| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface.
|
|
https://fedorahosted.org/sssd/ticket/1735
|
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
|
https://fedorahosted.org/sssd/ticket/1680
There were two errors:
1. kr->kpasswd_srv was never set
2. bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
|
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
|
|
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
|
|
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
|
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
|
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
|
|
|
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’:
src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’
shadows a global declaration
/usr/include/libgen.h:27: warning: shadowed declaration is here
|
|
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
The Active Directory KDC handles request case in-sensitive and it might
not always to possible to guess the UPN with the correct case. We check
if the returned principal has a different case then the one used in the
request and updates the principal if needed. This will help using calls
from the Kerberos client libraries later on which would otherwise fail
because the principal is handled case sensitive by those libraries.
|
|
|
|
With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.
Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.
|
|
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
|
|
|
|
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
|
The different_realm flag which was set by the responder is send to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider.
|
|
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
|
If sssd is configured to renew Kerberos tickets automatically ticket of
sub-domain uses should be renewed as well.
|
|
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache.
|
|
|
|
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539
|
|
There was an unused structure member in the krb5_child.
Declaration of __krb5_error_msg was shadowing the same variable from
sss_krb5.h which is not nice. Also we might actually use the error
context directly instead of passing it as parameter.
|
|
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage.
|
|
fixes https://fedorahosted.org/sssd/ticket/1533
ccache file template is now checked for appended XXXXXX for use with
mkstemp. When those characters are not present, warning is written to log.
|
|
https://fedorahosted.org/sssd/ticket/1384
|
|
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
|
|
https://fedorahosted.org/sssd/ticket/1310
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
https://fedorahosted.org/sssd/ticket/1515
|
|
https://fedorahosted.org/sssd/ticket/1516
If sysdb_set_user_attr failed, we would cancel the transaction, then go
to the error handler and attempt to close it again.
|
|
|
|
To validate a TGT a keytab entry from the client realm is preferred but
if none ca be found the last entry should be used. But the entry was
freed and zeroed before it could be used.
This should also fix the trusted domain use case mentioned in
https://fedorahosted.org/sssd/ticket/1396
although a different approach then suggested in the ticket is used.
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
https://fedorahosted.org/sssd/ticket/1452
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
|
