summaryrefslogtreecommitdiff
path: root/src/providers/krb5/krb5_child.c
AgeCommit message (Collapse)AuthorFilesLines
2012-06-14Use Kerberos context in KRB5_DEBUGJakub Hrozek1-45/+40
Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14Add support for storing credential caches in the DIR: back endJakub Hrozek1-30/+198
https://fedorahosted.org/sssd/ticket/974
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek1-13/+65
https://fedorahosted.org/sssd/ticket/1225
2012-06-14Two small krb5_child fixesJakub Hrozek1-3/+10
* Allocation check was missing * a DEBUG statement overwrote errno
2012-05-31added DEBUG messages to krb5_child and ldap_childNick Guay1-3/+12
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter1-0/+21
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07Remove erroneous failure message in find_principal_in_keytabStef Walter1-1/+3
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter1-2/+6
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-04-20Convert read and write operations to sss_atomic_readJakub Hrozek1-30/+21
https://fedorahosted.org/sssd/ticket/1209
2012-04-05Clean up log messages about keytab_nameStephen Gallagher1-2/+4
There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2012-03-06krb5_child: set debugging soonerJakub Hrozek1-12/+18
2012-01-31KRB5: Add syslog messages for Kerberos failuresStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/1137
2011-12-22Add compatibility layer for Heimdal Kerberos implementationStephen Gallagher1-4/+6
2011-12-19Securely set umask when using mkstempStephen Gallagher1-0/+3
Coverity 12394, 12395, 12396, 12397 and 12398
2011-12-19Move child_common routines to utilStephen Gallagher1-1/+1
2011-11-02Add support to request canonicalization on krb AS requestsJan Zeleny1-0/+15
https://fedorahosted.org/sssd/ticket/957
2011-09-28Multiline macro cleanupJakub Hrozek1-1/+1
This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
2011-09-08DEBUG timestamps offer higher precisionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/956 Added: --debug-microseconds=0/1 Added: debug_microseconds to sssd.conf
2011-08-25New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0Pavel Březina1-1/+3
Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern: /* Set debug level to invalid value so we can deside if -d 0 was used. */ debug_level = SSSDBG_INVALID; pc = poptGetContext(argv[0], argc, argv, long_options, 0); while((opt = poptGetNextOpt(pc)) != -1) { ... } CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
2011-08-25New DEBUG facility - conversionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
2011-05-05Added some kerberos functions for building on RHEL5Jan Zeleny1-2/+2
2011-04-25Allow new option to specify principal for FASTJan Zeleny1-3/+42
https://fedorahosted.org/sssd/ticket/700
2011-04-25Extend and move function for finding principal in keytabJan Zeleny1-80/+2
The function now supports finding principal in keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports * wildcard at the beginning or at the end of primary principal part. The function for finding principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
2010-12-20Fixes for automatic ticket renewalSumit Bose1-2/+15
- do not recreate the ccache file when renewing the TGT - use user principal name as hash key instead of ccfile name - let krb5_child return Kerberos error codes
2010-12-08Fix build issue with older Kerberos librarySumit Bose1-2/+2
2010-12-07Add support for FAST in krb5 providerSumit Bose1-4/+309
2010-12-07Refactor krb5_child to make helpers more flexibleSumit Bose1-20/+36
2010-12-03krb5_child returns TGT lifetimeSumit Bose1-0/+29
2010-12-03Add krb5_lifetime optionSumit Bose1-1/+15
2010-12-03Add krb5_renewable_lifetime optionSumit Bose1-1/+17
2010-12-03Check authtok type for krb5 auth and chpassSumit Bose1-0/+12
2010-12-03Add a renew task to krb5_childSumit Bose1-0/+87
2010-12-03Send authtok_type to krb5_childSumit Bose1-0/+2
2010-11-04Add krb5_kuserok() access check to krb5_childSumit Bose1-17/+73
2010-11-04Make krb5_setup() publicSumit Bose1-3/+3
2010-09-23Use new MIT krb5 API for better password expiration warningsSumit Bose1-0/+51
2010-09-08Dead assignments cleanup in providers codeJan Zeleny1-1/+0
Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586
2010-06-16Standardize on correct spelling of "principal" for krb5Stephen Gallagher1-3/+3
https://fedorahosted.org/sssd/ticket/542
2010-06-14Remove krb5_changepw_principal optionJakub Hrozek1-12/+22
Fixes: #531
2010-06-09Add a missing initializerSumit Bose1-1/+1
2010-06-06Initialize pam_data in Kerberos child.Sumit Bose1-1/+1
2010-05-26Handle Krb5 password expiration warningSumit Bose1-55/+122
2010-03-25Allow arbitrary-length PAM messagesStephen Gallagher1-19/+6
The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
2010-03-12Add krb5_kpasswd optionSumit Bose1-0/+7
2010-03-03Improve safe alignment buffer handling macrosSimo Sorce1-15/+15
Make the counter optional so that alignment safe macros can be used also where there is no counter to update. Change arguments names so that they are not deceiving (ptr normlly identify a pointer) Turn the memcpy substitute into an inline function so that passing a pointer to rp and checking for it doesn't make the compiler spit lots of warnings.
2010-02-23Handle expired passwords like other PAM modulesSumit Bose1-1/+1
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
2010-02-19Remove unneeded items from struct pam_dataSumit Bose1-39/+32
2010-02-18Rename server/ directory to src/Stephen Gallagher1-0/+1030
Also update BUILD.txt