sssd.git/src/providers/krb5, branch err_facility Experimental work on SSSD - Systen Security Services Daemon Add support for krb5 1.11's responder callback. 2013-03-08T20:58:03+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-03-08T17:06:10+00:00 b40583c6d52b72e41bf01106534535e54b4fba4f krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only). 
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.

This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
Cleanup error message handling for krb5 child 2013-03-04T22:40:39+00:00 Simo Sorce simo@redhat.com 2012-11-22T21:34:18+00:00 c6872e79e8496fd075e20aec0343ade99cca725c Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that. 
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.

The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.

This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.

Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
krb5_child: fix value type and initialization 2013-03-04T13:44:59+00:00 Ondrej Kos okos@redhat.com 2013-03-04T09:03:54+00:00 67dac0a65e9322771d853ee0914c41c30a1c4432 ret was defined as integer, instead of errno_t, and was uninitialized 
ret was defined as integer, instead of errno_t, and was uninitialized
Refactor krb5 child 2013-02-28T11:51:57+00:00 Simo Sorce simo@redhat.com 2012-11-22T17:39:38+00:00 0a8a06a50e8deaf5b78b1bf4cc99fb571dda7860 The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back 
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has becomed confused and
baroque enough that understanding it's very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.

Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching fucntions across the tree)
- Streamline setup function, by spliting out fast setup in a subroutine.
- Avoid confusing indirection in executng actual functions by not
using the krb5_req child_req member.
- Make main() flow s now simmetric, send abck data from the main function
instead of delegating a reply to every inner function that implements a
command.

Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back
krb5_child style fix 2013-02-28T11:51:54+00:00 Simo Sorce simo@redhat.com 2012-11-21T23:05:22+00:00 f7e97d8b7b72f376a7c75dbe184634f38db35567 Use the standard 'done' label for exceptions. 
Use the standard 'done' label for exceptions.
Do not process success case in an else 2013-02-26T17:05:07+00:00 Jakub Hrozek jhrozek@redhat.com 2013-02-01T10:54:41+00:00 24ee49904e91590e192983df16818567c060e12b 






Add realm info to sss_domain_info
2013-02-10T21:08:46+00:00

Simo Sorce
simo@redhat.com

2013-01-13T18:23:31+00:00

b8dcd1216e5ea7065213c750a92dabfe01fa3b70












Fix minor grammar error in log
2013-01-30T13:54:54+00:00

Stephen Gallagher
sgallagh@redhat.com

2013-01-30T13:52:27+00:00

af3f03d15a928168626e513e667863e9cd1dceef












krb: recreate ccache if it was deleted
2013-01-30T13:33:09+00:00

Pavel Březina
pbrezina@redhat.com

2013-01-30T12:45:27+00:00

e4d1e192430f6c76eee5b64decc3a799a0926979

https://fedorahosted.org/sssd/ticket/1512

If directory where a ccache file was stored was missing and user
was still logged in, we erroneously considered the ccache file
still active. Thus the ccache file was not recreated and user was
unable to login.





https://fedorahosted.org/sssd/ticket/1512

If directory where a ccache file was stored was missing and user
was still logged in, we erroneously considered the ccache file
still active. Thus the ccache file was not recreated and user was
unable to login.







Add be_req_get_data() helper funciton.
2013-01-21T21:17:34+00:00

Simo Sorce
simo@redhat.com

2013-01-11T23:13:36+00:00

cbaba2f47da96c4191971bce86f03afb3f88864a

In preparation for making struct be_req opaque.





In preparation for making struct be_req opaque.