Age | Commit message | Author | Files | Lines
2013-10-17 | heimdal: Fix warning in krb5-child-test's printtime [heimdal-1] | Benjamin Franzke | 1 | -2/+2
This is when krb5_timestamp_to_sfstring is not available and thus the helper variables are not used. In future heimdal's krb5_format_time could be used on the heimdal side.
2013-10-17 | krb5_locator: Allow socktype to be 0 (any) | Benjamin Franzke | 1 | -1/+2
man 3 getaddrinfo: ai_socktype This field specifies the preferred socket type, for example SOCK_STREAM or SOCK_DGRAM. Specifying 0 in this field indicates that socket addresses of any type can be returned by getaddrinfo(). Heimdal makes use of this and passes socktype = 0. This makes the locator plugin usable with heimdal.
2013-10-17 | heimdal: Fix sss_krb5_get_init_creds_opt_set_canonicalize | Benjamin Franzke | 5 | -13/+35
Heimdal and MIT Kerberos have a different number of arguments for that function. Add a configure compile check and use the appropriate form.
2013-10-17 | heimdal: krb5_deltat may be int32_t or time_t | Benjamin Franzke | 1 | -1/+1
Cast to int to be usable in printf using %d. FIXME: Or rather to int64_t since time_t may be long int?
2013-10-17 | heimdal: Fix implication of krb5_data types [WIP] | Benjamin Franzke | 1 | -3/+6
2013-10-17 | heimdal: Add fallback for krb5_authdatatype | Benjamin Franzke | 2 | -1/+5
2013-10-17 | heimdal: Rename krb5_realm since that's a type in heimdal | Benjamin Franzke | 4 | -38/+38
Fixes -Wshadow warning.
find -name '*.c' -exec sed -i \
    -e 's/\([^"_]\)krb5_realm\([^"_]\)/\1krb5_realm_str\2/' \
    -e 's/\(Missing krb5_realm\)_str/\1/' \
    -e 's/\(No explicit krb5_realm\)_str/\1/' {} +
2013-10-17 | heimdal: Change password using krb5_set_password | Benjamin Franzke | 1 | -3/+3
krb5_change_password is deprecated by heimdal. Use set_password for heimdal, but for mit-krb5 as well.
2013-10-17 | heimdal: Add krb5_xfree to krb5_free_unparsed_name wrapper | Benjamin Franzke | 3 | -5/+7
krb5_free_unparsed_name is deprecated in heimdal. Also use the wrapper in places where it is not yet used.
2013-10-17 | heimdal: Add wrapper for krb5_get_time_offsets | Benjamin Franzke | 4 | -6/+28
Using krb5_get_kdc_sec_offset from heimdal.
2013-10-17 | heimdal: Add wrapper for krb5_unparse_name_ext | Benjamin Franzke | 4 | -1/+28
Use krb5_unparse_name in heimdal and calculate length using strlen.
2013-10-17 | heimdal: Add wrapper for krb5_free_string | Benjamin Franzke | 3 | -2/+15
Uses krb5_free_string for MIT and krb5_xfree for heimdal.
2013-10-17 | heimdal: Use sss_krb5_princ_realm where not yet | Benjamin Franzke | 1 | -7/+12
2013-10-17 | heimdal: Add a check whether profile.h exists | Benjamin Franzke | 2 | -3/+3
2013-10-17 | krb5: Add additional HAVE_PAC_RESPONDER checks | Benjamin Franzke | 1 | -0/+6
This is since krb5_authdata_free and krb5_authdata:contents may not be available if HAVE_PAC_RESPONDER is disabled.
2013-10-17 | [WIP] Makefile.am: remove unneeded flags [build-fixes-1] | Benjamin Franzke | 1 | -14/+2
2013-10-17 | [WIP] Add libsss_krb5_common to dlopen-tests | Benjamin Franzke | 2 | -2/+13
2013-10-17 | BUILD: Link libsss_krb5_common.so to libkeyutils.so | Benjamin Franzke | 1 | -3/+2
The symbol add_key is used by src/providers/krb5/krb5_delayed_online_authentication.c which is part of libsss_krb5_common.so
Fixes following error:
[sssd[be[default]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib64/sssd/libsss_ad.so), error: /usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key
-lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so, but when compiling with -Wl,--as-needed this flag will be ignored, since it is not used directly. So it was unavailable to libsss_krb5_common.so which actually needs it. This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to libsss_krb5_common.so
2013-10-17 | dlopen-tests: Check result of asprintf | Benjamin Franzke | 1 | -1/+2
According to asprintf(3) the content of errmsg is undefined on error, let's set it to NULL.
2013-10-15 | BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGS | Benjamin Franzke | 1 | -3/+3
LDAP_CFLAGS is never defined. OPENLDAP_CFLAGS is set by src/external/ldap.m4. This patch does: sed -i 's/$(LDAP_CFLAGS)/$(OPENLDAP_CFLAGS)/' Makefile.am
2013-10-15 | BUILD: Link libsss_ad.so to sasl libs | Benjamin Franzke | 2 | -1/+3
This is for the sasl_client_init symbol. Introduced in commit fb945a2c.
2013-10-15 | Spec file changes for cifs-utils plugin | Sumit Bose | 1 | -0/+25
2013-10-15 | Add CIFS idmap plugin | Benjamin Franzke | 6 | -0/+396
https://fedorahosted.org/sssd/ticket/1534
2013-10-11 | MAN: Fix refsect-id | Jakub Hrozek | 5 | -5/+5
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the refsect might help us if we ever generate other formats from XML and certainly wouldn't hurt.
2013-10-11 | INI: Disable line-wrapping functionality | Jakub Hrozek | 1 | -1/+1
Supporting the latest INI release brought an incompatible change. Lines beginning with a whitespace were treated as continuation of the previous line. This patch reverts to ignoring the whitespace as we did previously so that the existing configurations keep working.
2013-10-10 | LDAP: handle SID requests if noexist_delete is set | Sumit Bose | 1 | -0/+10
Fixes https://fedorahosted.org/sssd/ticket/2116
2013-10-10 | krb5: fix warning may be used uninitialized | Lukas Slebodnik | 1 | -0/+1
2013-10-07 | MAN: Reflow debug_levels.xml | Stephen Gallagher | 1 | -13/+20
Many lines in debug_levels.xml violated our line-length conventions. This patch provides no functional changes, it simply brings those lines into compliance.
2013-10-07 | MAN: Clarify debug level documentation | Stephen Gallagher | 1 | -6/+20
Originally, we planned to deprecate the decimal values for the debug levels, but that has proven to be too difficult for most users to understand. Instead, we will document both the simple decimal and complex bitmask values and recommend the use of the decimal values.
2013-10-07 | krb5: Fix unit tests | Jakub Hrozek | 2 | -85/+46
2013-10-07 | krb5: Remove ability to create public directories | Simo Sorce | 3 | -71/+37
Setting up public directories is the job of the admin, and current sssd syntax can't express the actual intention of the admin with regards to which parts of the path should be public or private. Resolves: https://fedorahosted.org/sssd/ticket/2071
2013-10-04 | AD: properly initialize GC from ad_server option | Sumit Bose | 1 | -1/+1
2013-10-04 | SYSDB: Fix incorrect DEBUG message | Stephen Gallagher | 1 | -1/+1
A bad comparison resulted in the sysdb_sudo_check_time() function always printing a debug message saying that the time matched. Resolves: Coverity Issue #12031
2013-10-01 | sudo: improve time restrictions debug messages | Pavel Březina | 2 | -0/+15
2013-10-01 | sudo: allow specifying only one time restriction | Pavel Březina | 1 | -47/+34
https://fedorahosted.org/sssd/ticket/2100
2013-09-27 | MAN: Document that POSIX attributes must be replicated to GC | Jakub Hrozek | 1 | -0/+5
Currently the AD provider relies on the presence of the POSIX attributes in the Global Catalog. This patch mentions the fact in the sssd-ad(5) manual page.
2013-09-27 | AD: talk to GC first even for local domain objects | Jakub Hrozek | 2 | -7/+18
Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matched in the GC, there is a possibility to fall back to LDAP.
2013-09-27 | LDAP: Allow searching subdomain during RFC2307bis initgroups | Jakub Hrozek | 1 | -9/+11
Related: https://fedorahosted.org/sssd/ticket/2070 Until now, the POSIX-compliant initgroups would only be able to search the parent domain. Since we want to allow using POSIX attributes from AD subdomains as well, we should allow searching a custom sdap_domain.
2013-09-27 | LDAP: Require ID numbers when ID mapping is off | Jakub Hrozek | 2 | -7/+77
Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemingly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
2013-09-27 | KRB5: Use the correct domain when authenticating with cached password | Jakub Hrozek | 1 | -4/+4
2013-09-27 | KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved | Jakub Hrozek | 1 | -0/+1
2013-09-27 | Do not return DP_ERR_FATAL in case of success | Sumit Bose | 1 | -1/+5
2013-09-27 | ipa_server_mode: write capaths to krb5 include file | Sumit Bose | 4 | -4/+56
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
2013-09-27 | IPA: store forest name for forest member domains | Sumit Bose | 8 | -16/+158
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
2013-09-26 | IPA: Ignore dns_discovery_domain in server mode | Jakub Hrozek | 1 | -0/+36
https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
2013-09-26 | ad: store group in correct tree on initgroups via tokenGroups | Pavel Březina | 1 | -11/+41
If tokenGroups contains group from different domain than user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under group's domain tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26 | sysdb: sysdb_update_members can take either name or dn | Pavel Březina | 4 | -25/+65
We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26 | sysdb: get_sysdb_grouplist() can return either names or dn | Pavel Březina | 2 | -16/+55
We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26 | util: add get_domains_head() | Pavel Březina | 2 | -0/+15
This function will return head of the domain list. Resolves: https://fedorahosted.org/sssd/ticket/2066
2013-09-26 | KRB5: Fix bad comparison | Jakub Hrozek | 1 | -1/+1