Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
This new call is similar to responder_get_domain() but uses the domain
SID as search parameter. Since the length of the stored domain SID is
used in the comparison, SIDs of users and groups and be used directly
without stripping the RID component.
The functionality is not merged into responder_get_domain() to allow to
calculate the timeout correctly and return a specific error code if the
entry is expired.
|
|
The current timout calculation code in responder_get_domain() is flawed
and I think it always was. I removed the related code because
- it currently has no effect, a match is returned even if it is expired
- that callers do not have any code to handle expired domains.
|
|
Recent refactoring introduced to concept of disabled domains, i.e.
domains which does not exists anymore. responder_get_domain() should not
return disabled domains.
|
|
Recent refactoring removed the need to copy the domain info data of
sub-domains because the related objects will not be removed from memory
anymore.
|
|
|
|
I think it logically belongs there and allows to better exercise the
responder commands from unit tests.
|
|
This parameter was never used.
https://fedorahosted.org/sssd/ticket/1765
|
|
https://fedorahosted.org/sssd/ticket/1810
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
Change the way sysdbs are initialized. Make callers responsible for providing
the list of domains.
Remove the returned array of sysdb contexts, it was used only by sss_cache
and not really necessary there either as that tool can easily iterate the
domains.
Make sysdb ctx children of their respective domains.
Neither sysdb context nor domains are ever freed until a program is done so
there shouldn't be any memory hierarchy issue. As plus we simplify the code by
removing a destructor and a setter function.
|
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
This is used for the new calls back from the data provider.
|
|
https://fedorahosted.org/sssd/ticket/1589
Added check for determining, whether database version is higher or
lower than expected. To distinguish it from other errors it uses
following retun values (further used for appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected
When SSSD or one of it's tools fails on DB version mismatch, new error
message is showed suggesting how to proceed.
|
|
https://fedorahosted.org/sssd/ticket/1514
We were experiencing crash duting responder shut down. This happened
when there were some unresolved dp request during the shut down.
The memory hierarchy is main_ctx->specific_ctx->rctx, where
specific_ctx may be one of the pam, nss, sudo, etc. contexts.
If we try to call dp request callback as a result of responder
termination, the specific context is already semi freed, which may
cause crash.
|
|
|
|
|
|
|
|
The name context was not being initialized for local provider
domains because it was handled after skipping over the back-end
initialization routine. This patch moves the name context init
routine to occur earlier.
https://fedorahosted.org/sssd/ticket/1412
|
|
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
|
|
|
|
|
|
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
|
sss_process_init forgot to check return value of confdb_get_int
|
|
Now it checks for subdomains as well as for the domain itself
|
|
|
|
The function that handled pending requests on reconnect was checking an
orphaned global variable that was never used, redenring the whole function
uselsess.
This fixes a very nasty bug that was causing requests for which we never
received an answer for (for example because the backend failed and was
restarted) to be never removed and therefore causing a black hole effect for
any other request of the same type.
Fixes: https://fedorahosted.org/sssd/ticket/1229
|
|
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197
|
|
This patch will increase the file descriptor limit to 8k or the
limits.conf maximum, whichever is lesser.
https://fedorahosted.org/sssd/ticket/1197
|
|
|
|
|
|
|
|
|
|
|
|
These two functions were almost identical. Better to maintain them
as a single function.
|
|
|
|
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP.
|
|
This was implemented almost identically for both the responders
and the providers. It is easier to maintain as a single routine.
This patch also adds the ability to provide a private context to
attach to the sbus_connection for later use.
|
|
Also fixes the same problem with set_close_on_exec
https://fedorahosted.org/sssd/ticket/713
|
|
https://fedorahosted.org/sssd/ticket/540
|
|
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
|
|
This commit completes the migration to a synchronous sysdb
|
|
- catch all errors of send() and recv(), not only EAGAIN
- check if send() or recv() return EWOULDBLOCK or EINTR
- remove unused parameter from client_send() and client_recv()
- fix a debugging message
|