sssd.git, branch subdomain-password-authentication Unnamed repository; edit this file to name it for gitweb. Only build extract_and_send_pac on platforms that support it 2012-10-30T08:45:19+00:00 Jakub Hrozek jhrozek@redhat.com 2012-10-29T10:04:30+00:00 6a34a21cb2f0447350b9b9f6e4ab010463f6be53 






Include talloc log in our debug facility
2012-10-29T16:15:37+00:00

Michal Zidek
mzidek@redhat.com

2012-10-15T13:24:15+00:00

9e2c64c6d4f5560e27207193efea6536a566865e

https://fedorahosted.org/sssd/ticket/1495





https://fedorahosted.org/sssd/ticket/1495







Free the internal DP request
2012-10-29T16:10:02+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-10-23T21:25:27+00:00

644db36ab1111b88abca57d2438b72d618403dde












Make sub-domains case-insensitive
2012-10-26T08:32:06+00:00

Sumit Bose
sbose@redhat.com

2012-10-26T07:28:45+00:00

ac7a7ee3d1e138818a1ed78758f7dd3c3306a56b

Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.

If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.





Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.

If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.







sss_parse_name_for_domains: always return the canonical domain name
2012-10-26T08:32:06+00:00

Sumit Bose
sbose@redhat.com

2012-10-25T20:03:17+00:00

bfc3b766d8774186307dc43c187a014b4803e98c

Domains may have a flat or short name to save some keystrokes when
typing fully qualified user names. Internally sssd will always use the
canonical name to allow consistent processing.





Domains may have a flat or short name to save some keystrokes when
typing fully qualified user names. Internally sssd will always use the
canonical name to allow consistent processing.







krb5_auth: update with correct UPN if needed
2012-10-26T08:32:06+00:00

Sumit Bose
sbose@redhat.com

2012-10-24T08:01:09+00:00

7c4845bd0efb1dcb44b5be52923c539316725693

The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.





The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.







Use find_or_guess_upn() where needed
2012-10-26T08:32:06+00:00

Sumit Bose
sbose@redhat.com

2012-10-24T07:47:21+00:00

964628ab89229e9266adc5f4f8a26222734788b7












Add new call find_or_guess_upn()
2012-10-26T08:32:05+00:00

Sumit Bose
sbose@redhat.com

2012-10-24T07:33:23+00:00

29c0fdd1838a4b9892146f7019d12811c1d0d59b

With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.

Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.





With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.

Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.







krb5_child: send back the client principal
2012-10-26T08:32:05+00:00

Sumit Bose
sbose@redhat.com

2012-10-23T19:30:17+00:00

d3dca30d3a6feba062d0299718d1a9fcdc8b9d17

In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.

The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.





In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.

The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.







krb5_mod_ccname: replace wrong memory context
2012-10-26T08:32:05+00:00

Sumit Bose
sbose@redhat.com

2012-10-23T18:41:15+00:00

cac29dc2ece94180de33b52c113865bbab49b252