summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-10-17[WIP] Makefile.am: remove unneeded flagsbuild-fixesBenjamin Franzke1-14/+2
2013-10-17[WIP] Add libsss_krb5_common to dlopen-testsBenjamin Franzke2-2/+13
2013-10-17BUILD: Link libsss_krb5_common.so to libkeyutils.soBenjamin Franzke1-3/+2
The symbol add_key is used by src/providers/krb5/krb5_delayed_online_authentication.c which is part of libsss_krb5_common.so Fixes following error: [sssd[be[default]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib64/sssd/libsss_ad.so), error: /usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key -lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so, but when compiling with -Wl,--as-needed this flag will be ignored, since it is not used directly. So it was unavailable to libsss_krb5_common.so which actually needs it. This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to libsss_krb5_common.so
2013-10-17BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGSBenjamin Franzke1-3/+3
LDAP_CFLAGS is never defined. OPENLDAP_CFLAGS is set by src/external/ldap.m4. This patch does: sed -i 's/$(LDAP_CFLAGS)/$(OPENLDAP_CFLAGS)/' Makefile.am
2013-10-17BUILD: Link libsss_ad.so to sasl libsBenjamin Franzke2-1/+3
This is for the sasl_client_init symbol. Introducted in commit fb945a2c.
2013-10-17KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD userHEADmasterJakub Hrozek2-0/+9
If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
2013-10-17dlopen-tests: Check the result of asprintfBenjamin Franzke1-1/+2
According to asprintf(3) the content off errmsg is undefined on error, lets set it to NULL.
2013-10-16IPA server mode: properly initialize ext_groupsSumit Bose1-1/+2
2013-10-15LDAP: Set default value for dyndns update to falseLukas Slebodnik1-1/+1
In some cases, local boolean variable "do_update" could be used without proper initialisation. Clang static analyser warning: "Assigned value is garbage or undefined" It was not a big problem, because non-zero value for boolean variable mean true.
2013-10-15Spec file changes for cifs-utils pluginSumit Bose1-0/+25
2013-10-15Add CIFS idmap pluginBenjamin Franzke6-0/+396
https://fedorahosted.org/sssd/ticket/1534
2013-10-11MAN: Fix refsect-idJakub Hrozek5-5/+5
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the refsect might help us if we ever generate other formats from XML and certainly wouldn't hurt.
2013-10-11INI: Disable line-wrapping functionalityJakub Hrozek1-1/+1
Supporting the latest INI release brought an incompatible change. Lines beginning with a whitespace were treated as continuation of the previous line. This patch reverts to ignoring the whitespace as we did previously so that the existing configurations keep working.
2013-10-10LDAP: handle SID requests if noexist_delete is setSumit Bose1-0/+10
Fixes https://fedorahosted.org/sssd/ticket/2116
2013-10-10krb5: fix warning may be used uninitializedLukas Slebodnik1-0/+1
2013-10-07MAN: Reflow debug_levels.xmlStephen Gallagher1-13/+20
Many lines in debug_levels.xml violated our line-length conventsions. This patch provides no functional changes, it simply brings those lines into compliance.
2013-10-07MAN: Clarify debug level documentationStephen Gallagher1-6/+20
Originally, we planned to deprecate the decimal values for the debug levels, but that has proven to be too difficult for most users to understand. Instead, we will document both the simple decimal and complex bitmask values and recommend the use of the decimal values.
2013-10-07krb5: Fix unit testsJakub Hrozek2-85/+46
2013-10-07krb5: Remove ability to create public directoriesSimo Sorce3-71/+37
Setting up public directories is the job of the admin, and current sssd syntax can't express the actual intention of the admin with regrads to which parts of the path should be public or private. Resolves: https://fedorahosted.org/sssd/ticket/2071
2013-10-04AD: properly intitialize GC from ad_server optionSumit Bose1-1/+1
2013-10-04SYSDB: Fix incorrect DEBUG messageStephen Gallagher1-1/+1
A bad comparison resulted in the sysdb_sudo_check_time() function always printing a debug message saying that the time matched. Resolves: Coverity Issue #12031
2013-10-01sudo: improve time restrictions debug messagesPavel Březina2-0/+15
2013-10-01sudo: allow specifying only one time restrictionPavel Březina1-47/+34
https://fedorahosted.org/sssd/ticket/2100
2013-09-27MAN: Document that POSIX attributes must be replicated to GCJakub Hrozek1-0/+5
Currently the AD provider relies on the presence of the POSIX attributes in the Global Catalog. This patch mentiones the fact in the sssd-ad(5) manual page.
2013-09-27AD: talk to GC first even for local domain objectsJakub Hrozek2-7/+18
Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
2013-09-27LDAP: Allow searching subdomain during RFC2307bis initgroupsJakub Hrozek1-9/+11
Related: https://fedorahosted.org/sssd/ticket/2070 Until now, the POSIX-compliant initgroups would only be able to search the parent domain. Since we want to allow using POSIX attributes from AD subdomains as well, we should allow searching a custom sdap_domain.
2013-09-27LDAP: Require ID numbers when ID mapping is offJakub Hrozek2-7/+77
Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
2013-09-27KRB5: Use the correct domain when authenticating with cached passwordJakub Hrozek1-4/+4
2013-09-27KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolvedJakub Hrozek1-0/+1
2013-09-27Do not return DP_ERR_FATAL in case of successSumit Bose1-1/+5
2013-09-27ipa_server_mode: write capaths to krb5 include fileSumit Bose4-4/+56
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
2013-09-27IPA: store forest name for forest member domainsSumit Bose8-16/+158
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
2013-09-26IPA: Ignore dns_discovery_domain in server modeJakub Hrozek1-0/+36
https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
2013-09-26ad: store group in correct tree on initgroups via tokenGroupsPavel Březina1-11/+41
If tokenGroups contains group from different domain than user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under group's domain tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26sysdb: sysdb_update_members can take either name or dnPavel Březina4-25/+65
We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26sysdb: get_sysdb_grouplist() can return either names or dnPavel Březina2-16/+55
We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26util: add get_domains_head()Pavel Březina2-0/+15
This function will return head of the domain list. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26KRB5: Fix bad comparisonJakub Hrozek1-1/+1
2013-09-25util: Allways fall back to old find_uid methodSimo Sorce1-4/+4
systemd-login still fails with su/sudo login shells, so always fall back for now. Resolves: https://fedorahosted.org/sssd/ticket/2094
2013-09-25krb5: Be more lenient on failures for old ccacheSimo Sorce2-2/+2
Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary. Related: https://fedorahosted.org/sssd/ticket/2053
2013-09-25NSS: Failure to store entry negative cache should not be fatalJakub Hrozek1-18/+31
The only effect the failure to store a result to negative cache might have would be a slower lookup next time.
2013-09-25NSS: Set UID and GID to negative cache after searching all domainsJakub Hrozek1-66/+105
https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.
2013-09-24Include header file in implementation module.Lukas Slebodnik22-0/+22
Declarations of public functions was in header files, but header files was not included in implementation file.
2013-09-24Include right header fileLukas Slebodnik1-1/+1
Public selinux functions are defined in file src/tools/selinux.c (selinux_file_context, reset_selinux_file_context, set_seuser, del_seuser), but wrong header file was included "util/util.h" All declarations are in header file "tools/tools_util.h". This patch include right header file.
2013-09-24man: server side password policies always takes precedencePavel Březina1-0/+5
https://fedorahosted.org/sssd/ticket/2091
2013-09-24Convert IN_MULTICAST parameter to host orderJakub Hrozek3-3/+3
https://fedorahosted.org/sssd/ticket/2087 IN_MULTICAST accepts address in the host order, but network order was supplied.
2013-09-23mmap_cache: Use two chains for hash collision.Lukas Slebodnik6-34/+83
struct sss_mc_rec had two hash members (hash1 and hash2) but only one next member. This was a big problem in case of higher probability of hash collision. structure sss_mc_rec will have two next members (next1, next2) with this patch. next1 is related to hash1 and next2 is related to hash1. Iterating over chains is changed, because we need to choose right next pointer. Right next pointer will be chosen after comparing record hashes. This behaviour is wrapped in function sss_mc_next_slot_with_hash. Adding new record to chain is also changed. The situation is very similar to iterating. We need to choose right next pointer (next1 or next2). Right next pointer will be chosen after comparing record hashes. Adding reference to next slot is wrapped in function sss_mc_chain_slot_to_record_with_hash Size of structure sss_mc_rec was increased from 32 bytes to 40 bytes. Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-09-23Revert "mmap_cache: Skip records which doesn't have same hash"Lukas Slebodnik1-34/+2
This reverts commit 4662725ffef62b3b2502481438effa7c8fef9f80.
2013-09-23krb5: do not expand enterprise principals is offlineSumit Bose1-1/+1
Expanding a principle to an enterprise principal only makes sense if there is a KDC available which can process it. If we are offline the plain principal should be used, e.g. to create an expired ccache. Fixes https://fedorahosted.org/sssd/ticket/2060
2013-09-23krb5: save canonical upn to sysdbSumit Bose5-20/+58
If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server. To avoid this this patch add a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available. Fixes https://fedorahosted.org/sssd/ticket/2060