| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
|
The different_realm flag which was set by the responder is send to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider.
|
|
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
|
If sssd is configured to renew Kerberos tickets automatically ticket of
sub-domain uses should be renewed as well.
|
|
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache.
|
|
|
|
The ldap_child would return a NULL ccache but the error code would still
indicate success.
https://fedorahosted.org/sssd/ticket/1594
|
|
We should test both ret and (dp_error, errno) pair.
|
|
https://fedorahosted.org/sssd/ticket/1596
In case that LDAP server contains zero sudo rules, the full refresh
completes succussfully and stores current USN value (= 0). But then
smart refresh will fail because it takes USN=0 as invalid value.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
|
|
|
The IPA has a defined directory tree structure that allows us to guess
the username from a DN without having to look up the DN in LDAP.
https://fedorahosted.org/sssd/ticket/1319
|
|
There are case where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561
|
|
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539
|
|
There was an unused structure member in the krb5_child.
Declaration of __krb5_error_msg was shadowing the same variable from
sss_krb5.h which is not nice. Also we might actually use the error
context directly instead of passing it as parameter.
|
|
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage.
|
|
If there was no SID attribute, then we would have detected it by
checking the number of values of an element. We would however happily
return EOK in that case and save garbage into the sid_str.
This was causing segfault when the entry was supposed to be ID-mapped by
had no SID.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1537
changes upper limit of slices to 2000200000 in providers code and
manpage.
|
|
|
|
fixes https://fedorahosted.org/sssd/ticket/1533
ccache file template is now checked for appended XXXXXX for use with
mkstemp. When those characters are not present, warning is written to log.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1535
|
|
https://fedorahosted.org/sssd/ticket/1303
Domain start up was taking too long when there are many principals
in a kerberos keytab. We were looking up in the keytab two times.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call.
|
|
Certain LDAP servers can return an empty string as the value of
namingContexts. We need to treat these as NULL so that we can fail
gracefully.
https://fedorahosted.org/sssd/ticket/1542
|
|
https://fedorahosted.org/sssd/ticket/1384
|
|
https://fedorahosted.org/sssd/ticket/920
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
This patch switches from using just key in the RDN to using both key and
value. That is neccessary to allow multiple direct mounts in a single
map.
|
|
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to.
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1517
|
|
|
|
https://fedorahosted.org/sssd/ticket/1355
|
|
|
|
Previously, we were failing to start if ldap_idmap_autorid_compat
was True but the default domain SID was unspecified. This is the
recommended configuration, but it is functional without it. There
is just a slight risk that the IDs will be inconsistent between
machines if the first user requested is not from the default
domain.
https://fedorahosted.org/sssd/ticket/1530
|
|
https://fedorahosted.org/sssd/ticket/1440
|
|
https://fedorahosted.org/sssd/ticket/1225
krb5_child already updated before. Adding more debuginfo into
ldap_child. Also old debug levels rewritten into new macros.
|
|
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
|
|
https://fedorahosted.org/sssd/ticket/1310
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
https://fedorahosted.org/sssd/ticket/1458
When the responder is disabled and sudo_provider is set explicitly,
a warning is print and the module will be initialized.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1519
IPA host refactoring changed mapping of memberOf attribute
which caused SSSD being unable to retrieve membership of
hostgroup when being interpreted as netgroup.
|
