| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
format specifies type 'int' but the argument has type 'const char *'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct ldb_message_element.num_values is unsigned
This patch indirectly fixes printf format string warning.
|
|
|
|
|
|
|
|
When the SSSD changes serves (and hence lastUSN) we perform a cleanup as
well. However, after recent changes, we didn't set the cleanup timestamp
correctly, which made the lastUSN logic fail.
|
|
|
|
warning: variable 'ret' is used uninitialized whenever
'if' condition is false
if (kerr) {
^~~~
|
|
The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreate the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Add a precheck on the actual existence at all of the file/dir ccname
targeted (for FILE/DIR types), and bail early if nothing is available.
While testing I found out that without this check, the krb5_cc_resolve()
function we call as user to check old paths would try to create the
directory if it didn't exist.
With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would
cause two undesirable side effects:
First it would actually create a directory with the old name, when it
should not.
Second, because for some reason the umask is set to 0127 in sssd_be, it
would create the directory with permission 600 (missing the 'x' traverse
bit on the directory. If the new ccache has the same name it would cause
the krb5_child process to fal to store the credential cache in it.
Related:
https://fedorahosted.org/sssd/ticket/2061
|
|
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.
Consolidate all in one common function and use that function directly
where needed instead of using indirection.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This function replaces and combines check_for_valid_tgt() and type specific
functions that checked for ccache existence by using generic krb5 cache
function and executing them as the target user (implicitly validate the
target use rcan properly access the ccache).
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
The randomized template check realy only makes sense for the FILE ccache
which is the only one that normally needs to use randomizing chars.
Also it is better to warn the admin early rather than to warn 'when it
is too late'.
So move the check at initialization time when we determine what the
template actually is.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
The way a user is checked for being active does not depend on the ccache
type so move that check out of the ccache specific functions.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
Instead of having duplicate functions that are type custom use a signle common
function that also performs access to the cache as the user owner, implicitly
validating correctness of ownership.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
This function safely destroy a ccache given a cache name and user crdentials.
It becomes the user so no possible races can compromise the system, then
uses libkrb5 functions to properly destroy a ccache, independently of the
cache type.
Finally restores the original credentials after closing the ccache handlers.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
In some cases we want to temporarily assume user credentials but allow the
process to regain back the original credentials (normally regaining uid 0).
Related:
https://fedorahosted.org/sssd/ticket/2061
|
|
Recently support was added to use also libkrb5 style expansions that
uses a %{varname} type of template.
There are a number of templates we do not care/can't expand in sssd.
The current code misses tests and failed to properly preserve some of
the templates we do not want to handle.
Addiotionally in order to be future proof this patch treats unknown
templates as pass-through templates and defer any error checking to
libkrb5, so that sssd is consistent with how kinit would behave.
Resolves:
https://fedorahosted.org/sssd/ticket/2076
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2063
|
|
|
|
https://fedorahosted.org/sssd/ticket/2001
|
|
This will give SRV plugins all information needed for additional
sorting.
|
|
|
|
|
|
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a
global declaration
/usr/include/stdio.h:754: warning: shadowed declaration is here
|
|
If the user's GECOS as returned by the proxied module is an empty string
(as opposed to NULL), the ldb transaction would error out.
|
|
|
|
struct hbac_eval_req is defined in header file and it has attribute
request_time with type time_t, but header file "time.h" was not included.
It was not problem, because time.h was indirectly included by stdlib.h
(stdlib.h -> sys/types.h -> time.h) in implementation files,
but other platforms can have other dependencies among header files.
|
|
A conflict between two patches was not resolved correctly
|
|
https://fedorahosted.org/sssd/ticket/1963
|
|
|
|
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains.
|
|
The LDAP cleanup request was asynchronous for no good reason, probably a
leftover from the days of async sysdb. This patch makes it sychronous
again, removing a lot of uneeded code.
|
|
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework.
|
|
The LDAP enumeration was too closely tied to the LDAP identity provider.
Because some providers might need special handling such as refresh the
master domain record before proceeding with the enumeration itself, this
patch splits the request itself to a separate async request and lets the
ldap_id_enum.c module only configure this new request.
Also move the enum timestamp to sdap_domain to make the enum tracking
per sdap domain. The cleanup timestamp will be moved in another patch.
|
|
The constant was not used since Euegene came up with his reconnection
logic.
|
|
The enum code was quite old and predated the tevent_req style. In
particular, the enum code was checking tevent state direcly and not
using _recv functions or the helper macros we added later.
As a consequence, it was not easy to read. This patch adds the standard
_recv functions to read the status of the enum requests.
|
