Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
|
|
|
|
This patch adds debug message for the case if sssd
fails to open old mc file for some other reason than
the file does not exist.
|
|
File descriptors leaked every time sss_mmap_cache_reinit was
called and also the old memory cache was still maped in memory
(munmap was not called). This patch adds destructor for memory
cache context to call close() and munmap() automaticly.
https://fedorahosted.org/sssd/ticket/1826
|
|
https://fedorahosted.org/sssd/ticket/1825
|
|
C compiler did not complain, because "index" is function defined
in header file <string.h>
|
|
https://fedorahosted.org/sssd/ticket/1819
|
|
We need to mask the first part with 0xFFFF or there is a slight chance an
unrelated error code would match even if the upper part is not exactly
equal to ERR_BASE but just has all it's bits and some more.
Also make the macro more reasable by adding another helper macro for filtering
the base.
Finally compare err and ERR_LAST directly w/o masking err, or the comparison
will always return true.
|
|
This parameter was never used.
https://fedorahosted.org/sssd/ticket/1765
|
|
|
|
We used different debug levels for messages informing
about negative cache hits (old levels 2,3,4). Now it is
only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c
and proposed in the ticket bellow).
https://fedorahosted.org/sssd/ticket/1771
|
|
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
|
|
EIO has always been an odd match, but was used as an error to indicate
that something had gone wrong internally before we had specific SSSD
errors available. Use ERR_INTERNAL instead going forward.
|
|
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|
|
https://fedorahosted.org/sssd/ticket/1812
|
|
ret was defined as integer, instead of errno_t, and was uninitialized
|
|
|
|
|
|
|
|
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
|
|
https://fedorahosted.org/sssd/ticket/1739
Pointer to packet body may change while filling packet with autofs
mount points. As a consequence, we sometimes wrote the number of
entries into invalid body and we recieved an arbitrary number
on the client side.
If the number was 0, there were some skipped entries. If the number
was greater than 0, everything worked correctly, because we iterate
through the cached entries until we reach packet length - we don't
compare to the number.
|
|
|
|
There is a large amount of duplicated code being linked into multiple
SSSD binaries. Instead of statically linking this code throughout the
SSSD, we should instead create private shared libraries for them and
drop this code on the system only once.
|
|
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has becomed confused and
baroque enough that understanding it's very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.
Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching fucntions across the tree)
- Streamline setup function, by spliting out fast setup in a subroutine.
- Avoid confusing indirection in executng actual functions by not
using the krb5_req child_req member.
- Make main() flow s now simmetric, send abck data from the main function
instead of delegating a reply to every inner function that implements a
command.
Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back
|
|
Use the standard 'done' label for exceptions.
|
|
https://fedorahosted.org/sssd/ticket/1755
sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:
If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.
The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,
|
|
|
|
https://fedorahosted.org/sssd/ticket/1737
|
|
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
|
|
https://fedorahosted.org/sssd/ticket/1817
|
|
https://fedorahosted.org/sssd/ticket/1808
|
|
https://fedorahosted.org/sssd/ticket/1810
|
|
https://fedorahosted.org/sssd/ticket/1756
Messages from poptStrerror() passed to BAD_POPT_PARAMS macro were
printed out to the console without new line character at the end of the
message. BAD_POPT_PARAMS should now behave correctly with strings both
with or without new line character at the end.
|
|
https://fedorahosted.org/sssd/ticket/1795
Only alpha-numeric chars, dashes and underscores are allowed in
krb5 include directory.
|
|
|
|
Otherwise dom may be set to NULL and we will segfault when
dereferencing dom.
|
|
https://fedorahosted.org/sssd/ticket/1804
|
|
The default authtok type in the LDAP provider (unlike the new IPA and AD
providers) is "password". This oddity dates back to when password was
the only supported authtok type in the SSSD, so configuration specifying
only the password and bind DN was valid.
We need to check the authtok validity as well before attempting to use
it.
|
|
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
Remove code that tries to get the 'right' sysdb, as it is always going
to get the same answer anyway since the recent patches to rework the
domains/sysdb relationship.
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly.
|
|
Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.
|
|
|