Age | Commit message | Author | Files | Lines
2012-10-26 | sss_parse_name_for_domains: always return the canonical domain name | Sumit Bose | 1 | -2/+7
Domains may have a flat or short name to save some keystrokes when typing fully qualified user names. Internally sssd will always use the canonical name to allow consistent processing.
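An added example, not code from the sssd tree, of the canonicalisation this commit describes: a qualified name may carry either the DNS domain name or its flat (short) name, in any case, and the parser maps whichever was typed to the canonical DNS name. The domain table, the two accepted name formats (`user@domain` and `DOMAIN\user`) and the function names are assumptions made for this example.

```python
# Added example (not sssd's code): canonicalise the domain part of a
# fully qualified user name so that later processing only ever sees the
# canonical DNS name, whether the user typed it or the flat name.
import re

# Constructed domain table: canonical DNS name -> flat name (None if the
# domain has no flat name).
DOMAINS = {
    "example.com": "EXAMPLE",
    "child.example.com": "CHILD",
    "ipa.test": None,
}

# Accepted qualified forms (assumed for this example): "user@domain"
# and "DOMAIN\user". Neither component may itself contain '@' or '\'.
_RE_AT = re.compile(r"^(?P<user>[^@\\]+)@(?P<dom>[^@\\]+)$")
_RE_BS = re.compile(r"^(?P<dom>[^@\\]+)\\(?P<user>[^@\\]+)$")


def canonical_domain(name):
    """Map a canonical or flat domain name, in any case, to the canonical
    DNS name. Returns None for a domain we do not know."""
    lname = name.lower()
    for canon, flat in DOMAINS.items():
        if lname == canon.lower() or (flat and lname == flat.lower()):
            return canon
    return None


def parse_name(fqname):
    """Return (user, canonical_domain). The domain is None for an
    unqualified name. A qualified name with an unknown domain, or a
    malformed one, raises ValueError rather than being passed on."""
    m = _RE_AT.match(fqname) or _RE_BS.match(fqname)
    if not m:
        if "@" in fqname or "\\" in fqname:
            raise ValueError("malformed qualified name: %r" % fqname)
        return fqname, None
    dom = canonical_domain(m.group("dom"))
    if dom is None:
        raise ValueError("unknown domain in %r" % fqname)
    return m.group("user"), dom
```

Whatever the caller typed, `parse_name("alice@EXAMPLE")` and `parse_name("alice@Example.com")` both come back as `("alice", "example.com")`, so cache lookups and provider requests never see the flat spelling.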
2012-10-26 | krb5_auth: update with correct UPN if needed | Sumit Bose | 3 | -0/+133
The Active Directory KDC handles requests case-insensitively and it might not always be possible to guess the UPN with the correct case. We check if the returned principal has a different case than the one used in the request and update the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case-sensitively by those libraries.
2012-10-26 | Use find_or_guess_upn() where needed | Sumit Bose | 6 | -36/+52
2012-10-26 | Add new call find_or_guess_upn() | Sumit Bose | 4 | -8/+54
With the current approach the upn was either a pointer to a const string in an ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.
2012-10-26 | krb5_child: send back the client principal | Sumit Bose | 4 | -5/+42
In general Kerberos is case sensitive but the KDC of Active Directory typically handles requests case-insensitively. In the case where we guess a user principal by combining the user name and the realm and are not sure about the case of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right case. To be able to update the cached user principal name the krb5_child will return the principal for further processing.
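The two commits above ("krb5_auth: update with correct UPN if needed" and "krb5_child: send back the client principal") describe the same reconciliation step: the client principal in the credentials the AD KDC returned is the authoritative spelling, so it replaces the guessed one, but only if it is the same principal up to letter case. The following is an added example of that check, not code from sssd or from MIT Kerberos; the principal layout `name@REALM`, the function names and the sample principals are assumptions made for the example (escaped `\@` in principal names is not handled).

```python
# Added example (not sssd's code): reconcile a guessed user principal
# with the client principal the KDC actually issued credentials for.
# AD matched our AS-REQ case-insensitively, so the returned spelling is
# the one the case-sensitive client library must be given later.

def split_principal(princ):
    """Split 'name@REALM' into (name, realm). The realm is everything
    after the last '@', so a UPN-style name part may contain '@'."""
    name, sep, realm = princ.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a name@REALM principal: %r" % princ)
    return name, realm


def guess_upn(username, realm):
    """Build the principal sent in the request from the raw user name as
    typed; the case of the name part is only a guess at this point."""
    return "%s@%s" % (username, realm.upper())


def reconcile_upn(requested, returned):
    """Decide which principal to store after the KDC answered with
    `returned` for a request made with `requested`.

    Returns (principal_to_cache, changed). The returned principal is
    adopted when it differs from the request only by letter case; a KDC
    answering for a genuinely different identity is an error, not a
    spelling fix."""
    req_name, req_realm = split_principal(requested)
    ret_name, ret_realm = split_principal(returned)
    same_identity = (req_name.lower() == ret_name.lower()
                     and req_realm.lower() == ret_realm.lower())
    if not same_identity:
        raise ValueError("KDC returned %r for request %r"
                         % (returned, requested))
    return returned, requested != returned
```

With the guess `guess_upn("tuser", "ad.example.com")` and a KDC reply carrying `TUser@AD.EXAMPLE.COM`, `reconcile_upn` reports a change and hands back the KDC's spelling; an identical reply reports no change and leaves the cache alone.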
2012-10-26 | krb5_mod_ccname: replace wrong memory context | Sumit Bose | 1 | -1/+1
2012-10-26 | krb5_child: send PAC to PAC responder | Sumit Bose | 2 | -3/+143
If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is sent to the pac responder for evaluation.
2012-10-26 | krb5_auth: send different_realm flag to krb5_child | Sumit Bose | 2 | -1/+8
The different_realm flag which was set by the responder is sent to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
2012-10-26 | krb5_auth: check if principal belongs to a different realm | Sumit Bose | 5 | -0/+88
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
2012-10-26 | Add replacement for krb5_find_authdata() | Sumit Bose | 3 | -0/+20
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platforms with a lower version of MIT Kerberos a replacement call is added. Please note that on those platforms the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platforms it must be implemented by a different patch.
2012-10-26 | check_ccache_files: search sub-domains as well | Sumit Bose | 1 | -4/+14
If sssd is configured to renew Kerberos tickets automatically, tickets of sub-domain users should be renewed as well.
2012-10-26 | sysdb: add sysdb_base_dn() | Sumit Bose | 2 | -0/+5
Add a helper function which returns the ldb_dn object for the base dn of the cache.
2012-10-26 | krb5_auth_send: check for sub-domains | Sumit Bose | 4 | -11/+37
If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
2012-10-26 | pac responder: add user principal and name alias to cached user object | Sumit Bose | 3 | -4/+46
The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that it can e.g. be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.
2012-10-26 | pac responder: use only lower case user name | Sumit Bose | 2 | -5/+15
Since winbind can only return lower-cased user names the pac responder must do the same to avoid inconsistent behaviour.
2012-10-26 | sysdb: look for ranges in the parent tree | Sumit Bose | 1 | -1/+4
Make sure the right sub-tree in the cache is used to search for ranges. Sub-domain trees do not have range objects, only the tree of the parent domain does.
2012-10-26 | pac responder: fix copy-and-paste error | Sumit Bose | 1 | -7/+0
This error prevented proper id-mapping in the PAC responder.
2012-10-26 | subdomain-id: Generate homedir only for users not groups | Sumit Bose | 1 | -10/+12
2012-10-24 | KRB5: Return error when principal selection fails | Jakub Hrozek | 1 | -1/+4
The ldap_child would return a NULL ccache but the error code would still indicate success. https://fedorahosted.org/sssd/ticket/1594
2012-10-24 | sudo refresh: handle errors properly | Pavel Březina | 1 | -8/+25
We should test both ret and the (dp_error, errno) pair.
2012-10-24 | sudo: do not fail if usn value is zero but full refresh is completed | Pavel Březina | 2 | -7/+19
https://fedorahosted.org/sssd/ticket/1596 In case the LDAP server contains zero sudo rules, the full refresh completes successfully and stores the current USN value (= 0). But then the smart refresh will fail because it takes USN=0 as an invalid value.
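An added example, not sssd's code, of the refresh bookkeeping this commit describes. The old check, which rejects a stored USN of 0 as "no refresh has happened yet", is shown beside the corrected flow, which records that a full refresh completed separately from the USN value so an empty rule set on the server (highest USN 0) no longer breaks the following smart refresh. The rule representation, the state object and the function names are assumptions made for the example.

```python
# Added example (not sssd's code): a stored USN of 0 after a successful
# full refresh of an empty rule set is a valid state, not a marker for
# "never refreshed". Keep that fact in its own flag.

class RefreshState:
    """Bookkeeping shared by full and smart refreshes (constructed)."""
    def __init__(self):
        self.highest_usn = None   # highest USN stored by the last refresh
        self.full_done = False    # True once a full refresh has completed


def full_refresh(state, rules):
    """Replace the whole rule set. Stores the highest USN seen, which is
    0 when the server has no sudo rules at all."""
    state.highest_usn = max((r["usn"] for r in rules), default=0)
    state.full_done = True
    return state.highest_usn


def smart_refresh_old(state, rules):
    """The broken check: a stored USN of 0 is taken as 'invalid', so a
    completed full refresh of an empty rule set makes every later smart
    refresh fail."""
    if not state.highest_usn:
        raise ValueError("invalid USN, full refresh required")
    return _rules_newer_than(state, rules)


def smart_refresh(state, rules):
    """The corrected check: require a completed full refresh; whatever
    USN it stored, including 0, is the valid lower bound."""
    if not state.full_done:
        raise ValueError("full refresh required before smart refresh")
    return _rules_newer_than(state, rules)


def _rules_newer_than(state, rules):
    """Return rules with a USN above the stored one and advance the mark."""
    new = [r for r in rules if r["usn"] > state.highest_usn]
    if new:
        state.highest_usn = max(r["usn"] for r in new)
    return new
```

After `full_refresh(state, [])` the old check raises on every smart refresh, while the corrected one returns the empty list and then picks up rules as they appear with USNs above 0.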
2012-10-23 | Require ar in configure.ac | Jakub Hrozek | 1 | -0/+2
This seems to be a change in recent autotools. I was getting a lot of messages such as:
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'libipa_hbac.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
2012-10-23 | Fix two errors in the nss responder | Sumit Bose | 1 | -1/+3
One is a copy-and-paste error which was introduced by 1774ee9a61b9d691dadd1a0538f32bcdcc84f72f. The second fixes a missing explicit setting of the return value. In the case where we want fully qualified names ret contains the number of characters from the last snprintf() which is almost always not 0.
2012-10-18 | Allow setting the default_shell option per-domain as well | Jakub Hrozek | 7 | -3/+21
https://fedorahosted.org/sssd/ticket/1583
2012-10-18 | RPMS: Move sss_cache tool to main package | Stephen Gallagher | 1 | -3/+6
https://fedorahosted.org/sssd/ticket/1481
2012-10-16 | sss_debuglevel: Multiple arguments are treated as error. | Michal Zidek | 1 | -0/+6
https://fedorahosted.org/sssd/ticket/1327
2012-10-16 | Make TTL configurable for dynamic dns updates | James Hogarth | 6 | -2/+30
2012-10-15 | LDAP: Check validity of naming_context | Jakub Hrozek | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
2012-10-15 | Bump version to 1.10dev | Jakub Hrozek | 1 | -1/+1
2012-10-12 | Updating the version for the 1.9.3 release | Jakub Hrozek | 1 | -1/+1
2012-10-12 | Updating the translations for the 1.9.2 release | Jakub Hrozek | 35 | -2885/+5459
2012-10-12 | MAN: improve wording of default_domain parameter | Jakub Hrozek | 1 | -5/+5
2012-10-12 | Only call krb5_set_trace_callback on platforms that support it | Jakub Hrozek | 5 | -6/+21
2012-10-12 | Create ghost users when a user DN is encountered in IPA | Jakub Hrozek | 1 | -37/+276
IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319
2012-10-12 | SSH: When host keys are removed from LDAP, remove them from the cache as well | Jan Cholasta | 1 | -36/+34
https://fedorahosted.org/sssd/ticket/1574
2012-10-12 | Allow extdom exop to return flat domain name as well | Sumit Bose | 4 | -4/+37
There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well. Related to https://fedorahosted.org/sssd/ticket/1561
2012-10-12 | Check for subdomains if getpwuid or getgrgid are the first requests | Sumit Bose | 1 | -0/+72
Fixes https://fedorahosted.org/sssd/ticket/1561
2012-10-12 | Save time of last get_domains request | Sumit Bose | 1 | -0/+16
2012-10-12 | PAM: fix handling the client fd in pam destructor | Jakub Hrozek | 3 | -18/+18
* Protect the fd with a mutex when closing
* Set it to a safe value after closing
2012-10-12 | Collect krb5 trace on high debug levels | Jakub Hrozek | 6 | -3/+69
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-12 | Two fixes to child processes | Jakub Hrozek | 2 | -6/+5
There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
2012-10-12 | Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo | Jakub Hrozek | 4 | -17/+1
2012-10-12 | Couple of specfile fixes | Jakub Hrozek | 1 | -3/+7
2012-10-11 | PAM: close socket fd with pam_set_data | Jakub Hrozek | 3 | -0/+33
https://fedorahosted.org/sssd/ticket/1569
2012-10-11 | Fix memory hierarchy in subdomains discovery | Jakub Hrozek | 1 | -116/+160
https://fedorahosted.org/sssd/ticket/1571 The patch changes the subdomains discovery to use the tevent_req style. Previously, the code violated several rules which made the code very unreadable and led to memory hierarchy issues and use-after-free errors.
2012-10-11 | nss_cmd_retpwent(): do not go into infinite loop if n < 0 | Pavel Březina | 1 | -0/+8
https://fedorahosted.org/sssd/ticket/1551
2012-10-11 | do not call dp callbacks when responder is shutting down | Pavel Březina | 3 | -0/+25
https://fedorahosted.org/sssd/ticket/1514 We were experiencing crashes during responder shutdown. This happened when there were some unresolved dp requests during the shutdown. The memory hierarchy is main_ctx->specific_ctx->rctx, where specific_ctx may be one of the pam, nss, sudo, etc. contexts. If we try to call a dp request callback as a result of responder termination, the specific context is already semi-freed, which may cause a crash.
2012-10-11 | Fix language errors in the sssd-krb5.conf man page | E Deon Lackey | 1 | -70/+71
2012-10-11 | Fixed: translation bug | Thorsten Scherf | 1 | -1/+1
2012-10-10 | Add more info about ticket validation | Ondrej Kos | 2 | -1/+15
https://fedorahosted.org/sssd/ticket/1499 Adds a log message about not finding an appropriate entry in the keytab and using the last keytab entry when validation is enabled. Adds more information about validation to the manpage.