Age | Commit message (Collapse) | Author | Files | Lines |
|
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
https://fedorahosted.org/sssd/ticket/1772
SAFEALIGN macros have been renamed in this patch to
make it easy to pick the right macro when data is copied
from byte buffer to a variable or vice versa.
The renamed macros are placed in new header file to
avoid code duplication (the old ones were defined in
two files, one for the client code and one for the rest
of sssd).
|
|
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
|
This patch add a library for client side lookups for a SID or with a
SID through the calls:
- sss_nss_getsidbyname
- sss_nss_getsidbyid
- sss_nss_getnamebysid
- sss_nss_getidbysid
The library is called libsss_nss_idmap and the contributed spec file
will create two new packages libsss_nss_idmap and
libsss_nss_idmap-devel.
|
|
https://fedorahosted.org/sssd/ticket/1889
Fixes two minor coverity issues.
|
|
Adding missing dependencies for linker. Missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in changed file src/sss_client/nss_mc_common.c
All function declaration for io.c was moved from util.h to separate file io.h,
https://fedorahosted.org/sssd/ticket/1838
|
|
Header file "providers.h" is not included in any other
file and function "dp_process_init" declared in this header file
has no implementation.
Header file protos.h is not also included in any other file and even
hole content is commented out.
|
|
Functions open_cloexec and openat_cloexec were renamed with prefix
"sss_" and moved to separete file. Replacing duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
https://fedorahosted.org/sssd/ticket/1819
|
|
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1748
|
|
https://fedorahosted.org/sssd/ticket/1724
|
|
We have 2 places where we memcpy memory and need barriers protection.
Use a macro so we can consolidate code in one place.
Second fix for: https://fedorahosted.org/sssd/ticket/1694
|
|
Fixes https://fedorahosted.org/sssd/ticket/1694
|
|
|
|
Eliminates a compiler warning
|
|
This caused troubles with subdomain users and it is not really
necessary. This patch does not change the protocol itself, that
should be done on the earliest possible occasion.
Part of https://fedorahosted.org/sssd/ticket/1616
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
* Protect the fd with a mutex when closing
* Set it to a safe value after closing
|
|
|
|
https://fedorahosted.org/sssd/ticket/1569
|
|
This cause troubles when we send data to a pipe and close the
file descriptor before data is read. The pipe is still readable,
but POLLHUP is detected and we fail to read them.
For example, this may cause a user beeing unable to log in.
Now if POLLHUP appears, we read the pipe and then close it on
the client side too.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1460
|
|
https://fedorahosted.org/sssd/ticket/1415
|
|
|
|
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
https://fedorahosted.org/sssd/ticket/1379
|
|
SIGSEGV occured when sss_sudo_cli was run without any arguments.
|
|
Fixes https://fedorahosted.org/sssd/ticket/1409
|
|
Coverity #12803
|
|
|
|
https://fedorahosted.org/sssd/ticket/1239
Test client was changed accordingly. The new usage is:
sss_sudo_cli username [uid]
If uid is not set, getpwnam(username) is called. It will retrieve
both default options and rules.
|
|
|
|
|
|
|
|
This adds support for parsing PAC and storing information contained
within. In particular the user and all his memberships are stored. In
case it is necessary, getgrgid() requests are sent to provider for group
resolution.
|
|
Older platfroms like RHEL5 do not have support for O_CLOEXC and need an
explicit fcntl after the fd is created.
Add it conditionally so it can be clearly removed once we declared those
platfroms obsolete and unsupported.
|
|
We need to make sure the mc socket is not leaked otherwise child processes will
pile up leaked file descriptors.
Add O_CLOEXEC when opening the cache.
|
|
Note we set MSG_NOSIGNAL to avoid
having to fiddle with signal masks
but also do not want to die in case
SIGPIPE gets raised and the application
does not handle it.
|
|
|
|
This would cause a crash if we jump to the done: label before it
has been allocated.
|
|
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360
|
|
missing
https://fedorahosted.org/sssd/ticket/1356
|
|
|
|
|