Age | Commit message | Author | Files | Lines |
|
Use the new authtok abstraction and interfaces throughout the code.
|
|
This set of functions enumerates the user's groups and invalidates them all
if the list does not match what we get from the caller.
|
|
This set of functions enumerates each user/group from all domains
and invalidates any mmap cache record that matches.
|
|
Avoids hardcoding magic numbers everywhere and self-documents why a
mask is being applied.
|
|
In general, Kerberos is case sensitive, but the KDC of Active Directory
typically handles requests case-insensitively. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
|
https://fedorahosted.org/sssd/ticket/1143
|
|
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again.
|
|
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
|
|
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
|
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1.
|
|
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
|
If we're sending a message to the backend, we already know which
domain the request is targeting. Carrying this information is not
useful and confuses the interface.
|
|
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to.
|
|
Also update BUILD.txt
|