summaryrefslogtreecommitdiff
path: root/src/responder
AgeCommit message (Collapse)AuthorFilesLines
2013-09-25NSS: Failure to store entry negative cache should not be fatalJakub Hrozek1-18/+31
The only effect the failure to store a result to negative cache might have would be a slower lookup next time.
2013-09-25NSS: Set UID and GID to negative cache after searching all domainsJakub Hrozek1-66/+105
https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.
2013-09-24Include header file in implementation module.Lukas Slebodnik2-0/+2
Declarations of public functions was in header files, but header files was not included in implementation file.
2013-09-23mmap_cache: Use two chains for hash collision.Lukas Slebodnik1-18/+48
struct sss_mc_rec had two hash members (hash1 and hash2) but only one next member. This was a big problem in case of higher probability of hash collision. structure sss_mc_rec will have two next members (next1, next2) with this patch. next1 is related to hash1 and next2 is related to hash1. Iterating over chains is changed, because we need to choose right next pointer. Right next pointer will be chosen after comparing record hashes. This behaviour is wrapped in function sss_mc_next_slot_with_hash. Adding new record to chain is also changed. The situation is very similar to iterating. We need to choose right next pointer (next1 or next2). Right next pointer will be chosen after comparing record hashes. Adding reference to next slot is wrapped in function sss_mc_chain_slot_to_record_with_hash Size of structure sss_mc_rec was increased from 32 bytes to 40 bytes. Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-09-23Revert "mmap_cache: Skip records which doesn't have same hash"Lukas Slebodnik1-34/+2
This reverts commit 4662725ffef62b3b2502481438effa7c8fef9f80.
2013-09-20RESPONDER: Use right function prototypeLukas Slebodnik2-1/+2
Protype of function sss_ncache_check_netgr was different than definition of function sss_ncache_check_netgr. We did not catch it, because header file "responder/common/negcache.h" was not included in implementation file "responder/common/negcache.c"
2013-09-17nss: Wrong debug message.Michal Zidek1-1/+2
2013-09-17util: add sss_idmap_talloc[_free]Pavel Březina2-22/+4
Remove code duplication.
2013-09-16Add missing new line in DEBUG messageLukas Slebodnik1-2/+3
2013-09-11Fix formating of variables with type: gid_tLukas Slebodnik1-2/+2
2013-09-11Fix formating of variables with type: uid_tLukas Slebodnik1-2/+2
2013-09-11Fix formating of variables with type defined in stdint.hLukas Slebodnik1-6/+7
2013-09-11Fix formating of variables with type: rlim_tLukas Slebodnik1-5/+5
2013-09-11Fix formating of variables with type: size_tLukas Slebodnik2-2/+2
2013-09-11Fix formating of variables with type: unsigned longLukas Slebodnik1-1/+1
2013-09-09mmap_cache: Do not remove record from chain twiceLukas Slebodnik1-0/+6
It is not very likely, that record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if record was alone in chain. Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-09-03Include sys/types.h for types id_t and uid_tLukas Slebodnik1-0/+1
2013-08-28DP: Use the correct type for DBus booleanJakub Hrozek1-2/+5
https://fedorahosted.org/sssd/ticket/2057
2013-08-28NSS: Descend into subdomains if enumerate=trueJakub Hrozek1-12/+12
Since we now store the enumerate flag in sysdb for subdomains, we can always descend to all available subdomains and if they do not allow enumeration, simply skip them.
2013-08-28mmap_cache: Use stricter check for hash keys.Lukas Slebodnik1-4/+6
ht_size is size of hash_table in bytes, but hash keys have type uint32_t
2013-08-28mmap_cache: Skip records which doesn't have same hashLukas Slebodnik1-2/+34
The code uses 2 hashes for each record, but only one hash table to index them both, furthermore each record has only one single 'next' pointer. This means that in certain conditions a record main end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong. If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record. By skipping any block that has no matching hashes upon removing the first record in a chain we insure that dangling references cannot be left in the hash table Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-08-28sss_packet_grow: correctly pad packet length to 512BPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/2059 If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired. len = 1024 n = 1024 % 512 + 1 = 0 + 1 = 1 totlen = 1 * 512 = 512 => totlen < len len = 511 n = 511 % 512 + 1 = 511 + 1 totlen = 512 * 512 = 262144 totlen is way bigger than it was supposed to be
2013-08-26PAC: Skip SIDs that cannot be resolved to domainJakub Hrozek1-2/+4
2013-08-26PAC: use SID instead of GID to search for groupsSumit Bose1-48/+41
With the support of POSIX IDs managed on the AD side we may find non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in the PAC. Since in this case all cached groups have a SDI attribute it is more reliable to search the groups by SID instead of GID.
2013-08-26PAC: do not fail if a single group cannot be added/removedSumit Bose1-18/+31
When processing a list of groups we try to process as much as possible only not stop on the first error.
2013-08-26PAC: read user DN instead of constructing itSumit Bose1-5/+17
To avoid issues with case-sensitivity it is more reliable to search the user entry in the cache and use the returned DN instead of constructing it.
2013-08-26PAC: handle non-POSIX groups in cacheSumit Bose2-11/+9
Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.
2013-08-26PAC: do not create users with missing GIDSumit Bose1-0/+14
If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
2013-08-26PAC: if user entry already exists keep itSumit Bose3-86/+10
Currently the PAC responder deletes a user entry and recreates it if some attributes seems to be different. Two of the attributes where the home directory and the shell of the user. Those two attributes are not available from the PAC but where generates by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry. Fixes https://fedorahosted.org/sssd/ticket/1996
2013-08-22pam: Bad debug message format and parameter.Michal Zidek1-1/+2
2013-08-22mmap_cache: Use sss_atomic_write_s instead of write.Michal Zidek1-2/+11
Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written. It is better to use sss_atomic_write_s instead of write
2013-08-19mmap_cache: Store corrupted mmap cache before resetMichal Zidek1-0/+66
This patch adds function to store corrupted mmap cache file to disk for further analysis.
2013-08-19mmap_cache: Use better checks for corrupted mc in responderMichal Zidek1-3/+53
We introduced new way to check integrity of memcache in the client code. We should use similiar checks in the responder.
2013-08-19mmap_cache: Off by one error.Michal Zidek1-6/+6
Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS.
2013-08-19fill_initgr: add original primary GID if availableSumit Bose1-0/+27
In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027
2013-08-11mmap_cache: Check if slot and name_ptr are not invalid.Michal Zidek2-2/+54
This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
2013-08-08PAM: Set negcache if user is not found after provider checkJakub Hrozek1-0/+10
2013-08-08PAM: Check negcache when searching for fully qualified users, tooJakub Hrozek1-0/+8
2013-08-08NSS: Clear cached netgroups if a request comes in from the sss_cacheLukas Slebodnik3-0/+54
In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759
2013-08-08NSS: allow removing entries from netgroup hash tableLukas Slebodnik3-1/+32
There is a timed desctructor in the nss responder that, when the entry timeout passes, removes the netgroup from the hash table while the netgroup is freed. This patch adds a hash delete callback so that if the netgroup is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
2013-08-05SSH: Ensure that cmd_ctx->name will not be NULL.Lukas Slebodnik1-4/+6
If cmd_ctx->name was not initialized by sss_parse_name then copy of name will be used. https://fedorahosted.org/sssd/ticket/1970 Coverity ID: 11647
2013-07-31Fix netgroup lookup when using fully qualified namePavel Březina1-2/+2
2013-07-29Netgroups should ignore the 'use_fully_qualified_names' settingStephen Gallagher1-8/+6
Netgroups often have memberNisNetgroup entries included in them that will never process correctly if we require fully-qualified names on the nested lookup. This patch alters the behavior of netgroup lookups to check *all* domains for an unqualified netgroup name, instead of only the ones not requiring fully- qualified names. https://fedorahosted.org/sssd/ticket/2013
2013-07-29Remove unused memory contextLukas Slebodnik1-6/+6
2013-07-22SUDO: realloc with sizeof(uint32_t) when adding uint32_tJakub Hrozek1-1/+1
2013-07-18Do not try to set password when authtok_length is zeroOndrej Kos1-2/+6
https://fedorahosted.org/sssd/ticket/1814 When the authtok_length is zero, it shouldn't call sss_authtok_set_password, because it tries to determine lenght of passed string by itself and would read parts of DBus message behind boundaries of authtok.
2013-07-16remove unused variablePavel Březina1-4/+0
2013-07-16Remove unused function parameterLukas Slebodnik1-3/+1
2013-07-15Missing space in debug messageMichal Zidek1-2/+2
2013-06-27Do not call sss_cmd_done in function check_cache.Lukas Slebodnik1-6/+0
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980