path: root/src/providers/krb5
Commit message | Author | Age | Files | Lines
Allocate on top of a talloc context, not NULL | Jakub Hrozek | 2012-08-08 | 1 | -0/+3
Primary server support: new options in krb5 provider | Jan Zeleny | 2012-08-01 | 3 | -4/+17
  This patch adds support for the new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in the man page in one of the previous patches.
Primary server support: krb5 adaptation | Jan Zeleny | 2012-08-01 | 3 | -49/+94
  This patch adds support for the primary server functionality into the krb5 provider. No backup servers are added at the moment, just the basic support is in place.
Primary server support: basic support in failover code | Jan Zeleny | 2012-08-01 | 1 | -1/+1
  Now there are two lists of servers for each service. If the currently selected server is only a backup, then an event will be scheduled which tries to get a connection to one of the primary servers, and if it succeeds, it starts using this server instead of the one which is currently connected to.
Fix uninitialized values | Nick Guay | 2012-07-18 | 2 | -2/+2
  https://fedorahosted.org/sssd/ticket/1379
Cast uid_t to unsigned long long in DEBUG messages | Jakub Hrozek | 2012-07-10 | 1 | -3/+3
Print based on pointer contents not address | Jakub Hrozek | 2012-07-10 | 1 | -1/+3
Fix uninitialized memcpy error | Stephen Gallagher | 2012-07-09 | 1 | -0/+2
  Coverity #12784
heimdal: use sss_krb5_princ_realm to access realm | Rambaldi | 2012-07-09 | 1 | -4/+11
Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 | Stef Walter | 2012-07-06 | 1 | -21/+0
  * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain.
  * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
AD: Add AD auth and chpass providers | Stephen Gallagher | 2012-07-06 | 1 | -0/+4
  These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
KRB5: Create a common init routine for krb5_child options | Stephen Gallagher | 2012-07-06 | 3 | -53/+129
  This will reduce code duplication between the krb5, ipa and ad providers.
KRB5: Drop memctx parameter of krb5_try_kdcip | Stephen Gallagher | 2012-07-06 | 2 | -13/+15
  This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx.
  This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally.
  It also updates the DEBUG messages for this function to the appropriate new macro levels.
KRB5: Some logging enhancements for krb5_child | Stephen Gallagher | 2012-07-06 | 1 | -6/+13
KRB5: Initialize the credential cache type properly | Stephen Gallagher | 2012-06-29 | 1 | -0/+11
  We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
Move some debug lines to new debug log levels | Stef Walter | 2012-06-20 | 2 | -4/+4
  * These are common lines of debug output when starting up sssd.
  https://bugzilla.redhat.com/show_bug.cgi?id=811113
KRB5: Avoid shadowing dirname | Stephen Gallagher | 2012-06-15 | 1 | -20/+21
  The variable 'dirname' is a publicly declared variable in libgen.h on older systems such as RHEL 5.
KRB5: Auto-detect DIR cache support in configure | Stephen Gallagher | 2012-06-15 | 4 | -5/+33
  We can't support the DIR cache features on systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data | Stephen Gallagher | 2012-06-15 | 1 | -17/+30
Make krb5_ccname_template and krb5_ccachedir configurable | Jakub Hrozek | 2012-06-14 | 1 | -2/+2
Use Kerberos context in KRB5_DEBUG | Jakub Hrozek | 2012-06-14 | 2 | -55/+61
  Passing the Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
Add support for storing credential caches in the DIR: back end | Jakub Hrozek | 2012-06-14 | 5 | -70/+510
  https://fedorahosted.org/sssd/ticket/974
Add a credential cache back end structure | Jakub Hrozek | 2012-06-14 | 7 | -148/+382
  To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
Handle trailing slash in the ccname template | Jakub Hrozek | 2012-06-14 | 1 | -8/+14
  With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
Split parse_krb5_child_response so it can be reused | Jakub Hrozek | 2012-06-14 | 3 | -119/+170
  krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
Allow redefining the KRB5_CHILD path | Jakub Hrozek | 2012-06-14 | 1 | -3/+7
  The krb5-child-test will want to run the child from the current directory.
Provide more debugging in krb5_child and ldap_child | Jakub Hrozek | 2012-06-14 | 1 | -13/+65
  https://fedorahosted.org/sssd/ticket/1225
Two small krb5_child fixes | Jakub Hrozek | 2012-06-14 | 1 | -3/+10
  * Allocation check was missing
  * a DEBUG statement overwrote errno
added DEBUG messages to krb5_child and ldap_child | Nick Guay | 2012-05-31 | 1 | -3/+12
Only reset kpasswd server status when performing a chpass operation | Jakub Hrozek | 2012-05-07 | 1 | -2/+3
  https://fedorahosted.org/sssd/ticket/1316
Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 2012-05-07 | 1 | -0/+21
  * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab().
  * This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab.
  https://bugzilla.redhat.com/show_bug.cgi?id=811375
Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2012-05-07 | 1 | -1/+3
  * When it's actually a failure, then the callers will print a message. Fine tune this.
If canon'ing principals, write ccache with updated default principal | Stef Walter | 2012-05-04 | 1 | -2/+6
  * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
  * Create the cache file with the correct default credential.
  * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
Modify behavior of pam_pwd_expiration_warning | Jan Zeleny | 2012-05-04 | 1 | -4/+27
  New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of the expiration warning is set to zero, the filter isn't applied at all: if the backend server returns the warning, it will be automatically displayed.
  Default value for Kerberos: 7 days
  Default value for LDAP: don't apply the filter
  Technical note: the default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for the LDAP and Kerberos provider.
Convert read and write operations to sss_atomic_read | Jakub Hrozek | 2012-04-20 | 2 | -46/+31
  https://fedorahosted.org/sssd/ticket/1209
Clean up log messages about keytab_name | Stephen Gallagher | 2012-04-05 | 1 | -2/+4
  There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs.
  https://fedorahosted.org/sssd/ticket/1288
Add terminator for dp_option | Stephen Gallagher | 2012-03-28 | 1 | -1/+2
Put dp_option maps in their own file | Stephen Gallagher | 2012-03-28 | 2 | -18/+47
  There is no functional change due to this patch.
Detect cycle in the fail over on subsequent resolve requests only | Jakub Hrozek | 2012-03-08 | 1 | -17/+15
krb5_child: set debugging sooner | Jakub Hrozek | 2012-03-06 | 1 | -12/+18
Only do one cycle when resolving a server | Jakub Hrozek | 2012-03-06 | 1 | -7/+12
  https://fedorahosted.org/sssd/ticket/1214
IPA: Set the DNS discovery domain to match ipa_domain | Stephen Gallagher | 2012-03-01 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1217
KRB5: Add syslog messages for Kerberos failures | Stephen Gallagher | 2012-01-31 | 1 | -0/+1
  https://fedorahosted.org/sssd/ticket/1137
Do not call krb5_child when changing passwords and provider went offline | Jakub Hrozek | 2012-01-06 | 1 | -1/+11
  https://fedorahosted.org/sssd/ticket/1131
Add compatibility layer for Heimdal Kerberos implementation | Stephen Gallagher | 2011-12-22 | 2 | -8/+12
Honor case sensitive flag when creating the ccname template | Jakub Hrozek | 2011-12-21 | 3 | -5/+17
Securely set umask when using mkstemp | Stephen Gallagher | 2011-12-19 | 2 | -0/+6
  Coverity 12394, 12395, 12396, 12397 and 12398
Move child_common routines to util | Stephen Gallagher | 2011-12-19 | 5 | -5/+5
Set more strict permissions on keyring | Simo Sorce | 2011-11-22 | 1 | -1/+1
  We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
Fixed unchecked value of setenv() in check_and_export_options() | Jan Zeleny | 2011-11-22 | 1 | -2/+5
  https://fedorahosted.org/sssd/ticket/1080