Age | Commit message (Collapse) | Author | Files | Lines |
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
https://fedorahosted.org/sssd/ticket/1589
Added check for determining, whether database version is higher or
lower than expected. To distinguish it from other errors it uses
following retun values (further used for appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected
When SSSD or one of it's tools fails on DB version mismatch, new error
message is showed suggesting how to proceed.
|
|
https://fedorahosted.org/sssd/ticket/1650
|
|
https://fedorahosted.org/sssd/ticket/1376
|
|
|
|
This caused troubles with subdomain users and it is not really
necessary. This patch does not change the protocol itself, that
should be done on the earliest possible occasion.
Part of https://fedorahosted.org/sssd/ticket/1616
|
|
https://fedorahosted.org/sssd/ticket/1616
|
|
|
|
|
|
|
|
For user of the local domain the server-side DN of the groups the user
is a member of is stored with the user object in the cache and used to
improve performance e.g. by the HBAC code. Since subdomain users should
be handled by HBAC as well the group DN is stored in the same way as for
users of the local domain.
This patch also adds code to remove the attribute from the user object
if the user is removed from the group.
|
|
Currently the user was just added to all local groups which are given in
the PAC. With this patch the user is added only to groups he is
currently not a member of and deleted from groups which are not found in
the PAC anymore.
|
|
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.
Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes
|
|
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and return a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
|
|
Les copy/paste and chance of errors when setting basic record fields
that are shared among all object types.
|
|
If force is true, ret may stay uninitialized and if ret == 0
after the subrequest is send, we will go to immediate label.
Data provider request is sent, but the answer is never processed.
This prohibited subdomain from working correctly.
|
|
https://fedorahosted.org/sssd/ticket/1584
|
|
https://fedorahosted.org/sssd/ticket/1619
We don't close the fd when we write the selinux login file in the pam
responder. This results in a fd leak.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
|
|
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that if e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
|
|
Since winbind can only return lower-cased user name the pac responder
must do the same to avoid inconsistent behaviour.
|
|
This error prevent proper id-mapping in the PAC responder.
|
|
One is a copy-and-paste error which was introduce by
1774ee9a61b9d691dadd1a0538f32bcdcc84f72f.
The second fixes a missing explicit setting of the return value. In the
case where we want fully qualified names ret contains the number of
characters from the last snprintf() which is almost ever not 0.
|
|
https://fedorahosted.org/sssd/ticket/1583
|
|
Fixes https://fedorahosted.org/sssd/ticket/1561
|
|
|
|
https://fedorahosted.org/sssd/ticket/1571
The patch changes the subdomains discovery to use the tevent_req
style. Previously, the code violated several rules which made the code
very unreadable and led to memory hierarchy issues and use-after-free
errors.
|
|
https://fedorahosted.org/sssd/ticket/1551
|
|
https://fedorahosted.org/sssd/ticket/1514
We were experiencing crash duting responder shut down. This happened
when there were some unresolved dp request during the shut down.
The memory hierarchy is main_ctx->specific_ctx->rctx, where
specific_ctx may be one of the pam, nss, sudo, etc. contexts.
If we try to call dp request callback as a result of responder
termination, the specific context is already semi freed, which may
cause crash.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
|
|
https://fedorahosted.org/sssd/ticket/1438
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1492
|
|
|
|
https://fedorahosted.org/sssd/ticket/1455
In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.
The IPA default must be only used if there *are* rules on the server,
but none matches.
|
|
write_selinux_string() would try to unlink the temporary file even after
it was renamed. Failure to unlink the file would not be fatal, but would
produce a confusing error message.
Also don't use "0" for the default fd number, that's reserved for stdin.
Using -1 is safer.
|
|
https://fedorahosted.org/sssd/ticket/1480
|