| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
This patch reduces unnecessary memory allocations for
log messages from libhbac.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
The attached patch should simplify troubleshooting of
issues with permissions of krb5.conf. It's not clear from
krb5_child.log even with full debug level.
[sss_get_ccache_name_for_principal] (0x4000):
Location: [FILE:/tmp/krb5cc_12069_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1765328243]
[Can't find client principal user@EXAMPLE.COM in cache collection]
[create_ccache] (0x0020): 735: [13][Permission denied]
Resolves:
https://fedorahosted.org/sssd/ticket/2931
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
I can reproduce it only with clang.
But it's a typical off-by-one error.
sh$ ./sss_idmap-tests
Running suite(s): IDMAP
Segmentation fault (core dumped)
Running suite(s): IDMAP
==2644== Process terminating with default action of signal 11 (SIGSEGV)
==2644== Access not within mapped region at address 0xA08F430
==2644== at 0x4C2CC53: strcmp (vg_replace_strmem.c:842)
==2644== by 0x4060DA: idmap_test_sid2uid_additional_secondary_slices (sss_idmap-tests.c:451)
==2644== by 0x503C78A: ??? (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x503CB7C: srunner_run (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x4061EE: main (sss_idmap-tests.c:965)
==2644== If you believe this happened as a result of a stack
==2644== overflow in your program's main thread (unlikely but
==2644== possible), you can try to increase the size of the
==2644== main thread stack using the --main-stacksize= flag.
==2644== The main thread stack size used in this run was 8388608.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Add code to distinguish the state when an account is locked in the Active
Directory server.
Tested against Windows Server 2012.
This patch is best effort only, as the decision whether the account is actually
locked is based on parsing the error message returned by AD. The format and
content of this error message might be subject to change in future
releases and can also be modified by AD administrators.
If the account is locked, the bind operation is expected to return the following
error message:
-----------------------------------------------------------------------
Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 775, v23f0
-----------------------------------------------------------------------
where the substring 'data 775' implies that the account is locked
(ERROR_ACCOUNT_LOCKED_OUT) [1]. However, the 80090308 (error code
0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of the error
string [2].
The error message is described in further detail in [3]:
-----------------------------------------------------------------------
When the server fails an LDAP operation with an error, and the server
has sufficient resources to compute a string value for the errorMessage
field of the LDAPResult, it includes a string in the errorMessage field
of the LDAPResult (see [RFC2251] section 4.1.10). The string contains
further information about the error.
The first eight characters of the errorMessage string are a 32-bit
integer, expressed in hexadecimal. Where protocol specifies the extended
error code "<unrestricted>" there is no restriction on the value of the
32-bit integer. It is recommended that implementations use a Windows
error code for the 32-bit integer in this case in order to improve
usability of the directory for clients. Where protocol specifies an
extended error code which is a Windows error code, the 32-bit integer is
the specified Windows error code. Any data after the eighth character
is strictly informational and used only for debugging. Conformant
implementations need not put any value beyond the eighth character of
the errorMessage field.
-----------------------------------------------------------------------
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
[2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols
[3] MS-ADTS 3.1.1.3.1.9
https://msdn.microsoft.com/en-us/library/cc223253.aspx
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
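A parser for the errorMessage shape the commit message describes, added here as an example and not SSSD's own code. It treats only the first eight hex characters as authoritative (MS-ADTS 3.1.1.3.1.9) and extracts the "data NNN" sub-status on a best-effort basis, returning "unknown" rather than guessing when either part is missing. The sample strings are constructed; the function names, the enum and the two error-code macros are hypothetical. Note that it expects the raw errorMessage value, which starts at the hex code; the "Invalid credentials(49), " prefix in the quoted line is added by the LDAP client library, not sent by AD.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification of a failed simple bind against AD. */
enum ad_bind_status {
    AD_BIND_UNKNOWN = 0,   /* message not in the expected shape: do not guess */
    AD_BIND_LOCKED_OUT,    /* data 775 == ERROR_ACCOUNT_LOCKED_OUT */
    AD_BIND_OTHER          /* well-formed, but a different sub-status */
};

#define SEC_E_INVALID_TOKEN       0x80090308u
#define ERROR_ACCOUNT_LOCKED_OUT  0x775u   /* 1909 decimal, winerror.h */

/* Constructed sample errorMessage values. The first mirrors the message quoted
 * above, the second carries the bad-password sub-status 52e (ERROR_LOGON_FAILURE),
 * the third contains only the eight characters AD is required to send. */
static const char *const SAMPLE_LOCKED =
    "80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0";
static const char *const SAMPLE_BAD_PASSWORD =
    "80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0";
static const char *const SAMPLE_MINIMAL = "80090308";

/* Read the leading 8 hex characters as a 32-bit Windows error code. This is
 * the only part of the string MS-ADTS specifies, so a short string or a
 * non-hex character is a hard parse failure. */
bool ad_parse_error_code(const char *msg, uint32_t *code)
{
    char buf[9];

    if (msg == NULL || code == NULL) {
        return false;
    }
    for (size_t i = 0; i < 8; i++) {
        /* a NUL inside the first 8 bytes fails isxdigit, so no over-read */
        if (!isxdigit((unsigned char)msg[i])) {
            return false;
        }
    }
    memcpy(buf, msg, 8);
    buf[8] = '\0';
    *code = (uint32_t)strtoul(buf, NULL, 16);
    return true;
}

/* Best-effort extraction of the hexadecimal "data NNN" sub-status. Everything
 * after the eighth character is informational, so a missing token is not a
 * malformed message, just an absence of information: the function returns false. */
bool ad_parse_data_code(const char *msg, unsigned long *data)
{
    const char *p;
    char *end = NULL;
    unsigned long v;

    if (msg == NULL || data == NULL || strlen(msg) < 8) {
        return false;
    }
    p = strstr(msg + 8, "data ");
    if (p == NULL) {
        return false;
    }
    p += strlen("data ");
    if (!isxdigit((unsigned char)*p)) {
        return false;              /* strtoul would accept '-' or spaces here */
    }
    errno = 0;
    v = strtoul(p, &end, 16);
    /* require a clean terminator: ',' (as in the sample), space, or end of string */
    if (errno != 0 || end == p ||
        (*end != '\0' && *end != ',' && !isspace((unsigned char)*end))) {
        return false;
    }
    *data = v;
    return true;
}

enum ad_bind_status ad_classify_bind_error(const char *msg)
{
    uint32_t code;
    unsigned long data;

    if (!ad_parse_error_code(msg, &code) || code != SEC_E_INVALID_TOKEN) {
        return AD_BIND_UNKNOWN;
    }
    if (!ad_parse_data_code(msg, &data)) {
        return AD_BIND_UNKNOWN;    /* guaranteed part only: cannot tell why */
    }
    return data == ERROR_ACCOUNT_LOCKED_OUT ? AD_BIND_LOCKED_OUT : AD_BIND_OTHER;
}

int main(void)
{
    const char *const samples[] = { SAMPLE_LOCKED, SAMPLE_BAD_PASSWORD, SAMPLE_MINIMAL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%d: %s\n", (int)ad_classify_bind_error(samples[i]), samples[i]);
    }
    return 0;
}
```

The split into two parsers is deliberate: a caller that only needs "did AD answer at all" can stop after the guaranteed eight characters, and the lockout decision stays visibly best-effort, which is the caveat the commit message itself raises.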
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
In general we just return NULL if tevent_req_create() fails because
there is nothing we can do with the request anyway. Especially
tevent_req_error() should not be called because it tries to dereference
req.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
/usr/lib64 should be the preferred path for searching for
binary modules for openldap backends. /usr/lib/ should
be used for storing non-binary files on 64-bit platforms,
e.g. scripts ...
The current version would choose /usr/lib/ even though
/usr/lib64 contains the real openldap modules.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2865
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
src/tools/sss_obfuscate:12:1: E302 expected 2 blank lines, found 1
src/tools/sss_obfuscate:29:80: E501 line too long (111 > 79 characters)
src/tools/sss_obfuscate:35:1: E302 expected 2 blank lines, found 1
src/tools/sss_obfuscate:47:80: E501 line too long (107 > 79 characters)
src/tools/sss_obfuscate:50:13: E265 block comment should start with '# '
src/tools/sss_obfuscate:58:17: E265 block comment should start with '# '
src/tools/sss_obfuscate:107:5: E303 too many blank lines (2)
Reviewed-by: Martin Basti <mbasti@redhat.com>
| |
Based on patch from: Steven W. Elling <ellingsw+29044@gmail.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2937
Reviewed-by: Martin Basti <mbasti@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Python tests for pyhbac and pysss_murmur created symbolic
links in the shared directory ".libs". It happened that both
tests created a symbolic link at the same time and therefore the
python2 test could try to import a link to the python3 module,
which caused failures in tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
src/python/pyhbac.c: In function ‘HbacRuleElement_repr’:
src/python/pyhbac.c:506:59: error: comparison between
signed and unsigned integer expressions [-Werror=sign-compare]
if (strnames == NULL || strgroups == NULL || category == -1) {
^
src/python/pyhbac.c: In function ‘HbacRuleElement_to_native’:
src/python/pyhbac.c:614:51: error: comparison between
signed and unsigned integer expressions [-Werror=sign-compare]
if (!el->names || !el->groups || el->category == -1) {
^
The static function native_category had the return type uint32_t,
but it could also return -1, which indicated an error.
It's better not to mix the return code with the returned value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
src/python/pysss_murmur.c: In function ‘py_murmurhash3’:
src/python/pysss_murmur.c:47:17: error: comparison between
signed and unsigned integer expressions [-Werror=sign-compare]
key_len > strlen(key)) {
^
uint32_t murmurhash3(const char *key, int len, uint32_t seed)
The second argument of the function murmurhash3 has type int.
But the code expects it to be an unsigned integer.
There is code in the python wrapper py_murmurhash3
which checks the boundaries of that argument.
It should be unsigned: "key_len > INT_MAX || key_len < 0".
An exception should be thrown for a negative number.
Moreover, the length should be shorter than the length of the input string.
strlen returns size_t, which is unsigned, and key_len is a signed long.
We already checked that the value is unsigned, so
we can safely cast key_len to size_t.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
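The length check described in the commit message, worked through in C as an added example rather than SSSD's or pysss_murmur's code. `murmurhash3` here is the public-domain MurmurHash3 x86_32 reference algorithm reimplemented from memory, assumed only so the wrapper has a real int-length function to protect; `murmurhash3_checked` and `naive_exceeds` are hypothetical names, and the input strings are constructed. The point it demonstrates is ordering: the signed-range test has to run before any comparison against `size_t`, because the usual arithmetic conversions would otherwise turn a negative length into a very large unsigned one.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, int r)
{
    return (x << r) | (x >> (32 - r));
}

/* MurmurHash3 x86_32 (reference algorithm, public domain), with the same
 * "int len" signature as the function quoted from pysss_murmur.c. Blocks are
 * assembled byte-wise as little-endian so the result is host-endian independent. */
uint32_t murmurhash3(const char *key, int len, uint32_t seed)
{
    const uint8_t *data = (const uint8_t *)key;
    const int nblocks = len / 4;
    const uint32_t c1 = 0xcc9e2d51u, c2 = 0x1b873593u;
    uint32_t h1 = seed;
    uint32_t k1 = 0;
    const uint8_t *tail;

    for (int i = 0; i < nblocks; i++) {
        uint32_t k = (uint32_t)data[i * 4]
                   | ((uint32_t)data[i * 4 + 1] << 8)
                   | ((uint32_t)data[i * 4 + 2] << 16)
                   | ((uint32_t)data[i * 4 + 3] << 24);
        k *= c1; k = rotl32(k, 15); k *= c2;
        h1 ^= k; h1 = rotl32(h1, 13); h1 = h1 * 5 + 0xe6546b64u;
    }
    tail = data + nblocks * 4;
    switch (len & 3) {
    case 3: k1 ^= (uint32_t)tail[2] << 16; /* fallthrough */
    case 2: k1 ^= (uint32_t)tail[1] << 8;  /* fallthrough */
    case 1: k1 ^= (uint32_t)tail[0];
            k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2; h1 ^= k1;
    }
    h1 ^= (uint32_t)len;
    h1 ^= h1 >> 16; h1 *= 0x85ebca6bu;
    h1 ^= h1 >> 13; h1 *= 0xc2b2ae35u;
    h1 ^= h1 >> 16;
    return h1;
}

/* The validation a wrapper such as py_murmurhash3 needs before calling the
 * int-length hash. key_len arrives as a signed long (what a Python int becomes).
 * Returns false and leaves *out untouched when the length is rejected. */
bool murmurhash3_checked(const char *key, long key_len, uint32_t seed,
                         uint32_t *out)
{
    if (key == NULL || out == NULL) {
        return false;
    }
    if (key_len < 0 || key_len > INT_MAX) {
        return false;                      /* negative, or does not fit an int */
    }
    if ((size_t)key_len > strlen(key)) {   /* cast is value-preserving: key_len >= 0 */
        return false;                      /* would read past the end of key */
    }
    *out = murmurhash3(key, (int)key_len, seed);
    return true;
}

/* What the unchecked comparison "key_len > strlen(key)" really computes: the
 * signed operand is converted to size_t, so -1 becomes SIZE_MAX and "exceeds"
 * every string length. The explicit cast only makes that conversion visible;
 * a negative length that reached "int len" would instead be a negative loop bound. */
bool naive_exceeds(long key_len, size_t actual_len)
{
    return (size_t)key_len > actual_len;
}

int main(void)
{
    const char *key = "test";              /* constructed input */
    uint32_t h;

    if (murmurhash3_checked(key, 4, 0, &h)) {
        printf("murmurhash3(\"%s\", 4, 0) = 0x%08x\n", key, h);
    }
    printf("key_len -1 accepted: %s\n",
           murmurhash3_checked(key, -1, 0, &h) ? "yes" : "no");
    return 0;
}
```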
| |
src/tools/tools_util.c: In function ‘parse_groups’:
src/tools/tools_util.c:116:19: error: comparison between
signed and unsigned integer expressions [-Werror=sign-compare]
for (i = 0; i < tokens; i++) {
^
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
This is needed for LOCAL view but also creates a shortcut for
server side overrides.
Resolves:
https://fedorahosted.org/sssd/ticket/2849
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
This patch is related to commit 50c9d542e8bf641412debaa82a4dcf67ddb72258
"tests: Use unique name for TEST_PATH"
It's better to do IO operations in the common test directory
to prevent conflicts with other tests (copy & paste errors).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Adds support to get the SELINUX context and makes the code more abstract so
that struct ucred (if available) can be used w/o redefining uid, gid, pid to
int32. Also gives a layer of indirection that may come in handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
When refresh_expired_interval was not zero,
the NSS responder only refreshed the netgroup cache
using the background periodic task and ignored the
SYSDB_CACHE_EXPIRE attribute.
With this behaviour it was impossible to
get a new netgroup from the remote server even
after the sss_cache tool was used to expire the
existing entry in the cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2912
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Create a new internal structure idmap_range_params by merging the ID mapping
range relevant fields from idmap_domain_info and remove the corresponding
fields.
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Max value of id mapping range was 1 unit too high.
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Resolves https://fedorahosted.org/sssd/ticket/2925
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2904
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
AD expects its clients to renew the machine account password on a
regular basis, by default every 30 days. Even if a client does not renew
the password it might not cause issues, because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments, which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as the external program, which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Currently the SSSD default options like e.g. --debug-level are added
unconditionally to the command line options of a child process when
started with the child helper functions.
If a binary from a different source is started as a child by SSSD,
those options might not be known or might be used differently. This patch adds an
option to exec_child_ex() which allows skipping the default options and
only adding specific options.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
usn >= current && usn != current is equivalent to usn >= current + 1
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
This condition always disabled smart refresh when the full refresh
interval was set to zero, thus disabling the periodic refresh
functionality completely.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
When we switched to be_ptask, full_refresh_done has become obsolete since
timing is handled in a better way. In case of an unknown USN we assume zero,
which allows us to disable full refresh completely in the configuration.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
When we switched to be_ptask this variable has become obsolete.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
This is less error prone.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>