Commit message
Call sysdb_master_domain_update for backend domain upon initialization
to make view information available for later use by session recording
code, which will need to access overridden user and group names.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add loading and storing the override_space configuration option to data
provider. That will be needed for formatting output user and group names
for matching against session recording configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add a macro for sessionRecording attribute to sysdb.h.
To be used for storing a boolean attribute signifying if session
recording is enabled for the user.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add session recording configuration loading to the data provider
initialization. To be used for matching users and groups with session
recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add an util module for loading session recording configuration.
To be used by responders and data provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add support for specifying the shell used for recording user sessions,
at configure time.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".
The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move nss_get_shell_override to common responder utils and rename it to
sss_resp_get_shell_override to make it available to other responders. In
particular let PAM responder use it to provide original shell when it is
overridden for session recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move all the shell-related options from the NSS responder context to the
common responder context, so they can be used by other responders for
retrieving the original user shell when it is overridden for session
recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The num_results field in struct cache_req_state was only set in the case of
well-known objects; set it also for the regular results for uniformity,
and for later use by session recording code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: N/A
Reviewed-by: Michal Židek <mzidek@redhat.com>
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
expired TGT
Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and
the ticket is totally expired, this can send the SSSD into offline mode.
Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
anymore.
The effect on the daemon is that just the single renewal fails, but
the failover code is not called and therefore sssd doesn't switch into
offline mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3406
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Calling setup and teardown on every encryption causes issues like the one
described in https://bugzilla.redhat.com/show_bug.cgi?id=1456151
eventually.
Similarly to other crypto functions, don't tear down NSS by calling
NSS_Shutdown. Let the OS reclaim the resources.
Resolves:
https://pagure.io/SSSD/sssd/issue/3424
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Temporary workaround:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Related to https://pagure.io/SSSD/sssd/issue/1960
Related to https://pagure.io/SSSD/sssd/issue/1938
Related to https://pagure.io/SSSD/sssd/issue/1844
Related to https://pagure.io/SSSD/sssd/issue/1593
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
This reverts commit 925a14d50edf0e3b800ce659b10b771ae1cde293.
It broke a test for enumerating nested groups if they are part
of non-POSIX groups https://pagure.io/SSSD/sssd/issue/2406
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
To ensure the client timeout is not too low and clients do not reconnect
too often, the client_idle_timeout is forced to be 10 seconds minimum.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The secrets responder test was chosen even though the bug was in the generic
responder code b/c it runs a single responder process, so it's trivial to
read the PID of the responder under test.
Changes subprocess.call() for os.execv() so that the setup function can
return the secret responder PID right away.
The client timeout in the test has to be at least 10 seconds because
internally, the responders don't allow a shorter timeout.
Regression test for https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
The client_idle_handler() function tried to schedule another tevent
timer to check for idle client connections in case the current
connection was still valid, but in doing so, it also stored the current
time into the last_request_time field of the client context.
This kept the connection always alive, because the last_request_time
could then never be older than the timeout.
This patch changes the setup_client_idle_timer() function to only do
what the synopsis says and set the idle timer. The caller (usually the
function that accepts the connection) is supposed to store the request
time itself.
Resolves:
https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
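The client_idle_handler() defect described above, together with the 10-second floor from the earlier client_idle_timeout commit, modelled in a constructed C example that is not SSSD code: struct cli_ctx, effective_idle_timeout(), simulate_silent_client(), the timer firing every half-timeout and the constructed clock are all assumptions of this model.

```c
#include <stdbool.h>
#include <time.h>

/* Constructed model of a responder's per-client state, not SSSD's
 * struct cli_ctx; it keeps only the field the bug revolved around. */
struct cli_ctx {
    time_t last_request_time;   /* when the client last sent a request */
    time_t idle_timeout;        /* seconds of silence before we close */
};

/* Responders refuse idle timeouts below 10 seconds (assumed helper name). */
time_t effective_idle_timeout(time_t configured)
{
    return configured < 10 ? 10 : configured;
}

/* Arm (conceptually) the idle timer. Before the fix this also refreshed
 * last_request_time, which is the defect; after the fix it touches nothing
 * and the code that accepted the connection records the request time. */
static void setup_client_idle_timer(struct cli_ctx *cctx, time_t now, bool buggy)
{
    if (buggy) {
        cctx->last_request_time = now;  /* the defect: not the timer's job */
    }
}

/* Idle check fired by the timer: close if silent for the whole timeout,
 * otherwise re-arm. Returns true when the connection is closed. */
static bool client_idle_handler(struct cli_ctx *cctx, time_t now, bool buggy)
{
    if (now - cctx->last_request_time >= cctx->idle_timeout) {
        return true;                    /* connection closed as idle */
    }
    setup_client_idle_timer(cctx, now, buggy);
    return false;
}

/* Accept a connection that then stays silent and let the timer fire every
 * timeout/2 seconds (an assumed interval). Returns the round in which the
 * connection was closed, or -1 if it outlived max_rounds. */
int simulate_silent_client(bool buggy, time_t configured_timeout, int max_rounds)
{
    struct cli_ctx cctx = { .idle_timeout = effective_idle_timeout(configured_timeout) };
    time_t now = 1000;                  /* constructed clock */
    cctx.last_request_time = now;       /* the accept path stores it */
    for (int round = 1; round <= max_rounds; round++) {
        now += cctx.idle_timeout / 2;
        if (client_idle_handler(&cctx, now, buggy)) {
            return round;
        }
    }
    return -1;
}
```

With the pre-fix behaviour the silent client is never closed; with the fix it is closed on the second timer round, once a full timeout has elapsed.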
User and group overrides have been failing when used with the files provider.
This test helps us to avoid such regression in the future.
As mentioned in the comment added to the test's code, there's an issue
in nss_wrapper [0] and nss_wrapper always looks into the files first
before using the NSS module, causing a test failure in case the
fully-qualified name is not used when looking up for the original (not
overridden) user and group.
Related:
https://pagure.io/SSSD/sssd/issue/3391
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Changes done for section ipa_server_mode since the description of the section was a bit vague. Text is re-phrased for better understanding.
Resolves: https://pagure.io/SSSD/sssd/issue/3404
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
process be killed
Text added in timeout section of sssd.conf man page describing the number of heartbeats missed before the process kills itself.
Resolves: https://pagure.io/SSSD/sssd/issue/3398
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Only the 'local' provider will use the 'local' auth provider, for all
other id providers the configured auth provider in the backend should
be checked.
Resolves https://pagure.io/SSSD/sssd/issue/3447
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
During the domain update the views related objects are read from the
cache and added to the domain object accordingly. This is needed to make
sure that both providers properly work with local overrides.
Resolves https://pagure.io/SSSD/sssd/issue/3391
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Currently the files provider refreshes the cached user and group data by
deleting all objects and adding them again. This might not be the most
efficient way performance wise but helps to avoid additional code for
updates.
To handle overrides efficiently the override data is stored in a
separate sub-tree and attributes with the DNs link the original and the
override object together. During the removal of the users and groups
this attribute pointing to the override is removed from the original
attribute as well. To make sure overrides are still applied after a
refresh the attribute is added back after the original objects are read
from the source files.
Resolves https://pagure.io/SSSD/sssd/issue/3391
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Add function to copy search bases from one sdap_domain to
another.
Resolves:
https://pagure.io/SSSD/sssd/issue/3435
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Add code to the existing zero nesting level test, check group list and
ensure nested groups are intentionally skipped and filtered out.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Correct an issue with nesting level comparison of option
ldap_group_nesting_level to ensure that setting nesting level 0
will avoid parent group of group searches.
Resolves:
https://pagure.io/SSSD/sssd/issue/3425
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
This is a short term fix to un-break the unit tests. The proper fix
would be to create the certificates at runtime during the tests.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Update parent sdap_list with newly created subdomain sdap domain.
Previously, we inherited the parent sdap_list and used it also in the
subdomain's context (this was introduced recently with commit
c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems
that were difficult to debug (we somewhere rewrite part of the list
incorrectly).
This patch reverts to the previous behavior, where every subdomain
has its own sdap_list, however this time the parent domain's
sdap_list is updated so that it has correct information about
search bases of the child domains.
We should ideally have just one sdap_list to avoid the updating
completely, but this would require more refactoring in the sdap
code.
Resolves:
https://pagure.io/SSSD/sssd/issue/3421
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Let's avoid setting a domain's property directly from cr_domain code.
In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.
For completeness, a getter has also been introduced and used in the
usertools code.
Related:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect a fully qualified name as return value for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Use the appropriate methods for searching users and groups by timestamp.
Resolves:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
These two new sysdb methods are going to be used, at least for now,
uniquely and exclusively in the cleanup task.
The reason for adding those is that during the cleanup task a timestamp
search is done in the persistent cache, which doesn't have the updated
timestamps, returning then a wrong result that ends up in having all the
users being removed from the cache.
The persistent cache doesn't have its entries' timestamps updated
because those are kept updated in the timestamp cache, therefore these
two new methods end up doing:
- if the timestamp cache is present:
  - search for the entries solely in the timestamp cache;
  - get the needed attributes for these entries from the persistent
    cache;
- otherwise:
  - search for the entries in the persistent cache;
  - merge its results with timestamp cache's results;
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
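The two search strategies the commit lists, as an added C model that is not SSSD's sysdb code: struct entry, the three sample users, persistent_lookup() and search_expired_users() are constructed for illustration, and the merge step of the fallback path is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed toy model of the two caches; not SSSD's sysdb API. */
struct entry { const char *name; time_t last_update; const char *shell; };
enum { NUSERS = 3 };

/* Persistent cache: carries attributes (shell stands in for them), but
 * its timestamps are stale because refreshes only bump the ts cache. */
static const struct entry persistent[NUSERS] = {
    { "alice", 100, "/bin/bash" }, { "bob", 100, "/bin/sh" }, { "carol", 100, "/bin/zsh" },
};
/* Timestamp cache: current timestamps, no other attributes.
 * Only bob has genuinely not been refreshed since 100. */
static const struct entry ts_cache[NUSERS] = {
    { "alice", 900, NULL }, { "bob", 100, NULL }, { "carol", 950, NULL },
};

static const struct entry *persistent_lookup(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++) {
        if (strcmp(persistent[i].name, name) == 0) {
            return &persistent[i];
        }
    }
    return NULL;
}

/* Cleanup-style search for users last updated before 'cutoff'. With a
 * timestamp cache present, match on its timestamps and take attributes
 * from the persistent cache; without it, search the persistent cache alone
 * (the merge step of the original is not modelled). Returns the number of
 * matches written to 'out' (at most 'max'). */
size_t search_expired_users(bool have_ts_cache, time_t cutoff,
                            struct entry *out, size_t max)
{
    const struct entry *src = have_ts_cache ? ts_cache : persistent;
    size_t n = 0;
    for (size_t i = 0; i < NUSERS && n < max; i++) {
        if (src[i].last_update >= cutoff) {
            continue;                       /* still fresh */
        }
        const struct entry *attrs = persistent_lookup(src[i].name);
        if (attrs == NULL) {
            continue;                       /* nothing to clean up */
        }
        out[n].name = attrs->name;
        out[n].last_update = src[i].last_update;
        out[n].shell = attrs->shell;
        n++;
    }
    return n;
}
```

Searching only the persistent cache reports all three users as expired, which is the wrong result the commit describes; consulting the timestamp cache first narrows it to bob.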
Similarly to what has been in the previous commit (expiring an entry
also in the timestamp cache), we should do the same when invalidating an
entry.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
As the cleanup task will start using new methods for searching the users
and groups which have to be cleaned up, SSSD starts relying more on a
more consistent state of the timestamp cache on pretty much everything
related to the cleanup task.
One of the things that would cause SSSD some problems is not having the
ghost user expired in the persistent cache but not in the timestamp
cache.
With this patch, the entry is also expired in the timestamp cache when
it's present.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
In order to make this function re-usable in different parts of our code,
let's start passing an already built filter to it instead of having the
specific code building the name filter there.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This function will be used in the follow-up patches. As it's going to be
"exposed", let's also rename it from search_ts_matches() to
sysdb_search_ts_matches().
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This change affects sysdb_search_ts_{users,groups} functions and is
mainly needed in order to avoid breaking our current tests due to the
changes planned for fixing https://pagure.io/SSSD/sssd/issue/3369.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Similarly to https://pagure.io/SSSD/sssd/issue/3426, enterprise
principals should be avoided while requesting a kadmin/changepw@REALM
principal for a password change.
Resolves https://pagure.io/SSSD/sssd/issue/3419
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves: https://pagure.io/SSSD/sssd/issue/3431
Reviewed-by: Sumit Bose <sbose@redhat.com>
This bug was introduced in 37d2194cc9ea4d0254c88a3419e2376572562bab
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Found by coverity.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
org.freedesktop.sssd.infopipe.Users.User gets two new attributes:
- domain: object path of user's domain
- domainname: user's domain name
org.freedesktop.sssd.infopipe.GetUserAttr can now request a new attribute:
- domainname: user's domain name
Resolves:
https://pagure.io/SSSD/sssd/issue/2714
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3428
Reviewed-by: Pavel Březina <pbrezina@redhat.com>