summaryrefslogtreecommitdiff
path: root/src/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2010-10-13Initialize kerberos service for GSSAPIJakub Hrozek2-1/+7
2010-09-28Suppress some 'may be used uninitialized' warningsSumit Bose1-6/+12
Additionally the handling of errno and the errno_t return value of functions is fixed in krb5_common.c.
2010-09-23Use new MIT krb5 API for better password expiration warningsSumit Bose1-0/+51
2010-09-08Dead assignments cleanup in providers codeJan Zeleny1-1/+0
Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586
2010-09-02Fixed potential comparison of undefined variableJan Zeleny1-0/+1
If the allocation on line 678 failed, the value of ret was undefined in following comparison. ENOMEM is now assigned before the comparison. Ticket: #578
2010-06-30Add dns_discovery_domain optionJakub Hrozek1-1/+1
The service discovery used to use the SSSD domain name to perform DNS queries. This is not an optimal solution, for example from the point of view of authconfig. This patch introduces a new option "dns_discovery_domain" that allows to set the domain part of a DNS SRV query. If this option is not set, the default behavior is to use the domain part of the machine's hostname. Fixes: #479
2010-06-16Standardize on correct spelling of "principal" for krb5Stephen Gallagher2-4/+4
https://fedorahosted.org/sssd/ticket/542
2010-06-14Remove krb5_changepw_principal optionJakub Hrozek4-42/+22
Fixes: #531
2010-06-10Properly handle read() and write() throughout the SSSDStephen Gallagher1-7/+18
We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.
2010-06-09Add a missing initializerSumit Bose1-1/+1
2010-06-06Initialize pam_data in Kerberos child.Sumit Bose1-1/+1
2010-05-27Refactor krb5 SIGTERM handler installationSumit Bose3-14/+39
2010-05-27Add callback to remove krb5 info files when going offlineSumit Bose4-40/+156
2010-05-27Refactor krb5_finalize()Sumit Bose1-12/+27
2010-05-27Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose2-41/+1
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
2010-05-26Fix handling of ccache file when going offlineSumit Bose2-32/+76
The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one.
2010-05-26Add support for delayed kinit if offlineSumit Bose6-27/+425
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-05-26Handle Krb5 password expiration warningSumit Bose2-174/+195
2010-05-26Try all servers during Kerberos authJakub Hrozek1-23/+104
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
2010-05-16Properly set up SIGCHLD handlersStephen Gallagher2-1/+6
Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
2010-05-16New version of IPA auth and password migrationSumit Bose1-2/+2
The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
2010-05-16Make Kerberos authentication a tevent_reqSumit Bose2-215/+345
To allow other providers to include Kerberos authentication the main part is put into a tevent request.
2010-05-07Use service discovery in backendsJakub Hrozek3-6/+27
Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
2010-05-07Create kdcinfo and kpasswdinfo file at startupSumit Bose2-1/+41
2010-05-07Clean up kdcinfo and kpasswdinfo files when exitingStephen Gallagher3-2/+57
2010-04-26Display a message if a password reset by root failsSumit Bose1-0/+7
2010-04-12sysdb: convert sysdb_get_user_attrSimo Sorce1-38/+13
2010-04-12Remove remaining use of sysdb_transaction_sendSimo Sorce1-103/+49
2010-04-12sysdb: convert sysdb_cache_passwordSimo Sorce1-29/+8
2010-04-12sysdb: convert sysdb_set_entry/user/group_attrSimo Sorce1-23/+4
2010-03-25Allow arbitrary-length PAM messagesStephen Gallagher2-20/+7
The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
2010-03-12Add krb5_kpasswd optionSumit Bose6-30/+205
2010-03-11Write the IP address of the KDC to the kdcinfo fileSumit Bose1-16/+10
2010-03-11Add expandable sequences to krb5_ccachedirSumit Bose6-21/+292
As with krb5_ccname_template sequences like %u can be used in the krb5_ccachedir parameter which are expanded at runtime. If the directory does not exist, it will be created. Depending on the used sequences it is created as a public or private directory.
2010-03-04Add forgotten \n in DEBUG statementsMartin Nagy1-1/+1
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so I decided to fix them. I also made a quick grep through the code and found other places so I fixed them too.
2010-03-03Improve safe alignment buffer handling macrosSimo Sorce2-31/+32
Make the counter optional so that alignment safe macros can be used also where there is no counter to update. Change arguments names so that they are not deceiving (ptr normlly identify a pointer) Turn the memcpy substitute into an inline function so that passing a pointer to rp and checking for it doesn't make the compiler spit lots of warnings.
2010-02-23Handle expired passwords like other PAM modulesSumit Bose1-1/+1
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
2010-02-19Remove unneeded items from struct pam_dataSumit Bose4-59/+69
2010-02-19Send Kerberos environment after password changeSumit Bose1-1/+1
2010-02-18Rename server/ directory to src/Stephen Gallagher9-0/+3139
Also update BUILD.txt