Age | Commit message (Collapse) | Author | Files | Lines |
|
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1225
|
|
|
|
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers a enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
|
|
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
|
|
https://fedorahosted.org/sssd/ticket/1209
|
|
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288
|
|
|
|
https://fedorahosted.org/sssd/ticket/1137
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
https://fedorahosted.org/sssd/ticket/956
Added: --debug-microseconds=0/1
Added: debug_microseconds to sssd.conf
|
|
Removed:
SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED)
Added new macro:
CONVERT_AND_SET_DEBUG_LEVEL(new_value)
Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0
so DEBUG macro could be reduced by one condition. Anyway, it has a minor
effect, every time you want to load debug_level from command line parameters,
you have to use following pattern:
/* Set debug level to invalid value so we can deside if -d 0 was used. */
debug_level = SSSDBG_INVALID;
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) { ... }
CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
|
|
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
|
|
|
|
In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556
|
|
|
|
We will now emit a level 0 debug message on keytab errors, and
also write to the syslog (LOG_DAEMON)
|
|
sdap_handle for future reference.
|
|
|
|
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change arguments names so that they are not deceiving (ptr normlly identify a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings.
|
|
Also update BUILD.txt
|