Age | Commit message (Collapse) | Author | Files | Lines |
|
The way a user is checked for being active does not depend on the ccache
type so move that check out of the ccache specific functions.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Instead of having duplicate functions that are type custom use a signle common
function that also performs access to the cache as the user owner, implicitly
validating correctness of ownership.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This function safely destroy a ccache given a cache name and user crdentials.
It becomes the user so no possible races can compromise the system, then
uses libkrb5 functions to properly destroy a ccache, independently of the
cache type.
Finally restores the original credentials after closing the ccache handlers.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
In some cases we want to temporarily assume user credentials but allow the
process to regain back the original credentials (normally regaining uid 0).
Related:
https://fedorahosted.org/sssd/ticket/2061
|
|
Recently support was added to use also libkrb5 style expansions that
uses a %{varname} type of template.
There are a number of templates we do not care/can't expand in sssd.
The current code misses tests and failed to properly preserve some of
the templates we do not want to handle.
Addiotionally in order to be future proof this patch treats unknown
templates as pass-through templates and defer any error checking to
libkrb5, so that sssd is consistent with how kinit would behave.
Resolves:
https://fedorahosted.org/sssd/ticket/2076
|
|
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a
global declaration
/usr/include/stdio.h:754: warning: shadowed declaration is here
|
|
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
In preparation for handling some more allocations in the following patches and
fixes a curent memleak on the opts struct.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
https://fedorahosted.org/sssd/ticket/2036
|
|
By the time that the create_ccache_in_dir() routine is called, we are
already guaranteed to have dropped privileges. This has either happened
because we dropped them before the exec() in the normal operation case
or because we dropped them explicitly after we completed the TGT
validation step if that or FAST is configured.
|
|
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be
used uninitialized' compiler warnings.
|
|
The FILE cache only sets the return values of _active and _bool if the
entire function succeeds. The DIR cache was setting it even on failure.
This patch makes both consistent. This will benefit static analysis
tools which would be able to detect if the variable is ever used
uninitialized anywhere.
|
|
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
|
|
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
|
|
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
|
|
|
|
Instead of multiple calls of sss_authtok_get_type, perform the call just
once and store into variable.
|
|
https://fedorahosted.org/sssd/ticket/1814
Return authentication error when empty password is passed.
|
|
https://fedorahosted.org/sssd/ticket/1992
|
|
https://fedorahosted.org/sssd/ticket/1827
|
|
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
Dircache can be either file or directory. Wrong value was used
when dircache was itself directory.
https://fedorahosted.org/sssd/ticket/2002
|
|
The switch statement was dead code due to missing case/default.
|
|
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
|
|
|
|
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
|
|
If user decide to kinit as another user we do not want to switch back
to user ccache at another login. We will switch to new ccache if and only
if default principal name is the same as current principal name, or there is
not any default ccache.
https://fedorahosted.org/sssd/ticket/1936
|
|
Function krb5_cc_get_full_name is called only as a way to validate that,
we have the right cache. Instead of returned name, location will be returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
|
|
When renewing a ticket we already know the canonical principal hence it
is not needed to expand it to an enterprise principal but we can contact
the KDC of the corresponding realm directly.
|
|
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|
|
This reverts commit d153941864fe481399665be8fe583c9317194a99.
|
|
|
|
|
|
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT is
it better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
|
|
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
Instead of continuing to use the initial upn if enterprise principals
are used if should always be replaced. The enterprise principal
is stored in the credential cache and without knowing it the
ccache_for_princ() calls to determine the location of the credential
cache will fail.
Fixes https://fedorahosted.org/sssd/ticket/1921
|
|
If enterprise principals are enabled (which is the default in the AD
provider), then the returned UPN might be slightly different from
the one SSSD constructs before attempting the login. This patch makes
SSSD only check if the principal is the same when the enterprise
principals are disabled.
|