Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Fixes:
https://fedorahosted.org/sssd/ticket/3076
We segfaulted in this area once. This patch
makes the code more defensive and adds
some DEBUG messages.
Normally the structures are filled in online
and/or resolve callbacks.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Allow option "timeout" for all services.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
be_ctx had talloc_zero() initialized uid and gid which was used
in function dp_init(). Therefore back-end was every time started as root
and therefore non-root responders could not communicate with back-end
due to wrong permission of unix sockets.
This patch sets right uid and gid to data-providers if sssd runs
as non-root user.
Resolves:
https://fedorahosted.org/sssd/ticket/3077
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
src/tests/sysdb-tests.c: In function 'test_sysdb_memberof_close_loop':
src/tests/sysdb-tests.c:2740:5: warning: passing argument
1 of '_ck_assert_msg' makes integer from pointer without a cast
[enabled by default]
fail_unless(data->attrlist[0], "talloc_array failed.");
^
In file included from src/tests/sysdb-tests.c:23:0:
/usr/include/check.h:237:16: note: expected 'int' but argument
is of type 'const char *'
void CK_EXPORT _ck_assert_msg (int result, const char *file,
^
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Fixes:
https://fedorahosted.org/sssd/ticket/3068
Option user_attributes is also available in
NSS responder, but not in PAC responder.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
VAR_CHECK is called with (var, EOK, ...)
EOK would be returned in case of "var != EOK"
and output argument _attrs would not be initialized.
Therefore there could be dereference of null pointer
after calling function usermod_build_attrs.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The argument ttl was recently removed from negative cache functions
(sss_ncache_check_user, sss_ncache_check_uid, sss_ncache_check_sid,
sss_ncache_check_cert) but it was not removed from wrapped versions
in nss-srv-tests. It caused a crash on a big-endian machine
and when configured with --coverage.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Currently a new override for a non-default view cannot be displayed at
run-time. It even does not only require a restart but the view must be
un-applied and applied again to make the changes visible.
This patch fixes this and makes non-default view behave like the default
view where the data from a newly added override are displayed after the
cached entry of the related object is expired.
Resolves https://fedorahosted.org/sssd/ticket/3092
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It looks like some special gcc optimisation and special case
may cause the output argument _dom to be uninitialized when the return
code is EOK
src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
src/tools/sssctl/sssctl_cache.c:491:8: error: ‘dom’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
if (dom == NULL) {
^
src/tools/sssctl/sssctl_cache.c:447:15: error: ‘entry’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
*_entry = talloc_steal(mem_ctx, entry);
^~~~~~~~~~~~
src/tools/sssctl/sssctl_cache.c:412:25: note: ‘entry’ was declared here
struct sysdb_attrs *entry;
^~~~~
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
src/lib/ipa_hbac/ipa_hbac.h:68: warning: expected whitespace after [ command
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Warning: tag INPUT: input source `src/providers/ipa/ipa_hbac.h' does not exist
warning: source src/providers/ipa/ipa_hbac.h is not
a readable file or directory... skipping.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
src/tools/sssctl/sssctl_config.c: In function 'sssctl_config_check':
src/tools/sssctl/sssctl_config.c:93:14: warning: format '%lu' expects
argument of type 'long unsigned int', but argument 2 has type
'size_t {aka unsigned int}' [-Wformat=]
printf(_("Issues identified by validators: %lu\n"), num_errors);
^
src/tools/sssctl/sssctl_config.c:93:12: note: in expansion of macro '_'
printf(_("Issues identified by validators: %lu\n"), num_errors);
^
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Resolves: https://fedorahosted.org/sssd/ticket/3009
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Improve output when access check error
is detected by sssctl config-check command.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Functions sysdb_user_base_dn() and sysdb_group_base_dn() expect
that struct sss_domain_info contains pointer to struct sysdb_ctx.
This is not true in case of sysdb_upgrade functions.
This patch fixes the situation and reverts the code to the state before
12a000c8c7c07259e438fb1e992134bdd07d9a30 commit.
Resolves:
https://fedorahosted.org/sssd/ticket/3023
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/3055
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
In the ssh keys a leading 0 is added to the bignums of the RSA modulus
and exponent if the leading bit is set to avoid the interpretation as a
negative number.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Currently cert_verify_opts is only initialized when there is an option
in the config file. This might cause issues later when the struct is
accessed. Since parse_cert_verify_opts() can already handle an empty
option the additional check is not needed at all.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The DP refactoring changed the way we handle strings from sbus. We no
longer receive NULL strings, but empty strings instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Related to:
https://fedorahosted.org/sssd/ticket/2247
Explain configuration merging in sssd.conf
man page.
Signed-off-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Fixes:
https://fedorahosted.org/sssd/ticket/2269
sssctl config-check command allows to
call SSSD config file validators on
demand.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Separate logic to fill errobj so that
the errors can be printed by the caller.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potential packet buffer overflows with certain body sizes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.
Resolves https://fedorahosted.org/sssd/ticket/2988
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.
Reviewed-by: Sumit Bose <sbose@redhat.com>
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with content of sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is
   expected we don't have information about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Allows to upgrade the cache using the sssctl tool, which might be useful
e.g. in RPM %post scripts.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Since we want to use the sssctl tool during upgrade, we need to amend
the tools initialization code to not error out if sysdb can't be
instantiated, but rather return errno and let the tool handle the error.
Each tool command now has an 'allowed errno' the command is able to
handle. In this patch iteration, only a single errno can be handled and
only the upgrade command is able to do so.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
and override objects
Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
The next sysdb upgrade will be changing memberUid and memberOf
attributes as well. To avoid changing the memberof module just because
of an upgrade, add an environment variable that disables the memberof
plugin altogether when set.
The variable will be set at the beginning of the upgrade and unset
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
When the cache is upgraded, we want to avoid upgrading the timestamps
cache, because it was only introduced recently in Beta, so it doesn't
make sense to write complex code to change the format.
This patch rather removes the cache during upgrade, it will be recreated
with later lookups anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
This patch fixes several issues introduced during the recent sysdb
upgrade:
1) The upgrade code often accesses sysdb->ldb, but at this point,
the ldb pointer might not be initialized yet. As a kind of an ugly,
yet functional workaround, we pass in the ldb pointer that we
received from the caller as part of the sysdb structure.
2) the version that sysdb_domain_cache_upgrade() returns is not a
talloc pointer, so the upgrade was crashing when we tried to steal
it.
3) the ldb pointer sysdb_cache_connect() returns was kept allocated
on the tmp_ctx. We need to steal it instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>