Commit messages

https://fedorahosted.org/sssd/ticket/1959
When renewing a ticket we already know the canonical principal hence it
is not needed to expand it to an enterprise principal but we can contact
the KDC of the corresponding realm directly.
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make its purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
This reverts commit d153941864fe481399665be8fe583c9317194a99.
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of member
attribute to the cache. That caused the memberof plugin to process the
values which was really CPU intensive.
If the PAC responder recognizes some attribute changes between the
cached user entry and the PAC data it quite crudely just removes the
cached entry and recreates it. While in most cases all needed data can
be recovered from the PAC data there is a case where it is not possible.
E.g. the IPA HBAC code uses the OriginalDN attribute to improve
performance when evaluating access rules. This patch makes sure this
attribute is not lost when the PAC responder updates the object.
https://fedorahosted.org/sssd/ticket/1947
Otherwise we will do the SRV expansion once again:
1. leaving the old servers in server list
2. meta server is not inserted back in the list, the newly found
servers are inserted behind meta server, meta server is orphaned
and the new servers are forgotten
https://fedorahosted.org/sssd/ticket/1947
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to erroneously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES
https://fedorahosted.org/sssd/ticket/1947
Previously, these contained hard-coded paths. Now they are
populated correctly by the configure script.
https://fedorahosted.org/sssd/ticket/1986
Change the contents of BUILD.txt with URL to have one place
with documentation for easier management of the contents.
sysdb_search_object_by_sid() does not return ENOENT if no related object
was found in the cache but EOK and an empty result list.
Fixes https://fedorahosted.org/sssd/ticket/1989
talloc_realloc(..., 0) calls talloc_free() and returns NULL.
If we process a group that contains only users, we erroneously
return ENOMEM.
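The pitfall in the commit message above, as an added example that is not SSSD's code. It shows the same "an empty result is not ENOMEM" guard written against libc realloc instead of talloc_realloc: glibc's realloc(ptr, 0) likewise frees ptr and returns NULL, and the C standard leaves the result of a zero-size realloc to the implementation, so the right fix is to never ask the allocator for zero bytes when the filtered list is empty. The DN layout (groups under cn=groups, users under cn=users) and the function name are assumptions made for the illustration.

```c
/* Added example, not SSSD's code. Shrinks a filtered member list in place
 * without tripping over realloc(ptr, 0), which on glibc frees ptr and
 * returns NULL (the same behaviour the commit describes for
 * talloc_realloc(..., 0)). The DN layout below is an assumption. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define EOK 0

/* Assumed directory layout: group entries live under cn=groups,
 * user entries under cn=users. */
static int is_group_dn(const char *dn)
{
    return strstr(dn, ",cn=groups,") != NULL;
}

/*
 * Copy the group DNs out of a member list into a freshly allocated array.
 * On success *out holds the groups (NULL when there are none) and *n_out
 * their count; returns EOK, or ENOMEM only when an allocation really failed.
 * The caller frees *out.
 */
int collect_group_members(const char **members, size_t n,
                          const char ***out, size_t *n_out)
{
    const char **groups;
    const char **shrunk;
    size_t count = 0;

    *out = NULL;
    *n_out = 0;
    if (n == 0) {
        return EOK;
    }

    groups = malloc(n * sizeof(*groups));
    if (groups == NULL) {
        return ENOMEM;
    }

    for (size_t i = 0; i < n; i++) {
        if (is_group_dn(members[i])) {
            groups[count++] = members[i];
        }
    }

    /* The bug being avoided: realloc(groups, 0) would free groups and
     * return NULL, so a group containing only users was reported as
     * ENOMEM. Treat "no groups" as a successful empty result instead of
     * handing the allocator a size of zero. */
    if (count == 0) {
        free(groups);
        return EOK;
    }

    shrunk = realloc(groups, count * sizeof(*shrunk));
    if (shrunk == NULL) {
        /* A genuine allocation failure: groups is still valid here. */
        free(groups);
        return ENOMEM;
    }

    *out = shrunk;
    *n_out = count;
    return EOK;
}
```

The ENOMEM path is now reachable only when realloc actually fails, and a users-only group yields EOK with a NULL list and a count of zero, which is what the caller should test for rather than a NULL pointer alone.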
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT it
is better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
https://fedorahosted.org/sssd/ticket/1953
https://fedorahosted.org/sssd/ticket/1894
* Include localized pam_sss manpages in sssd-client
* Call ldconfig after libsss_nss_idmap is installed or removed
https://fedorahosted.org/sssd/ticket/1815
The options are stored in ad_options->auth_ctx->opts, this member was
completely unused and confusing.
https://fedorahosted.org/sssd/ticket/1873
A KRB preauthentication error was later mishandled like an authentication error.
https://fedorahosted.org/sssd/ticket/1886
sdom was only ever guaranteed to be set when a new domain was being
created. sditer is a valid pointer in both cases, so just use that.
It seems that some linkers have problems with the wrong order of libraries.
This commit only changes the order.
tx was complaining about the need to rename the URL:
$ tx pull -af --minimum-perc=1
Hostname https://www.transifex.net should be changed to https://www.transifex.com.
Change it now? [Y/n]y
Hostname changed
https://fedorahosted.org/sssd/ticket/1510
This patch splits the previously monolithic sssd package into sssd-common
that contains the daemon and the responders and per-provider packages
such as sssd-ldap or sssd-ipa.
This split would benefit two parties:
1) security auditors who are often trying to find the smallest package
set including dependencies needed for the package to function.
They would be able to i.e. install sssd-ldap and not bother
about sssd-ipa or sssd-ad pulling in more dependencies.
2) 3rd party programs such as realmd or authconfig
that would only be able to require or install on demand the
needed packages.
https://fedorahosted.org/sssd/ticket/1797
This patch adds the _hardened_build macro on platforms where it is
defined by the RPM. The macro amounts to compiling with cc
--spec=/usr/lib/rpm/redhat/redhat-hardened-cc1 and then linking with ld
--spec=/usr/lib/rpm/redhat/redhat-hardened-ld.
On Fedora 19, the gcc spec files contain -z now and fPIC or fPIE.
https://fedorahosted.org/sssd/ticket/1976
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
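The two configurations the commit message contrasts, as an added example that is not from the SSSD page or project: the default, where SSSD writes a kdcinfo file that the sssd_krb5_locator_plugin feeds to libkrb5, and the opt-out, where the realm has to be described by hand in krb5.conf. The domain, realm and KDC host names are assumptions made up for the illustration; the option names and the /var/lib/sss/pubconf/kdcinfo.REALM path are SSSD's own.

```ini
; Added example, not SSSD's own configuration. Names are made up.

; --- /etc/sssd/sssd.conf, default behaviour (krb5_use_kdcinfo = true) ---
; SSSD resolves a working KDC from krb5_server and writes it to
; /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM; the locator plugin hands that
; address to libkrb5, so krb5.conf needs no [realms] entry for this realm.
[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc1.example.com, kdc2.example.com
krb5_realm = EXAMPLE.COM
krb5_use_kdcinfo = true

; --- /etc/sssd/sssd.conf, opting out (krb5_use_kdcinfo = false) ---
; No kdcinfo file is written, so libkrb5 falls back to krb5.conf (or DNS SRV
; records, if dns_lookup_kdc is enabled there) to find the KDC.
[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc1.example.com, kdc2.example.com
krb5_realm = EXAMPLE.COM
krb5_use_kdcinfo = false

; --- /etc/krb5.conf, required once krb5_use_kdcinfo is false ---
[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
    admin_server = kdc1.example.com
  }
```

The practical difference for troubleshooting is that with the default setting the KDC libkrb5 actually uses is whatever is in the kdcinfo file at that moment, so that file, not krb5.conf, is the place to look when a ticket request goes to an unexpected server; with the option off, krb5.conf is authoritative and a missing [realms] stanza shows up as a "cannot find KDC for realm" failure.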
https://fedorahosted.org/sssd/ticket/1713
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
https://fedorahosted.org/sssd/ticket/1713
https://fedorahosted.org/sssd/ticket/1891
https://fedorahosted.org/sssd/ticket/1789
ldap_access_order must be set in order for non-default access control
options to work. This patch amends the sssd-ldap man page to document
this fact with all non-default ldap_access_order options.
https://fedorahosted.org/sssd/ticket/1972
Coverity IDs: 11870,11871
Do not call unlink with NULL pointer.