summaryrefslogtreecommitdiff
path: root/src/responder
AgeCommit message (Collapse)AuthorFilesLines
2013-05-07SSH: Use separate field for domain name in client requestsJan Cholasta1-27/+64
Instead of appending @domain to names when the --domain option of sss_ssh_* is used, put domain name in a separate field in client requests.
2013-05-07SSH: Fix parsing of names from client requestsJan Cholasta3-3/+30
Try to parse names in the form user@domain first, as that's what sss_ssh_* send in requests when the --domain option is used. Do not parse host names using domain-specific regular expression.
2013-05-03Add SID related calls to the NSS responderSumit Bose2-3/+795
The patch adds 4 new calls to the NSS responder: - SSS_NSS_GETSIDBYNAME - SSS_NSS_GETSIDBYID - SSS_NSS_GETNAMEBYSID - SSS_NSS_GETIDBYSID to either return the SIDs of the requested object or map the SID to the name or the POSIX ID of the related object.
2013-05-02Add sss_ncache_set_sid() and sss_ncache_check_sid()Sumit Bose2-0/+31
Two new calls are added to allow to add SID based lookups to the negative cache.
2013-05-02Add responder_get_domain_by_id()Sumit Bose2-0/+52
This new call is similar to responder_get_domain() but uses the domain SID as search parameter. Since the length of the stored domain SID is used in the comparison, SIDs of users and groups and be used directly without stripping the RID component. The functionality is not merged into responder_get_domain() to allow to calculate the timeout correctly and return a specific error code if the entry is expired.
2013-05-02Add idmap context to nss contextSumit Bose2-0/+22
This allows the nss responder to use libsss_idmap to convert between different SID representations.
2013-05-02Add two new request types to the data-provider interfaceSumit Bose2-1/+9
The patch adds two new request types for SID related requests. The first one is used if a SID is given and the corresponding object should be found. The second one can be used if the SID for an object is requested but it is not clear if the object is a user or a group.
2013-05-02Add secid filter to responder-dp protocolSumit Bose1-4/+14
This patch add a new filter type to the data-provider interface which can be used for SID-based lookups.
2013-05-02responder_get_domain(): remove timeout calculationSumit Bose1-10/+1
The current timout calculation code in responder_get_domain() is flawed and I think it always was. I removed the related code because - it currently has no effect, a match is returned even if it is expired - that callers do not have any code to handle expired domains.
2013-05-02responder_get_domain: do not return disabled domainsSumit Bose1-0/+4
Recent refactoring introduced to concept of disabled domains, i.e. domains which does not exists anymore. responder_get_domain() should not return disabled domains.
2013-05-02Remove unused TALLOC_CTX from responder_get_domain()Sumit Bose11-20/+16
Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.
2013-04-26DB: Switch to new libini_config APIOndrej Kos2-2/+1
https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure scritp is modified and correct ini interface is chosen.
2013-04-21Refactoring: remove duplicated code in nss responderSumit Bose2-622/+240
Different user and group lookup requests used nearly identical code, this patch unifies some of the related code paths.
2013-04-21Fix and rename get_my_domain_data()Sumit Bose3-12/+14
The task of get_my_domain_data() is to read some information about the configured domain from the cache. While the sysdb interface was redesigned some changes changed the behaviour so that the data of the domain of the current request was read. If this domain is a sub-domain the wrong data was read. As a result group-memberships of the configured domain were not taken into account. The original code didn't made it easy to see that always the parent domain should be used here, because there was no comment indication this and the function name get_my_domain_data() didn't made it clear either. Additionally to fixing the issue this patch also adds a comment and rename the function to get_parent_domain_data(). Fixes https://fedorahosted.org/sssd/ticket/1888
2013-04-17Inform about function duplication.Michal Zidek1-0/+3
sss_mc_set_recycled is a static function, that should not be used outside nsssrv_mmap_cache.c. The sss_cache tool is an exception, because in the case when sssd is not running, sss_cache must invalidate the memory cache file. That is why sss_mc_set_recycled was copied to the tools_mc_util.c (as helper function for sss_memcache_invalidate function). It was duplicated to allow this function to remain static (and invisible to any .h files), so that it is not used anywhere else. Wrong usage of this function might cause race conditions and corrupt the cache. I'll add comments about the duplication to the code.
2013-04-10Allow using flatname for subdomain home dir templateJakub Hrozek2-5/+7
https://fedorahosted.org/sssd/ticket/1609
2013-04-08Allocate PAM DP request data on responder contextJakub Hrozek3-5/+54
https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
2013-04-03Check for correct variable nameJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1864
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik2-14/+12
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik1-1/+1
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-03-20coding style fixPavel Březina1-1/+1
2013-03-20change responder contexts hierarchyPavel Březina6-65/+94
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina7-35/+62
2013-03-19Move SELinux processing to provider.Michal Zidek1-309/+0
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik1-1/+0
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-08Move sss_cmd_execute from client to responder code.Jakub Hrozek3-7/+15
I think it logically belongs there and allows to better exercise the responder commands from unit tests.
2013-03-07Debug message in sss_mc_create_file.Michal Zidek1-0/+5
This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
2013-03-07File descriptor leak in nss responder.Michal Zidek1-18/+43
File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
2013-03-07Removing unused parameter type from sudosrv_get_sudorules_query_cache()Lukas Slebodnik1-6/+4
https://fedorahosted.org/sssd/ticket/1825
2013-03-05Remove the alt_db_path parameter of sysdb_initMichal Zidek1-1/+1
This parameter was never used. https://fedorahosted.org/sssd/ticket/1765
2013-03-04Use the same dbg level for all ncache hits.Michal Zidek2-21/+28
We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771
2013-03-04Remove unused functionsJakub Hrozek4-36/+0
2013-03-01autofs: fix invalid header 'number of entries' in packetPavel Březina1-1/+5
https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
2013-02-26if selinux is disabled, ignore that selogin dir is missingPavel Březina1-3/+15
https://fedorahosted.org/sssd/ticket/1817
2013-02-21Fix uninitialized time_t var in responderOndrej Kos1-1/+1
https://fedorahosted.org/sssd/ticket/1810
2013-02-14Lower the DEBUG level if an entry cannot be deleted from memcacheJakub Hrozek1-3/+3
2013-02-10Introduce IS_SUBDOMAIN() macroSimo Sorce4-8/+8
Fixes https://fedorahosted.org/sssd/ticket/1766
2013-02-10Parent and subdomains use the same sysdbSimo Sorce2-71/+8
Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.
2013-02-10Change the way domains are linked.Simo Sorce3-78/+32
- Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
2013-02-10Add function get_next_domain()Simo Sorce11-101/+83
Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
2013-02-10Update main domain info in placeSimo Sorce1-21/+4
2013-02-10Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce1-30/+7
2013-02-10Add realm info to sss_domain_infoSimo Sorce1-0/+1
2013-02-10NSS: Add original homedir to home directory template optionsStephen Gallagher2-6/+7
https://fedorahosted.org/sssd/ticket/1805
2013-01-23Check that strings do not go beyond the end of the packet body in autofs and ↵Jan Cholasta2-7/+7
SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
2013-01-22sudo responder: change num_rules type from size_t to uint32_tPavel Březina5-20/+20
https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
2013-01-16Invalidate user entry even if there are no groupsJakub Hrozek1-6/+1
Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
2013-01-16NSS: invalidate memcache user entry on initgr, tooJakub Hrozek1-0/+11
https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entried in memory cache if the user was removed from the server while still being in memory cache.
2013-01-15Add domain to some subdomain functionsSimo Sorce1-1/+2
2013-01-15Add domain arguments to sysdb sudo functionsSimo Sorce1-4/+5