| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1669
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1674
|
| |
|
|
|
|
|
| |
In some case we allocate and assign data to a const pointer.
When we then try to free it we would get a const warning because talloc_free
accepts a void, not a const void pointer. Use discard_const to avoid the
warning, it is safe in this case.
|
| |
|
|
|
| |
This macro is already available in util/util.h which is expicitly included
in this file.
|
| |
|
|
|
|
|
|
|
| |
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774.
This commit doesn't really make sense, we are never accessing freed
memory as all we are dealing with is a pointer which is never itsef
part of the memory we are freeing (if it were, it would be an error
in the caller and we shouldn't mask it in this macro).
|
| |
|
|
|
|
|
|
| |
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1673
|
| |
|
|
|
|
|
| |
The logic that checks if sssd_nss is running and then
sends SIGHUP to monitor or removes the caches was moved
to a function sss_memcache_clear_all() and made public in
tools_util.h.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a nested group with ghost users is added, its ghost attribute should
propagate within the nested group structure much like the memberuid
attribute. Unlike the memberuid attribute, the ghost attribute is only
semi-managed by the memberof plugin and added manually to the original
entry.
This bug caused LDB errors saying that attribute or value already exists
when a group with a ghost user was added to the hierarchy as groups were
updated with an attribute they already had.
|
| |
|
|
|
|
|
| |
If global variable debug_level has value SSSDBG_UNRESOLVED, we should
print at least fatal and critical errors.
https://fedorahosted.org/sssd/ticket/1345
|
| |
|
|
|
| |
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
|
| |
|
|
|
|
|
| |
fixes https://fedorahosted.org/sssd/ticket/1628
When user's alias is same as it's name, don't use it for searching in
sysdb, and for deleting.
|
| |
|
|
| |
initialized variable, was causing build warning
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1661
|
| | |
|
| |
|
|
|
| |
We need to allocate num_services+2 - one extra space for the new service
and one for NULL.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
| |
|
|
|
|
|
| |
attribute
Using the convenience function instead of low-level ldb calls makes the
code more compact and more readable.
|
| |
|
|
|
|
| |
This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
| |
|
|
|
| |
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
| |
|
|
|
|
|
|
|
| |
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
| |
|
|
|
| |
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
| |
|
|
| |
The option was completely undocumented.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In case a service is restarted while the DP is not ready yet, it gets
restarted again immediatelly, which means the DP might still not be
ready. The allowed number of restarts is then depleted quickly.
This patch changes the restart mechanism such that the first restart
happens immediatelly, the second is scheduled after 2 second, then 4
etc..
https://fedorahosted.org/sssd/ticket/1528
|
| |
|
|
|
|
|
| |
In subdomains we have to use fully qualified usernames.
Unfortunately we have no other good option than simply removing
caches for users of subdomains.
This is because the memberof plugin does not support the rename operation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
| |
|
|
|
|
| |
Add functions to automate setting versions numbers in the db, also
decrease chances of error in copying and pasting code, by setting
the version number only once when we commence the upgrade.
|
| | |
|
| |
|
|
|
| |
The element being reallocated is part of the "group_attrs" array, not
attrs.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length
array for group members while processing an empty group. The allocation
would return NULL and saving the empty group would fail.
|
| |
|
|
|
|
| |
Allocating temporary context on NULL helps vind memory leaks with
valgrind and avoid growing memory over time by allocating on a
long-lived context.
|
| |
|
|
|
|
|
| |
We should at least print an error message and error out if waitpid()
fails.
https://fedorahosted.org/sssd/ticket/1651
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1589
Added check for determining, whether database version is higher or
lower than expected. To distinguish it from other errors it uses
following retun values (further used for appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected
When SSSD or one of it's tools fails on DB version mismatch, new error
message is showed suggesting how to proceed.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1650
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The connections request was terminated before setting the expiry timeout
in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
|
| |
|
|
|
|
|
| |
AM_COND_IF is a very handy construct that is not present on old automake
systems such as the one in RHEL5.
The original author of the code is Ralf Corsepius <rc040203 -at- freenet.de>
|
| | |
|
| |
|
|
|
| |
I noticed that the proxy in auth_provider section of sssd.conf manpage
isn't quoted when all others are.
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1640
Normal rules requires that sudoHost attribute is present. But this
attribute is not mandatory for a special rule named cn=defaults.
This patch modifies filter so that we store even rules that doesn't
have sudoHost attribute specified. SUDO will then decide whether it
is allowed or not.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1376
|
| |
|
|
| |
Eliminates a compiler warning
|
