Commit message | Author | Age | Files | Lines
* wip ad_domain_local_groups
  Sumit Bose | 2016-09-07 | 5 files | -7/+427
* SYSDB: Suppress warning from clang static analyser
  Lukas Slebodnik | 2016-09-02 | 1 file | -1/+1

  scan-build wrongly assumes that output variable "version" is not initialized if function sysdb_cache_connect returns ERR_SYSDB_VERSION_TOO_OLD or ERR_SYSDB_VERSION_TOO_NEW. The reality is that output variable "version" is initialized especially for these two cases. Initialisation to NULL suppresses these false positive reports.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SYSDB: Removing of unused parameter
  Petr Čech | 2016-09-01 | 1 file | -3/+1

  There was an unused parameter struct ldb_message *cached_group in sysdb_store_group_attrs(). This parameter was introduced by 40de79d69860ec7f04bf7795bd88b641ec42fd23 "SYSDB: Check if group attributes differ before saving a group".

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap_initgr_nested_get_membership_diff: use fully-qualified names
  Sumit Bose | 2016-09-01 | 1 file | -1/+1

  I think this is a leftover from the change to use fully-qualified names in sysdb. To verify this you can create a nested group in IPA. Without this patch the id command will only show the groups the user is a direct member of. With the patch the indirect group memberships should be shown as well.

  https://fedorahosted.org/sssd/ticket/3163

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Document the ldap_user_primary_group option
  Jakub Hrozek | 2016-09-01 | 1 file | -0/+15

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DEBUG: Append line feed to messages from libsemanage
  Lukas Slebodnik | 2016-09-01 | 1 file | -1/+2

  It wasn't simple to read log files from libsemanage because they were on a single line.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SYSDB: Fix error handling in sysdb_get_user_members_recursively
  Lukas Slebodnik | 2016-08-31 | 2 files | -1/+7

  We ignored failures from sysdb_search_entry.

  Reviewed-by: Petr Čech <pcech@redhat.com>
* MONITOR: Remove leftovers from kill_service
  Fabiano Fidêncio | 2016-08-31 | 4 files | -16/+0

  Seems that when I sent the v2 of ac35fe74 I attached the wrong patch that ended up being pushed. The patch was incomplete as there are still some leftovers.

  The .po and sssd-docs.pot were not touched as I do believe they are autogenerated from Zanata.

  Related: https://fedorahosted.org/sssd/ticket/3052

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Petr Čech <pcech@redhat.com>
* MONITOR: Remove leftovers from diag_cmd
  Fabiano Fidêncio | 2016-08-31 | 4 files | -12/+0

  Seems that when I sent the v2 of 7579cf99 I attached the wrong patch that ended up being pushed. That patch was incomplete as there are still some leftovers.

  Related: https://fedorahosted.org/sssd/ticket/3051

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Petr Čech <pcech@redhat.com>
* netlink: Don't define USE_GNU
  Jakub Hrozek | 2016-08-30 | 1 file | -1/+2

  Applications should never #define USE_GNU themselves, but rather _GNU_SOURCE. This patch removes USE_GNU and replaces it with including config.h which has _GNU_SOURCE defined if applicable for that platform.

  See for example: https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* dyndns: fix typo and unify ipa with ad debug message when off
  Pavel Březina | 2016-08-30 | 2 files | -2/+2

  Reviewed-by: Petr Čech <pcech@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SECRETS: Make reading the config options more uniform
  Jakub Hrozek | 2016-08-30 | 1 file | -1/+1

  One of the confdb_get_ calls in sec_get_config() used a variable referenced from rctx, the other used a hardcoded string. Use one of them in both places instead.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SECRETS: Make internal function static
  Jakub Hrozek | 2016-08-30 | 1 file | -1/+2

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PROXY: Use right name in ldap filter
  Lukas Slebodnik | 2016-08-30 | 1 file | -3/+8

  We used the internal fq name in the ldap filter with id_provider proxy to files and auth provider ldap:

  [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* WATCHDOG: define and use _MAX_TICKS as 3
  Jakub Hrozek | 2016-08-30 | 1 file | -3/+3

  Instead of using the number 3 directly, let's introduce and use WATCHDOG_MAX_TICKS.

  Reviewed-by: Petr Čech <pcech@redhat.com>
* MONITOR: Remove the no longer used kill_service command
  Jakub Hrozek | 2016-08-30 | 3 files | -175/+0

  After introducing the watchdog, the force_timeout option is no longer used.

  Resolves: https://fedorahosted.org/sssd/ticket/3052

  Reviewed-by: Petr Čech <pcech@redhat.com>
* MONITOR: Remove the no longer used diag_cmd command
  Jakub Hrozek | 2016-08-30 | 2 files | -164/+0

  After introducing the watchdog, the diag_cmd is no longer used and it makes no sense trying to make it usable by the watchdog as the result of "pstack %p" seems next to useless in this context.

  Related: https://fedorahosted.org/sssd/ticket/3051

  Reviewed-by: Petr Čech <pcech@redhat.com>
* BUILD: Remove leftover after sysdb refactoring
  Lukas Slebodnik | 2016-08-29 | 1 file | -1/+0

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* BUILD: Fix typo in intgcheck-run rule
  Fabiano Fidêncio | 2016-08-29 | 1 file | -1/+1

  During the review process "intgcheck-build" ended up being merged into the "intgcheck-prepare" rule.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Clean up prerelease targets
  Fabiano Fidêncio | 2016-08-29 | 1 file | -2/+12

  Clean up the pre-release targets in order to avoid lines exceeding 80 characters.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Add a few more targets for intg tests
  Fabiano Fidêncio | 2016-08-29 | 1 file | -2/+15

  Running "make intgcheck" has been proven to be a bit painful (mainly when the developer is just writing down a single test case), as it cleans up the build directory and fires a new build before, finally, running the tests.

  In order to make it a little less painful, let's break the whole operation into 3 new targets: intgcheck-{prepare,run,clean}.

  As expected, "make intgcheck" calls these 3 new operations in the same order they were presented, not changing the current behavior. Each operation will trigger the previous one in case there is no "$$prefix" directory created and the directory is _only_ created in the very first operation (intgcheck-prepare).

  A note must be made about how to run a single test file or a single test from a test file when running "make intgcheck-run". The option has always been here but only makes sense now that we have the intgcheck split in a few useful steps. See the examples below (and for more detailed information, check the py.test documentation):

  #Run a single file
  make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"

  #Run a single test from a single file
  make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SYSDB: Fix uninitialized scalar variable
  Lukas Slebodnik | 2016-08-29 | 1 file | -1/+1

  The boolean variable newly_created could be used uninitialized in the done section in case of failure. The variable was first initialized to true after successful execution of function sysdb_cache_create_empty. An uninitialized variable usually means true for a boolean variable.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* PROXY: Share common code of save_{group,user}()
  Fabiano Fidêncio | 2016-08-27 | 1 file | -80/+65

  These two functions (save_user() and save_group()) share, between themselves, the code preparing the attributes that are going to be stored in the sysdb. This patch basically splits this code out of those functions and introduces the new prepare_attrs_for_saving_ops().

  Related: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Mention that save_user()'s parameters are already qualified
  Fabiano Fidêncio | 2016-08-27 | 1 file | -2/+3

  Those comments are similar to what we have in the save_group() function.

  Related: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Remove cache_timeout attribute from save_group()
  Fabiano Fidêncio | 2016-08-27 | 1 file | -7/+5

  As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->group_timeout.

  Related: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Remove cache_timeout attribute from save_user()
  Fabiano Fidêncio | 2016-08-27 | 1 file | -7/+7

  As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->user_timeout.

  Related: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Remove lowercase attribute from save_user()
  Fabiano Fidêncio | 2016-08-27 | 1 file | -13/+9

  As this function already receives a struct sss_domain_info * parameter as argument, we can simply check whether we will need a lowercase name by accessing domain->case_sensitive.

  Related: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Parse qualified names when guessing AD user principal
  Jakub Hrozek | 2016-08-26 | 1 file | -2/+12

  Most AD users store their UPN in an attribute. If they don't, or the sssd was configured (typically in earlier versions to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the attribute.

  That currently doesn't work in 1.14, because the username is already qualified and then we also append the realm name to it. We need to parse the simple username from the qualified name first.

  The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups.

  Resolves: https://fedorahosted.org/sssd/ticket/3127

  Reviewed-by: Sumit Bose <sbose@redhat.com>
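Both the PROXY filter fix above ("PROXY: Use right name in ldap filter") and this IPA fix come down to the same step: split the internal qualified name into its short name and domain before the short name is placed into an LDAP filter or used as the user part of a guessed principal. The following is an added illustration in Python, not SSSD's own C code; the helpers split_fqname, ldap_filter_escape, build_user_filter and guess_upn are hypothetical names, and the assumption that internal names look like user@domain stands in for SSSD's configurable full_name_format. The filter builder also escapes the value per RFC 4515, which the commit messages do not discuss but which a practitioner wants whenever a name that came from a remote directory is interpolated into a filter.

```python
"""Handle fully-qualified names before they reach an LDAP filter or a
guessed Kerberos principal.

Added example, not SSSD's own code.  split_fqname, ldap_filter_escape,
build_user_filter and guess_upn are hypothetical helpers; the user@domain
layout is an assumption standing in for SSSD's full_name_format."""
from __future__ import annotations

QUALIFIER = "@"  # assumption: internal names look like user@domain


def split_fqname(fqname: str) -> tuple[str, str | None]:
    """'testuser1@ldap' -> ('testuser1', 'ldap'); a bare name has no domain.

    Split on the last separator so a dotted domain such as 'ad.example.com'
    survives intact."""
    name, sep, domain = fqname.rpartition(QUALIFIER)
    if not sep:
        return fqname, None
    return name, domain


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515.

    '*', '(', ')', '\\' and NUL must always be escaped; non-printable and
    non-ASCII bytes are escaped too, so a name taken from an untrusted
    source cannot change the structure of the filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte < 0x20 or byte > 0x7e:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_user_filter(fqname: str, strip_domain: bool = True,
                      user_attr: str = "uid",
                      objectclass: str = "posixAccount") -> str:
    """Build the user search filter.

    strip_domain=False reproduces the pre-fix behaviour quoted in the PROXY
    commit: the internal qualified name leaks into the filter."""
    name = split_fqname(fqname)[0] if strip_domain else fqname
    return "(&(%s=%s)(objectclass=%s))" % (
        user_attr, ldap_filter_escape(name), objectclass)


def guess_upn(fqname: str, realm: str, strip_domain: bool = True) -> str:
    """Guess a principal for an AD user whose UPN attribute is not set.

    strip_domain=False reproduces the 1.14 bug from the IPA commit: the
    realm gets appended to a name that is already qualified."""
    name = split_fqname(fqname)[0] if strip_domain else fqname
    return "%s@%s" % (name, realm.upper())


if __name__ == "__main__":
    print(build_user_filter("testuser1@ldap"))
    print(guess_upn("Administrator@ad.example.com", "ad.example.com"))
```

Running the module prints the corrected filter and principal; passing strip_domain=False to either helper shows the broken value each commit describes.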
* SPEC: Fix typo in Summary
  Lukas Slebodnik | 2016-08-26 | 1 file | -1/+1

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SECRETS: Return ENOENT when deleting a non-existent secret
  Fabiano Fidêncio | 2016-08-26 | 1 file | -7/+2

  For this, just make use of the sysdb_error_to_errno() function.

  Resolves: https://fedorahosted.org/sssd/ticket/3125

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Remove the timestamp cache for a newly created cache
  Fabiano Fidêncio | 2016-08-26 | 1 file | -22/+47

  As many users are used to removing the persistent cache without removing the timestamp cache, let's throw away the timestamp cache in this case.

  Resolves: https://fedorahosted.org/sssd/ticket/3128

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Rework sysdb_cache_connect()
  Fabiano Fidêncio | 2016-08-26 | 1 file | -19/+34

  As sysdb_cache_connect() has two very specific use cases (connect to the cache and connect to the timestamp cache) and each of those calls has a predetermined/fixed set of values for a few parameters, let's try to make the code a bit simpler to follow by having explicit functions for connecting to the cache and connecting to the timestamp cache.

  Macros could be used as well, but I have a slight preference for having two new functions instead of macros accessing internal parameters of the macro's parameter.

  Related: https://fedorahosted.org/sssd/ticket/3128

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Allow to read private pipes for root
  Lukas Slebodnik | 2016-08-26 | 2 files | -5/+5

  Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and denies access if access is not allowed for root by DAC.

  pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam for the user with uid 0. Therefore root needs to be able to read the content of the directory with private pipes.

  type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
  type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

  Resolves: https://fedorahosted.org/sssd/ticket/3143

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
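The two AVC records in this commit are the signal a practitioner looks for when a confined service (here vsftpd in ftpd_t, running as root) is blocked by file mode bits that root would otherwise ignore: a denial in tclass=capability for dac_read_search or dac_override. The usual fix is the one the commit makes, opening the mode on the object, rather than granting the capability to the domain. The following is an added example, not SSSD's own code, that parses such records and reports the DAC-bypass denials; parse_avc and dac_capability_denials are hypothetical helper names, and the third sample line is constructed to show that non-AVC records are ignored.

```python
"""Pull DAC-bypass capability denials out of SELinux AVC audit records.

Added example, not SSSD's own code.  The first two sample records are the
ones quoted in the commit message; the third is constructed.  parse_avc and
dac_capability_denials are hypothetical helper names."""
import re
from dataclasses import dataclass

# "avc:  denied  { perm perm }  for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Capabilities whose denial means a confined process tried to bypass the
# file mode bits.  Fix the mode on the object (as the commit does for the
# private pipes directory) instead of granting the capability in policy.
DAC_CAPABILITIES = {"dac_override", "dac_read_search"}


@dataclass
class AvcEvent:
    verdict: str
    perms: list
    fields: dict

    @property
    def source_type(self) -> str:
        # scontext is user:role:type:level; the type is what policy confines
        return self.fields.get("scontext", "::?").split(":")[2]


def parse_avc(line: str):
    """Return an AvcEvent for one audit line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcEvent(m.group("verdict"), m.group("perms").split(),
                    dict(KV_RE.findall(m.group("fields"))))


def dac_capability_denials(lines):
    """Summarise DAC-bypass denials as (comm, source type, capability)."""
    hits = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.verdict != "denied":
            continue
        if ev.fields.get("tclass") != "capability":
            continue
        for perm in ev.perms:
            if perm in DAC_CAPABILITIES:
                hits.append((ev.fields.get("comm"), ev.source_type, perm))
    return hits


# Constructed input: the two records from the commit message plus one
# unrelated SYSCALL record, to show that only AVC capability denials count.
SAMPLE_AUDIT = [
    "type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied "
    "{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search "
    "scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability",
    "type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied "
    "{ dac_override } for pid=20257 comm=vsftpd capability=dac_override "
    "scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability",
    "type=SYSCALL msg=audit(08/19/2016 10:58:34.081:3369) : "
    "arch=x86_64 syscall=openat success=no exit=EACCES",
]

if __name__ == "__main__":
    for comm, stype, cap in dac_capability_denials(SAMPLE_AUDIT):
        print("%s (%s) was denied %s: fix the object's mode, not the policy"
              % (comm, stype, cap))
```

Feed it `ausearch -m AVC --raw` output line by line on a real host; anything it reports for a directory owned by a service is a candidate for the same kind of mode change this commit makes.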
* watchdog: cope with time shift
  Pavel Březina | 2016-08-25 | 1 file | -0/+41

  When the time is changed into the past during sssd runtime (e.g. on boot during time correction), it is possible that we never hit the watchdog tevent timer since it is based on system time.

  This patch adds a past-time shift detection mechanism. If a time shift is detected we restart the watchdog.

  Resolves: https://fedorahosted.org/sssd/ticket/3154

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
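A timer armed against the wall clock is silently postponed by the size of any backward step, so a watchdog built on it stops protecting the process exactly when the system is least stable (boot-time time correction). The detection the commit describes can be expressed as a comparison between the wall clock and a monotonic clock: if less wall-clock time than monotonic time has passed since the timer was armed, the wall clock went backwards and the watchdog is re-armed. The following is an added Python model of that logic, not SSSD's C tevent watchdog; Watchdog, Clocks and FakeClocks are hypothetical names, and FakeClocks exists only to simulate a time correction offline.

```python
"""Watchdog that survives the wall clock being stepped into the past.

Added example, not SSSD's own code (SSSD's watchdog is a C tevent timer).
Watchdog, Clocks and FakeClocks are hypothetical names.  The deadline is
kept on the wall clock, like a realtime tevent timer, so stepping the clock
back would otherwise postpone expiry by the size of the step."""
from __future__ import annotations

import time


class Clocks:
    """The wall clock the timer is based on, plus a monotonic clock that a
    time correction cannot move."""
    def wall(self) -> float:
        return time.time()

    def mono(self) -> float:
        return time.monotonic()


class FakeClocks(Clocks):
    """Constructed clocks for simulating a time correction offline."""
    def __init__(self, wall: float = 1_000_000.0, mono: float = 0.0):
        self._wall, self._mono = wall, mono

    def wall(self) -> float:
        return self._wall

    def mono(self) -> float:
        return self._mono

    def advance(self, seconds: float) -> None:
        """Time passes normally: both clocks move."""
        self._wall += seconds
        self._mono += seconds

    def step_wall(self, delta: float) -> None:
        """A time correction (NTP step, settimeofday): only the wall clock moves."""
        self._wall += delta


class Watchdog:
    def __init__(self, interval: float, max_ticks: int = 3,
                 tolerance: float = 1.0, clocks: Clocks | None = None):
        self.interval, self.max_ticks = interval, max_ticks
        self.tolerance = tolerance        # jitter smaller than this is not a shift
        self.clocks = clocks or Clocks()
        self.restarts = 0
        self._arm()

    def _arm(self) -> None:
        """(Re)arm: remember both clocks and compute the wall-clock deadline."""
        self._armed_wall = self.clocks.wall()
        self._armed_mono = self.clocks.mono()
        self._deadline = self._armed_wall + self.interval * self.max_ticks

    def kick(self) -> None:
        """Called by the main loop each time it proves it is alive."""
        self._arm()

    def wall_stepped_back(self) -> bool:
        """True when less wall-clock time than monotonic time has elapsed,
        i.e. the wall clock was moved into the past after the timer was armed."""
        wall_elapsed = self.clocks.wall() - self._armed_wall
        mono_elapsed = self.clocks.mono() - self._armed_mono
        return wall_elapsed < mono_elapsed - self.tolerance

    def deadline_reached(self) -> bool:
        return self.clocks.wall() >= self._deadline

    def check(self) -> str:
        """One watchdog tick: 'restarted' after a past-time shift, 'expired'
        when the process should be terminated, otherwise 'ok'."""
        if self.wall_stepped_back():
            self.restarts += 1
            self._arm()               # re-anchor the deadline to the new time
            return "restarted"
        if self.deadline_reached():
            return "expired"
        return "ok"


if __name__ == "__main__":
    clocks = FakeClocks()
    wd = Watchdog(interval=10, clocks=clocks)
    clocks.advance(5)
    clocks.step_wall(-3600)           # clock corrected one hour into the past
    print(wd.check())                 # restarted
    clocks.advance(31)
    print(wd.check())                 # expired: protection survived the step
```

A forward step is the opposite case: the deadline arrives early, which is a spurious kill rather than a lost one, so the model only acts on backward shifts as the commit does.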
* INTG: Tests for ldap nested netgroups
  Petr Cech | 2016-08-24 | 2 files | -0/+460

  This patch adds tests on the reproducer of t2841.

  Resolves: https://fedorahosted.org/sssd/ticket/2841

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* INTG: Adding support for netgroups to ldap_ent
  Petr Cech | 2016-08-24 | 1 file | -0/+19

  Resolves: https://fedorahosted.org/sssd/ticket/2841

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Fixing of removing netgroup from cache
  Petr Cech | 2016-08-24 | 1 file | -0/+16

  There was a problem with the local key which wasn't properly removed. This patch fixes it.

  Resolves: https://fedorahosted.org/sssd/ticket/2841

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sssd_netgroup.py: Resolve nested netgroups
  Lukas Slebodnik | 2016-08-24 | 1 file | -60/+164

  Reviewed-by: Petr Čech <pcech@redhat.com>
* PROXY: Use the fqname when converting to lowercase
  Fabiano Fidêncio | 2016-08-24 | 1 file | -1/+1

  When saving the user there is a comparison between the "cased alias" and the "lowercase password name". However, the first doesn't use the fully qualified name while the second does, resulting in an unexpected override of the "nameAlias" attribute of a stored user when trying to authenticate more than once using an alias.

  Resolves: https://fedorahosted.org/sssd/ticket/3134

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* CONFIG: session_provider does not exist anymore
  Jakub Hrozek | 2016-08-23 | 4 files | -5/+0

  The session_provider used to exist a long time ago when we used to set the SELinux context from it, but the provider had been removed for a long time. We just forgot to remove the value from the config API and the validator.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* CONFIG: selinux_provider is a valid provider type
  Jakub Hrozek | 2016-08-23 | 4 files | -0/+5

  We should not warn about it in the validator and should allow selinux_provider from the config API.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Updating the version for the 1.14.2 release
  Jakub Hrozek | 2016-08-19 | 1 file | -1/+1
* Updating the translations for the 1.14.1 release
  Jakub Hrozek | 2016-08-19 | 40 files | -16278/+18120
* intg: Test extra attributes duplicate
  Lukas Slebodnik | 2016-08-19 | 1 file | -0/+50

  Regression test for ticket #3120

  Resolves: https://fedorahosted.org/sssd/ticket/3120

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap: Skip exact duplicates when extending maps
  Michal Židek | 2016-08-19 | 1 file | -10/+32

  When extending a map with an entry that already exists in the map in the exact same form, there is no need to fail. We should only fail if we try to change the purpose of an already used sysdb attribute.

  Resolves: https://fedorahosted.org/sssd/ticket/3120

  Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test_ldap: test resolving of names with special characters
  Lukas Slebodnik | 2016-08-18 | 1 file | -0/+22

  Integration test for #3121

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test_ldap: test nested membership with rfc2307bis
  Lukas Slebodnik | 2016-08-18 | 1 file | -0/+27

  Integration test for #3093

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Fix pep8 warnings
  Lukas Slebodnik | 2016-08-18 | 3 files | -14/+26

  E302 expected 2 blank lines, found 1
  E303 too many blank lines (2)
  E501 line too long (84 > 79 characters)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sssd_id.py: Primary group should be returned for initgroups
  Lukas Slebodnik | 2016-08-18 | 2 files | -3/+23

  A side effect of this change was that some primary groups could not be resolved and therefore get_user_groups failed in override tests. We should do the same as "id user": return the decimal representation of the GID if it cannot be mapped to a name.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: create ldap test without enumeration
  Lukas Slebodnik | 2016-08-18 | 2 files | -0/+698

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>