| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
If we are unable to delete some rule from cache we print a debug
message and ignore the error. Thus we should set ret to EOK after
the for loop otherwise we return whether the last rule was deleted
successfully or not.
This also removes compilation warning that ret may be used
uninitialized (when we don't go inside the loop at all).
|
|
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
|
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
|
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
|
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
|
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
|
https://fedorahosted.org/sssd/ticket/1689
|
|
Reduces amount of code duplication.
|
|
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
|
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
|
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
|
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1680
There were two errors:
1. kr->kpasswd_srv was never set
2. bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
|
https://fedorahosted.org/sssd/ticket/1685
The PROXY provider wasn't storing credentials to negative cache due to
bad return value. This was delegated from attempt to delete these
credentials from local cache. Therefore ENOENT is replaced as EOK.
|
|
https://fedorahosted.org/sssd/ticket/1701
|
|
|
|
https://fedorahosted.org/sssd/ticket/1695
|
|
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
|
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
|
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
|
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
|
In particular note that we merge ipa_account_info_netgroups_done()
and ipa_account_info_users_done() into a single fucntion called
ipa_account_info_done() that handles both cases
We also remove the auxiliary function ipa_account_info_complete() that
unnecessarily violates the tevent_req style and instead use a new function
named ipa_account_info_error_text() to generate error text.
|
|
Also do not intermix two tevent_req sequences
|
|
|
|
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
|
In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.
This patch adds a log message and sets the count to zero so it is
handled appropriately below.
|
|
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
|
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
|
|
initialized variable, was causing build warning
|
|
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
|
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
|
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
|
|
|
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
|
|
The element being reallocated is part of the "group_attrs" array, not
attrs.
|
|
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length
array for group members while processing an empty group. The allocation
would return NULL and saving the empty group would fail.
|
|
Allocating temporary context on NULL helps vind memory leaks with
valgrind and avoid growing memory over time by allocating on a
long-lived context.
|
|
|
|
The connections request was terminated before setting the expiry timeout
in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
|
|
|
