summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-03-05Remove the alt_db_path parameter of sysdb_initMichal Zidek5-14/+5
This parameter was never used. https://fedorahosted.org/sssd/ticket/1765
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-03-04Use the same dbg level for all ncache hits.Michal Zidek2-21/+28
We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771
2013-03-04Cleanup error message handling for krb5 childSimo Sorce4-297/+251
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04Return ERR_INTERNAL instead of EIOSimo Sorce1-1/+1
EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward.
2013-03-04Use SSSD specific errors for offline authSimo Sorce6-25/+42
This prevents reportin false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.
2013-03-04Add SSSD specific error codes and definitionsSimo Sorce4-8/+120
This code adds a new range of error codes specific to SSSD, It also provides helper functions to print out error defintions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provide is not a valid SSSD error code.
2013-03-04Improved readability of get_next_domain()Lukas Slebodnik1-2/+2
https://fedorahosted.org/sssd/ticket/1812
2013-03-04krb5_child: fix value type and initializationOndrej Kos1-1/+2
ret was defined as integer, instead of errno_t, and was uninitialized
2013-03-04Use the correct memory context in be_req_createJakub Hrozek1-1/+1
2013-03-04Remove unused functionsJakub Hrozek4-36/+0
2013-03-01Don't treat 0 as default for pam_pwd_expiration warningJakub Hrozek1-1/+2
2013-03-01Revert "Add debug message to autofs client"Jakub Hrozek1-3/+0
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
2013-03-01autofs: fix invalid header 'number of entries' in packetPavel Březina1-1/+5
https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
2013-03-01Add debug message to autofs clientPavel Březina1-0/+3
2013-03-01BUILD: Build shared components as an internal shared libraryStephen Gallagher2-6/+27
There is a large amount of duplicated code being linked into multiple SSSD binaries. Instead of statically linking this code throughout the SSSD, we should instead create private shared libraries for them and drop this code on the system only once.
2013-02-28Refactor krb5 childSimo Sorce1-288/+210
The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
2013-02-28krb5_child style fixSimo Sorce1-11/+11
Use the standard 'done' label for exceptions.
2013-02-27sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
2013-02-26Do not process success case in an elseJakub Hrozek1-24/+24
2013-02-26Remove enumerate=true from man sssd-ldapJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1737
2013-02-26sysdb: try dealing with binary-content attributesJan Engelhardt4-7/+17
https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
2013-02-26if selinux is disabled, ignore that selogin dir is missingPavel Březina1-3/+15
https://fedorahosted.org/sssd/ticket/1817
2013-02-21Fix the krb5 password expiration warningJakub Hrozek1-1/+7
https://fedorahosted.org/sssd/ticket/1808
2013-02-21Fix uninitialized time_t var in responderOndrej Kos1-1/+1
https://fedorahosted.org/sssd/ticket/1810
2013-02-21tools: append new line to string from poptStrerror()Milan Cejnar1-1/+13
https://fedorahosted.org/sssd/ticket/1756 Messages from poptStrerror() passed to BAD_POPT_PARAMS macro were printed out to the console without new line character at the end of the message. BAD_POPT_PARAMS should now behave correctly with strings both with or without new line character at the end.
2013-02-14subdomains: replace invalid characters with underscore in krb5 mapping file namePavel Březina1-1/+26
https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
2013-02-14Lower the DEBUG level if an entry cannot be deleted from memcacheJakub Hrozek1-3/+3
2013-02-14get_next_domain() test dom->parent->next for NULLPavel Březina1-1/+1
Otherwise dom may be set to NULL and we will segfault when dereferencing dom.
2013-02-12Filter out multicast addresses from IPA DNS updatesJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1804
2013-02-11LDAP: Check for authtok validityJakub Hrozek1-7/+9
The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
2013-02-11krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek2-2/+8
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
2013-02-10Introduce IS_SUBDOMAIN() macroSimo Sorce8-13/+15
Fixes https://fedorahosted.org/sssd/ticket/1766
2013-02-10Parent and subdomains use the same sysdbSimo Sorce2-71/+8
Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.
2013-02-10Change the way domains are linked.Simo Sorce13-414/+225
- Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
2013-02-10Add ability to disable domainsSimo Sorce2-8/+14
2013-02-10Add function get_next_domain()Simo Sorce18-112/+119
Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
2013-02-10Remove sysdb_subdom completelySimo Sorce4-127/+131
struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.
2013-02-10Add sysdb_subdomain_store() functionSimo Sorce2-37/+103
Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.
2013-02-10Refactor sysdb_master_domain_add_info()Simo Sorce3-51/+28
2013-02-10Update main domain info in placeSimo Sorce4-62/+38
2013-02-10Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce6-102/+60
2013-02-10Add realm info to sss_domain_infoSimo Sorce10-10/+25
2013-02-10NSS: Add original homedir to home directory template optionsStephen Gallagher6-8/+29
https://fedorahosted.org/sssd/ticket/1805
2013-02-04Don't use srcdir with testsJakub Hrozek1-3/+3
Fixes build with automake 1.13 or newer.
2013-02-01Correct sss_ssh_knowhostsproxy typo in man pagesJohn Hodrien1-1/+1
2013-02-01dp: check whether hostid backend is configured before filing be requestPavel Březina1-0/+8
2013-01-30Fix minor grammar error in logStephen Gallagher1-1/+1
2013-01-30krb: recreate ccache if it was deletedPavel Březina1-1/+8
https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
2013-01-29TESTS: include error message on failOndrej Kos1-8/+8