the quota-like settings that means 'no
limit'.
Because the responder also had a global limit on the size of the
accepted body (64kiB), this patch also removes the hardcoded limit and
instead keep track of the biggest quota value on startup.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3363
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This would differentiate between out-of-capacity errors for secrets and
for KCM as they are two independent trees as far as sssd-secrets is
concerned.
The quotas for /kcm are also different in their defaults. For the /secrets
hive, we presume a large amount of small secrets. For the /kcm hive, we
presume a small amount of large secrets, because the secret is a ccache
which contains multiple credentials.
The operations are also passed in a struct quota from the local request
context instead of local_context. The quota is assigned to the request
context when the hive is selected.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This will make it possible to reuse the basedn name later for the "hive"
base DN in order to differentiate quotas for different hives.
There is no functional change in this patch.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subsection
This patch makes obsoletes the old way of configuring quotas for the
secrets responder. Instead, adds a new way of configuring each hive
separately in a configuration subsection, e.g.
[secrets/secrets]
max_secrets = 123
The old way is still supported as a backwards-compatible method.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds two new structures to hold the quotas and associate a quota with a hive.
This is just an internal change for now, but will allow us to read quota
configuration from per-hive sections later.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since we started using libcurl for the proxy provider, there is no point
in initializing or linking against c-ares.
If we want to explicitly use a resolver in the future, we should use
libcurl callbacks.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As "root" is not handled by SSSD, let's add its uid and gid to the
negative cache as well. The reason it's added without specifying a
domain is to follow how the negative cache is used by cache req's code
when searching something by id.
As the negative cache check for uid/gid, in the cache req code, is done
after resolving the name, we can save one LDAP call to the data
provider.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This code path can be easily triggered by calling `id 0` after applying
the previous patch in this series and SSSD should not error out in this
case.
As SSSD doesn't handle "root", this entry never will be part of the
memcache and EOK can be safely returned there.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This code path can be easily triggered by calling `id 0` and SSSD should
not error out in this case.
Previous patches in this series already add uid and gid 0 to the
negative cache and we can properly handle this situation.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When a user or group is added to the negative cache, we should descend
to all subdomains as well.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current code only adds "root" to the negative cache in case there's
any other user or group set up in to be added.
As SSSD doesn't handle "root", it should *always* be added to the
negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The comments help to understand which part of the code is dealing with
users or groups of specific or non-specific domain filters.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
Is also worth to mention that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistence, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By allocating the number of entries when actually copying the list we
can avoid situations where users request an enourmous amount of results
but the number of results got from the backend are just a few.
With this new approach we end up allocating the whole list more
frequently but we avoid not returning valid results because the
requested number of enties is too big (note that if the amount of
results is too big as well, there's nothing much we can do).
A simple reproducer for this issue can be the really extreme call:
$ dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByName string:"*" uint32:"-1"
The example pasted above would try to allocate an array of MAX_UINT32
size, which would fail directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now ifp_list_ctx_remaining_capacity() returns an errno_t and receives
the count as an output parameter. It allows better handling and error
reporting in case something goes wrong internally in this function.
Related:
https://pagure.io/SSSD/sssd/issue/3306
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If we set limit to 0 it means that result is unlimited. Internally we
restrict number of result by allocation of result array.
In unlimited case there was a bug and zero array was allocated.
This fix allocates neccessary array when we know real result size.
Resolves:
https://pagure.io/SSSD/sssd/issue/3306
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch fixes asterisk in filter of the ListByName Groups' method,
which ends up calling ifp_groups_list_copy() with a NULL pointer.
Resolves:
https://pagure.io/SSSD/sssd/issue/3305
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commits adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refreshed is done instead of rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Usually is okay that there are no ghost attributes for a group as it
basically just means that the group either has no members or all members
have been previously fully resolved.
Resolves:
https://pagure.io/SSSD/sssd/issue/3315
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Setting ret as EOK in case everything goes well.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add exporting of original user shell (as returned by NSS) as an
environment variable for use by tlog-rec-session, when session recording
is enabled for the user. This lets tlog-rec-session start the actual
user shell, after tlog-rec-session is started in its place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After entires are retrieved by cache_req for user info requests (except
initgr), overlay them with sessionRecording attribute retrieved from an
initgr request made additionally for each entry.
Do not do additional initgr requests with selective session recording
enabled, if we don't have any group names to match against in session
recording configuration. Only do user name matches instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move nss_get_shell_override to common responder utils and rename it to
sss_resp_get_shell_override to make it available to other responders. In
particular let PAM responder use it to provide original shell when it is
overriden for session recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move all the shell-related options from the NSS responder context to the
common responder context, so they can be used by other responders for
retrieving original user shell, when it is overrided for session
recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The num_results field in struct cache_req_state was only set in case of
well-known objects, set it also for the regular results for uniformity,
and for later use by session recording code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Temporary workaround:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client_idle_handler() function tried to schedule another tevent
timer to check for idle client connections in case the current
connection was still valid, but in doing so, it also stored the current
time into the last_request_time field of the client context.
This kept the connection always alive, because the last_request_time
could then never be older than the timeout.
This patch changes the setup_client_idle_timer() function to only do
what the synopsis says and set the idle timer. The caller (usually the
function that accepts the connection) is supposed to store the request
time itself.
Resolves:
https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Only the 'local' provider will use the 'local' auth provider, for all
other id providers the configured auth provider in the backend should
be checked.
Resolves https://pagure.io/SSSD/sssd/issue/3447
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
During the domain update the views related objects are read form the
cache and added to the domain object accordingly. This is needed to make
sure that both providers properly work with local overrides.
Resolves to https://pagure.io/SSSD/sssd/issue/3391
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's avoid setting a domain's property directly from cr_domain code.
In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.
For completeness, a getter has also been introduced and used in the
usertools code.
Related:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, last explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now return
expect as return a fully qualified name for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
This bug was introduced in 37d2194cc9ea4d0254c88a3419e2376572562bab
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
org.freedekstop.sssd.infopipe.Users.User gets two new attributes:
- domain: object path of user's domain
- domainname: user's domain name
org.freedekstop.sssd.infopipe.GetUserAttr can now request new attribute:
- domainname: user's domain name
Resolves:
https://pagure.io/SSSD/sssd/issue/2714
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3428
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
fcntl.h is not used directly by util/util.h. The header file fcntl.h
must be included in 49 files and after removing it from util.h it had to be
added only to 7 missing file which were using either directly syscall fcntl
or syscall open.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cache_req_send() may take some shortcuts in case the object is found in
the cache and it's still valid.
This behaviour may lead to exposing filtered users and groups when
they're searched by their uid/gid.
A solution for this issue was proposed on 4ef0b19a but, unfortunately,
didn't take into consideration that this shortcut could be taken.
There are basically two really easy ways to test this issue:
1) Using enumeration:
- Set "enumerate = True" in the domain section
- restart SSSD cleaning up the cache;
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the entry_negative_timeout is expired
- getent passwd <same uid used above>
2) Not using enumeration:
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the entry_negative_timeout is expired
- getent passwd <same uid used above>
A test covering this code path will be added in the follow-up commit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Let's make the result and input/output argument for
_search_ncache_filter() and free it inside the function whenever it's
needed instead of leaving this responsibility for the caller.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If the PAM client didn't send a user name and promtusername is enable
the PAM responder will tell pam_sss to ask for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
| |
Make certificate mapping data available to the responders.
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Debug messages would always say that verify_peer and verify_host
are enabled. Even though they would be explicitly disabled.
src/responder/secrets/proxy.c:143:18: error:
address of 'cfg->verify_peer' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_peer ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
src/responder/secrets/proxy.c:149:18: error:
address of 'cfg->verify_host' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_host ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
