| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/691
|
|
|
|
I took the opportunity to move everything related to the handling of the
krb5_child into a separate file and cleaned the interfaces and related
structures a bit.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543
|
|
|
|
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
|
|
|
Dead assignments were deleted. Also prototype of function
sdap_access_decide_offline() has been changed, since its return
code was never used.
Ticket: #586
|
|
If the allocation on line 678 failed, the value of ret was undefined
in following comparison. ENOMEM is now assigned before the comparison.
Ticket: #578
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
https://fedorahosted.org/sssd/ticket/542
|
|
Fixes: #531
|
|
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
|
|
|
|
|
|
|
|
|
|
|
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
|
|
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediatelly went offline.
|
|
Instead of having all-purpose SIGCHLD handlers that try to catch
every occurrence, we instead create a per-PID handler. This will
allow us to specify callbacks to occur when certain children exit.
|
|
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not.
|
|
To allow other providers to include Kerberos authentication the main
part is put into a tevent request.
|
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
|
|
|
|
As with krb5_ccname_template sequences like %u can be used in the
krb5_ccachedir parameter which are expanded at runtime. If the directory
does not exist, it will be created. Depending on the used sequences it
is created as a public or private directory.
|
|
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
|
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change arguments names so that they are not deceiving (ptr normlly identify a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings.
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
