sssd.git/src/providers/krb5, branch my-master Experimental work on SSSD - Systen Security Services Daemon Cleanup error message handling for krb5 child 2013-01-04T19:40:54+00:00 Simo Sorce simo@redhat.com 2012-11-22T21:34:18+00:00 c8febcca6b0c1e3430b6abb4eb14564e33380e54 Use the new internal SSSD errors, to simplify error handling. Instad of having up to 3 different errors to care about (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use differen number spaces so there is no overlap and tey can be safely merged. This means the errors bein sent from the child to the parent is not a pam status error message anymore. The parent properly deals with that. Also not that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that. 
Use the new internal SSSD errors, to simplify error handling.
Instad of having up to 3 different errors to care about (system, krb5 and
pam_status), collapse all error reporting into one error type mapped on
errno_t.

The returned error can contain either SSSD internal errors, kerberos errors
or system errors, they all use differen number spaces so there is no overlap
and tey can be safely merged.

This means the errors bein sent from the child to the parent is not a pam
status error message anymore. The parent properly deals with that.

Also not that this patch removes returning SSS_PAM_SYSTEM_INFO from the
krb5_child for kerberos errors as all it was doing was simply to make the
parent emit the same debug log already emitted by the child, and the code
is simpler if we do not do that.
Refactor krb5 child 2013-01-04T19:38:36+00:00 Simo Sorce simo@redhat.com 2012-11-22T17:39:38+00:00 9366febd6ec9b1fe588fee4a4542ea75cc857abf The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back 
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has becomed confused and
baroque enough that understanding it's very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.

Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching fucntions across the tree)
- Streamline setup function, by spliting out fast setup in a subroutine.
- Avoid confusing indirection in executng actual functions by not
using the krb5_req child_req member.
- Make main() flow s now simmetric, send abck data from the main function
instead of delegating a reply to every inner function that implements a
command.

Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back
krb5_child style fix 2013-01-04T19:38:36+00:00 Simo Sorce simo@redhat.com 2012-11-21T23:05:22+00:00 9a0bd5e080983ad54bbbd96170b2f9be6167214a Use the standard 'done' label for exceptions. 
Use the standard 'done' label for exceptions.
let krb5_backup_kpasswd failover work 2013-01-02T16:59:02+00:00 Pavel Březina pbrezina@redhat.com 2013-01-02T08:09:31+00:00 4bb57b5f27abd2d38f96ba8681d375fb8aec7f3d https://fedorahosted.org/sssd/ticket/1735 
https://fedorahosted.org/sssd/ticket/1735
failover: Protect against empty host names 2013-01-02T16:44:09+00:00 Michal Zidek mzidek@redhat.com 2012-10-15T10:21:00+00:00 04759b59e71c78ab23b84d13dd29d9c6dd680adb Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484 
Added new parameter to split_on_separator that allows to skip
empty values.

The whole function was rewritten. Unit test case was added to
check the new implementation.

https://fedorahosted.org/sssd/ticket/1484
krb5 tgt renewal: fix usage of ldb_dn_get_component_val() 2012-12-20T18:41:11+00:00 Sumit Bose sbose@redhat.com 2012-12-19T17:37:32+00:00 10c50d237d6e3137499fcfaa5a804e6712e002ee For some reason I was under the impression that the DN components are counted backwards in libldb. This patch corrects this. 
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
let krb5_kpasswd failover work 2012-12-10T18:20:22+00:00 Pavel Březina pbrezina@redhat.com 2012-12-10T14:21:57+00:00 8914b982dd70e1a68d7b7fd55951b854ce9abc9b https://fedorahosted.org/sssd/ticket/1680 There were two errors: 1. kr->kpasswd_srv was never set 2. bad service name (KERBEROS) was provided when setting port status, thus the port status never changed 
https://fedorahosted.org/sssd/ticket/1680

There were two errors:
1. kr->kpasswd_srv was never set
2. bad service name (KERBEROS) was provided when setting port status,
   thus the port status never changed
Fix tevent_req style for krb5_auth 2012-12-04T11:38:14+00:00 Simo Sorce simo@redhat.com 2012-11-28T03:24:54+00:00 7baccb545ac9829b7e1990f45ff6f70e2de55c2a No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions. 
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
Save errno before it might be modified. 2012-11-26T10:10:43+00:00 Simo Sorce simo@redhat.com 2012-11-22T21:06:14+00:00 d5351fd908e78c7639c839853c737b96e048f95a The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error. 
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
Disable canonicalization during password changes 2012-11-19T21:42:46+00:00 Sumit Bose sbose@redhat.com 2012-11-14T13:56:47+00:00 9459006424bb9975b8728c7700605f9b061c791e If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615 
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.

Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.

Fixes: https://fedorahosted.org/sssd/ticket/1405
       https://fedorahosted.org/sssd/ticket/1615