Age | Commit message (Collapse) | Author | Files | Lines |
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
|
|
|
|
Instead of multiple calls of sss_authtok_get_type, perform the call just
once and store into variable.
|
|
https://fedorahosted.org/sssd/ticket/1814
Return authentication error when empty password is passed.
|
|
https://fedorahosted.org/sssd/ticket/1992
|
|
https://fedorahosted.org/sssd/ticket/1827
|
|
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
Dircache can be either file or directory. Wrong value was used
when dircache was itself directory.
https://fedorahosted.org/sssd/ticket/2002
|
|
The switch statement was dead code due to missing case/default.
|
|
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
|
|
|
|
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
|
|
If user decide to kinit as another user we do not want to switch back
to user ccache at another login. We will switch to new ccache if and only
if default principal name is the same as current principal name, or there is
not any default ccache.
https://fedorahosted.org/sssd/ticket/1936
|
|
Function krb5_cc_get_full_name is called only as a way to validate that,
we have the right cache. Instead of returned name, location will be returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
|
|
When renewing a ticket we already know the canonical principal hence it
is not needed to expand it to an enterprise principal but we can contact
the KDC of the corresponding realm directly.
|
|
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|
|
This reverts commit d153941864fe481399665be8fe583c9317194a99.
|
|
|
|
|
|
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT is
it better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
|
|
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
Instead of continuing to use the initial upn if enterprise principals
are used if should always be replaced. The enterprise principal
is stored in the credential cache and without knowing it the
ccache_for_princ() calls to determine the location of the credential
cache will fail.
Fixes https://fedorahosted.org/sssd/ticket/1921
|
|
If enterprise principals are enabled (which is the default in the AD
provider), then the returned UPN might be slightly different from
the one SSSD constructs before attempting the login. This patch makes
SSSD only check if the principal is the same when the enterprise
principals are disabled.
|
|
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
|
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir
exists. If it doesn't exist, than it will be created with process permissions
and not user permissions.
Function cc_residual_is_used has already checked for non existing
directory, but it wasn't considered to be a failure and therefore next call
of krb5_init_context will create directory with wrong permissions.
Now if directory doesn't exist, it will be handled like there was not ccache
attribute in sysdb cache. We also check if "primary" file in ccache directory
has right permissions. But we ignore missing "primary" file.
https://fedorahosted.org/sssd/ticket/1822
|
|
We never need to regain root after we call become_user() so tighten up even
further our privilege drop.
Add a setgroups() call to remove all secondary groups root may have been given
for whateve reason. Then use the setres[ug]id function to also drop the saved
uid/gid so the process cannot regain back root id.
Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a
Point of No Return, once changed to non-root the process can't get back.
Remove redefinition of sys/types.h and unistd.h, they are already defined in
util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined
or the prototypes for setres[ug]id will not be found.
Add grp.h after util.h for the same reason.
|
|
https://fedorahosted.org/sssd/ticket/902
changed the data type the krb5_renew_interval to string.
function krb5_string_to_deltat is used to convert and allow delimiters
|
|
https://fedorahosted.org/sssd/ticket/1864
|
|
|
|
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830
|
|
Function create_pam_data() should be only one way how to create new
struct pam_data, because it also initialize destructor to created
object.
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
|
https://fedorahosted.org/sssd/ticket/1738
|
|
|
|
|
|
Function open_debug_file_ex() set flag FD_CLOEXEC to opened
file according to the value of third parameter.
Removed duplicity of unsetting FD_CLOEXEC after calling function
open_debug_file_ex()
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
|
|
ret was defined as integer, instead of errno_t, and was uninitialized
|
|
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has becomed confused and
baroque enough that understanding it's very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.
Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching fucntions across the tree)
- Streamline setup function, by spliting out fast setup in a subroutine.
- Avoid confusing indirection in executng actual functions by not
using the krb5_req child_req member.
- Make main() flow s now simmetric, send abck data from the main function
instead of delegating a reply to every inner function that implements a
command.
Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back
|
|
Use the standard 'done' label for exceptions.
|