Commit message | Author | Date | Files | Lines (-/+)
* certmap openssl fix [certificate_mapping] | Sumit Bose | 2017-02-15 | 1 file | -0/+1
* certmap fix | Sumit Bose | 2017-02-14 | 1 file | -0/+1
* certmap openssl | Sumit Bose | 2017-02-14 | 5 files | -3/+326
* IPA: add certmap support (wip) | Sumit Bose | 2017-02-13 | 8 files | -22/+450
* sysdb: add certmap related calls | Sumit Bose | 2017-02-13 | 4 files | -0/+688
* sss_cert_derb64_to_ldap_filter: add sss_certmap support | Sumit Bose | 2017-02-13 | 8 files | -19/+40
* LDAP: always store the certificate from the request | Sumit Bose | 2017-02-13 | 2 files | -1/+19
* sdap_get_users_send(): new argument extra_attrs | Sumit Bose | 2017-02-13 | 4 files | -4/+39

    extra_attrs can be a list of sysdb_attrs which are not available on the
    server side but should be stored with the cached user entry.
* sysdb: add sysdb_attrs_copy() | Sumit Bose | 2017-02-13 | 3 files | -0/+112
* certmap: add new library libsss_certmap | Sumit Bose | 2017-02-13 | 12 files | -1/+2919
* split_on_separator: move to a separate file | Sumit Bose | 2017-02-13 | 3 files | -100/+144

    To be able to include split_on_separator() without additional
    dependencies (only talloc), it is moved into a separate file.
* SUDO: Only store lowercased attribute value once | Jakub Hrozek | 2017-02-10 | 2 files | -14/+8

    The current code doesn't handle the situation where lowercasing the
    sudoUser attribute would yield the same value again. For example:

        sudoUser: TUSER
        sudoUser: tuser

    would break. This patch switches to using the utility function
    sysdb_attrs_add_lower_case_string() which already checks for duplicates.

    Resolves: https://fedorahosted.org/sssd/ticket/3301

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Don't timeout if using local provider + socket-activated responders | Fabiano Fidêncio | 2017-02-10 | 1 file | -0/+9

    When using only the local provider with socket-activated services SSSD
    ends up never notifying systemd its startup has been done, as notifying
    systemd is done *only* when a service (provider or responder) is started
    up, leading SSSD's startup to fail due to a timeout.

    So, in order to avoid this situation, let's just notify the startup
    earlier in case we have *only* socket-activated services and the *only*
    provider set up is the LOCAL one.

    Resolves: https://fedorahosted.org/sssd/ticket/3299

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Wrap up sending sd_notify "ready" into a new function | Fabiano Fidêncio | 2017-02-10 | 1 file | -9/+21

    This new function will be used later on in this series as we also will
    need to notify systemd that we're up in at least one more scenario (for
    now).

    Related: https://fedorahosted.org/sssd/ticket/3299

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: always go to dp first when looking up host | Pavel Březina | 2017-02-08 | 1 file | -1/+1

    We need to always look up the host in DP first to update host
    certificates so we are consistent during ssh authentication.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ssh: fix typo | Pavel Březina | 2017-02-08 | 1 file | -1/+1

    Those macros are the same so there is no functional difference.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Fix linking of test_sdap_initgr | Lukas Slebodnik | 2017-02-08 | 1 file | -2/+3

    There was a linking failure on debian:

        /usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o: undefined reference to symbol 'hash_iterate@@DHASH_0.4.3'
        //usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line
        collect2: error: ld returned 1 exit status

    This patch adds some missing libraries and removes unnecessary
    libraries.

    Bug was introduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf | Jakub Hrozek | 2017-02-08 | 1 file | -2/+11

    If the sssd.conf domain name was different from the joined domain name,
    but sssd was joined to the forest root, the AD subdomains code
    considered sssd joined to a non-root domain and tried to discover the
    forest root.

    This could be reproduced by joining sssd to a domain, for example
    win.trust.test but calling the sssd.conf domain otherwise, for example:

        [domain/addomain]
        ad_domain = win.trust.test

    This is/was a frequent use-case in the RHEL world, where authconfig
    often names the sssd.conf domain 'default'. Without the patch, the
    trusted domains were not detected.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ssh: rewrite ssh responder to use cache_req | Pavel Březina | 2017-02-08 | 8 files | -1218/+1170

    This is a bigger change since both supported commands could be rewritten
    for cache_req and the logic could be deleted. I decided to also split
    the file into more modules and follow similar pattern as with nss
    responder.

    Resolves: https://fedorahosted.org/sssd/ticket/1126

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add host by name search | Pavel Březina | 2017-02-08 | 12 files | -18/+240

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: move dp request to plugin | Pavel Březina | 2017-02-08 | 25 files | -332/+400

    This will allow using cache_req even for objects that do not use an
    account request, such as hosts.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add api to create ldb_result from message | Pavel Březina | 2017-02-08 | 1 file | -19/+28

    Some sysdb methods don't return ldb_result as output but return
    ldb_message instead. Changing sysdb to be consistent is too big so I
    added this helper function that will wrap the resulting message into
    ldb_result.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: search user by name with attrs | Pavel Březina | 2017-02-08 | 2 files | -2/+42

    Sometimes it is desirable to acquire more attributes from the user
    object than the SYSDB_PW_ATTRS set, such as the user's public key.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add ability to not use default domain suffix | Pavel Březina | 2017-02-08 | 21 files | -1/+31

    This will be used in the next plugin "host by name" where it is not
    desirable to use default domain suffix if set.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sss_parse_inp_send: provide default_domain as parameter | Pavel Březina | 2017-02-08 | 6 files | -12/+44

    It is not always desirable to consider default_domain from configuration
    but expect none instead. For example when we search host certificates.

    This is currently not used in this patch since host lookups parse name
    directly with sss_parse_name but it will be used in the next patch.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ssh: do not create again fq name | Pavel Březina | 2017-02-08 | 1 file | -14/+6

    We store the fully qualified name in sysdb so there is no need to append
    the domain part again, which results in a name@domain@domain string.

    This field is not actually used in the ssh client so it doesn't cause
    any issue but we should stay correct here.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ssh: fix number of output certificates | Pavel Březina | 2017-02-08 | 1 file | -1/+1

    The SSH responder returned an invalid number of certificates when the
    original ad pubkey attribute was not empty. Since we always return all
    certificates to the client we should add the number of results to the
    output, not override it.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Tests for sdap_search_initgr_user_in_batch | Petr Čech | 2017-02-08 | 2 files | -0/+562

    This patch provides tests for the core logic of the
    sdap_search_initgr_user_in_batch() function. This function replaces the
    old approach with the sysdb_try_to_find_expected_dn() function.

    Resolves: https://fedorahosted.org/sssd/ticket/3230

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* TEST: create_multidom_test_ctx() extending | Petr Čech | 2017-02-08 | 5 files | -16/+7

    Function create_multidom_test_ctx() prepares test environment for
    multidomains. This patch enables setting of different params for each
    domain.

    Resolves: https://fedorahosted.org/sssd/ticket/3230

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Removing of sysdb_try_to_find_expected_dn() | Petr Čech | 2017-02-08 | 6 files | -450/+30

    Currently in order to match multiple LDAP search results we use two
    different functions - we have sysdb_try_to_find_expected_dn() but also
    sdap_object_in_domain().

    This patch removes sysdb_try_to_find_expected_dn() and adds a new
    sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
    This function covers the necessary logic.

    Resolves: https://fedorahosted.org/sssd/ticket/3230

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Better logging message | Petr Čech | 2017-02-08 | 1 file | -1/+2

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Add to IPA DN test | Justin Stephenson | 2017-02-07 | 1 file | -0/+7

    Add test to ensure conflict entries return ENOENT

    Resolves: https://fedorahosted.org/sssd/ticket/3288

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SUDO: Add skip_entry boolean to sudo conversions | Justin Stephenson | 2017-02-07 | 1 file | -14/+41

    Add boolean to convert_attributes function and pass boolean as argument
    to sudo conversion functions to add logic for skipping unexpected
    entries like replication conflicts.

    Resolves: https://fedorahosted.org/sssd/ticket/3288

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Partially revert "CONFIG: Use default config when none provided" | Lukas Slebodnik | 2017-02-07 | 3 files | -40/+4

    This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.

    Removed is the copying of the default configuration into
    /etc/sssd/sssd.conf. The sample configuration is still part of the
    installation.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSTEMD: Update journald drop-in file | Lukas Slebodnik | 2017-02-07 | 1 file | -1/+1

    We changed type forking into type notify as part of commit
    d4063e9a21a4e203bee7e0a0144fa8cabb14cc46. But we forgot to update
    template drop-in file for logging into journald.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IFP: Update ifp_iface_generated.c | Fabiano Fidêncio | 2017-02-07 | 1 file | -6/+1

    These changes are leftovers from commit 78b4b7e.

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* FAILOVER: Improve port status log messages | Justin Stephenson | 2017-02-06 | 1 file | -1/+7

    It should be more clear to administrators that when SSSD internal port
    status is set as PORT_NOT_WORKING, this does not directly relate to an
    assumed network port-related issue.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: Fix use after free | Lukas Slebodnik | 2017-02-01 | 1 file | -9/+17

    In case of any krb5 related error, we tried to send the string
    interpretation of the krb5 error to the parent in prepare_response.
    However, we cannot use the global krb5 context (krb5_error_ctx) because
    the context is released every time in the done section of
    ldap_child_get_tgt_sync.

    This patch rather returns a duplicated string to prevent use after free.

    Backtrace:

        #0  __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
        100     ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.

        Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
        #0  __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
        No locals.
        #1  0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm", code=-1765328230, err_fmt=<optimized out>) at kerrs.c:152
                buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10, space = 128, len = 0}
                p = <optimized out>
                s = 0xdededededededede <Address 0xdededededededede out of bounds>
        #2  krb5_get_error_message (ctx=<optimized out>, code=code@entry=-1765328230) at kerrs.c:184
                std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
        #3  0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>, ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
        No locals.
        #4  0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>, kerr=-1765328230, expire_time=0, ccname=0x0, mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
                ret = <optimized out>
                r = 0x7fc96d1cd8b0
                krb5_msg = 0x0

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: use sss_ptr_hash for signals table | Pavel Březina | 2017-02-01 | 3 files | -49/+18

    This patch reuses sss_ptr_hash module introduced in NSS patches in sbus
    code.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: use sss_ptr_hash for nodes table | Pavel Březina | 2017-02-01 | 3 files | -66/+16

    This patch reuses sss_ptr_hash module introduced in NSS patches in sbus
    code.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: use sss_ptr_hash for opath table | Pavel Březina | 2017-02-01 | 3 files | -75/+28

    This patch reuses sss_ptr_hash module introduced in NSS patches in sbus
    code.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: remove unused symbols | Pavel Březina | 2017-02-01 | 2 files | -11/+0

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sssctl: Fix warning may be used uninitialized | Lukas Slebodnik | 2017-02-01 | 1 file | -2/+2

    gcc 7 probably does some new optimisations which might cause few
    variables to be uninitialized.

        src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
        src/tools/sssctl/sssctl_cache.c:523:13: error: ‘dom’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
             ret = info[i].attr_fn(tmp_ctx, entry, dom, info[i].attr, &value);
             ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        src/tools/sssctl/sssctl_cache.c:472:15: error: ‘entry’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
             *_entry = talloc_steal(mem_ctx, entry);
                       ^~~~~~~~~~~~
        src/tools/sssctl/sssctl_cache.c:437:25: note: ‘entry’ was declared here
             struct sysdb_attrs *entry;
                                 ^~~~~

    Another workaround would be to remove static modifier from function
    sssctl_find_object which probably prevents some inlining + optimisation.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TOOLS: Fix warning format-truncation | Lukas Slebodnik | 2017-02-01 | 1 file | -2/+2

        src/tools/sss_groupshow.c: In function ‘print_group_info’:
        src/tools/sss_groupshow.c:612:22: error: ‘%d’ directive output truncated writing between 10 and 11 bytes into a region of size 7 [-Werror=format-truncation=]
             snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
                              ^~~~~~~
        src/tools/sss_groupshow.c:612:22: note: using the range [-2147483648, 2147483647] for directive argument
        src/tools/sss_groupshow.c:612:5: note: ‘snprintf’ output between 13 and 14 bytes into a destination of size 8
             snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* pam_sss: Suppress warning format-truncation | Lukas Slebodnik | 2017-02-01 | 1 file | -2/+2

        src/sss_client/pam_sss.c: In function ‘send_and_receive’:
        src/sss_client/pam_sss.c:742:39: error: ‘%.*s’ directive output between 0 and 18446744073709551615 bytes may cause result to exceed ‘INT_MAX’ [-Werror=format-truncation=]
             ret = snprintf(user_msg, bufsize, "%s%s%.*s",
                                               ^~~~~~~~~~
        sssd/src/sss_client/pam_sss.c:742:39: note: assuming directive output of 4294967295 bytes

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Suppress implicit-fallthrough from gcc 7 | Lukas Slebodnik | 2017-02-01 | 10 files | -0/+38

    Some kind of comments are recognized by gcc7 but they are ignored with
    -Wimplicit-fallthrough=5 and only attributes disable the warning.

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* BUILD: Fix linking of test_wbc_calls | Lukas Slebodnik | 2017-01-26 | 1 file | -0/+1

    Client code no longer depends on libpthread in master. This is a reason
    why we didn't notice any linking failure in master. But the test should
    be linked with CLIENT_LIBS.

          CCLD     test_wbc_calls
        /usr/bin/ld: src/sss_client/test_wbc_calls-common.o: undefined reference to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12'
        //lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing from command line
        collect2: error: ld returned 1 exit status
        Makefile:12460: recipe for target 'test_wbc_calls' failed

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Updating the version to track the 1.15.1 release | Jakub Hrozek | 2017-01-25 | 1 file | -1/+1
* Updating the version for the 1.15.0 release | Jakub Hrozek | 2017-01-25 | 1 file | -1/+1
* Updating the translations for the 1.15.0 release | Jakub Hrozek | 2017-01-25 | 40 files | -22907/+29971