| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
|
|
We tried to use the GC address even for kinit which gave us errors like:
"Realm not local to KDC while getting initial credentials".
This patch adds a new AD_GC service that is only used for ID lookups,
any sort of Kerberos operations are done against the local servers.
|
|
https://fedorahosted.org/sssd/ticket/1973
|
|
If user decide to kinit as another user we do not want to switch back
to user ccache at another login. We will switch to new ccache if and only
if default principal name is the same as current principal name, or there is
not any default ccache.
https://fedorahosted.org/sssd/ticket/1936
|
|
Function krb5_cc_get_full_name is called only as a way to validate that,
we have the right cache. Instead of returned name, location will be returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
|
|
https://fedorahosted.org/sssd/ticket/1969
The dead code is in fo_discover_servers_primary_done(). By fixing
it I have also added a debug message on ret != EOK. This change is
done also in fo_discover_servers_backup_done().
|
|
When renewing a ticket we already know the canonical principal hence it
is not needed to expand it to an enterprise principal but we can contact
the KDC of the corresponding realm directly.
|
|
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|
|
This reverts commit d153941864fe481399665be8fe583c9317194a99.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of member
attribute to the cache. That caused the memberof plugin to process the
values which was really CPU intensive.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1947
Otherwise we will do the SRV expansion once again:
1. leaving the old servers in server list
2. meta server is not inserted back in the list, the newly found
servers are inserted behind meta server, meta server is orphaned
and the new servers are forgotten
|
|
https://fedorahosted.org/sssd/ticket/1947
|
|
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to errornously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES
|
|
https://fedorahosted.org/sssd/ticket/1947
|
|
|
|
|
|
|
|
talloc_realloc(..., 0) calls talloc_free() and returns NULL.
If we process group that contains only users, we errornously
return ENOMEM.
|
|
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT is
it better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
https://fedorahosted.org/sssd/ticket/1953
|
|
|
|
https://fedorahosted.org/sssd/ticket/1894
|
|
https://fedorahosted.org/sssd/ticket/1815
|
|
The options are stored in ad_options->auth_ctx->opts, this member was
completely unused and confusing.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
https://fedorahosted.org/sssd/ticket/1886
|
|
|
|
sdom was only ever guaranteed to be set when a new domain was being
created. sditer is a valid pointer in both cases, so just use that.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1976
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
https://fedorahosted.org/sssd/ticket/1891
|
|
|
|
https://fedorahosted.org/sssd/ticket/364
Looks up trusted domain objects in the LDAP and stores them as AD
subdomains.
Currently only trusted domains that run NT5 or newer from the same forest
are looked up and stored.
|
|
https://fedorahosted.org/sssd/ticket/1557
Some lookups should be performed from GC only -- for example trusted
users are only present in the Global Catalog, while some lookups should
be performed from LDAP only as not all objects or attributes are
replicated to Global Catalog.
This patch adds a generic failover mechanism for identity lookups in the
AD provider that allows to choose the appropriate source and even fail over
to the other source if available.
|
|
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list.
|
|
As the subdomains are MPG domains, we don't want to store a separate GID
for the subdomain users, but rather just create a UPG.
|
|
Move the part of sdap_save_user into a separate function so that it can
be special cased an only called for users in primary domains, not
subdomain users.
|
|
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain.
|
