Age | Commit message (Collapse) | Author | Files | Lines |
|
If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack.
|
|
|
|
Setting up public directories is the job of the admin, and
current sssd syntax can't express the actual intention of the admin with
regrads to which parts of the path should be public or private.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
|
|
|
|
|
|
|
|
Fix a check for an error return code that can be returned when
the ccache is not found.
Even in case of other errors still do not fail authentication
but allow it to proceed using a new ccache file if necessary.
Related:
https://fedorahosted.org/sssd/ticket/2053
|
|
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
Expanding a principle to an enterprise principal only makes sense if
there is a KDC available which can process it. If we are offline the
plain principal should be used, e.g. to create an expired ccache.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
If the returned TGT contains a different user principal name (upn) than
used in the request, i.e. the upn was canonicalized, we currently save
it to sysdb into the same attribute where the upn coming from an LDAP
server is stored as well. This means the canonical upn might be
overwritten when the user data is re-read from the LDAP server.
To avoid this this patch add a new attribute to sysdb where the
canonical upn is stored and makes sure it is used when available.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
|
|
Parameter "int *dp_err" and parameter "int *pam_status" were unused
in static function krb5_auth_prepare_ccache_name.
|
|
mem_ctx was unused in function get_domain_or_subdomain
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
warning: variable 'ret' is used uninitialized whenever
'if' condition is false
if (kerr) {
^~~~
|
|
The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreate the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.
While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.
With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:
First it would actually create a directory with the old name, when it
should not.
Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.
Related:
https://fedorahosted.org/sssd/ticket/2061
|
|
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.
Consolidate all in one common function and use that function directly
where needed instead of using indirection.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This function replaces and combines check_for_valid_tgt() and type specific
functions that checked for ccache existence by using generic krb5 cache
function and executing them as the target user (implicitly validate the
target use rcan properly access the ccache).
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
The randomized template check realy only makes sense for the FILE ccache
which is the only one that normally needs to use randomizing chars.
Also it is better to warn the admin early rather than to warn 'when it
is too late'.
So move the check at initialization time when we determine what the
template actually is.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
The way a user is checked for being active does not depend on the ccache
type so move that check out of the ccache specific functions.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Instead of having duplicate functions that are type custom use a signle common
function that also performs access to the cache as the user owner, implicitly
validating correctness of ownership.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This function safely destroy a ccache given a cache name and user crdentials.
It becomes the user so no possible races can compromise the system, then
uses libkrb5 functions to properly destroy a ccache, independently of the
cache type.
Finally restores the original credentials after closing the ccache handlers.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
In some cases we want to temporarily assume user credentials but allow the
process to regain back the original credentials (normally regaining uid 0).
Related:
https://fedorahosted.org/sssd/ticket/2061
|
|
Recently support was added to use also libkrb5 style expansions that
uses a %{varname} type of template.
There are a number of templates we do not care/can't expand in sssd.
The current code misses tests and failed to properly preserve some of
the templates we do not want to handle.
Addiotionally in order to be future proof this patch treats unknown
templates as pass-through templates and defer any error checking to
libkrb5, so that sssd is consistent with how kinit would behave.
Resolves:
https://fedorahosted.org/sssd/ticket/2076
|
|
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a
global declaration
/usr/include/stdio.h:754: warning: shadowed declaration is here
|
|
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
In preparation for handling some more allocations in the following patches and
fixes a curent memleak on the opts struct.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
https://fedorahosted.org/sssd/ticket/2036
|
|
By the time that the create_ccache_in_dir() routine is called, we are
already guaranteed to have dropped privileges. This has either happened
because we dropped them before the exec() in the normal operation case
or because we dropped them explicitly after we completed the TGT
validation step if that or FAST is configured.
|
|
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be
used uninitialized' compiler warnings.
|
|
The FILE cache only sets the return values of _active and _bool if the
entire function succeeds. The DIR cache was setting it even on failure.
This patch makes both consistent. This will benefit static analysis
tools which would be able to detect if the variable is ever used
uninitialized anywhere.
|
|
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
|
|
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
|
|
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
|
|
|