summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-09-27AD: talk to GC first even for local domain objectsJakub Hrozek2-7/+18
Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
2013-09-27LDAP: Allow searching subdomain during RFC2307bis initgroupsJakub Hrozek1-9/+11
Related: https://fedorahosted.org/sssd/ticket/2070 Until now, the POSIX-compliant initgroups would only be able to search the parent domain. Since we want to allow using POSIX attributes from AD subdomains as well, we should allow searching a custom sdap_domain.
2013-09-27LDAP: Require ID numbers when ID mapping is offJakub Hrozek2-7/+77
Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
2013-09-27KRB5: Use the correct domain when authenticating with cached passwordJakub Hrozek1-4/+4
2013-09-27KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolvedJakub Hrozek1-0/+1
2013-09-27Do not return DP_ERR_FATAL in case of successSumit Bose1-1/+5
2013-09-27ipa_server_mode: write capaths to krb5 include fileSumit Bose4-4/+56
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
2013-09-27IPA: store forest name for forest member domainsSumit Bose8-16/+158
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
2013-09-26IPA: Ignore dns_discovery_domain in server modeJakub Hrozek1-0/+36
https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
2013-09-26ad: store group in correct tree on initgroups via tokenGroupsPavel Březina1-11/+41
If tokenGroups contains group from different domain than user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under group's domain tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26sysdb: sysdb_update_members can take either name or dnPavel Březina4-25/+65
We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26sysdb: get_sysdb_grouplist() can return either names or dnPavel Březina2-16/+55
We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26util: add get_domains_head()Pavel Březina2-0/+15
This function will return head of the domain list. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26KRB5: Fix bad comparisonJakub Hrozek1-1/+1
2013-09-25util: Allways fall back to old find_uid methodSimo Sorce1-4/+4
systemd-login still fails with su/sudo login shells, so always fall back for now. Resolves: https://fedorahosted.org/sssd/ticket/2094
2013-09-25krb5: Be more lenient on failures for old ccacheSimo Sorce2-2/+2
Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary. Related: https://fedorahosted.org/sssd/ticket/2053
2013-09-25NSS: Failure to store entry negative cache should not be fatalJakub Hrozek1-18/+31
The only effect the failure to store a result to negative cache might have would be a slower lookup next time.
2013-09-25NSS: Set UID and GID to negative cache after searching all domainsJakub Hrozek1-66/+105
https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.
2013-09-24Include header file in implementation module.Lukas Slebodnik22-0/+22
Declarations of public functions was in header files, but header files was not included in implementation file.
2013-09-24Include right header fileLukas Slebodnik1-1/+1
Public selinux functions are defined in file src/tools/selinux.c (selinux_file_context, reset_selinux_file_context, set_seuser, del_seuser), but wrong header file was included "util/util.h" All declarations are in header file "tools/tools_util.h". This patch include right header file.
2013-09-24man: server side password policies always takes precedencePavel Březina1-0/+5
https://fedorahosted.org/sssd/ticket/2091
2013-09-24Convert IN_MULTICAST parameter to host orderJakub Hrozek3-3/+3
https://fedorahosted.org/sssd/ticket/2087 IN_MULTICAST accepts address in the host order, but network order was supplied.
2013-09-23mmap_cache: Use two chains for hash collision.Lukas Slebodnik6-34/+83
struct sss_mc_rec had two hash members (hash1 and hash2) but only one next member. This was a big problem in case of higher probability of hash collision. structure sss_mc_rec will have two next members (next1, next2) with this patch. next1 is related to hash1 and next2 is related to hash1. Iterating over chains is changed, because we need to choose right next pointer. Right next pointer will be chosen after comparing record hashes. This behaviour is wrapped in function sss_mc_next_slot_with_hash. Adding new record to chain is also changed. The situation is very similar to iterating. We need to choose right next pointer (next1 or next2). Right next pointer will be chosen after comparing record hashes. Adding reference to next slot is wrapped in function sss_mc_chain_slot_to_record_with_hash Size of structure sss_mc_rec was increased from 32 bytes to 40 bytes. Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-09-23Revert "mmap_cache: Skip records which doesn't have same hash"Lukas Slebodnik1-34/+2
This reverts commit 4662725ffef62b3b2502481438effa7c8fef9f80.
2013-09-23krb5: do not expand enterprise principals is offlineSumit Bose1-1/+1
Expanding a principle to an enterprise principal only makes sense if there is a KDC available which can process it. If we are offline the plain principal should be used, e.g. to create an expired ccache. Fixes https://fedorahosted.org/sssd/ticket/2060
2013-09-23krb5: save canonical upn to sysdbSumit Bose5-20/+58
If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server. To avoid this this patch add a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available. Fixes https://fedorahosted.org/sssd/ticket/2060
2013-09-22Check return values of setenv and unsetenvJakub Hrozek2-2/+10
2013-09-20RESPONDER: Use right function prototypeLukas Slebodnik2-1/+2
Protype of function sss_ncache_check_netgr was different than definition of function sss_ncache_check_netgr. We did not catch it, because header file "responder/common/negcache.h" was not included in implementation file "responder/common/negcache.c"
2013-09-20LDAP: Use primary cn to search netgroupLukas Slebodnik3-7/+22
Resolves: https://fedorahosted.org/sssd/ticket/2075
2013-09-20AD: Failure to get flat name is not fatalJakub Hrozek3-68/+86
https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
2013-09-20sdap_domain_add: remove too strict consistency checkSumit Bose1-10/+0
The check worked for simple setups but fails e.g. in environment with trusts.
2013-09-20man: improve sssd-sudo manual pagePavel Březina1-2/+22
Resolves: https://fedorahosted.org/sssd/ticket/2085
2013-09-20LDAP: Deprecate ldap_{user,group}_search_filterJakub Hrozek2-44/+12
2013-09-20MAN: Fix provider man page subtitleJakub Hrozek5-5/+5
2013-09-18AD: Download master domain info when enumeratingJakub Hrozek5-7/+211
https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
2013-09-18LDAP: sdap_id_setup_tasks accepts a custom enum requestJakub Hrozek4-18/+29
AD provider will override the default with its own.
2013-09-18AD: async request to retrieve master domain infoJakub Hrozek5-214/+417
Adds a reusable async request to download the master domain info.
2013-09-18BE: Log domain name to journald if availableJakub Hrozek4-0/+16
If the SSSD is compiled with journald support, then all sss_log() statements will include a new field called "SSSD_DOMAIN" that includes the domain name. Filtering only messages from the single domain is then as easy as: # journalctl SSSD_DOMAIN=foo.example.com
2013-09-18Add journald supportJakub Hrozek5-0/+80
2013-09-17KRB5: Call umask before mkstemp in the krb5 child codeJakub Hrozek1-0/+3
2013-09-17Do not set HAVE_SYSTEMD_LOGIN if libsystemd-login is not availableSumit Bose1-1/+1
Even if HAVE_SYSTEMD_LOGIN is set to 0 #ifdef will still see it as defined.
2013-09-17nss: Wrong debug message.Michal Zidek1-1/+2
2013-09-17simple provider: obey case sensitivity for subdomain users and groupsPavel Březina1-7/+43
When comparing username and his groups to access list, we will obey case sensitivity of object from access list. Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17simple access test: initialize be_ctx for all testsPavel Březina1-15/+16
Recent simple access provider patches started using be_ctx during access check. This caused segfault in unit tests, since be_ctx wasn't initialized. Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17simple provider: support subdomain groupsPavel Březina1-23/+64
Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17util: add find_subdomain_by_object_name()Pavel Březina2-0/+39
This function will parse object name into name and domain name part and return appropriate sss domain. Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17util: add find_subdomain_by_sid()Pavel Březina2-0/+35
This function takes domain SID (doesn't have the last component) or object SID (have all components) and returns subdomain. The subdomain is found by comparing domain->domainid with the SID. E.g. domain SID: S-1-5-21-3940105347-3434501867-2690409756 object SID: S-1-5-21-3940105347-3434501867-2690409756-513 Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17simple provider: support subdomain usersPavel Březina1-5/+10
Resolves: https://fedorahosted.org/sssd/ticket/2034
2013-09-17simple access tests: fix typosPavel Březina1-5/+5
2013-09-17util: add sss_idmap_talloc[_free]Pavel Březina8-62/+76
Remove code duplication.