sssd.git/src/providers, branch gdm_sc_fix Unnamed repository; edit this file to name it for gitweb. KRB5: Send the output username, not internal fqname to krb5_child 2016-09-08T21:04:30+00:00 Jakub Hrozek jhrozek@redhat.com 2016-09-07T10:07:36+00:00 fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42 krb5_child calls krb5_kuserok() during the access phase which checks if a particular user is allowed to authenticate as a particular principal. We used to pass the internal fqname to krb5_kuserok() which broke the functionality and all users were denied access. This patch changes that to send the 'output' username to krb5_child, because that's the username the system receives through getpwnam() or getpwuid() anyway. The patch also adds a new structure member fo the krb5child_req structure to avoid reusing the pd->user variable but have an explicit one that serves as the input for the child process. Resolves: https://fedorahosted.org/sssd/ticket/3172 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.

This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member fo the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.

Resolves:
https://fedorahosted.org/sssd/ticket/3172

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
sdap_initgr_nested_get_membership_diff: use fully-qualified names 2016-09-01T11:48:59+00:00 Sumit Bose sbose@redhat.com 2016-08-30T15:30:10+00:00 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771 I think this is a leftover from the change to use fully-qualified names in sysdb. To verify this you can create a nested group in IPA. Without this patch the id command will only show the groups the user is a direct member of. With the patch the indirect groups memberships should be shown as well. https://fedorahosted.org/sssd/ticket/3163 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
I think this is a leftover from the change to use fully-qualified names
in sysdb. To verify this you can create a nested group in IPA. Without
this patch the id command will only show the groups the user is a direct
member of. With the patch the indirect groups memberships should be
shown as well.

https://fedorahosted.org/sssd/ticket/3163

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
dyndns: fix typo and unify ipa with ad debug message when off 2016-08-30T12:30:53+00:00 Pavel Březina pbrezina@redhat.com 2016-08-04T12:10:09+00:00 b3851e86af91dc1aa6e265d5b2e4279b2611ff43 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Use right name in ldap filter 2016-08-30T08:44:52+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-26T12:57:22+00:00 b4c6060b10b14257e6f01038ae44e46c5a429f33 We used internal fq name in ldap filter with id_provider proxy to files and auth provider ldap [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com]. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We used internal fq name in ldap filter
with id_provider proxy to files and auth provider
ldap

[sssd[be[LDAP]]] [sdap_get_generic_ext_step]
    (0x0400): calling ldap_search_ext with
    [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PROXY: Share common code of save_{group,user}() 2016-08-27T08:00:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-08-24T12:28:42+00:00 69e8b7fcb9e3dc814a9ffc2a97fa656521cc4505 These two functions (save_user() and save_group()) share, between themselves, the code preparing the attributes that are going to be stored in the sysdb. This patch basically splits this code out of those functions and introduces the new prepare_attrs_for_saving_ops(). Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
These two functions (save_user() and save_group()) share, between
themselves, the code preparing the attributes that are going to be
stored in the sysdb.

This patch basically splits this code out of those functions and
introduces the new prepare_attrs_for_saving_ops().

Related:
https://fedorahosted.org/sssd/ticket/3134

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Mention that save_user()'s parameters are already qualified 2016-08-27T08:00:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-08-24T11:32:10+00:00 9900d2b153ebb7d994ccd05275f18b973556d5b3 Those comments are similar to what we have in the save_group() function. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Those comments are similar to what we have in the save_group() function.

Related:
https://fedorahosted.org/sssd/ticket/3134

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Remove cache_timeout attribute from save_group() 2016-08-27T08:00:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-08-24T11:29:17+00:00 221d70ae3c5b7bc7384f57ffd3f88f89a3e6ae6a As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->group_timeout. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->group_timeout.

Related:
https://fedorahosted.org/sssd/ticket/3134

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Remove cache_timeout attribute from save_user() 2016-08-27T08:00:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-08-24T11:25:44+00:00 2537fe318a3866780abca100cf6eb7c258f9d02b As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->user_timeout. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->user_timeout.

Related:
https://fedorahosted.org/sssd/ticket/3134

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Remove lowercase attribute from save_user() 2016-08-27T08:00:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-08-24T11:16:31+00:00 413aef1529fb3d5ed4d0f38e219f5456d7fe3ae0 As this function already receives a struct sss_domain_info * parameter as argument, we can simply check whether we will need a lowercase name by accessing domain->case_sensitive. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply check whether we will need a lowercase name
by accessing domain->case_sensitive.

Related:
https://fedorahosted.org/sssd/ticket/3134

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: Parse qualified names when guessing AD user principal 2016-08-26T19:17:16+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-09T20:08:27+00:00 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9 Most AD users store their UPN in an attribute. If they don't, or the sssd was configured (typically in earlier versions to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the attribute. That currently doesn't work in 1.14, because the username is already qualified and then we also append the realm name to it. We need to parse the simple username from the qualified name first. The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups. Resolves: https://fedorahosted.org/sssd/ticket/3127 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.

That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.

The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.

Resolves:
https://fedorahosted.org/sssd/ticket/3127

Reviewed-by: Sumit Bose <sbose@redhat.com>