summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-01-08PAC responder: check if existing user differsSumit Bose3-13/+64
If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
2013-01-08Add tests for get_gids_from_pac()Sumit Bose2-0/+257
2013-01-08Use hash table to collect GIDs from PAC to avoid dupsSumit Bose1-18/+86
To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
2013-01-08Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXISTSumit Bose1-0/+1
Currently only the LDB error code indicating that an entry already exists is translated to EEXIST. To make debugging easier and return a better indication of the reason for an error in the logs this patch translates the LDB error code for an already existing attribute or value to EEXIST as well.
2013-01-08Read remote groups from PACSumit Bose1-3/+52
Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
2013-01-08Remote groups do not have an original DN attributeSumit Bose1-40/+34
Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
2013-01-08Save domain and GID for groups from the configured domainSumit Bose3-17/+47
Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
2013-01-08Always get user data from PACSumit Bose1-7/+7
Currently some user specific data from the PAC is only read when the user is not already in the cache. Since some of this information is needed later on, e.g. the domain SID the user belongs to, with this patch the data is read always from the PAC.
2013-01-08Update domain ID for local domain as wellSumit Bose1-2/+14
Currently only the flat name of the configured domain is updated if it is not already set. This patch updates the domain ID as well. This is typically the case when trust support is enabled on the server side while sssd is running.
2013-01-08IDMAP: add sss_idmap_smb_sid_to_unix()Sumit Bose2-0/+39
To avoid a conversion on the caller side a new call is added to libsss_idmap which converts a Samba dom_sid structure to a Posix ID.
2013-01-08Add find_domain_by_id()Sumit Bose3-0/+91
Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
2013-01-08Use struct pac_grp instead of gid_t for groups from PACSumit Bose4-26/+36
To be able to handle groupmemberships from other domains more data than just the gid must be kept for groups given in the PAC.
2013-01-08Potential resource leak in sss_nss_mc_get_recordJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1748
2013-01-07sudo smart refresh: fix debug messagePavel Březina1-1/+1
2013-01-07sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina1-5/+12
https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
2013-01-07memcache: make MC_PTR_TO_SLOT() more readablePavel Březina1-2/+1
2013-01-07explicit null dereferenced in sss_nss_mc_get_record()Pavel Březina1-0/+5
https://fedorahosted.org/sssd/ticket/1724
2013-01-07memcache: add macro that validates record lengthPavel Březina2-2/+7
2013-01-07sss_userdel and sss_groupdel with use_fully_qualified_namesMichal Zidek1-15/+50
If use_fully_qualified_names is used, we need to pass fqdn to sss_mmap_cache_*_invalidate.
2013-01-07SYSDB: split sysdb_add_userOndrej Kos1-125/+176
The function itself was very long (more than 300 lines) and hard to read, this patch splits it to three logical blocks.
2013-01-07SYSDB: Modify ghosts in permissive modeOndrej Kos1-1/+33
https://fedorahosted.org/sssd/ticket/1714 The attempt to delete all ghosts for users name and aliases was failing, resulting into failure of whole user-add operation. In permissive mode, the attempts to delete non-existent entries are not interpreted as error.
2013-01-07Search for SHORTNAME$@REALM instead of fqdn$@REALM by defaultJakub Hrozek1-3/+35
The search was intended for the AD provider mostly, but keytabs coming from AD via samba don't contain fqdn$@REALM but rather uppercased SHORTNAME$@REALM https://fedorahosted.org/sssd/ticket/1740
2013-01-07Fix tevent_req style for sdap_async_sudo.Simo Sorce1-22/+22
Use correct name for _done() function from the caller. Remove unneded initializzations to NULL for a lot of variables hat are going to be assigned as the first thing done in the functions.
2013-01-07Remove redundant definition.Simo Sorce2-2/+1
We had 2 defines for the same class. Consolidate and remove confusion.
2013-01-06Remove unused headerSimo Sorce1-1/+0
2013-01-04sss_cache: fqdn not acceptedMichal Zidek1-14/+149
sss_cache did not accept fully quaified domain names. https://fedorahosted.org/sssd/ticket/1620
2013-01-04LDAP: initialize refresh function handlerOndrej Kos1-1/+1
2013-01-02let krb5_backup_kpasswd failover workPavel Březina1-2/+2
https://fedorahosted.org/sssd/ticket/1735
2013-01-02failover: Protect against empty host namesMichal Zidek11-102/+174
Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484
2013-01-02set ret to EOK after for loop in sdap_sudo_purge_sudoersPavel Březina1-0/+2
If we are unable to delete some rule from cache we print a debug message and ignore the error. Thus we should set ret to EOK after the for loop otherwise we return whether the last rule was deleted successfully or not. This also removes compilation warning that ret may be used uninitialized (when we don't go inside the loop at all).
2012-12-20mmap cache: invalidate cache on fatal errorSimo Sorce3-10/+30
If a fatal EFAULT error is returned by the internal function that frees used memory invalidate the whole cache and reinit it. This way we avoid further corruption and insure clients see consistent data. Also insure we use the right context in init() and we use talloc_zfree() in reinit so that if the init() later fails we do not leave around a pointer to free memory in the callers.
2012-12-20Carefully check records when forcibly invalidatingSimo Sorce2-20/+105
We should never try to invalidate an already invalid record as internal pointers will not be consistent. Carefully test that the record really is valid when we are fishing for free space, and properly invalidate records or return a fatal error if something goes wrong. In order to make the code more robust always invalidate the whole data space on initialization by setting all bits to 1, and make sure to invalidate the whole last allocated slot by converting rec->len to the number of slots instead of just the space used.
2012-12-20Update free table when records are invalidated.Simo Sorce1-14/+23
We were holding up slots when entries were invalidated directly an not through our primitive garbage collection scheme.
2012-12-20nss_mc: Add extra checks when dereferencing recordsSimo Sorce1-0/+12
Although it should enver happen that we pass in an invalid hash it is always better to just not do anything than access memory ouf of the hash table. It can lead to segfaults, or worse referencing memory that should not be touched.
2012-12-20krb5 tgt renewal: fix usage of ldb_dn_get_component_val()Sumit Bose1-4/+4
For some reason I was under the impression that the DN components are counted backwards in libldb. This patch corrects this.
2012-12-20Free resources if fileno failedJakub Hrozek1-0/+2
2012-12-19Add default section to switch statementSumit Bose1-0/+3
switch statements should always have a default section. In this particular case gcc gave a "'send_fn' may be used uninitialized in this function" warning.
2012-12-19Fix a 'shadows a global declaration' warningSumit Bose1-2/+2
2012-12-19sssd_nss: Plug memory leaksSimo Sorce1-2/+11
A recent patch introduced a glaring memory leak in the routines that clean up memcache memory on initgroups calls.
2012-12-19memberof: Prevent unneded failure caseSimo Sorce1-2/+7
When deleting a user we would fail the operation completely if the member attribute was not found on one of the groups it was allegedly member of. Failing in this case is unnecessary, and can cause issues. Found trying to upgrade db versione (and failing) on one of my RHEL machines. Also removed a tray \ in the companion function that removes ghost members, that function needs no changes as it was already ignoring this kind of failure.
2012-12-19use talloc_zfree when freeing rhostent in resolverPavel Březina1-1/+1
We should use talloc_zfree() when freeing state variables, so we can later avoid undesirable access after free.
2012-12-18Add responder_sbus.h to noinst_HEADERSJakub Hrozek1-0/+1
2012-12-18select_principal_from_keytab() do wildcard lookups after specific onesSumit Bose1-3/+3
Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail.
2012-12-18select_principal_from_keytab() look for plain input as wellSumit Bose1-2/+6
Currently in select_principal_from_keytab() all kind of different versions of the host principal are looked up in the keytab except for the plain name the ldap_sasl_authid option. With this patch the plain name is looked up first.
2012-12-18responder_dp: Add timeout to side requetsSimo Sorce1-1/+25
This is an additional proteciont in case the provider misbheaves to avoid having requests pending forever. Fixes: https://fedorahosted.org/sssd/ticket/1717
2012-12-18AUTOFS: Clear enum cache if a request comes in from the sss_cacheJakub Hrozek3-0/+31
In order for sss_cache to work correctly, we must also signal the autofs responder to invalidate the hash table requests.
2012-12-18RESPONDERS: Create a common file with service names and versionsJakub Hrozek11-17/+50
The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
2012-12-18AUTOFS: remove all maps from hash if request for auto.master comes inJakub Hrozek2-3/+59
https://fedorahosted.org/sssd/ticket/1592 When a request for auto.master comes in, we need to remove all the maps from the lookup hash table. We can't simply delete the maps, because another request might be processing them, so instead the maps are removed from the hash table, effectively becoming orphaned. The maps will get freed when the timed destructor is invoked.
2012-12-18AUTOFS: allow removing entries from hash tableJakub Hrozek3-1/+32
There is a timed desctructor in the autofs responder that, when the entry timeout passes, removes the autofs map from the hash table while the map is freed. This patch adds a hash delete callback so that if the map is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
2012-12-18DP: invalidate all cached maps if a request for auto.master comes inJakub Hrozek3-0/+16
If the Data Provider receives a request for the auto.master map, it passes on a flag to let the actual provider let know he should invalidate the existing maps