| Commit message | Author | Age | Files | Lines |
| |
Integration test for:
https://pagure.io/SSSD/sssd/issue/3372
With https://pagure.io/SSSD/sssd/issue/3372 still broken, the unit test
would fail because one of the concurrent klist commands would trigger a
race condition in the KCM queue code, crashing the KCM responder.
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3372
Fixes a race condition between one client request adding an operation to
the hash table value, which was previously a linked list of operations,
while another concurrent operation would remove the last remaining
linked list element through its callback.
Instead, the hash table value is now a separate 'queue head' structure
which is only changed in a tevent request to make sure it is not
processed concurrently with adding to the queue (which is also a tevent
request).
| |
The implicit_files was started with each test even though it was not
required.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start() and hence the UPN is not seen by
SSSD's pam responder. But some like e.g. gdm don't and authentication
might fail if a UPN is used.
The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.
Resolves https://pagure.io/SSSD/sssd/issue/3240
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
return a valid response
If the child returns a runtime error, it is often not clear from the
domain debug logs what to do next. This patch adds a DEBUG message that
tells the admin to look into the krb5_child.log
Resolves:
https://pagure.io/SSSD/sssd/issue/2955
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.
There were a few issues, all of which are fixed in this small
patch.
First problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domains lists that were disconnected
from the parent context and never used.
Second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused child domains to always use
automatically detected search bases and never use the configured
ones even though they were properly read into the ID options
context attached to the subdomain.
There was also an issue where the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which meant that
only the main domain and the last child domain had proper
search bases; the others had only the auto-discovered ones
(because they were overwritten with the 'update').
Resolves:
https://pagure.io/SSSD/sssd/issue/3397
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Add debug messages when 1way or 2way trusts are created.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
As contacting the infopipe responder on a "filter" related call may lead
to the situation where the cr_domains' list is not populated yet (as the
domains and subdomains lists from the data provider are not processed
yet), let's explicitly call sss_dp_get_domains() for those cases and
avoid returning a wrong result to the caller.
This situation may happen only because the schedule_get_domains_task(),
that's called when the infopipe responder is initialized, may take some
time to run/finish.
While I'm not exactly sure whether it's the best solution to avoid the
"race", it seems to be sane enough to avoid the issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3387
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Commit 4ef0b19a introduced the following warning, as "req" may be used
without being initialized:
src/responder/common/cache_req/cache_req_search.c:
In function 'cache_req_search_done':
src/responder/common/cache_req/cache_req_search.c:467:9:
error: 'req' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
tevent_req_error(req, ret);
^
src/responder/common/cache_req/cache_req_search.c:424:24:
note: 'req' was declared here
struct tevent_req *req;
^
cc1: all warnings being treated as errors
In order to fix the issue above, let's just allocate tmp_ctx after "req"
is already set.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Co-Author: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Currently only the results from one domain were returned although all
domains were searched and the results were available. Unit tests are
updated to cover this case as well.
Resolves https://pagure.io/SSSD/sssd/issue/3393
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Related:
https://pagure.io/SSSD/sssd/issue/3362
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
This patch makes use of cache_req_ncache_filter_fn() in order to process
the result of a cache_req search and then filter out all the results
that are present in the negative cache.
The "post cache_req search" result processing is done basically in two
different cases:
- plugins which don't use name as an input token (group_by_id, user_by_id
and object_by_id), but still can be affected by filter_{users,groups}
options;
- plugins responsible for groups and users enumeration (enum_groups and
enum_users);
Resolves:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Similarly to what cache_req_create_ldb_result_from_msg() does, this new
function creates a new ldb_result from a list of ldb_message.
It's going to be used in the follow-up patch where some messages from
ldb_result may be filtered and then a new ldb_result has to be created.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
This function will be responsible for filtering out all the results that
we have that are also present in the negative cache.
This is useful mainly for plugins which don't use name as an input token
but can still be affected by filter_{users,groups} options.
For now this new function is not being used anywhere.
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Move NSS nss_get_name_from_msg and the core of sized_output_name to the
utils to make them available to provider and other responders.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Certain operations are not supported with certain providers
causing informational Data Provider log messages to be logged as
errors or failures. This patch lowers the log level to reduce overall
log noise and ensure only critical log messages are logged when
a low debug_level value is used.
Resolves:
https://pagure.io/SSSD/sssd/issue/3287
https://pagure.io/SSSD/sssd/issue/3278
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Explicitly state that the AD provider uses Kerberos and GSSAPI for
encrypting traffic to avoid attempted custom configurations with SSL/TLS
Resolves:
https://pagure.io/SSSD/sssd/issue/3377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
man 2 readv says that the header file "sys/uio.h" must be included
for the functions readv/writev
Previously, "sys/uio.h" was included in "sys/socket.h" in glibc.
It worked just by chance. But it will be changed in glibc-2.26.
https://sourceware.org/bugzilla/show_bug.cgi?id=21426
src/responder/kcm/kcmsrv_cmd.c: In function 'kcm_iovec_op':
src/responder/kcm/kcmsrv_cmd.c:75:15: error: implicit declaration of function
'readv'; did you mean 'read'? [-Werror=implicit-function-declaration]
src/responder/kcm/kcmsrv_cmd.c:77:15: error: implicit declaration of function
'writev'; did you mean 'write'? [-Werror=implicit-function-declaration]
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
We use a separate AD context for each subdomain in the server mode.
Every such context has its own sdap_domain list which represents
sdap options such as filter and search bases for every domain.
However the AD context can only fully initialize the sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures having automatically
detected settings. This can cause problems if a user is a member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Although the cache_req lookup found matches in multiple domains, only
the results from the first domain were used. With this patch the results
from all domains are checked.
Resolves https://pagure.io/SSSD/sssd/issue/3385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there are no nested groups involved.
In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3331
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3318
The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.
This function was only used in the AD provider functions which are used
when SSSD is enrolled directly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.
Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as a struct (previously the
domain name from the DP input was passed).
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
We were rewriting the sdap_domain's search bases for only the first
sdap_domain in the list, which does not work for subdomains.
Also when search bases were already initialized in sdap_domain_subdom_add,
we should only rewrite them when they were explicitly set in sssd.conf.
Resolves:
https://pagure.io/SSSD/sssd/issue/3351
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
We can fall back after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.
Therefore we now fall back on connect errors, but we issue a hard fail if
an error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Cycle through all resolved addresses until one succeeds or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 are
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Pair-Programmed-With: Michal Židek <mzidek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
This patch improves the log message to be more informative for
the SSSD user troubleshooting issues.
If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing
the ipaNTSecurityIdentifier it can cause client s2n operation failures
resolving the group, which resulted in the inability to log in for the AD
user.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Certificates in overrides are explicitly used to map users to
certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.
Resolves https://pagure.io/SSSD/sssd/issue/3373
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Although users and groups from the forest root should be ignored SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled we
should make sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Related to https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
When a standalone application domain was configured, for example:
-------------------------------------------------
[sssd]
domains = appdomain
[application/appdomain]
id_provider=ldap
ldap_uri = ldap://dc.ipa.test
ldap_search_base = cn=accounts,dc=ipa,dc=test
ldap_schema = rfc2307bis
sudo_provider = none
ldap_sasl_mech = gssapi
krb5_realm = IPA.TEST
krb5_server = dc.ipa.test
ldap_user_uid_number = telephonenumber
ldap_user_gid_number = mobile
ldap_user_extra_attrs = location:l
-------------------------------------------------
We would, when unrolling the application section into a domain section,
first add a domain stub, equivalent to:
-----------------------------
[domain/appdomain]
domain_type = application
-----------------------------
Which in config.ldb also contains cn. Then, when we added the parameters
from the [application] section, we would try to add the cn again.
This didn't happen when inheriting from a POSIX domain, because there we
would set LDB_FLAG_REPLACE for any attributes that exist in the inherited
domain.
This patch skips the cn attribute both when replacing an inherited
domain's attributes and when writing a standalone application domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/3355
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Instead of deriving the search base from the IPA domain name, actually
use the search base from the sdap_domain structure.
This has primarily the advantage of not matching groups in the compat
tree.
Resolves:
https://pagure.io/SSSD/sssd/issue/3378
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
NULL attribute map and a NULL list of attributes should translate into
"fetch all entry attributes"
Required for:
https://pagure.io/SSSD/sssd/issue/3378
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Indicate whether a domain_resolution_order has been used and where
it came from.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
cache_req_domain_new_list_from_string_list()
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Configurationless shortname lookups must be allowed when a domain
resolution order is present and the (head) domain is not enforcing the
usage of fully-qualified names.
With this patch SSSD does not require any kind of changes from client
side for taking advantage of shortname lookups.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
With the changes that are about to happen we have to have the subdomain's
fqnames flag set by the time we populate the cr_domains list (as it
actually occurs with the real code), as this list may set its own fqnames
flag based on the subdomain's fqnames flag.
Currently the flag is set to false only when running the tests themselves so
the cr_domains list doesn't get populated properly (although it still
works with the current code).
For the changes that are coming, let's introduce a new setup function
that ensures that the subdomain's fqnames flag is set up at the right
time.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
doesn't have this option set
The current code has been ignoring the domain resolution order set
globally on IPA in case there's a view but this doesn't have any domain
resolution order set.
It happens because we haven't been checking whether the view attribute
existed, and then we ended up populating the cache_req domains'
list assuming that no order has been set instead of falling back to the
next preferred method.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.
This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3268
Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.
To see the code is working correctly, run:
dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe
org.freedesktop.sssd.infopipe.GetUserGroups
string:trusted_user
Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
These functions are used to format a name into a format that the user
configured for output, including case sensitivity, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.
But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.
The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.
Related to:
https://pagure.io/SSSD/sssd/issue/3268
Reviewed-by: Pavel Březina <pbrezina@redhat.com>