summaryrefslogtreecommitdiff
path: root/src/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2013-10-17KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD userHEADmasterJakub Hrozek2-0/+9
If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
2013-10-10krb5: fix warning may be used uninitializedLukas Slebodnik1-0/+1
2013-10-07krb5: Remove ability to create public directoriesSimo Sorce3-71/+37
Setting up public directories is the job of the admin, and current sssd syntax can't express the actual intention of the admin with regrads to which parts of the path should be public or private. Resolves: https://fedorahosted.org/sssd/ticket/2071
2013-09-27KRB5: Use the correct domain when authenticating with cached passwordJakub Hrozek1-4/+4
2013-09-27KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolvedJakub Hrozek1-0/+1
2013-09-26KRB5: Fix bad comparisonJakub Hrozek1-1/+1
2013-09-25krb5: Be more lenient on failures for old ccacheSimo Sorce2-2/+2
Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary. Related: https://fedorahosted.org/sssd/ticket/2053
2013-09-24Include header file in implementation module.Lukas Slebodnik2-0/+2
Declarations of public functions was in header files, but header files was not included in implementation file.
2013-09-23krb5: do not expand enterprise principals is offlineSumit Bose1-1/+1
Expanding a principle to an enterprise principal only makes sense if there is a KDC available which can process it. If we are offline the plain principal should be used, e.g. to create an expired ccache. Fixes https://fedorahosted.org/sssd/ticket/2060
2013-09-23krb5: save canonical upn to sysdbSumit Bose4-20/+57
If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server. To avoid this this patch add a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available. Fixes https://fedorahosted.org/sssd/ticket/2060
2013-09-17KRB5: Call umask before mkstemp in the krb5 child codeJakub Hrozek1-0/+3
2013-09-12KRB: Remove unused function parametersLukas Slebodnik1-4/+2
Parameter "int *dp_err" and parameter "int *pam_status" were unused in static function krb5_auth_prepare_ccache_name.
2013-09-12KRB: Remove unused memory contextLukas Slebodnik3-3/+3
mem_ctx was unused in function get_domain_or_subdomain
2013-09-11Fix formating of variables with type: gid_tLukas Slebodnik2-3/+3
2013-09-11Fix formating of variables with type: uid_tLukas Slebodnik2-4/+5
2013-09-11Fix formating of variables with type: time_tLukas Slebodnik1-1/+1
2013-09-11Fix formating of variables with type: key_serial_tLukas Slebodnik1-1/+2
2013-09-11Fix formating of variables with type: size_tLukas Slebodnik3-5/+6
2013-09-11Fix formating of variables with type: ssize_tLukas Slebodnik2-3/+3
2013-09-11Fix formating of variables with type: longLukas Slebodnik2-2/+2
2013-09-10krb5: Fix warning sometimes uninitializedLukas Slebodnik1-0/+2
warning: variable 'ret' is used uninitialized whenever 'if' condition is false if (kerr) { ^~~~
2013-09-09krb5_child: Simplify ccache creationSimo Sorce1-387/+87
The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreate the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Add file/dir path precheckSimo Sorce2-0/+35
Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Remove unused ccache backend infrastructureSimo Sorce6-144/+14
Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Unify function to create ccache filesSimo Sorce3-69/+22
Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use new function to validate ccachesSimo Sorce3-371/+88
This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Make check_for_valid_tgt() staticSimo Sorce1-0/+74
check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: move template check to initializzationSimo Sorce4-24/+22
The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Move determination of user being activeSimo Sorce3-43/+17
The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Replace type-specific ccache/principal checkSimo Sorce3-148/+89
Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce3-118/+18
This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Add helper to destroy ccache as userSimo Sorce2-0/+111
This function safely destroy a ccache given a cache name and user crdentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Add calls to change and restore credentialsSimo Sorce2-0/+131
In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Ingnore unknown expansion sequencesSimo Sorce1-30/+15
Recently support was added to use also libkrb5 style expansions that uses a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Addiotionally in order to be future proof this patch treats unknown templates as pass-through templates and defer any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
2013-09-03KRB5: Fix warning declaration shadows global declarationLukas Slebodnik1-8/+8
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration /usr/include/stdio.h:754: warning: shadowed declaration is here
2013-08-28krb5: Fetch ccname template from krb5.confStephen Gallagher4-12/+167
In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-28krb5_common: Refactor to use a talloc temp contextSimo Sorce1-12/+28
In preparation for handling some more allocations in the following patches and fixes a curent memleak on the opts struct. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-27KRB5: Add support for KEYRING cache typeStephen Gallagher4-0/+212
https://fedorahosted.org/sssd/ticket/2036
2013-08-27KRB5: Remove unnecessary call to become_user()Stephen Gallagher1-6/+0
By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
2013-08-24check_cc_validity: make sure _valid is always setSumit Bose1-5/+7
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
2013-08-22KRB5: Only set active and valid on successStephen Gallagher1-6/+5
The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
2013-08-22KRB5: Refactor cc_*_check_existingStephen Gallagher1-61/+59
There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here: 1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering 2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
2013-08-22KRB5: Add new #define for collection cache typesStephen Gallagher4-18/+18
Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
2013-08-19KRB5: Do not log to syslog on each loginJakub Hrozek1-1/+3
2013-08-19KRB5: Formatting changesJakub Hrozek1-4/+4
2013-08-11ldap, krb5: More descriptive msg on chpass failure.Michal Zidek1-0/+15
Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
2013-07-23KRB5: Do not send PAC in server modeJakub Hrozek3-6/+19
The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
2013-07-22Fix warnings: uninitialized variableLukas Slebodnik2-4/+3
2013-07-22Remove unused memory context from function unpack_authtokLukas Slebodnik1-3/+3
2013-07-19Add mising argument required by format stringLukas Slebodnik1-2/+3