summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5
Commit message (Collapse)AuthorAgeFilesLines
* krb5_child: Simplify ccache creationSimo Sorce2013-09-091-387/+87
| | | | | | | | | | | | The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreate the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add file/dir path precheckSimo Sorce2013-09-092-0/+35
| | | | | | | | | | | | | | | | | | | | | | | Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
* krb5: Remove unused ccache backend infrastructureSimo Sorce2013-09-096-144/+14
| | | | | | | | Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Unify function to create ccache filesSimo Sorce2013-09-093-69/+22
| | | | | | | | | | | Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Use new function to validate ccachesSimo Sorce2013-09-093-371/+88
| | | | | | | | | | This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Make check_for_valid_tgt() staticSimo Sorce2013-09-091-0/+74
| | | | | | | check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: move template check to initializzationSimo Sorce2013-09-094-24/+22
| | | | | | | | | | | | The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Move determination of user being activeSimo Sorce2013-09-093-43/+17
| | | | | | | | The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Replace type-specific ccache/principal checkSimo Sorce2013-09-093-148/+89
| | | | | | | | | Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce2013-09-093-118/+18
| | | | | | | | | This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add helper to destroy ccache as userSimo Sorce2013-09-092-0/+111
| | | | | | | | | | | This function safely destroy a ccache given a cache name and user crdentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add calls to change and restore credentialsSimo Sorce2013-09-092-0/+131
| | | | | | | | In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
* krb5: Ingnore unknown expansion sequencesSimo Sorce2013-09-091-30/+15
| | | | | | | | | | | | | | | | Recently support was added to use also libkrb5 style expansions that uses a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Addiotionally in order to be future proof this patch treats unknown templates as pass-through templates and defer any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
* KRB5: Fix warning declaration shadows global declarationLukas Slebodnik2013-09-031-8/+8
| | | | | | src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration /usr/include/stdio.h:754: warning: shadowed declaration is here
* krb5: Fetch ccname template from krb5.confStephen Gallagher2013-08-284-12/+167
| | | | | | | | | | | | | In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
* krb5_common: Refactor to use a talloc temp contextSimo Sorce2013-08-281-12/+28
| | | | | | | | In preparation for handling some more allocations in the following patches and fixes a curent memleak on the opts struct. Related: https://fedorahosted.org/sssd/ticket/2036
* KRB5: Add support for KEYRING cache typeStephen Gallagher2013-08-274-0/+212
| | | | https://fedorahosted.org/sssd/ticket/2036
* KRB5: Remove unnecessary call to become_user()Stephen Gallagher2013-08-271-6/+0
| | | | | | | | By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
* check_cc_validity: make sure _valid is always setSumit Bose2013-08-241-5/+7
| | | | | In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
* KRB5: Only set active and valid on successStephen Gallagher2013-08-221-6/+5
| | | | | | | | The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
* KRB5: Refactor cc_*_check_existingStephen Gallagher2013-08-221-61/+59
| | | | | | | | | | | | | | There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here: 1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering 2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
* KRB5: Add new #define for collection cache typesStephen Gallagher2013-08-224-18/+18
| | | | | | Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
* KRB5: Do not log to syslog on each loginJakub Hrozek2013-08-191-1/+3
|
* KRB5: Formatting changesJakub Hrozek2013-08-191-4/+4
|
* ldap, krb5: More descriptive msg on chpass failure.Michal Zidek2013-08-111-0/+15
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* KRB5: Do not send PAC in server modeJakub Hrozek2013-07-233-6/+19
| | | | | | | | The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
* Fix warnings: uninitialized variableLukas Slebodnik2013-07-222-4/+3
|
* Remove unused memory context from function unpack_authtokLukas Slebodnik2013-07-221-3/+3
|
* Add mising argument required by format stringLukas Slebodnik2013-07-191-2/+3
|
* KRB: Replace multiple calls with variableOndrej Kos2013-07-181-6/+9
| | | | | Instead of multiple calls of sss_authtok_get_type, perform the call just once and store into variable.
* KRB: Handle empty password gracefullyOndrej Kos2013-07-181-0/+11
| | | | | | https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed.
* SIGCHLD handler: do not call callback when pvt data where freedPavel Březina2013-07-171-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1992
* print hint about password complexity when new password is rejectedPavel Březina2013-07-171-1/+7
| | | | https://fedorahosted.org/sssd/ticket/1827
* Use conditional build for retrieving ccache.Lukas Slebodnik2013-07-152-88/+22
| | | | | | | | Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c
* Return right directory name for dircacheLukas Slebodnik2013-07-111-6/+10
| | | | | | | Dircache can be either file or directory. Wrong value was used when dircache was itself directory. https://fedorahosted.org/sssd/ticket/2002
* KRB5_CHILD: Fix handling of get_password return codeOndrej Kos2013-07-101-4/+10
| | | | The switch statement was dead code due to missing case/default.
* Replace new_subdomain() with find_subdomain_by_name()Sumit Bose2013-06-281-3/+2
| | | | | | new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used.
* Fix compilation warningJakub Hrozek2013-06-271-1/+1
|
* AD: Write out domain-realm mappingsJakub Hrozek2013-06-271-1/+0
| | | | | This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
* KRB5: guess UPN for subdomain usersJakub Hrozek2013-06-277-18/+43
|
* Do not switch to credentials everytime.Lukas Slebodnik2013-06-261-4/+69
| | | | | | | | | If user decide to kinit as another user we do not want to switch back to user ccache at another login. We will switch to new ccache if and only if default principal name is the same as current principal name, or there is not any default ccache. https://fedorahosted.org/sssd/ticket/1936
* Every time return directory for krb5 cache collection.Lukas Slebodnik2013-06-262-4/+64
| | | | | | | | Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936
* krb5: do not use enterprise principals for renewalsSumit Bose2013-06-251-1/+6
| | | | | | When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
* krb5: do not send pac for IPA users from the local domainSumit Bose2013-06-254-10/+19
| | | | | | | | | | | | | So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995
* Revert "Always send the PAC to the PAC responder"Sumit Bose2013-06-251-18/+20
| | | | This reverts commit d153941864fe481399665be8fe583c9317194a99.
* Fix typo in pack_authtok()Sumit Bose2013-06-241-1/+1
|
* KRB5: use the right authtok type for renewalsSumit Bose2013-06-241-3/+20
|
* Set default realm for enterprise principalsSumit Bose2013-06-171-0/+12
| | | | | | | | | | Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931
* Use principal from the ticket to find validation entrySumit Bose2013-06-171-1/+1
| | | | | | | | | If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931
* KRB: Handle preauthentication error correctlyOndrej Kos2013-06-142-1/+9
| | | | | | https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
generated by cgit (git 2.34.1) at 2025-09-22 10:10:33 +0000