Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
https://fedorahosted.org/sssd/ticket/1482
When we add fullname to user_attrs, then sysdb_add_basic_user()
will set fullname to gecos when it initially creates the user
object in the cache, but it will be overwritten in the same
transaction when sysdb_store_user() adds all the user_attrs.
|
|
https://fedorahosted.org/sssd/ticket/1584
|
|
|
|
When working with multiple domains and no
matching objects for deletion were found in the first
domain, the other domains were not searched at all.
Also the ERROR message informing about object not found
(the one printed for each domain) was changed to
DEBUG message.
|
|
Related to https://fedorahosted.org/sssd/ticket/1357
We realized that sysv and systemd does not use pid file existence
as a notification of finished initialization. Therefore, we create
the pid file in server_setup() again.
We are removing check_file() from monitor main(), it is handled
by server_setup() during pid file creation. This check was
previously included in e7dd2a5102ba6cfd28be6eccdd62768e9758d9f4.
|
|
https://fedorahosted.org/sssd/ticket/1357
Neither systemd or our init script use pid file as a notification
that sssd is finished initializing. They will continue starting up
next service right after the original (not daemonized) sssd process
is terminated.
If any of the responders fail to start, we will never terminate
the original process via signal and "service sssd start" will hang.
Thus we take this as an error and terminate the daemon with
a non-zero value. This will also terminate the original process
and init script or systemd will print failure.
|
|
|
|
|
|
We currently have only SSSDBG_FATAL_FAILURE macro that corresponds
to original debug level 0. But there are several level 0 messages
that are not actually failures but an important information. We
should use this new macro to represent them.
|
|
https://fedorahosted.org/sssd/ticket/1619
We don't close the fd when we write the selinux login file in the pam
responder. This results in a fd leak.
|
|
https://fedorahosted.org/sssd/ticket/1602
|
|
|
|
The ldb_val's length parameter should not include the terminating NULL.
This was causing funky behaviour as the users were saved as binary
attributes.
https://fedorahosted.org/sssd/ticket/1614
|
|
https://fedorahosted.org/sssd/ticket/1611
|
|
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
|
|
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
|
Domains may have a flat or short name to save some keystrokes when
typing fully qualified user names. Internally sssd will always use the
canonical name to allow consistent processing.
|
|
The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.
|
|
|
|
With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.
Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.
|
|
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
|
|
|
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
|
The different_realm flag which was set by the responder is send to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider.
|
|
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
|
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platform with lower version of MIT
Kerberos a replacement call is added. Please note that on those
platform the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platform it
must be implemented by a different patch.
|
|
If sssd is configured to renew Kerberos tickets automatically ticket of
sub-domain uses should be renewed as well.
|
|
Add a help function which returns the ldb_dn object for the base dn of
the cache.
|
|
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache.
|
|
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that if e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
|
|
Since winbind can only return lower-cased user name the pac responder
must do the same to avoid inconsistent behaviour.
|
|
Make sure the right sub-tree in the cache is used to search for ranges.
Sub-domain trees do not have range objects only the tree of the parent
domain.
|
|
This error prevent proper id-mapping in the PAC responder.
|
|
|
|
The ldap_child would return a NULL ccache but the error code would still
indicate success.
https://fedorahosted.org/sssd/ticket/1594
|
|
We should test both ret and (dp_error, errno) pair.
|
|
https://fedorahosted.org/sssd/ticket/1596
In case that LDAP server contains zero sudo rules, the full refresh
completes succussfully and stores current USN value (= 0). But then
smart refresh will fail because it takes USN=0 as invalid value.
|
|
This seems to be a change in recent autotools. I was getting a lot of
messages such as:
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'libipa_hbac.la':
linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR'
in 'configure.ac'
|
|
One is a copy-and-paste error which was introduce by
1774ee9a61b9d691dadd1a0538f32bcdcc84f72f.
The second fixes a missing explicit setting of the return value. In the
case where we want fully qualified names ret contains the number of
characters from the last snprintf() which is almost ever not 0.
|
|
https://fedorahosted.org/sssd/ticket/1583
|
|
https://fedorahosted.org/sssd/ticket/1481
|
|
https://fedorahosted.org/sssd/ticket/1327
|
|
|
|
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
|
|
|
|
|
|