| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
This patch implements a wrapper for
sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Currently the range management code is in the generic LDAP provider and
can be used by the LDAP and AD provider. New ranges are allocated with
the help of a hash value of the domain SID.
If the IPA provider cannot find a range for a given domain it cannot
allocate a new range on its own but has to look up the idrange objects
on the FreeIPA server and use them accordingly. To allow the LDAP, AD
and IPA provider to use as much common code as possible a plugin
interface, similar to the one used to find the DNS site, to find a
missing range would be useful. The default plugin will be used by the
LDAP and the AD provider and the IPA provider will implement a plugin to
read the data from the server.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
To allow libsss_idmap to manage all id-ranges the id-ranges of the
domains configured in sssd.conf which are currently unmanaged must be
added to libsss_idmap.
|
|
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
|
https://fedorahosted.org/sssd/ticket/1949
|
|
|
|
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
|
|
We tried to use the GC address even for kinit which gave us errors like:
"Realm not local to KDC while getting initial credentials".
This patch adds a new AD_GC service that is only used for ID lookups,
any sort of Kerberos operations are done against the local servers.
|
|
https://fedorahosted.org/sssd/ticket/1973
|
|
If user decide to kinit as another user we do not want to switch back
to user ccache at another login. We will switch to new ccache if and only
if default principal name is the same as current principal name, or there is
not any default ccache.
https://fedorahosted.org/sssd/ticket/1936
|
|
Function krb5_cc_get_full_name is called only as a way to validate that,
we have the right cache. Instead of returned name, location will be returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
|
|
https://fedorahosted.org/sssd/ticket/1969
The dead code is in fo_discover_servers_primary_done(). By fixing
it I have also added a debug message on ret != EOK. This change is
done also in fo_discover_servers_backup_done().
|
|
When renewing a ticket we already know the canonical principal hence it
is not needed to expand it to an enterprise principal but we can contact
the KDC of the corresponding realm directly.
|
|
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
|
|
This reverts commit d153941864fe481399665be8fe583c9317194a99.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of member
attribute to the cache. That caused the memberof plugin to process the
values which was really CPU intensive.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1947
Otherwise we will do the SRV expansion once again:
1. leaving the old servers in server list
2. meta server is not inserted back in the list, the newly found
servers are inserted behind meta server, meta server is orphaned
and the new servers are forgotten
|
|
https://fedorahosted.org/sssd/ticket/1947
|
|
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to errornously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES
|
|
https://fedorahosted.org/sssd/ticket/1947
|
|
|
|
|
|
|
|
talloc_realloc(..., 0) calls talloc_free() and returns NULL.
If we process group that contains only users, we errornously
return ENOMEM.
|
|
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT is
it better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
|
|
https://fedorahosted.org/sssd/ticket/1953
|
|
|
|
https://fedorahosted.org/sssd/ticket/1894
|
|
https://fedorahosted.org/sssd/ticket/1815
|
|
The options are stored in ad_options->auth_ctx->opts, this member was
completely unused and confusing.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
https://fedorahosted.org/sssd/ticket/1886
|
|
|
|
sdom was only ever guaranteed to be set when a new domain was being
created. sditer is a valid pointer in both cases, so just use that.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1976
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
https://fedorahosted.org/sssd/ticket/1891
|
