| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The only effect the failure to store a result to negative cache might
have would be a slower lookup next time.
|
|
https://fedorahosted.org/sssd/ticket/2090
Previously, when searching by UID or GID, the negative cache will only
work in case the UID was searched for using fully qualified names.
|
|
|
|
Since we now store the enumerate flag in sysdb for subdomains, we can
always descend to all available subdomains and if they do not allow
enumeration, simply skip them.
|
|
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.
This patch adds the GID of the original primary group when available and
needed.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done
was called. Inside of function sss_cmd_done memory was freed,
but this freed memory was used in caller functions, therefore sssd crashed.
https://fedorahosted.org/sssd/ticket/1980
|
|
|
|
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
The patch adds 4 new calls to the NSS responder:
- SSS_NSS_GETSIDBYNAME
- SSS_NSS_GETSIDBYID
- SSS_NSS_GETNAMEBYSID
- SSS_NSS_GETIDBYSID
to either return the SIDs of the requested object or map the SID to the
name or the POSIX ID of the related object.
|
|
Recent refactoring removed the need to copy the domain info data of
sub-domains because the related objects will not be removed from memory
anymore.
|
|
Different user and group lookup requests used nearly identical code,
this patch unifies some of the related code paths.
|
|
https://fedorahosted.org/sssd/ticket/1609
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
|
We used different debug levels for messages informing
about negative cache hits (old levels 2,3,4). Now it is
only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c
and proposed in the ticket bellow).
https://fedorahosted.org/sssd/ticket/1771
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|
|
https://fedorahosted.org/sssd/ticket/1757
When the user entry was missing completely after initgroups, we would
never invalidate the user entry from cache. This led to dangling cache
entried in memory cache if the user was removed from the server while
still being in memory cache.
|
|
|
|
|
|
|
|
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not.
|
|
If use_fully_qualified_names is used, we need to pass fqdn
to sss_mmap_cache_*_invalidate.
|
|
If a fatal EFAULT error is returned by the internal function that frees used
memory invalidate the whole cache and reinit it. This way we avoid further
corruption and insure clients see consistent data.
Also insure we use the right context in init() and we use talloc_zfree() in
reinit so that if the init() later fails we do not leave around a pointer
to free memory in the callers.
|
|
A recent patch introduced a glaring memory leak in the routines that clean up
memcache memory on initgroups calls.
|
|
Functions nss_cmd_getXXnam remove entries from memory cache if
not found in sysdb cache of a local domain.
|
|
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
|
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
https://fedorahosted.org/sssd/ticket/1376
|
|
One is a copy-and-paste error which was introduce by
1774ee9a61b9d691dadd1a0538f32bcdcc84f72f.
The second fixes a missing explicit setting of the return value. In the
case where we want fully qualified names ret contains the number of
characters from the last snprintf() which is almost ever not 0.
|
|
https://fedorahosted.org/sssd/ticket/1583
|
|
Fixes https://fedorahosted.org/sssd/ticket/1561
|
|
https://fedorahosted.org/sssd/ticket/1551
|
|
|
|
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087
|
|
This patch fixes an issue which resulted in a need to initialize
responder with data from local domain, otherwise it would not correctly
detect requests for subdomains. Similar situation can occur if new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name.
|
|
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
|
|
|
Since there are two attributes storing information about user
memberships of the group we have to include both of them in results.
This will apply only for objects that have ghost members (i.e. they
contain the SYSDB_GHOST attribute). If an object has this attribute,
values of this attribute are not projected to the memberuid attribute.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1329
|
|
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
|
