summaryrefslogtreecommitdiff
path: root/src/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2012-10-26krb5_auth: check if principal belongs to a different realmSumit Bose4-0/+43
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
2012-10-26check_ccache_files: search sub-domains as wellSumit Bose1-4/+14
If sssd is configured to renew Kerberos tickets automatically ticket of sub-domain uses should be renewed as well.
2012-10-26krb5_auth_send: check for sub-domainsSumit Bose3-5/+37
If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
2012-10-12Only call krb5_set_trace_callback on platforms that support itJakub Hrozek1-1/+1
2012-10-12Collect krb5 trace on high debug levelsJakub Hrozek2-2/+25
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-12Two fixes to child processesJakub Hrozek1-2/+0
There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
2012-10-10Add more info about ticket validationOndrej Kos1-0/+8
https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.
2012-10-04Log possibly non-randomizable ccache file templateOndrej Kos4-6/+26
fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
2012-09-24KRB5: Recover gracefully if the ccache file could not be reusedJakub Hrozek1-4/+6
https://fedorahosted.org/sssd/ticket/1384
2012-09-20KRB5 child: handle more error codes gracefullyJakub Hrozek1-31/+26
This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
2012-09-20KRB5 child: Don't return System Error on empty passwordJakub Hrozek1-0/+4
https://fedorahosted.org/sssd/ticket/1310
2012-09-17Failover: use _srv_ when no primary server is definedPavel Březina1-12/+3
https://fedorahosted.org/sssd/ticket/1521
2012-09-13FO: Check server validity before setting statusJakub Hrozek1-5/+9
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-09-10KRB5: Add a missing string argumentJakub Hrozek1-1/+2
2012-09-10KRB5: Return PAM_AUTH_ERR on incorrect passwordJakub Hrozek1-19/+32
https://fedorahosted.org/sssd/ticket/1515
2012-09-10KRB5: cancel the sysdb transaction on one place onlyJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1516 If sysdb_set_user_attr failed, we would cancel the transaction, then go to the error handler and attempt to close it again.
2012-08-24Use new debug levels in validate_tgt()Sumit Bose1-13/+16
2012-08-24Fix fallback in validate_tgt()Sumit Bose1-8/+20
To validate a TGT a keytab entry from the client realm is preferred but if none ca be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach then suggested in the ticket is used.
2012-08-23Fix: IPv6 address with square brackets doesn't work.Michal Zidek1-1/+14
https://fedorahosted.org/sssd/ticket/1365
2012-08-23Unify usage of sysdb transactionsMichal Zidek1-2/+14
Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
2012-08-15KRB5: Only return PAM error for unreachable kpasswd when performing chpassJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1452
2012-08-15Duplicate detection in fail over did not work.Michal Zidek1-1/+6
https://fedorahosted.org/sssd/ticket/1472
2012-08-09SRV resolution for backup servers should not be permitted.Michal Zidek1-2/+9
https://fedorahosted.org/sssd/ticket/1463
2012-08-08Allocate on top of a talloc context, not NULLJakub Hrozek1-0/+3
2012-08-01Primary server support: new options in krb5 providerJan Zeleny3-4/+17
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: krb5 adaptationJan Zeleny3-49/+94
This patch adds support for the primary server functionality into krb5 provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: basic support in failover codeJan Zeleny1-1/+1
Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
2012-07-18Fix uninitialized valuesNick Guay2-2/+2
https://fedorahosted.org/sssd/ticket/1379
2012-07-10Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek1-3/+3
2012-07-10Print based on pointer contents not addressJakub Hrozek1-1/+3
2012-07-09Fix uninitialized memcpy errorStephen Gallagher1-0/+2
Coverity #12784
2012-07-09heimdal: use sss_krb5_princ_realm to access realmRambaldi1-4/+11
2012-07-06Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter1-21/+0
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-07-06AD: Add AD auth and chpass providersStephen Gallagher1-0/+4
These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
2012-07-06KRB5: Create a common init routine for krb5_child optionsStephen Gallagher3-53/+129
This will reduce code duplication between the krb5, ipa and ad providers
2012-07-06KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher2-13/+15
This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
2012-07-06KRB5: Some logging enhancements for krb5_childStephen Gallagher1-6/+13
2012-06-29KRB5: Initialize the credential cache type properlyStephen Gallagher1-0/+11
We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
2012-06-20Move some debug lines to new debug log levelsStef Walter2-4/+4
* These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113
2012-06-15KRB5: Avoid shadowing dirnameStephen Gallagher1-20/+21
The variable 'dirname' is a publicly declared variable in libgen.h on older systems such as RHEL 5
2012-06-15KRB5: Auto-detect DIR cache support in configureStephen Gallagher4-5/+33
We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-15KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_dataStephen Gallagher1-17/+30
2012-06-14Make krb5_ccname_template and krb5_ccachedir configurableJakub Hrozek1-2/+2
2012-06-14Use Kerberos context in KRB5_DEBUGJakub Hrozek2-55/+61
Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14Add support for storing credential caches in the DIR: back endJakub Hrozek5-70/+510
https://fedorahosted.org/sssd/ticket/974
2012-06-14Add a credential cache back end structureJakub Hrozek7-148/+382
To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
2012-06-14Handle trailing slash in the ccname templateJakub Hrozek1-8/+14
With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
2012-06-14Split parse_krb5_child_response so it can be reusedJakub Hrozek3-119/+170
krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
2012-06-14Allow redefining the KRB5_CHILD pathJakub Hrozek1-3/+7
The krb5-child-test will want to run the child from the current directory.
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek1-13/+65
https://fedorahosted.org/sssd/ticket/1225
generated by cgit (git 2.34.1) at 2024-07-13 10:08:56 +0000