| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
fixes https://fedorahosted.org/sssd/ticket/1533
ccache file template is now checked for appended XXXXXX for use with
mkstemp. When those characters are not present, warning is written to log.
|
|
https://fedorahosted.org/sssd/ticket/1384
|
|
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
|
|
https://fedorahosted.org/sssd/ticket/1310
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
https://fedorahosted.org/sssd/ticket/1515
|
|
https://fedorahosted.org/sssd/ticket/1516
If sysdb_set_user_attr failed, we would cancel the transaction, then go
to the error handler and attempt to close it again.
|
|
|
|
To validate a TGT a keytab entry from the client realm is preferred but
if none ca be found the last entry should be used. But the entry was
freed and zeroed before it could be used.
This should also fix the trusted domain use case mentioned in
https://fedorahosted.org/sssd/ticket/1396
although a different approach then suggested in the ticket is used.
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
https://fedorahosted.org/sssd/ticket/1452
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
|
|
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
|
This patch adds support for the primary server functionality
into krb5 provider. No backup servers are added at the moment,
just the basic support is in place.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
https://fedorahosted.org/sssd/ticket/1379
|
|
|
|
|
|
Coverity #12784
|
|
|
|
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
|
|
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.
|
|
This will reduce code duplication between the krb5, ipa and ad
providers
|
|
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.
|
|
|
|
We weren't guaranteeing that the cctype-specific callbacks were
initialized before using them.
This bug only presented itself for users who were logging in
without a ccacheFile attribute in the LDB (for example, first-time
logins).
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
The variable 'dirname' is a publicly declared variable in libgen.h
on older systems such as RHEL 5
|
|
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
|
|
|
|
|
Passing Kerberos context to sss_krb5_get_error_message will allow us to
get better error messages.
|
|
https://fedorahosted.org/sssd/ticket/974
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
With the DIR cache support, it's perfectly legal to specify a ccname
directory that ends with a slash. The create_dir function did not handle
that situation correctly.
|
|
krb5-child-test will be another consumer. It also makes the code more
readable by splitting a huge function.
|
|
The krb5-child-test will want to run the child from the current
directory.
|
|
https://fedorahosted.org/sssd/ticket/1225
|
|
* Allocation check was missing
* a DEBUG statement overwrote errno
|
|
|
|
https://fedorahosted.org/sssd/ticket/1316
|
|
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers a enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
|
|
* When it's actually a failure, then the callers will print
a message. Fine tune this.
|
|
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
