sssd.git/src/util, branch my-master Experimental work on SSSD - Systen Security Services Daemon Cleanup error message handling for krb5 child 2013-01-04T19:40:54+00:00 Simo Sorce simo@redhat.com 2012-11-22T21:34:18+00:00 c8febcca6b0c1e3430b6abb4eb14564e33380e54 Use the new internal SSSD errors, to simplify error handling. Instad of having up to 3 different errors to care about (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use differen number spaces so there is no overlap and tey can be safely merged. This means the errors bein sent from the child to the parent is not a pam status error message anymore. The parent properly deals with that. Also not that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that. 
Use the new internal SSSD errors, to simplify error handling.
Instad of having up to 3 different errors to care about (system, krb5 and
pam_status), collapse all error reporting into one error type mapped on
errno_t.

The returned error can contain either SSSD internal errors, kerberos errors
or system errors, they all use differen number spaces so there is no overlap
and tey can be safely merged.

This means the errors bein sent from the child to the parent is not a pam
status error message anymore. The parent properly deals with that.

Also not that this patch removes returning SSS_PAM_SYSTEM_INFO from the
krb5_child for kerberos errors as all it was doing was simply to make the
parent emit the same debug log already emitted by the child, and the code
is simpler if we do not do that.
Return ERR_INTERNAL instead of EIO 2013-01-04T19:40:54+00:00 Simo Sorce simo@redhat.com 2012-11-21T22:37:01+00:00 e74d221abc5fc4f8db25cda04998bd2d9a63134e EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward. 
EIO has always been an odd match, but was used as an error to indicate
that something had gone wrong internally before we had specific SSSD
errors available. Use ERR_INTERNAL instead going forward.
Use SSSD specific errors for offline auth 2013-01-04T19:40:54+00:00 Simo Sorce simo@redhat.com 2012-11-21T21:52:33+00:00 707d7b29652f12a683dfd18ea84173b4147cdb8b This prevents reportin false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors. 
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
Add SSSD specific error codes and definitions 2013-01-04T19:40:54+00:00 Simo Sorce simo@redhat.com 2012-11-21T19:29:05+00:00 a8fd47c45cf61af28b8bc82b4ac79b67cd26135a This code adds a new range of error codes specific to SSSD, It also provides helper functions to print out error defintions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provide is not a valid SSSD error code. 
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.

The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
Change memory cache layout to add optional key 2013-01-04T19:39:23+00:00 Simo Sorce simo@redhat.com 2012-10-16T19:32:48+00:00 b5a99bebff5f7455d9b8bd89f0a81de587c5a9c0 This bumps the cache major number to 1 as this change is incompatible with current clients. The addiotinal key is used to allow name aliases to be added to user and group entries. Aliases are a string that can be looked up via the getpwname and getgrnam calls, and are useful to to fetch entries by alternate names. Currently only one, optional alias is allowed. 
This bumps the cache major number to 1 as this change is incompatible
with current clients.
The addiotinal key is used to allow name aliases to be added to user
and group entries. Aliases are a string that can be looked up via the
getpwname and getgrnam calls, and are useful to to fetch entries by
alternate names.
Currently only one, optional alias is allowed.
failover: Protect against empty host names 2013-01-02T16:44:09+00:00 Michal Zidek mzidek@redhat.com 2012-10-15T10:21:00+00:00 04759b59e71c78ab23b84d13dd29d9c6dd680adb Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484 
Added new parameter to split_on_separator that allows to skip
empty values.

The whole function was rewritten. Unit test case was added to
check the new implementation.

https://fedorahosted.org/sssd/ticket/1484
Carefully check records when forcibly invalidating 2012-12-20T18:55:02+00:00 Simo Sorce simo@redhat.com 2012-12-20T04:10:25+00:00 6acf7c92ab38ad388295b2d57cc97c4598aa95cc We should never try to invalidate an already invalid record as internal pointers will not be consistent. Carefully test that the record really is valid when we are fishing for free space, and properly invalidate records or return a fatal error if something goes wrong. In order to make the code more robust always invalidate the whole data space on initialization by setting all bits to 1, and make sure to invalidate the whole last allocated slot by converting rec->len to the number of slots instead of just the space used. 
We should never try to invalidate an already invalid record as
internal pointers will not be consistent. Carefully test that the
record really is valid when we are fishing for free space, and
properly invalidate records or return a fatal error if something
goes wrong.
In order to make the code more robust always invalidate the whole
data space on initialization by setting all bits to 1, and make sure
to invalidate the whole last allocated slot by converting rec->len to
the number of slots instead of just the space used.
Free resources if fileno failed 2012-12-20T17:12:18+00:00 Jakub Hrozek jhrozek@redhat.com 2012-12-18T18:33:57+00:00 3831f866292da4118e87e204ac8c02244825bf43 






select_principal_from_keytab() do wildcard lookups after specific ones
2012-12-18T18:04:06+00:00

Sumit Bose
sbose@redhat.com

2012-12-17T21:14:55+00:00

4ee7f390af4193656c1e6ba45c9c3c14dd64a8a9

Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.

I think this is wrong an wildcards should only be used is all specific
lookups fail.





Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.

I think this is wrong an wildcards should only be used is all specific
lookups fail.







select_principal_from_keytab() look for plain input as well
2012-12-18T18:04:06+00:00

Sumit Bose
sbose@redhat.com

2012-12-17T21:08:59+00:00

f2999e1d624d45e0142f39317461a6a1c996efb2

Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.





Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.