summaryrefslogtreecommitdiff
path: root/src/responder
AgeCommit message (Collapse)AuthorFilesLines
2013-06-27Do not call sss_cmd_done in function check_cache.Lukas Slebodnik1-6/+0
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980
2013-06-27Handle too many results from getnetgr.Lukas Slebodnik1-1/+13
2013-06-27SSH: Update known_hosts file after unsuccessful requests as well.Jan Cholasta1-20/+36
https://fedorahosted.org/sssd/ticket/1949
2013-06-27sudo responder: use different callback for oob refreshPavel Březina1-6/+8
https://fedorahosted.org/sssd/ticket/1693 Since we don't care about returned values from out of band refresh, we do not need to set callback data. However, this caused talloc to abort as it considers it as type mismatch when called from tevent_req_callback_data().
2013-06-24PAC: do not delete originalDN or cached password if presentSumit Bose1-1/+26
If the PAC responder recognizes some attribute changes between the cached user entry and the PAC data it quite crudely just removes the cached entry and recreates it. While in most cases all needed data can be recovered from the PAC data there is a case where it is not possible. E.g the IPA HBAC code use the OriginalDN attribute to improve performance when evaluating access rules. This patch makes sure this attribute is not lost when the PAC responder updates the object.
2013-06-19PAC: do not expect that sysdb_search_object_by_sid() return ENOENTSumit Bose1-8/+8
sysdb_search_object_by_sid() does not return ENOENT if no related object was found in the cache but EOK and an empty result list. Fixes https://fedorahosted.org/sssd/ticket/1989
2013-06-07New utility function sss_get_domain_nameJakub Hrozek2-19/+10
Instead of copying a block of code that checks whether domain is a subdomain and uses only name of FQDN as appropriate, wrap the logic into a function.
2013-06-06Enhance PAC responder for AD usersSumit Bose3-927/+659
This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now lookup up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD. Fixes https://fedorahosted.org/sssd/ticket/1558
2013-06-04Lookup domains at startupSumit Bose8-0/+89
To make sure that e.g. the short/NetBIOS domain name is available this patch make sure that the responders send a get_domains request to their backends at startup the collect the domain information or read it from the cache if the backend is offline. For completeness I added this to all responders even if they do not need the information at the moment. Fixes https://fedorahosted.org/sssd/ticket/1951
2013-05-30Remove branching to improve readabilityJakub Hrozek1-23/+11
2013-05-30Allow flat name in the FQname formatJakub Hrozek1-3/+3
https://fedorahosted.org/sssd/ticket/1648 Adds another expansion in the printf format that allows the user to use the domain flat name in the format.
2013-05-30Add utility functions for formatting fully-qualified namesJakub Hrozek3-34/+22
Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
2013-05-20Fixing critical format string issues.Lukas Slebodnik7-14/+25
--missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
2013-05-10sudo responder: search rules for subdomains in parent domain subtreePavel Březina1-0/+5
https://fedorahosted.org/sssd/ticket/1912 SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but sobdomains users are in cn=sub.domain,cn=sysdb. When we search for rules for subdomain users we have to switch domain context to parent.
2013-05-10Add missing \n to debug stringSumit Bose1-1/+1
2013-05-07SSH: Do not skip domains with use_fully_qualified_names in host key requestsJan Cholasta1-6/+0
2013-05-07SSH: Use separate field for domain name in client requestsJan Cholasta1-27/+64
Instead of appending @domain to names when the --domain option of sss_ssh_* is used, put domain name in a separate field in client requests.
2013-05-07SSH: Fix parsing of names from client requestsJan Cholasta3-3/+30
Try to parse names in the form user@domain first, as that's what sss_ssh_* send in requests when the --domain option is used. Do not parse host names using domain-specific regular expression.
2013-05-03Add SID related calls to the NSS responderSumit Bose2-3/+795
The patch adds 4 new calls to the NSS responder: - SSS_NSS_GETSIDBYNAME - SSS_NSS_GETSIDBYID - SSS_NSS_GETNAMEBYSID - SSS_NSS_GETIDBYSID to either return the SIDs of the requested object or map the SID to the name or the POSIX ID of the related object.
2013-05-02Add sss_ncache_set_sid() and sss_ncache_check_sid()Sumit Bose2-0/+31
Two new calls are added to allow to add SID based lookups to the negative cache.
2013-05-02Add responder_get_domain_by_id()Sumit Bose2-0/+52
This new call is similar to responder_get_domain() but uses the domain SID as search parameter. Since the length of the stored domain SID is used in the comparison, SIDs of users and groups and be used directly without stripping the RID component. The functionality is not merged into responder_get_domain() to allow to calculate the timeout correctly and return a specific error code if the entry is expired.
2013-05-02Add idmap context to nss contextSumit Bose2-0/+22
This allows the nss responder to use libsss_idmap to convert between different SID representations.
2013-05-02Add two new request types to the data-provider interfaceSumit Bose2-1/+9
The patch adds two new request types for SID related requests. The first one is used if a SID is given and the corresponding object should be found. The second one can be used if the SID for an object is requested but it is not clear if the object is a user or a group.
2013-05-02Add secid filter to responder-dp protocolSumit Bose1-4/+14
This patch add a new filter type to the data-provider interface which can be used for SID-based lookups.
2013-05-02responder_get_domain(): remove timeout calculationSumit Bose1-10/+1
The current timout calculation code in responder_get_domain() is flawed and I think it always was. I removed the related code because - it currently has no effect, a match is returned even if it is expired - that callers do not have any code to handle expired domains.
2013-05-02responder_get_domain: do not return disabled domainsSumit Bose1-0/+4
Recent refactoring introduced to concept of disabled domains, i.e. domains which does not exists anymore. responder_get_domain() should not return disabled domains.
2013-05-02Remove unused TALLOC_CTX from responder_get_domain()Sumit Bose11-20/+16
Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.
2013-04-26DB: Switch to new libini_config APIOndrej Kos2-2/+1
https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure scritp is modified and correct ini interface is chosen.
2013-04-21Refactoring: remove duplicated code in nss responderSumit Bose2-622/+240
Different user and group lookup requests used nearly identical code, this patch unifies some of the related code paths.
2013-04-21Fix and rename get_my_domain_data()Sumit Bose3-12/+14
The task of get_my_domain_data() is to read some information about the configured domain from the cache. While the sysdb interface was redesigned some changes changed the behaviour so that the data of the domain of the current request was read. If this domain is a sub-domain the wrong data was read. As a result group-memberships of the configured domain were not taken into account. The original code didn't made it easy to see that always the parent domain should be used here, because there was no comment indication this and the function name get_my_domain_data() didn't made it clear either. Additionally to fixing the issue this patch also adds a comment and rename the function to get_parent_domain_data(). Fixes https://fedorahosted.org/sssd/ticket/1888
2013-04-17Inform about function duplication.Michal Zidek1-0/+3
sss_mc_set_recycled is a static function, that should not be used outside nsssrv_mmap_cache.c. The sss_cache tool is an exception, because in the case when sssd is not running, sss_cache must invalidate the memory cache file. That is why sss_mc_set_recycled was copied to the tools_mc_util.c (as helper function for sss_memcache_invalidate function). It was duplicated to allow this function to remain static (and invisible to any .h files), so that it is not used anywhere else. Wrong usage of this function might cause race conditions and corrupt the cache. I'll add comments about the duplication to the code.
2013-04-10Allow using flatname for subdomain home dir templateJakub Hrozek2-5/+7
https://fedorahosted.org/sssd/ticket/1609
2013-04-08Allocate PAM DP request data on responder contextJakub Hrozek3-5/+54
https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
2013-04-03Check for correct variable nameJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1864
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik2-14/+12
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik1-1/+1
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-03-20coding style fixPavel Březina1-1/+1
2013-03-20change responder contexts hierarchyPavel Březina6-65/+94
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina7-35/+62
2013-03-19Move SELinux processing to provider.Michal Zidek1-309/+0
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik1-1/+0
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-08Move sss_cmd_execute from client to responder code.Jakub Hrozek3-7/+15
I think it logically belongs there and allows to better exercise the responder commands from unit tests.
2013-03-07Debug message in sss_mc_create_file.Michal Zidek1-0/+5
This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
2013-03-07File descriptor leak in nss responder.Michal Zidek1-18/+43
File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
2013-03-07Removing unused parameter type from sudosrv_get_sudorules_query_cache()Lukas Slebodnik1-6/+4
https://fedorahosted.org/sssd/ticket/1825
2013-03-05Remove the alt_db_path parameter of sysdb_initMichal Zidek1-1/+1
This parameter was never used. https://fedorahosted.org/sssd/ticket/1765
2013-03-04Use the same dbg level for all ncache hits.Michal Zidek2-21/+28
We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771
2013-03-04Remove unused functionsJakub Hrozek4-36/+0
2013-03-01autofs: fix invalid header 'number of entries' in packetPavel Březina1-1/+5
https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
2013-02-26if selinux is disabled, ignore that selogin dir is missingPavel Březina1-3/+15
https://fedorahosted.org/sssd/ticket/1817