Commit message | Author | Age | Files | Lines
* PAM: allow multiple users mapped to a certificate [one_certificate_multiple_users] | Sumit Bose | 2017-02-23 | 3 | -59/+80
* ifp: add ListByCertificate | Sumit Bose | 2017-02-23 | 6 | -0/+183
* cache_req: allow multiple matches for searches by certificate | Sumit Bose | 2017-02-23 | 1 | -2/+2
* sysdb: allow multiple results for searches by certificate | Sumit Bose | 2017-02-23 | 2 | -7/+11
* TESTS: Remove unused import | Jakub Hrozek | 2017-02-23 | 1 | -1/+0
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* KRB5: allow pkinit pre-authentication | Sumit Bose | 2017-02-23 | 4 | -13/+303
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam: enhance Smartcard authentication token | Sumit Bose | 2017-02-23 | 4 | -15/+45
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: return name of PKCS#11 module and key id to pam_sss | Sumit Bose | 2017-02-23 | 7 | -18/+221
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: forward Smartcard credentials to backends | Sumit Bose | 2017-02-23 | 3 | -24/+97
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* authtok: enhance support for Smartcard auth blobs | Sumit Bose | 2017-02-23 | 5 | -15/+625
  The blobs contain, besides the PIN, the name of the PKCS#11 module and the token name where the certificate of the user was found, and the key id. Those data will be used e.g. by the pkinit module to make sure the right certificate is used.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/proxy: tell frontend that Smartcard auth is not supported | Sumit Bose | 2017-02-23 | 2 | -1/+18
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: new error codes | Sumit Bose | 2017-02-23 | 2 | -0/+4
  ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE can be used by backends to indicate that no authentication method was found.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: use sentinel error code in PAM tests | Sumit Bose | 2017-02-23 | 1 | -1/+3
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: fix memory leak in pam_sss | Sumit Bose | 2017-02-23 | 1 | -0/+6
  Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overriding the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: store user object in the preq context | Sumit Bose | 2017-02-23 | 2 | -6/+7
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* FILES: Remove unnecessary check | Lukas Slebodnik | 2017-02-22 | 1 | -1/+1
  "grp_iter->gr_mem" is an array of strings and not just a string. We tried to compare the first string to NULL (actually '\0'), but after that we iterated over the array to find the count of members and we check for NULL one more time.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* MONITOR: Don't return an error in case we fail to register a service | Fabiano Fidêncio | 2017-02-22 | 1 | -5/+1
  This behaviour was mistakenly changed by the {dbus,socket}-activation series and, as it is now, I've noticed the monitor may end up in some weird state due to this change, where it doesn't stop properly and leaves some defunct child processes. Let's change it back to what it was before and avoid possible regressions (even if no regressions were hit yet).
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* pam_sss: check conversation callback | Sumit Bose | 2017-02-22 | 1 | -0/+8
  With this patch pam_sss checks if a conversation callback is available before using it.
  Resolves https://fedorahosted.org/sssd/ticket/3296
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* FILES: Fix reallocation logic | Jakub Hrozek | 2017-02-22 | 2 | -3/+72
  There were two bugs in the files provider reallocation logic:
  1) the reallocated array was not NULL-terminated properly
  2) talloc_get_size was used in place of talloc_array_length
  This bug could have resulted in a crash when the passwd or groups file contained more than FILES_REALLOC_CHUNK entries.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* check_duplicate: check name member before using it | Sumit Bose | 2017-02-22 | 2 | -1/+33
  Resolves https://fedorahosted.org/sssd/ticket/3231
  Reviewed-by: Petr Cech <pcech@redhat.com>
* sdap_extend_map: make sure memory can be freed | Sumit Bose | 2017-02-22 | 2 | -2/+23
  If there is an error after calling talloc_realloc() the caller cannot free the memory properly because neither src_map nor _map were pointing to a valid memory location. With this patch _map will always point to the current valid location so that it can always be used with talloc_free().
  Reviewed-by: Petr Cech <pcech@redhat.com>
* DYNDNS: Correct debug log message of realm | Justin Stephenson | 2017-02-22 | 1 | -1/+5
  If the realm is not added to the nsupdate message, the SSSD debug log message should inform about utilizing the autodiscovered realm.
  Resolves: https://fedorahosted.org/sssd/ticket/3220
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* DYNDNS: Update PTR record after non-fatal error | Justin Stephenson | 2017-02-22 | 1 | -3/+0
  Continue to send the PTR record update in situations where the nsupdate child forward zone updates are successful but nsupdate returns non-zero.
  Resolves: https://fedorahosted.org/sssd/ticket/3227
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* intg: Fix python3 issues | Lukas Slebodnik | 2017-02-17 | 3 | -8/+12
  NamedTemporaryFile uses the default mode 'w+b' and we tried to write strings. It is not a problem on python2 but failed on python3.
  The Python module ctypes directly uses C functions from libraries. C functions usually expect/return "char *" when a string is expected. But python3 uses unicode for strings. Decoding returned bytes ("char *") to unicode strings simplifies tests in python3. Otherwise we would need to convert bytes to string in each assertion.
  Reviewed-by: Martin Basti <mbasti@redhat.com>
* IPA_SUDO: Unused value fix | Petr Čech | 2017-02-16 | 1 | -1/+0
  Unused value was immediately overwritten.
  Resolves: https://fedorahosted.org/sssd/ticket/3309
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SBUS: Document how to free the result of sbus_create_message | Jakub Hrozek | 2017-02-15 | 1 | -0/+7
  It might not be apparent how to free the message constructed by sbus_create_message(). This patch just adds a comment that tells the developer to either free the parent context or unref the message with a dbus call directly.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* EXAMPLES: Do not point to id_provider=local | Jakub Hrozek | 2017-02-15 | 1 | -3/+1
  It makes more sense to show id_provider=files.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Add documentation for the files provider | Jakub Hrozek | 2017-02-15 | 4 | -0/+94
  The new provider needs a man page.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Use the common inotify code to watch resolv.conf | Jakub Hrozek | 2017-02-15 | 3 | -366/+109
  The monitor code used its own inotify callbacks to watch for changes to resolv.conf. Instead of keeping this duplicated code around, let's use the shared inotify module that also powers the files provider.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MONITOR: Remove checks for sssd.conf changes | Jakub Hrozek | 2017-02-15 | 1 | -13/+0
  This feature was if-ed out for many years and since it's quite unlikely we will re-enable the feature in the foreseeable future, let's just remove this code.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Add files provider integration tests | Jakub Hrozek | 2017-02-15 | 4 | -0/+937
  Implements integration tests for the files provider. In order to change entries in the nss-wrapped passwd and group files, this commit also implements a helper module that creates a new passwd and group file and moves it in place of the nss-wrapped files. We move the files instead of modifying them in-place in order to trigger similar inotify notifications as shadow-utils would.
  The unit test uses sleep in several places. This is suboptimal, but during testing, especially on slow machines, it became apparent that sometimes the inotify message arrives later than the test would check for the changed entries. Therefore, the check would query the NSS responder even before the sss-files domain was invalidated.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add a module to call nss_sss's getgr* from tests | Jakub Hrozek | 2017-02-15 | 2 | -0/+89
  Implements a python module that allows loading the nss_sss module and calling functions that act like getgr*.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add a module to call nss_sss's getpw* from tests | Jakub Hrozek | 2017-02-15 | 2 | -0/+168
  Implements a python module that allows loading the nss_sss module and simulating calls to the getpw* functions from tests.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: add a helper module with shared NSS constants | Jakub Hrozek | 2017-02-15 | 4 | -33/+53
  Every module that reads the sssd_nss module directly copied around the same definition of NSS constants. This commit moves them into a single file to avoid code duplication.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: move helper fixtures to back up and restore a file to a utility module | Jakub Hrozek | 2017-02-15 | 3 | -14/+15
  The fixtures will be useful for tests that set up and restore a user and group database. While it would be possible to import them already, the functions were previously used in a test and importing from a test seems a bit like a hack.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Document the pwfield configuration option | Jakub Hrozek | 2017-02-15 | 1 | -0/+17
  The pwfield was not documented at all previously. In addition, document the different defaults for the remote providers and the files provider.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: The files domain defaults to "x" as pwfield | Jakub Hrozek | 2017-02-15 | 1 | -0/+7
  In order to make it possible for files provider users to authenticate with pam_unix, default to "x" as the pwfield of users from the files domain.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Make pwfield configurable per-domain | Jakub Hrozek | 2017-02-15 | 6 | -6/+33
  Previously, the pwfield option was only configurable at the NSS level. Because it's important for the files provider to report "x" as the pwfield instead of "*", which is the SSSD default, this commit makes the pwfield configurable at the domain level.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: The files provider always enumerates | Pavel Březina | 2017-02-15 | 1 | -1/+5
  Since the files provider always mirrors the whole passwd and group contents, the files domain should always permit its contents to be enumerated.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* FILES: Add the files provider | Jakub Hrozek | 2017-02-15 | 7 | -1/+1179
  Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates their contents to the sysdb. The files provider is only built on platforms that support the inotify interface; polling or loading the entries on-demand is not supported.
  During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files.
  The files provider is a bit different from other provider types in the sense that it always enumerates the full contents of the database. Therefore, the requests from the Data Provider are always just replied to with success.
  Enumerating the contents is done in full at the moment: all users and all groups are removed and added anew. Modifying the passwd and group databases should be rare enough for this to be justified and we can optimize the code later.
  Since with large databases the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup.
  Resolves: https://fedorahosted.org/sssd/ticket/3262
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Re-enable the files provider | Jakub Hrozek | 2017-02-15 | 1 | -7/+0
  The files provider was "blacklisted" for a long time, because very old (pre-1.0) versions of sssd had the capability to create users and groups by calling into the shadow-utils binaries directly, which was later removed. Since nobody is (hopefully) running these ancient versions anymore and we are about to re-enable the files provider, we can remove this check.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Add a generic inotify module | Jakub Hrozek | 2017-02-15 | 5 | -0/+1227
  Adds a reusable module for watching files using the Linux-specific inotify(7) interface. Adds the possibility to watch the file's parent directory as well, to make it possible to watch moves into the directory and to allow watching a file that doesn't exist at the time the watch is created.
  This interface is needed to implement the files provider, so this commit is related to: https://fedorahosted.org/sssd/ticket/2228
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Contact inconsistent domains | Jakub Hrozek | 2017-02-15 | 2 | -3/+76
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER | Jakub Hrozek | 2017-02-15 | 1 | -2/+7
  It makes no sense to contact the Data Provider with the files provider except when the files provider is updating itself.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Use the NEED_CHECK_DOMAIN macro | Jakub Hrozek | 2017-02-15 | 1 | -1/+11
  This is to avoid a needless round-trip between the responder and the back end for domains that do not have a traditional back end, such as local or files.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal interface to invalidate memory cache from DP | Jakub Hrozek | 2017-02-15 | 2 | -0/+39
  Adds an interface to the Data Provider that allows the DP to notify the NSS responder to invalidate its memory cache records.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal interface to reset negative cache from DP | Jakub Hrozek | 2017-02-15 | 2 | -1/+69
  Adds an interface that allows the Data Provider to notify responders to drop their negative cache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add internal DP interface to set domain state | Jakub Hrozek | 2017-02-15 | 3 | -0/+99
  Adds functions to the interface the Data Provider publishes towards back ends that allow the back ends to notify responders that a domain has been enabled or disabled.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: A sbus interface to reset negatively cached users and groups | Jakub Hrozek | 2017-02-15 | 8 | -0/+123
  Adds two new responder sbus interface functions: ResetNegcacheUsers and ResetNegcacheGroups. These functions can be called by a Data Provider to signal to a responder that it should drop its negative cache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Add a responder sbus interface to set domain state | Jakub Hrozek | 2017-02-15 | 10 | -2/+362
  Adds a generic responder s-bus interface that all responders implement. The interface currently contains methods that make it possible for a sssd domain to be marked as active or inconsistent by a back end. In the future, this commit will be superseded by sbus signals.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>