Age | Commit message (Collapse) | Author | Files | Lines |
|
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
|
|
|
|
|
|
|
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1500
|
|
https://fedorahosted.org/sssd/ticket/1460
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
|
|
|
|
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
|
|
|
|
|
|
|
|
|
|
|
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
|
|
|
This patch adds support for checking whether a user is expired or
disabled in AD.
|
|
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|
|
This will reduce code duplication between the krb5, ipa and ad
providers
|
|
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchrounous request as it will later try to
autodetect these settings (which will need to contact DNS).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This adds only the basic outline of the PAC responder, it won't support
any operations, it will just start and initialize itself.
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
https://fedorahosted.org/sssd/ticket/1127
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1008
|
|
We were polluting the primary Python space with several
dependencies. We will now install them their own directory/module.
|
|
|
|
To avoid conflicts with struct dom_sid used by samba the sss_ prefix is
added to the struct used by libsss_idmap.
|
|
libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line
/lib64/libdl.so.2: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
make[2]: *** [sssd_be] Error 1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
Active Directory 2008R2 allows only 1500 group members to be
retrieved in a single lookup. However, when we hit such a
situation, we can take advantage of the ASQ lookups, which are not
similarly limited.
With this patch, we will add any members found by ASQ that were
not found by the initial lookup so we will end with a complete
group listing.
https://fedorahosted.org/sssd/ticket/783
|
|
|
|
|
|
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176
|
|
Besides as strings it is now possible to use binary SIDs or a struct
containing all SID information. Functions to convert between these
formats are added as well.
|