path: root/src

Commit log (each entry: message, author, date, files changed, lines -removed/+added)
* GPO: Add "unity" to ad_gpo_map_interactive (Stephen Gallagher, 2016-05-06, 2 files, -1/+7)

  Ubuntu systems use "unity" as their screen-locker. Without this in the defaults, people often get locked out of their machines when the screen locks.

  Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TEST: Removing duplication of mock_rctx (Petr Cech, 2016-05-05, 1 file, -28/+0)

  There was duplication of mock_rctx().

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AUTOFS: Removing of redundant debug message (Petr Cech, 2016-04-28, 1 file, -7/+1)

  Debug message has been doubled. At a low level, we have a very accurate debug message with description of the situation (in confdb_get_int()). At a higher level we inform about the fatal crash, if it happened.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Drop the reference to IPAv2 in the man page (Jakub Hrozek, 2016-04-28, 1 file, -1/+1)

  As suggested by Rob in https://fedorahosted.org/sssd/ticket/1907#comment:2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Print port in sdap_print_server (Lukas Slebodnik, 2016-04-27, 1 file, -3/+16)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: terminate properly if view name lookup fails (Sumit Bose, 2016-04-22, 1 file, -7/+1)

  Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name lookup is the last step in the subdomain lookup request. In case of an error the request should be finished and no previous step should be called again.

  Resolves https://fedorahosted.org/sssd/ticket/2993

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Use different uid range for add_remove tests (Lukas Slebodnik, 2016-04-22, 1 file, -2/+2)

  Most Linux distributions create local users from UID 1000. We used a similar UID space in sssd but it might cause issues in add/remove tests because sssd in the cwrap environment runs in the same PID space. If sssd tries to remove a user with uid 1001 it will fail because the local user with the same UID is active and sssd does not remove active users.

  Reviewed-by: Petr Cech <pcech@redhat.com>
* build: move ndr_krb5pac check to the other Samba checks (Sumit Bose, 2016-04-21, 2 files, -9/+17)

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TOOL: Invalidation of sudo rules at sss_cache (Petr Cech, 2016-04-20, 2 files, -3/+86)

  This patch adds new functionality to sss_cache for invalidation of a given sudo rule or all sudo rules.

  Resolves: https://fedorahosted.org/sssd/ticket/2081

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SSS_CACHE: Refactor (Petr Cech, 2016-04-20, 1 file, -47/+106)

  Refactor of sss_cache tool.

  Resolves: https://fedorahosted.org/sssd/ticket/2081

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Test of sysdb_search_sudo_rules (Petr Cech, 2016-04-20, 1 file, -0/+770)

  These are test functions of sysdb_sudo_rules.

  Resolves: https://fedorahosted.org/sssd/ticket/2081

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Add new functions into sysdb_sudo (Petr Cech, 2016-04-20, 2 files, -0/+111)

  This patch adds two new functions into the public API of sysdb_sudo:

  * sysdb_search_sudo_rules
  * sysdb_set_sudo_rule_attr

  Resolves: https://fedorahosted.org/sssd/ticket/2081

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Removing of condition for ttl = -1 (Petr Cech, 2016-04-20, 2 files, -52/+0)

  If ttl = -1 then function sss_ncache_check_str() returns EEXIST without checking negcache. This behaviour is out of logic. We use ttl = 0 for permanent caching.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NEGCACHE: Fixing typo in test_sss_ncache_gid() (Petr Cech, 2016-04-20, 1 file, -2/+2)

  There were sss_ncache_*_uid() functions instead of sss_ncache_*_gid() functions.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: convert get_sudorules to tevent (Pavel Březina, 2016-04-19, 3 files, -410/+443)

  There was a lot of confusion with different error codes and where to call sudosrv_cmd_done to finish the client request. Converting it whole to tevent makes it much simpler to read and follow the request logic.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: do not use tevent when parsing query (Pavel Březina, 2016-04-19, 4 files, -118/+45)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: use cache_req for initgroups (Pavel Březina, 2016-04-19, 4 files, -401/+47)

  This is just a blind code change; the next patch will improve it so that, for example, we don't do initgroups during the query-parsing phase.

  Resolves: https://fedorahosted.org/sssd/ticket/1126

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: remove unused structure sudo_dp_request (Pavel Březina, 2016-04-19, 1 file, -5/+0)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_auth_store_creds: silence spurious debug message (Sumit Bose, 2016-04-19, 1 file, -1/+5)

  During a pre-authentication request there are always messages like:

  ... [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
  ... [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

  This patch removes them.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA_SUDO: Prevent dereference of NULL pointer (Lukas Slebodnik, 2016-04-18, 1 file, -0/+5)

  Error: NULL_RETURNS (CWE-476): [#def31]
  sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964: returned_null: "ipa_sudo_conv_lookup" returns null.
  sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:149:9: return_null: Explicitly returning null.
  sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964: var_assigned: Assigning: "cmdgroup" = null return value from "ipa_sudo_conv_lookup".
  sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:966: dereference: Dereferencing a null pointer "cmdgroup".
  # 964|     cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
  # 965|
  # 966|->   ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
  # 967|                            false, discard_const(&values));
  # 968|     if (ret != EOK) {

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB_SUDO: Remove useless test (Lukas Slebodnik, 2016-04-18, 1 file, -1/+1)

  The function sysdb_search_custom cannot return EOK and together set the output argument count to zero. This case is already handled in the function sysdb_search_entry which is used inside sysdb_search_custom. Such a useless test can just cause a read of an uninitialized variable in case of other errors returned from sysdb_search_custom.

  Error: UNINIT (CWE-457): [#def1]
  sssd-1.13.4/src/db/sysdb_sudo.c:678: var_decl: Declaring variable "count" without initializer.
  sssd-1.13.4/src/db/sysdb_sudo.c:698: uninit_use: Using uninitialized value "count".
  # 696|                               SUDORULE_SUBDIR, attrs,
  # 697|                               &count, &msgs);
  # 698|->   if (ret == ENOENT || count == 0) {
  # 699|         DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
  # 700|         ret = EOK;

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* test_ad_common: Include missing header if building with NSS (Lukas Slebodnik, 2016-04-13, 1 file, -0/+3)

  There was a compile time warning if building with NSS crypto libraries.

  src/tests/cmocka/test_ad_common.c: In function ‘main’:
  src/tests/cmocka/test_ad_common.c:873:5: error: implicit declaration of function ‘nspr_nss_cleanu’ [-Werror=implicit-function-declaration]
       nspr_nss_cleanup();
       ^~~~~~~~~~~~~~~~

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* tests: Check NULL context in sysdb-tests when removing group members (Jakub Hrozek, 2016-04-13, 1 file, -0/+25)

  This is done to make sure the memberof module does not leak memory.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* memberof: Don't allocate on NULL when deleting memberUids (Jakub Hrozek, 2016-04-13, 1 file, -1/+2)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* memberof: Fix a memory leak when removing ghost users (Jakub Hrozek, 2016-04-13, 1 file, -1/+2)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* test_be_ptask: Check leaks in tests (Lukas Slebodnik, 2016-04-13, 1 file, -0/+2)

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* dp_ptask: Fix memory leak in synchronous ptask (Lukas Slebodnik, 2016-04-13, 1 file, -0/+2)

  The structure be_ptask_sync_ctx was not released anywhere when be_ptask_create_sync was used.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* intg: local override for user with mixed case name (Sumit Bose, 2016-04-13, 1 file, -1/+65)

  Tests for users with fully-qualified and mixed-case names are added.

  Resolves: https://fedorahosted.org/sssd/ticket/2989

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_override: only add domain if name is not fully qualified (Sumit Bose, 2016-04-13, 1 file, -1/+27)

  Resolves: https://fedorahosted.org/sssd/ticket/2989

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* tools: read additional data of the master domain (Sumit Bose, 2016-04-13, 1 file, -0/+8)

  Resolves: https://fedorahosted.org/sssd/ticket/2989

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_override: do not generate DN, search object (Sumit Bose, 2016-04-13, 1 file, -7/+27)

  DNs of existing objects cannot be generated reliably because the use of fully qualified names and upper and lower cases in names has to be considered. The most reliable way to get the DN is to search for the object and take the DN from the result.

  Resolves: https://fedorahosted.org/sssd/ticket/2989

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAC: only save PAC blob into the cache (Sumit Bose, 2016-04-13, 9 files, -1428/+105)

  Resolves https://fedorahosted.org/sssd/ticket/2158

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: resolve PAC for trusted users on IPA clients (Sumit Bose, 2016-04-13, 3 files, -1/+225)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: ipa_s2n_get_list_send() allow other list types (Sumit Bose, 2016-04-13, 1 file, -20/+72)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list* (Sumit Bose, 2016-04-13, 1 file, -49/+49)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: process PAC during initgroups request (Sumit Bose, 2016-04-13, 5 files, -9/+1223)

  If there is a recently attached PAC blob in the cached user entry the PAC data is used to update the group membership data of the user. If there is no PAC attached or if it is too old the other configured methods will be used.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* util: make concatenate_string_array() reusable (Sumit Bose, 2016-04-13, 6 files, -25/+76)

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done() (Sumit Bose, 2016-04-13, 2 files, -27/+57)

  The group-processing is moved out to make it reusable.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: make some AD specific calls public (Sumit Bose, 2016-04-13, 2 files, -14/+66)

  Make sdap_ad_tokengroups_get_posix_members() and sdap_ad_resolve_sids_send() reusable.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Check RDN in ipa_add_ad_memberships_get_next (Lukas Slebodnik, 2016-04-12, 1 file, -1/+7)

  The LDB functions ldb_dn_get_component_val and ldb_dn_get_rdn_val validate the dn before returning the component value. It should be a valid DN according to RFC4514. IPA/389ds might return a problematic DN due to replication conflicts, e.g.

  "cn=System: Read Service Delegations+nsuniqueid=b0736336-d06e11e5-8e8acabe-ce8d458d,cn=permissions,dc=example,dc=com"

  It's better to check the return value of these LDB functions rather than crash because of a dereference of a NULL pointer.

  Resolves: https://fedorahosted.org/sssd/ticket/2980

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Process GPOS in offline mode if ldap search failed (Lukas Slebodnik, 2016-04-12, 1 file, -0/+20)

  Initgroup requests use the global catalog for LDAP queries. Only the port for the global catalog is marked as offline if a request fails due to problems with the connection. However, the GPO code uses the standard LDAP port for retrieving target DNs and other information.

  Previously, GPOs were processed in offline mode only if there were issues with the connection to the AD server. But the connection can be cached and the ldap search can still fail.

  Resolves: https://fedorahosted.org/sssd/ticket/2964

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: global_talloc_context push/pop remove (Petr Cech, 2016-04-12, 5 files, -12/+0)

  Push/pop of global_talloc_context into check_leaks is redundant. It is done in the leak_check_setup() and leak_check_teardown() functions in src/tests/check_leaks.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* GPO_CHILD: Create directories in gpo_cache with right permissions (Lukas Slebodnik, 2016-04-07, 1 file, -1/+1)

  The parent directory has to have the execute bit if we want to create subdirectories or read files there.

  sh-4.3$ mkdir dir
  sh-4.3$ echo "test" > dir/test_file
  sh-4.3$ chmod 644 dir/
  sh-4.3$ ls dir/
  test_file
  sh-4.3$ cat dir/test_file
  cat: dir/test_file: Permission denied

  It was not a problem for sssd in root mode because root has by default the capabilities DAC_OVERRIDE and DAC_READ_SEARCH which bypass file read, write, and execute permission checks and directory read and execute permission checks.

  Resolves: https://fedorahosted.org/sssd/ticket/2962

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Soften umask in gpo_child (Lukas Slebodnik, 2016-04-07, 1 file, -4/+12)

  The default umask(0177) inherited from sssd_be is too strict for gpo_child in non-root mode. mkdir creates directories with only "rw" permission for the owner.

  The man 1 chmod says: "execute (or search for directories) (x)"

  In other words, the execute bit is required for directories.

  sh-4.3$ mkdir dir
  sh-4.3$ chmod 600 dir/
  sh-4.3$ mkdir dir/subdir
  mkdir: cannot create directory ‘dir/subdir’: Permission denied

  Resolves: https://fedorahosted.org/sssd/ticket/2962

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Recognize Windows Server 2016 (Jakub Hrozek, 2016-04-07, 2 files, -3/+6)

  Even though at this time the MSDN documentation at https://msdn.microsoft.com/en-us/library/cc223272.aspx still claims that "7" is a value of DS_BEHAVIOR_WINTHRESHOLD, testing with Windows Server 2016 Preview already shows that server reporting a new value of Domain Controller Functionality.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* test_ipa_subdom_server: Workaround for slow krb5 + SELinux (Lukas Slebodnik, 2016-04-07, 1 file, -0/+20)

  There is an overhead caused by SELinux after fixing a memory leak in krb5 (https://bugzilla.redhat.com/show_bug.cgi?id=1311287). The overhead is mainly visible with valgrind and moreover it causes failures due to timeouts.

  sh$ time libtool --mode=execute ./test_ipa_subdom_server

  enabled/permissive SELinux
  real 0m7.976s
  user 0m6.680s
  sys 0m0.189s

  disabled SELinux
  real 0m2.111s
  user 0m0.071s
  sys 0m0.043s

  valgrind + enabled/permissive SELinux
  real 2m7.310s
  user 2m17.080s
  sys 0m0.786s

  valgrind + disabled SELinux
  real 0m5.510s
  user 0m3.396s
  sys 0m0.309s

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Netlink: Ignore RTM_NEWADDR signals from link-local (Stephen Gallagher, 2016-04-06, 1 file, -0/+50)

  We only need to go online if we receive a netlink signal that might indicate that the external connection might have become available. This will never be true for link-local addresses.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Remove duplicate description of the pam_account_locked_message option (Jakub Hrozek, 2016-04-06, 1 file, -21/+0)

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Remove unused parameter talloc context (Lukas Slebodnik, 2016-04-05, 1 file, -4/+2)

  Parameter memctx was unused in sdap_nested_group_add_ext_members.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Remove unused parameter from ipa_ext_group_member_check (Lukas Slebodnik, 2016-04-05, 1 file, -2/+1)

  Reviewed-by: Pavel Reichl <preichl@redhat.com>