summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2013-09-09krb5: Add file/dir path precheckSimo Sorce2-0/+35
Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Remove unused ccache backend infrastructureSimo Sorce6-144/+14
Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Unify function to create ccache filesSimo Sorce3-69/+22
Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use new function to validate ccachesSimo Sorce3-371/+88
This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Make check_for_valid_tgt() staticSimo Sorce1-0/+74
check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: move template check to initializzationSimo Sorce4-24/+22
The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Move determination of user being activeSimo Sorce3-43/+17
The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Replace type-specific ccache/principal checkSimo Sorce3-148/+89
Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce3-118/+18
This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Add helper to destroy ccache as userSimo Sorce2-0/+111
This function safely destroy a ccache given a cache name and user crdentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Add calls to change and restore credentialsSimo Sorce2-0/+131
In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Ingnore unknown expansion sequencesSimo Sorce1-30/+15
Recently support was added to use also libkrb5 style expansions that uses a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Addiotionally in order to be future proof this patch treats unknown templates as pass-through templates and defer any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
2013-09-05dyndns: do not modify global family_orderSumit Bose1-3/+3
Resolves: https://fedorahosted.org/sssd/ticket/2063
2013-09-05AD: Rename parametrized #defineJakub Hrozek1-3/+3
2013-09-05ad srv: prefer servers that are in the same domain as clientPavel Březina1-0/+89
https://fedorahosted.org/sssd/ticket/2001
2013-09-05fo srv: add priority to fo_server_infoPavel Březina2-0/+2
This will give SRV plugins all information needed for additional sorting.
2013-09-05resolv_sort_srv_reply: remove unnecessary mem_ctxPavel Březina1-1/+1
2013-09-05Fix warning missing argumentsLukas Slebodnik1-1/+1
2013-09-03KRB5: Fix warning declaration shadows global declarationLukas Slebodnik1-8/+8
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration /usr/include/stdio.h:754: warning: shadowed declaration is here
2013-09-03PROXY: Handle empty GECOSJakub Hrozek1-1/+8
If the user's GECOS as returned by the proxied module is an empty string (as opposed to NULL), the ldb transaction would error out.
2013-09-02Fix czech specific character in my namePavel Březina8-8/+8
2013-08-28IPA_HBAC: Explicitelly include header file time.hLukas Slebodnik1-0/+1
struct hbac_eval_req is defined in header file and it has attribute request_time with type time_t, but header file "time.h" was not included. It was not problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
2013-08-28IPA: Add forgotten declarationJakub Hrozek1-0/+1
A conflict between two patches was not resolved correctly
2013-08-28IPA: enable enumeration if parent domain enumerates in server modeJakub Hrozek1-12/+58
https://fedorahosted.org/sssd/ticket/1963
2013-08-28SYSDB: Store enumerate flag for subdomainJakub Hrozek2-3/+4
2013-08-28LDAP: Make sdap_id_setup_tasks reusable for subdomainsJakub Hrozek5-9/+21
Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
2013-08-28LDAP: Make the cleanup task reusable for subdomainsJakub Hrozek5-42/+73
Instead of always performing the cleanup on the main domain, the task now accepts a sdap_domain structure to perform the cleanup on. This change will make the cleanup task reusable for subdomains.
2013-08-28LDAP: Make cleanup synchronousJakub Hrozek3-150/+34
The LDAP cleanup request was asynchronous for no good reason, probably a leftover from the days of async sysdb. This patch makes it sychronous again, removing a lot of uneeded code.
2013-08-28LDAP: Convert enumeration to the ptask APIJakub Hrozek4-136/+132
https://fedorahosted.org/sssd/ticket/1942 Identity providers other than LDAP need to customize the enumeration in different ways while sharing the way the task is scheduled etc. The easiest way to accomplish it is to leverage the recently introduced ptask framework.
2013-08-28LDAP: Move the ldap enum request to its own reusable moduleJakub Hrozek6-642/+741
The LDAP enumeration was too closely tied to the LDAP identity provider. Because some providers might need special handling such as refresh the master domain record before proceeding with the enumeration itself, this patch splits the request itself to a separate async request and lets the ldap_id_enum.c module only configure this new request. Also move the enum timestamp to sdap_domain to make the enum tracking per sdap domain. The cleanup timestamp will be moved in another patch.
2013-08-28LDAP: Remove unused constantJakub Hrozek1-2/+0
The constant was not used since Euegene came up with his reconnection logic.
2013-08-28LDAP: Add enum_{users,groups}_recv to follow the tevent_req styleJakub Hrozek1-24/+19
The enum code was quite old and predated the tevent_req style. In particular, the enum code was checking tevent state direcly and not using _recv functions or the helper macros we added later. As a consequence, it was not easy to read. This patch adds the standard _recv functions to read the status of the enum requests.
2013-08-28DB: remove unused realm parameter from sysdb_master_domain_add_infoJakub Hrozek2-2/+2
The parameter was not used at all.
2013-08-28ipa-server-mode: add IPA group memberships to AD usersSumit Bose3-8/+1004
When IPA trusts an AD domain the AD user or groups can be placed into IPA groups e.g. to put AD users under the control of HBAC. Since IPA group can only have members from the IPA directory tree and the AD users and groups are not stored there a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group and since the external groups are in the IPA directory tree they can be member of IPA groups. To speed things up and to remove some load from the IPA servers SSSD reads all external groups and stores them in memory for some time before rereading the data. Enhances https://fedorahosted.org/sssd/ticket/1962
2013-08-28IPA: Enable AD sites when in server modeJakub Hrozek3-2/+70
https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally
2013-08-28krb5: Fetch ccname template from krb5.confStephen Gallagher6-14/+169
In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-28krb5_common: Refactor to use a talloc temp contextSimo Sorce1-12/+28
In preparation for handling some more allocations in the following patches and fixes a curent memleak on the opts struct. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-27KRB5: Add support for KEYRING cache typeStephen Gallagher4-0/+212
https://fedorahosted.org/sssd/ticket/2036
2013-08-27KRB5: Remove unnecessary call to become_user()Stephen Gallagher1-6/+0
By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
2013-08-26sudo: do not strdup usn on ENOENTPavel Březina1-1/+1
If USN attribute is not present, we call strdup on uninitialized variable. This may cause segfault, or if we are lucky and usn is NULL it will return ENOMEM.
2013-08-26sudo: do not fail to store the rule if we can't read usnPavel Březina1-3/+4
Resolves: https://fedorahosted.org/sssd/ticket/2052
2013-08-24DP: Notify propperly when removing PAC responderOndrej Kos2-1/+5
Adds pac_cli be_client structure pointer, to indetify and log the PAC responder termination correctly.
2013-08-24check_cc_validity: make sure _valid is always setSumit Bose1-5/+7
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
2013-08-22Remove include recursionLukas Slebodnik2-3/+0
warning reported by coverity include_recursion: #include file "src/providers/dp_backend.h" includes itself: dp_backend.h -> dp_refresh.h -> dp_backend.h (other events go to each file) primary_file: During compilation of file 'src/krb5_plugin/sssd_krb5_locator_plugin.c include_recursion: #include file "src/providers/dp_backend.h" includes itself: dp_backend.h -> dp_refresh.h -> dp_ptask.h -> dp_backend.h (other events go to each file) primary_file: During compilation of file 'src/krb5_plugin/sssd_krb5_locator_plugin.c'
2013-08-22proxy: Allow initgroup to return NOTFOUNDSimo Sorce1-0/+16
When the user is only member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider the code skips the passed in group. Resolves: https://fedorahosted.org/sssd/ticket/2051
2013-08-22KRB5: Only set active and valid on successStephen Gallagher1-6/+5
The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
2013-08-22KRB5: Refactor cc_*_check_existingStephen Gallagher1-61/+59
There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here: 1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering 2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
2013-08-22KRB5: Add new #define for collection cache typesStephen Gallagher4-18/+18
Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
2013-08-19sysdb_add_incomplete_group: store SID string is availableSumit Bose2-9/+18
During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
2013-08-19save_rfc2307bis_user_memberships: use fq names for subdomainsSumit Bose1-0/+16
For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.