sssd.git/src/sss_client, branch memberof_default_view Unnamed repository; edit this file to name it for gitweb. PAM/KRB5: optional otp and password prompting 2016-07-07T10:39:36+00:00 Sumit Bose sbose@redhat.com 2016-05-26T11:20:59+00:00 78027feeb56d6fe216f699be86a4716aaef3f628 Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both. Resolves https://fedorahosted.org/sssd/ticket/2988 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.

Resolves https://fedorahosted.org/sssd/ticket/2988

Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user 2016-07-01T13:28:33+00:00 Jakub Hrozek jhrozek@redhat.com 2016-04-28T08:31:45+00:00 fcbcfa69f9291936f01f24b5fcb5a7672dca46f3 If an IPA client uses the SSH integration and a local user logs in with SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH responder, which doesn't find the user and returns ENOENT. The sss_ssh_authorizedkeys reports a failure on any error, including ENOENT which produced a confusing error message in the logs. This patch adds a new error code that handles users that are not found by SSSD but exist on the system and also special cases root with the same error code. Therefore, logging in as a local user no longer prints an error message. Resolves: https://fedorahosted.org/sssd/ticket/3003 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.

This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.

Resolves:
https://fedorahosted.org/sssd/ticket/3003

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
nss-idmap: add sss_nss_getnamebycert() 2016-06-09T14:12:25+00:00 Sumit Bose sbose@redhat.com 2016-04-26T11:13:43+00:00 9c88f837ffacf6548c13825589b327de1a5525f3 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
NSS: add SSS_NSS_GETNAMEBYCERT request 2016-06-09T14:12:25+00:00 Sumit Bose sbose@redhat.com 2016-04-25T14:09:48+00:00 1a45124f3f300f9afdcb08eab0938e5e7d0534d9 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PAM: add pam_sss option allow_missing_name 2016-06-09T11:08:26+00:00 Sumit Bose sbose@redhat.com 2016-03-14T16:27:01+00:00 325ed9f92f1ea1f348fd7913229faecf3dc1d40b With this option SSSD can be used with the gdm Smartcard feature. Resolves: https://fedorahosted.org/sssd/ticket/2941 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
With this option SSSD can be used with the gdm Smartcard feature.

Resolves:
https://fedorahosted.org/sssd/ticket/2941

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
libwbclient: wbcSidsToUnixIds() don't fail on errors 2016-06-07T09:44:44+00:00 Sumit Bose sbose@redhat.com 2016-06-02T19:01:11+00:00 52f1093ef3d7c44132ec10c57436865b2cbb19d7 Resolves: https://fedorahosted.org/sssd/ticket/3028 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
Resolves: https://fedorahosted.org/sssd/ticket/3028

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
pam_sss: reorder pam_message array 2016-03-14T13:06:17+00:00 Sumit Bose sbose@redhat.com 2016-03-07T16:07:16+00:00 957e0a8675359d90fa50067b704578d01f565bba There are different expectations about how the pam_message array is organized, details can be found in the pam_conv man page. E.g. sudo was not able to handle the Linux-PAM style but expected the Solaris PAM style. With this patch both styles should work as expected. Resolves https://fedorahosted.org/sssd/ticket/2971 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
There are different expectations about how the pam_message array is
organized, details can be found in the pam_conv man page. E.g. sudo was
not able to handle the Linux-PAM style but expected the Solaris PAM
style. With this patch both styles should work as expected.

Resolves https://fedorahosted.org/sssd/ticket/2971

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CLIENT: Retry request after EPIPE 2016-03-11T10:46:15+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-02-17T14:21:55+00:00 6748a4c9d75db997c724c1dcea541e0047742f52 We have a function sss_cli_check_socket which checks socket in client code. The socket is reopened in case of some issues e.g. responder terminated connections ... We use syscall poll for checking status of socket. It's not 100% reliable method because there is still chance that responder will terminate socket after this check. Here is a schema of sss_*_make_request functions: sss_cli_check_socket sss_cli_make_request_nochecks { sss_cli_send_req { poll send } sss_cli_recv_rep { poll read } } The syscall pool does not return EPIPE directly but we convert special revents from poll to EPIPE. As it was mentioned earlier, checking of socket in the sss_cli_check_socket is not 100% reliable. It can happen very rarely due to TOCTOU issue (Time of check to time of use) We can return EPIPE from the sss_cli_make_request_nochecks function in case of failure in poll in sss_cli_send_req. The send function in sss_cli_send_req can also return EPIPE is responder close socket in the same time. The send function can succeed in sss_cli_send_req but it does not mean that responder read the message. It can happen that timer for closing socket can be handled before reading a message. Therefore there is a still a chance that we might return EPIPE in case of failure in poll in sss_cli_recv_rep. Therefore we need to reconnect to responder(sss_cli_check_socket) in case of EPIPE returned from sss_cli_make_request_nochecks and try to do the same request one more time. Resolves: https://fedorahosted.org/sssd/ticket/2626 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We have a function sss_cli_check_socket which checks
socket in client code. The socket is reopened in case of some
issues e.g. responder terminated connections ...

We use syscall poll for checking status of socket.
It's not 100% reliable method because there is still
chance that responder will terminate socket after this check.

Here is a schema of sss_*_make_request functions:
    sss_cli_check_socket
    sss_cli_make_request_nochecks {
       sss_cli_send_req {
           poll
           send
       }
       sss_cli_recv_rep {
           poll
           read
       }
    }

The syscall pool does not return EPIPE directly but we convert
special revents from poll to EPIPE. As it was mentioned earlier,
checking of socket in the sss_cli_check_socket is not 100% reliable.
It can happen very rarely due to TOCTOU issue (Time of check to time of use)

We can return EPIPE from the sss_cli_make_request_nochecks function
in case of failure in poll in sss_cli_send_req. The send function
in sss_cli_send_req can also return EPIPE is responder close socket
in the same time. The send function can succeed in sss_cli_send_req
but it does not mean that responder read the message. It can happen
that timer for closing socket can be handled before reading a message.
Therefore there is a still a chance that we might return EPIPE in case
of failure in poll in sss_cli_recv_rep.

Therefore we need to reconnect to responder(sss_cli_check_socket)
in case of EPIPE returned from sss_cli_make_request_nochecks and
try to do the same request one more time.

Resolves:
https://fedorahosted.org/sssd/ticket/2626

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
CLIENT: Reduce code duplication 2016-03-11T10:46:11+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-02-26T15:06:50+00:00 a452d199bc125e8d53033d7c00383b4a275ab85e Patch for #2626 will be simpler with this small refactoring Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Patch for #2626 will be simpler with this small refactoring

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
nfs idmap: fix infinite loop 2016-01-05T11:40:11+00:00 Sumit Bose sbose@redhat.com 2015-12-18T12:16:29+00:00 2a256e4e4b64891fe846e933589506daa68aa13e Resolves: https://fedorahosted.org/sssd/ticket/2909 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Noam Meltzer <tsnoam@gmail.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2909

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Noam Meltzer <tsnoam@gmail.com>