Age | Commit message (Collapse) | Author | Files | Lines |
|
We weren't guaranteeing that the cctype-specific callbacks were
initialized before using them.
This bug only presented itself for users who were logging in
without a ccacheFile attribute in the LDB (for example, first-time
logins).
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
krb5-child-test will be another consumer. It also makes the code more
readable by splitting a huge function.
|
|
https://fedorahosted.org/sssd/ticket/1316
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1214
|
|
https://fedorahosted.org/sssd/ticket/1131
|
|
|
|
|
|
|
|
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well.
|
|
The patch also updates code using modified functions. Tests have also
been adjusted.
|
|
|
|
|
|
Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
|
|
Previously, we only generated it when performing a password change,
but this didn't play nicely with kpasswd.
|
|
|
|
https://fedorahosted.org/sssd/ticket/745
|
|
|
|
- do not recreate the ccache file when renewing the TGT
- use user principal name as hash key instead of ccfile name
- let krb5_child return Kerberos error codes
|
|
|
|
|
|
|
|
I took the opportunity to move everything related to the handling of the
krb5_child into a separate file and cleaned the interfaces and related
structures a bit.
|
|
|
|
|
|
|
|
|
|
|
|
If the allocation on line 678 failed, the value of ret was undefined
in following comparison. ENOMEM is now assigned before the comparison.
Ticket: #578
|
|
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediatelly went offline.
|
|
Instead of having all-purpose SIGCHLD handlers that try to catch
every occurrence, we instead create a per-PID handler. This will
allow us to specify callbacks to occur when certain children exit.
|
|
To allow other providers to include Kerberos authentication the main
part is put into a tevent request.
|
|
|
|
|
|
|
|
|
|
|
|
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
|
|
As with krb5_ccname_template sequences like %u can be used in the
krb5_ccachedir parameter which are expanded at runtime. If the directory
does not exist, it will be created. Depending on the used sequences it
is created as a public or private directory.
|
|
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
|
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change arguments names so that they are not deceiving (ptr normlly identify a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings.
|
|
|
|
|
|
Also update BUILD.txt
|