summaryrefslogtreecommitdiff
path: root/src/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2012-06-15KRB5: Auto-detect DIR cache support in configureStephen Gallagher4-5/+33
We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-15KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_dataStephen Gallagher1-17/+30
2012-06-14Make krb5_ccname_template and krb5_ccachedir configurableJakub Hrozek1-2/+2
2012-06-14Use Kerberos context in KRB5_DEBUGJakub Hrozek2-55/+61
Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14Add support for storing credential caches in the DIR: back endJakub Hrozek5-70/+510
https://fedorahosted.org/sssd/ticket/974
2012-06-14Add a credential cache back end structureJakub Hrozek7-148/+382
To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
2012-06-14Handle trailing slash in the ccname templateJakub Hrozek1-8/+14
With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
2012-06-14Split parse_krb5_child_response so it can be reusedJakub Hrozek3-119/+170
krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
2012-06-14Allow redefining the KRB5_CHILD pathJakub Hrozek1-3/+7
The krb5-child-test will want to run the child from the current directory.
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek1-13/+65
https://fedorahosted.org/sssd/ticket/1225
2012-06-14Two small krb5_child fixesJakub Hrozek1-3/+10
* Allocation check was missing * a DEBUG statement overwrote errno
2012-05-31added DEBUG messages to krb5_child and ldap_childNick Guay1-3/+12
2012-05-07Only reset kpasswd server status when performing a chpass operationJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/1316
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter1-0/+21
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07Remove erroneous failure message in find_principal_in_keytabStef Walter1-1/+3
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter1-2/+6
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny1-4/+27
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-04-20Convert read and write operations to sss_atomic_readJakub Hrozek2-46/+31
https://fedorahosted.org/sssd/ticket/1209
2012-04-05Clean up log messages about keytab_nameStephen Gallagher1-2/+4
There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2012-03-28Add terminator for dp_optionStephen Gallagher1-1/+2
2012-03-28Put dp_option maps in their own fileStephen Gallagher2-18/+47
There is no functional change due to this patch.
2012-03-08Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek1-17/+15
2012-03-06krb5_child: set debugging soonerJakub Hrozek1-12/+18
2012-03-06Only do one cycle when resolving a serverJakub Hrozek1-7/+12
https://fedorahosted.org/sssd/ticket/1214
2012-03-01IPA: Set the DNS discovery domain to match ipa_domainStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1217
2012-01-31KRB5: Add syslog messages for Kerberos failuresStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/1137
2012-01-06Do not call krb5_child when changing passwords and provider went offlineJakub Hrozek1-1/+11
https://fedorahosted.org/sssd/ticket/1131
2011-12-22Add compatibility layer for Heimdal Kerberos implementationStephen Gallagher2-8/+12
2011-12-21Honor case sensitive flag when creating the ccname templateJakub Hrozek3-5/+17
2011-12-19Securely set umask when using mkstempStephen Gallagher2-0/+6
Coverity 12394, 12395, 12396, 12397 and 12398
2011-12-19Move child_common routines to utilStephen Gallagher5-5/+5
2011-11-22Set more strict permissions on keyringSimo Sorce1-1/+1
We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.
2011-11-22Fixed unchecked value of setenv() in check_and_export_options()Jan Zeleny1-2/+5
https://fedorahosted.org/sssd/ticket/1080
2011-11-22Cleanup: Remove unused parametersJakub Hrozek1-7/+2
2011-11-02Add support to request canonicalization on krb AS requestsJan Zeleny3-1/+25
https://fedorahosted.org/sssd/ticket/957
2011-09-28Multiline macro cleanupJakub Hrozek1-1/+1
This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
2011-09-08DEBUG timestamps offer higher precisionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/956 Added: --debug-microseconds=0/1 Added: debug_microseconds to sssd.conf
2011-08-25New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0Pavel Březina1-1/+3
Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern: /* Set debug level to invalid value so we can deside if -d 0 was used. */ debug_level = SSSDBG_INVALID; pc = poptGetContext(argv[0], argc, argv, long_options, 0); while((opt = poptGetNextOpt(pc)) != -1) { ... } CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
2011-08-25New DEBUG facility - conversionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
2011-08-15sysdb refactoring: memory context deletedJan Zeleny1-4/+3
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny3-13/+10
The patch also updates code using modified functions. Tests have also been adjusted.
2011-07-21Rename fo_get_server_name to fo_get_server_str_nameJakub Hrozek1-1/+1
2011-07-13Remove unused krb5_service structure memberJakub Hrozek2-5/+1
2011-07-11Escape IP address in kdcinfoJakub Hrozek1-4/+26
https://fedorahosted.org/sssd/ticket/909
2011-06-15Switch resolver to using resolv_hostent and honor TTLJakub Hrozek1-1/+1
2011-06-15Fix two typosSumit Bose1-2/+3
2011-06-15Delete cached ccache file if password is expiredSumit Bose1-8/+63
2011-06-02Add utility function to return IP address as stringJakub Hrozek1-9/+2
2011-06-02Add online callback only once for TGT renewalSumit Bose1-25/+44
2011-05-20Rename label in expand_ccname_templateJakub Hrozek1-17/+17
The label was named fail but used also in success cases.