Age | Commit message (Collapse) | Author | Files | Lines |
|
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
In preparation for handling some more allocations in the following patches and
fixes a curent memleak on the opts struct.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
https://fedorahosted.org/sssd/ticket/2036
|
|
By the time that the create_ccache_in_dir() routine is called, we are
already guaranteed to have dropped privileges. This has either happened
because we dropped them before the exec() in the normal operation case
or because we dropped them explicitly after we completed the TGT
validation step if that or FAST is configured.
|
|
If USN attribute is not present, we call strdup on uninitialized
variable. This may cause segfault, or if we are lucky and
usn is NULL it will return ENOMEM.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2052
|
|
Adds pac_cli be_client structure pointer, to indetify and log the PAC
responder termination correctly.
|
|
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be
used uninitialized' compiler warnings.
|
|
warning reported by coverity
include_recursion: #include file "src/providers/dp_backend.h" includes itself:
dp_backend.h -> dp_refresh.h -> dp_backend.h (other events go to each file)
primary_file: During compilation of file
'src/krb5_plugin/sssd_krb5_locator_plugin.c
include_recursion: #include file "src/providers/dp_backend.h" includes itself:
dp_backend.h -> dp_refresh.h -> dp_ptask.h -> dp_backend.h
(other events go to each file)
primary_file: During compilation of file
'src/krb5_plugin/sssd_krb5_locator_plugin.c'
|
|
When the user is only member of its own primary group, initgroups_dyn may
return NOTFOUND as, at least for the 'files' nss provider the code skips the
passed in group.
Resolves:
https://fedorahosted.org/sssd/ticket/2051
|
|
The FILE cache only sets the return values of _active and _bool if the
entire function succeeds. The DIR cache was setting it even on failure.
This patch makes both consistent. This will benefit static analysis
tools which would be able to detect if the variable is ever used
uninitialized anywhere.
|
|
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
|
|
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
https://fedorahosted.org/sssd/ticket/2043
|
|
|
|
|
|
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of it's primary
group.
With this patch the mapped GID or the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1630
|
|
|
|
|
|
Header file proxy.h included itself.
|
|
Previous check was wrong, servername cannot be NULL.
|
|
Struct sss_auth_token became opaque in commit
9acfb09f7969a69f58bd45c856b01700541853ca.
All ocasions of "struct sss_auth_token" was replaced with pointer to this
struct, but proper initialization of auth_tokens was missing
in struct authtok_conv.
Resolves:
https://fedorahosted.org/sssd/ticket/2046
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.
|
|
|
|
|
|
Change was introduced in commit ca344fde
|
|
In sdap_nested_group_populate_users() username and orignal_dn are
allocated on a temporary memory context. If the corresponding user is
not found in the cache both are added to a hash which is later on
returned to the caller. To avoid a use-after-free when the hash entries
are looked up both must be reassigned to the memory context of the hash.
|
|
https://fedorahosted.org/sssd/ticket/2026
|
|
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.
Resolves:
https://fedorahosted.org/sssd/ticket/2040
|
|
|
|
https://fedorahosted.org/sssd/ticket/2031
|
|
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
Coverity ID: 11927
|
|
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
|
|
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
We check if function ipa_get_ad_id_ctx returns NULL,
but function ipa_get_ad_id_ctx could never return NULL.
This issue was found by scan-build.
|
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
|
|
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN
format by accident to the one we only ever user internally. This commit
fixes the mistake.
|
|
https://fedorahosted.org/sssd/ticket/2023
When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.
But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.
This patch makes sure that for all boolean option, the .val is always
the same as .def_val.
|
|
https://fedorahosted.org/sssd/ticket/2009
If the IPA server mode is on and the SSSD is running on the IPA server,
then the server's extdom plugin calls getpwnam_r to read info about trusted
users from the AD server and return them to the clients that called the
extended operation.
The SSSD returns the subdomain users fully-qualified, ie "user@domain"
by default. The format of the fully qualified name is configurable.
However, the extdom plugin returns the user name without the domain
component.
With this patch, when ipa_server_mode is on, warn if the full_name_format
is set to a non-default value. That would prompt the admin to change the
format if he changed it to something exotic.
|
|
|