Age | Commit message (Collapse) | Author | Files | Lines |
|
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
|
|
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|
|
There is a timed desctructor in the nss responder that, when the
entry timeout passes, removes the netgroup from the hash table while
the netgroup is freed. This patch adds a hash delete callback so that if the
netgroup is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
|
If cmd_ctx->name was not initialized by sss_parse_name
then copy of name will be used.
https://fedorahosted.org/sssd/ticket/1970
Coverity ID: 11647
|
|
|
|
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1814
When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine lenght of passed
string by itself and would read parts of DBus message behind boundaries
of authtok.
|
|
|
|
|
|
|
|
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done
was called. Inside of function sss_cmd_done memory was freed,
but this freed memory was used in caller functions, therefore sssd crashed.
https://fedorahosted.org/sssd/ticket/1980
|
|
|
|
https://fedorahosted.org/sssd/ticket/1949
|
|
https://fedorahosted.org/sssd/ticket/1693
Since we don't care about returned values from out of band refresh,
we do not need to set callback data. However, this caused talloc
to abort as it considers it as type mismatch when called from
tevent_req_callback_data().
|
|
If the PAC responder recognizes some attribute changes between the
cached user entry and the PAC data it quite crudely just removes the
cached entry and recreates it. While in most cases all needed data can
be recovered from the PAC data there is a case where it is not possible.
E.g the IPA HBAC code use the OriginalDN attribute to improve
performance when evaluating access rules. This patch makes sure this
attribute is not lost when the PAC responder updates the object.
|
|
sysdb_search_object_by_sid() does not return ENOENT if no related object
was found in the cache but EOK and an empty result list.
Fixes https://fedorahosted.org/sssd/ticket/1989
|
|
Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.
|
|
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
To make sure that e.g. the short/NetBIOS domain name is available this
patch make sure that the responders send a get_domains request to their
backends at startup the collect the domain information or read it from
the cache if the backend is offline.
For completeness I added this to all responders even if they do not need
the information at the moment.
Fixes https://fedorahosted.org/sssd/ticket/1951
|
|
|
|
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
https://fedorahosted.org/sssd/ticket/1912
SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but sobdomains
users are in cn=sub.domain,cn=sysdb. When we search for rules for
subdomain users we have to switch domain context to parent.
|
|
|
|
|
|
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
|
Try to parse names in the form user@domain first, as that's what sss_ssh_*
send in requests when the --domain option is used. Do not parse host names
using domain-specific regular expression.
|
|
The patch adds 4 new calls to the NSS responder:
- SSS_NSS_GETSIDBYNAME
- SSS_NSS_GETSIDBYID
- SSS_NSS_GETNAMEBYSID
- SSS_NSS_GETIDBYSID
to either return the SIDs of the requested object or map the SID to the
name or the POSIX ID of the related object.
|
|
Two new calls are added to allow to add SID based lookups to the
negative cache.
|
|
This new call is similar to responder_get_domain() but uses the domain
SID as search parameter. Since the length of the stored domain SID is
used in the comparison, SIDs of users and groups and be used directly
without stripping the RID component.
The functionality is not merged into responder_get_domain() to allow to
calculate the timeout correctly and return a specific error code if the
entry is expired.
|
|
This allows the nss responder to use libsss_idmap to convert between
different SID representations.
|
|
The patch adds two new request types for SID related requests. The first
one is used if a SID is given and the corresponding object should be
found. The second one can be used if the SID for an object is requested
but it is not clear if the object is a user or a group.
|
|
This patch add a new filter type to the data-provider interface which
can be used for SID-based lookups.
|
|
The current timout calculation code in responder_get_domain() is flawed
and I think it always was. I removed the related code because
- it currently has no effect, a match is returned even if it is expired
- that callers do not have any code to handle expired domains.
|
|
Recent refactoring introduced to concept of disabled domains, i.e.
domains which does not exists anymore. responder_get_domain() should not
return disabled domains.
|
|
Recent refactoring removed the need to copy the domain info data of
sub-domains because the related objects will not be removed from memory
anymore.
|
|
https://fedorahosted.org/sssd/ticket/1786
Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
|
|
Different user and group lookup requests used nearly identical code,
this patch unifies some of the related code paths.
|
|
The task of get_my_domain_data() is to read some information about the
configured domain from the cache. While the sysdb interface was
redesigned some changes changed the behaviour so that the data of the
domain of the current request was read. If this domain is a sub-domain
the wrong data was read. As a result group-memberships of the configured
domain were not taken into account.
The original code didn't made it easy to see that always the parent
domain should be used here, because there was no comment indication this
and the function name get_my_domain_data() didn't made it clear either.
Additionally to fixing the issue this patch also adds a comment and
rename the function to get_parent_domain_data().
Fixes https://fedorahosted.org/sssd/ticket/1888
|
|
sss_mc_set_recycled is a static function, that should not
be used outside nsssrv_mmap_cache.c. The sss_cache tool
is an exception, because in the case when sssd is not running,
sss_cache must invalidate the memory cache file. That is why
sss_mc_set_recycled was copied to the tools_mc_util.c
(as helper function for sss_memcache_invalidate function).
It was duplicated to allow this function to remain static
(and invisible to any .h files), so that it is not used anywhere else.
Wrong usage of this function might cause race conditions and corrupt
the cache.
I'll add comments about the duplication to the code.
|
|
https://fedorahosted.org/sssd/ticket/1609
|
|
https://fedorahosted.org/sssd/ticket/1869
Currently the private data passed to the PAM request is a structure
allocated on the client context. But in the odd case where the back end
would be stopped or stuck until the idle timeout hits, the DP callback
would access data that were freed when the client timed out.
This patch introduces a new structure allocated on responder context,
whose only purpose is to live as long as the request is active.
|
|
https://fedorahosted.org/sssd/ticket/1864
|
|
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830
|
|
Function create_pam_data() should be only one way how to create new
struct pam_data, because it also initialize destructor to created
object.
|