sssd.git/src/providers/ad, branch certificate_mapping Unnamed repository; edit this file to name it for gitweb. AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf 2017-02-08T10:17:51+00:00 Jakub Hrozek jhrozek@redhat.com 2017-02-07T10:05:47+00:00 e947a871f7d3cfc4389e981a147fe10bedca0569 If the sssd.conf domain name was different from the joined domain name, but sssd was joined to the forest root, the AD subdomains code considered sssd joined to a non-root domain and tried to discover the forest root. This could be reproduced by joining sssd to a domain, for example win.trust.test but calling the sssd.conf domain otherwise, for example: [domain/addomain] ad_domain = win.trust.test This is/was a frequent use-case in the RHEL world, where authconfig often names the sssd.conf domain 'default'. Without the patch, the trusted domains were not detected. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
If the sssd.conf domain name was different from the joined domain name,
but sssd was joined to the forest root, the AD subdomains code considered
sssd joined to a non-root domain and tried to discover the forest root.

This could be reproduced by joining sssd to a domain, for example
win.trust.test but calling the sssd.conf domain otherwise, for example:
[domain/addomain]
ad_domain = win.trust.test

This is/was a frequent use-case in the RHEL world, where authconfig
often names the sssd.conf domain 'default'.

Without the patch, the trusted domains were not detected.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Suppres implicit-fallthrough from gcc 7 2017-02-01T13:10:44+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-01-30T11:17:25+00:00 2e505786d6d9d537f5b6631099862f6b93e2e687 Some kind of comments are recognized by gcc7 but they are ignored with -Wimplicit-fallthrough=5 and only attributes disable the warning. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Some kind of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
gpo: Improve debug messages 2017-01-25T14:50:01+00:00 Michal Židek mzidek@redhat.com 2017-01-19T10:44:32+00:00 47680083e7e4bf5c433657171bf84cceacc83339 Improve debug messages during security filtering. It was not possible to figure out why the GPO was filtered by reading the logs, because we use the same debug message in various cases. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Improve debug messages during security filtering. It was not possible
to figure out why the GPO was filtered by reading the logs, because
we use the same debug message in various cases.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
GPO: Skip GPOs without gPCFunctionalityVersion 2017-01-25T14:50:01+00:00 Michal Židek mzidek@redhat.com 2016-12-15T14:16:51+00:00 6a490b312075d2588ad87bbb8a63466f1ac6a106 We falsely stopped GPO processing when Group Policy Container in AD did not contain gPCFunctionalityVersion. Such GPOs should be ignored by SSSD according to MS-GPOL: https://msdn.microsoft.com/en-us/library/cc232538.aspx Resolves: https://fedorahosted.org/sssd/ticket/3269 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We falsely stopped GPO processing when Group Policy Container
in AD did not contain gPCFunctionalityVersion. Such GPOs
should be ignored by SSSD according to MS-GPOL:
https://msdn.microsoft.com/en-us/library/cc232538.aspx

Resolves:
https://fedorahosted.org/sssd/ticket/3269

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA/AD: check auth ctx before using it 2016-11-10T20:50:22+00:00 Sumit Bose sbose@redhat.com 2016-11-08T10:51:57+00:00 ea11ed3ea6291488dd762033246edc4ce3951aeb In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch. Resolves https://fedorahosted.org/sssd/ticket/3234 Reviewed-by: Petr Cech <pcech@redhat.com> 
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.

Resolves https://fedorahosted.org/sssd/ticket/3234

Reviewed-by: Petr Cech <pcech@redhat.com>
Remove double semicolon at the end of line 2016-09-21T13:10:11+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-17T19:05:36+00:00 b9941359b3181c42f415530d5ccad0f4664d85fa Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
dyndns: fix typo and unify ipa with ad debug message when off 2016-08-30T12:30:53+00:00 Pavel Březina pbrezina@redhat.com 2016-08-04T12:10:09+00:00 b3851e86af91dc1aa6e265d5b2e4279b2611ff43 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
AD_PROVIDER: ad_enabled_domains - other then master 2016-08-17T14:08:58+00:00 Petr Cech pcech@redhat.com 2016-06-27T09:51:30+00:00 ba26252f43409a2e4c3d2396e4e7a21584bd725a We can skip looking up other domains if option ad_enabled_domains doesn't contain them. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We can skip looking up other domains if
option ad_enabled_domains doesn't contain them.

Resolves:
https://fedorahosted.org/sssd/ticket/2828

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
AD_PROVIDER: ad_enabled_domains - only master 2016-08-17T14:08:43+00:00 Petr Cech pcech@redhat.com 2016-06-21T07:48:52+00:00 49f38702e62bbd1728757063ba407444e6270952 We can skip looking up other domains if option ad_enabled_domains contains only master domain. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We can skip looking up other domains if option ad_enabled_domains
contains only master domain.

Resolves:
https://fedorahosted.org/sssd/ticket/2828

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
AD_PROVIDER: Initializing of ad_enabled_domains 2016-08-17T14:08:36+00:00 Petr Cech pcech@redhat.com 2016-06-21T06:34:15+00:00 a82baf596bac1fdac6addca6419d8992111a8aa2 We add ad_enabled_domains into ad_subdomains_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We add ad_enabled_domains into ad_subdomains_ctx.

Resolves:
https://fedorahosted.org/sssd/ticket/2828

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>