Prior to this patch, we remembered id_ctx->srv_opts in the sudo request to switch
the latest usn values. This works fine most of the time, but it may cause
a crash.
If we have two concurrent sudo refreshes and one of these fails, it causes
failover to try the next server and possibly replace the old srv_opts
with a new one, which causes an access after free in the other refresh.
Since sysdb_search_user_by_upn() searches the whole cache, we have to set
the domain so that it matches the result.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469)
If Kerberos principals or email addresses have the same domain suffix as
the domain itself, the first user lookup by name might have already added
the name to the negative cache, and the second lookup by UPN/email will
skip the domain because of the neg cache entry. To avoid this, a special
name with a '@' prefix is used here.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a)
Currently we only search for UPNs if the domain part of the name was not
known; with Kerberos aliases and email addresses we have to do this even
if the domain name is a known domain.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c)
Currently we only search for UPNs if the domain part of the name was not
known; with Kerberos aliases and email addresses we have to do this even
if the domain name is a known domain.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 447b1da857368678990b54cd6b9cfed940357c44)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ce68b4ff25cbd52935a540046f0412ce869a27a5)
(cherry picked from commit 09ba77f7de5011d4871fd261ab5291649f025404)
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().
This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 381bc154ef06fd3cc0660ce0fd62504367f420f5)
(cherry picked from commit d3f5675022b398b60252cc4cd712edc481d89b70)
Since dbus-1.11.18, DBUS_COOKIE_SHA1 respects the $HOME variable
and falls back to the value returned from getpwnam only if the HOME
environment variable does not exist. This caused problems for dbus
communication between sssd processes because the local user usually does
not have the directory $HOME/.dbus-keyrings/. And the directory created in
the cwrap environment is problematic:
[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/
[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied
Another alternative would be to set the HOME environment variable to the
same value as in the fake passwd file:
HOME=$(abs_builddir)/root
Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960
Resolves:
https://pagure.io/SSSD/sssd/issue/3531
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 82c36227e36de155b13e6eb7cfa3e80a25774157)
(cherry picked from commit ff2ff94a1cdb98a55a2d8a3c3bbe06e1fb948d5a)
It is read only from the "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 895584001760e8188db486bc39f9938624822d35)
(cherry picked from commit 69e61a52493a8c143f83763c2dd783cabea5c9f4)
s/dictonary/dictionary/g
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e7fd33642a16cbb2cd814d3578c28affcf16f68c)
(cherry picked from commit 0d5e92b3ce507f8c46d3605729abc69d8310ff93)
The python module pysss_nss_idmap contains a few module constants
which should be used (based on the python documentation) for checking
the type of results.
e.g.
getsidbyid(...)
getsidbyid(id or list/tuple of id) -> dict(id => dict(results))
Returns a dictionary with a dictionary of results for each given
POSIX ID. The result dictionary contains the SID and the type of the
object which can be accessed with the key constants SID_KEY and
TYPE_KEY, respectively.
However, the type of the module constant and the type of the returned key
differed with python3 due to different handling of strings. This patch
unifies them to string, the same as it is in python2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3491
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cc4d6435ef49738a02ddfc6072f1197d7f8f7319)
(cherry picked from commit 76d0f9091c43676957ae8f62f1c84fb3c25ce563)
Some kinds of comments are recognized by gcc7, but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 2e505786d6d9d537f5b6631099862f6b93e2e687)
(cherry picked from commit ff9d6533654d4529e681fbbfa6f118f975e5a333)
In order to do so two new functions have been introduced and
test_sss_ncache_prepopulate() has been modified in order to ensure that
root's uid and gid are always added to the negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b4b3d0642120ca05f63959fe2f317a6b93031929)
(cherry picked from commit 7e48fb252d1cf032d9aa11bbad1366d753ed081d)
As "root" is not handled by SSSD, let's add its uid and gid to the
negative cache as well. The reason it's added without specifying a
domain is to follow how the negative cache is used by cache req's code
when searching something by id.
As the negative cache check for uid/gid, in the cache req code, is done
after resolving the name, we can save one LDAP call to the data
provider.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3ad33ca77044f9a9d18f7def271b0beb180e567b)
(cherry picked from commit 90b4882537bf7a9b4aededf5acc767dcf0fe4c61)
When a user or group is added to the negative cache, we should descend
to all subdomains as well.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9908bdc9755e744c3e2c7c746a4edf95f9083ef5)
(cherry picked from commit 343f62458f923b1198f3924f2cdcc05b45a2bde0)
Simply modify test_sss_ncache_prepopulate() in order to ensure that
"root" user and group are always added to the negative cache, no matter
whether they're set as part of the filter_users or filter_groups
options.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e54764d62bfcc48770d9b2578132979aa58636e5)
(cherry picked from commit cfc62a3cc9683a78e5a5ccb31c7e5094c1b91a91)
The current code only adds "root" to the negative cache in case there's
any other user or group set up to be added.
As SSSD doesn't handle "root", it should *always* be added to the
negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1e7b7da3aa56060c26f8ba1c08318cdee77753ea)
(cherry picked from commit 2ad3a17831f33629faaa334804636ef367e2fafb)
The comments help to understand which part of the code is dealing with
users or groups of specific or non-specific domain filters.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b54d79cf3c8017e186b5ea7cdc383746233db39b)
(cherry picked from commit 1d3d2a86b89aa3a24dbe8ffa770f1a28b645ee07)
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit ed7767aa1e3a9bc2027aa6f5f8bdc2c928e9958e)
(cherry picked from commit 57e1ace1c370026044b4ccebcaa131bed4c1be3f)
Samba-4.6 changed the behaviour of a few functions.
The new version of the code makes sure the session info for the user is
stored in the cache. It is a performance optimisation to prevent contacting
the KDC for each session. More details in the samba bug:
https://bugzilla.samba.org/show_bug.cgi?id=11259
Old return code WBC_SSSD_NOT_IMPLEMENTED was translated
to NT_STATUS_LOGON_FAILURE which caused many failures.
[2017/08/21 11:34:15.044321, 5, pid=27742, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2017/08/21 11:34:15.044330, 5, pid=27742, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:640(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2017/08/21 11:34:15.044349, 4, pid=27742, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/08/21 11:34:15.044360, 1, pid=27742, effective(0, 0), real(0, 0)]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session
setup: NT_STATUS_LOGON_FAILURE
Resolves:
https://pagure.io/SSSD/sssd/issue/3461
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 725d04cd21016dc6092a9f03cd363bb83d7c054c)
(cherry picked from commit aede6a1f4412f133e4b3fd76944f764d76fc4868)
(cherry picked from commit 260062d946e7cc265e2671f88b1662276431c0bb)
The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.
Instead of going through the work of maintaining both member/memberOf
and originalMemberOf, let's just do an ASQ search for the group names of
the groups the user is a member of in the cache and read their
SYSDB_NAME attribute.
To avoid clashing between similarly-named groups in IPA and in AD, we
look at the container of the group.
Resolves:
https://pagure.io/SSSD/sssd/issue/3382
(cherry picked from commit c92e49144978ad3b6c9fffa8803ebdad8f6f5b18)
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
This is a short term fix to un-break the unit tests. The proper fix
would be to create the certificates at runtime during the tests.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2ccfa9502abf52941d8b6e44b5f7cfdd13311a2d)
(cherry picked from commit a3f85d196d14d2699af3ccd87c69c89287ce09fa)
SSSDConfig internally handles debug_level as an integer.
But in the case of the bitmask version of debug_level (>=16),
it stored the value as a decimal, which is confusing,
e.g.
debug_level = 8176
vs.
debug_level = 0x1ff0
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fca26b76f23ee4457d6796b19892ed97362b6c8d)
(cherry picked from commit 712f1cc9acb8b71e6906d7a168a045920d491d96)
debug_level is usually defined as a decimal value <= 10
or as a hexadecimal value which is used as a bitmask.
Parsing of the hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa, but only for
sssd domains. It was not fixed for sssd services:
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6df5b36008fef9c1f6dcf8f31af033a467e744c7)
(cherry picked from commit facc24ec969087bd20e58636d263553ccc97ab4e)
Option subdomain_homedir was missing from the Python config API and
cfg_rules, leading to config file validation failures. Add this option
into the necessary locations similar to other provider-generic domain
options.
Resolves:
https://pagure.io/SSSD/sssd/issue/3389
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit beab60d88fc07d463f6fb3756c8f3d29bdd78827)
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6d19051c50c10fc4de056ebb385c63ec0ed221cb)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cc4d1af16820b15595b60c3df15220fb852eb897)
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit aeab20358006d728a284f969f92f3890498cd651)
Allow option "timeout" for all services.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1b9b5477027d86a2afb2e72981253d108c5398da)
Fixes:
https://fedorahosted.org/sssd/ticket/3068
Option user_attributes is also available in
NSS responder, but not in PAC responder.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0a172552ec16f3b84d127399551cad786da8fd9d)
We read override_space from the [sssd] section, not
the [nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63)
Currently SSSD accepts significant changes in the principal only if
krb5_use_enterprise_principal=True. But canonicalization can lead to
similar changes so they should be accepted in this case as well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3408
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit ca95807a9060e454ee68f6f30558d6f7ee968c39)
(cherry picked from commit 5d4e4b4ad8a2a1c6bc8fbad8869c9e9a4c5b8b33)
autoreconf -if
./configure --without-ssh
make check
src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key':
src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95:
more undefined references to `sss_ssh_format_pubkey' follow
collect2: error: ld returned 1 exit status
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d82ffa52dd4c3bb11115b1687edc189284797329)
(cherry picked from commit f46d1474b7b249eda690e78b02adea981fbb058c)
We can fallback after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.
Therefore we now fall back on connect errors, but we issue a hard fail if
an error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9)
(cherry picked from commit 47c80d680f41e9ac33a10873e6d78343f14ff77a)
Cycle through all resolved addresses until one succeeds or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 are
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5f6232c7e6d9635c1d6b6b09f799309b6094b143)
(cherry picked from commit 078a82a38e820fbe0325a59c106263b69d2e8300)
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 08084b1179bb9fc38bc22b464b3d44907107bfd3)
(cherry picked from commit c4fb93aa64abcb6abf0f43129483670e141f1423)
Although users and groups from the forest root should be ignored, SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled, we
should make sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit feeabf273aa7af580552366ce58655e6a482a0cd)
(cherry picked from commit 4e23f5398859ff23a4daf2da580bf2a40cc2023d)
Related to https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 712e5b2e4465812c00a8667c75813322373bc657)
(cherry picked from commit b5af4ce0bdfa05841c0a856868a7961269cd7bf4)
local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT,
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit fcbcfa69f9291936f01f24b5fcb5a7672dca46f3)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 0a86dede8773ecce91b5bd2ae75a02f9ff89a358)
(cherry picked from commit e69c9c2b0b0f842dcfd1ff9a8f8df0cfb6668fae)
We do not want to use host principal with AD
"host/name.domain.tld@DOMAIN.TLD" because it does not work.
We need to use the correct user principal for AD hosts. And we cannot
rely on the fallback "*$" because of other principals in the keytab.
The NetBIOS naming convention allows for 16 characters in a NetBIOS
name. Microsoft, however, limits NetBIOS names to 15 characters and
uses the 16th character as a NetBIOS suffix.
https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
Resolves:
https://pagure.io/SSSD/sssd/issue/3329
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit c6f1bc32774a7cf2f8678499dfbced420be3a3a1)
(cherry picked from commit fee7386e3af5e55eb3c66d8cf3533075b977a734)
There seem to be code paths where the data is added to the hash before
the connection is properly initialized; to avoid a core dump during shut
down we only call dbus_connection_unregister_object_path() if there is a
connection.
Resolves:
https://pagure.io/SSSD/sssd/issue/3367
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 35186217d44d0138a1aedf7a4db72249b2c40e66)
(cherry picked from commit 72da8009f75cb597d436aeba78dfbd1bc30a7aa4)
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33)
(cherry picked from commit 31e4bc07ea17e3e91df28260f6a517b9774b948e)
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 00172861b6908a72c41046e1b2b48d2b009127dd)
(cherry picked from commit 80e4d575c297358b40e2c8416bd6f22f5044a239)
Introducing valid usernames with a trailing newline character triggers
the removal of valid LDB cache entries.
Resolves:
https://pagure.io/SSSD/sssd/issue/3317
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit ee2906c1d50ab8001863b0a423fe957d4e0bcb37)
(cherry picked from commit 59868a81d99b400b9ec6aa972ed5f7de4b462ccf)
With this patch pam_sss checks if a conversation callback is available
before using it.
Resolves https://fedorahosted.org/sssd/ticket/3296
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0965a77c4ff0b358d24582955cb7ae375ebaa0d2)
(cherry picked from commit ba8e3f2850e5a328bc3e732b471280fc4fa49c53)
We changed type forking into type notify as part of commit
d4063e9a21a4e203bee7e0a0144fa8cabb14cc46.
But we forgot to update the template drop-in file for logging into journald.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 7b4704a10958bb7d3390db9eff863875d2b643f7)
(cherry picked from commit 14fe5a922c07da4c95feb65d1455d7f89d9e0f86)
In case of any krb5-related error, we tried to send the string
interpretation of the krb5 error to the parent in prepare_response.
However, we cannot use the global krb5 context (krb5_error_ctx)
because the context is released every time in the done section of
ldap_child_get_tgt_sync.
This patch rather returns a duplicated string to prevent a use after free.
Backtrace:
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
No locals.
#1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
code=-1765328230,
err_fmt=<optimized out>) at kerrs.c:152
buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
space = 128, len = 0}
p = <optimized out>
s = 0xdededededededede <Address 0xdededededededede out of bounds>
#2 krb5_get_error_message (ctx=<optimized out>,
code=code@entry=-1765328230) at kerrs.c:184
std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
#3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
No locals.
#4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
kerr=-1765328230, expire_time=0,
ccname=0x0,
mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
ret = <optimized out>
r = 0x7fc96d1cd8b0
krb5_msg = 0x0
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit cb831fbbcb0dac8b6202037d4cd1a0d82db54f54)
(cherry picked from commit 7debfe2eb673d99667d9164bb2daef43ad33a200)