sssd - System Security Services Daemon

Age	Commit message (Collapse)	Author	Files	Lines
2012-11-12	Only build extract_and_send_pac on platforms that support it	Jakub Hrozek	1	-0/+7

2012-10-26	Add replacement for krb5_find_authdata()	Sumit Bose	1	-0/+5
	krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platform with lower version of MIT Kerberos a replacement call is added. Please note that on those platform the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platform it must be implemented by a different patch.
2012-10-12	Only call krb5_set_trace_callback on platforms that support it	Jakub Hrozek	1	-3/+2

2012-10-12	Collect krb5 trace on high debug levels	Jakub Hrozek	1	-0/+7
	If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-02	remove left over principal selection	Pavel Březina	1	-4/+0
	https://fedorahosted.org/sssd/ticket/1303 Domain start up was taking too long when there are many principals in a kerberos keytab. We were looking up in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a left over from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
2012-07-06	Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8	Stef Walter	1	-8/+0
	* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-06-18	Fix typo breaking DIR cache detection	Stephen Gallagher	1	-2/+0

2012-06-15	KRB5: Auto-detect DIR cache support in configure	Stephen Gallagher	1	-0/+8
	We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-14	Use Kerberos context in KRB5_DEBUG	Jakub Hrozek	1	-0/+8
	Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14	Add support for storing credential caches in the DIR: back end	Jakub Hrozek	1	-1/+2
	https://fedorahosted.org/sssd/ticket/974
2012-06-14	Residual util functions	Jakub Hrozek	1	-0/+16
	Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch adds a couple of utilities to support parsing if ccache locations, checking types etc.
2012-05-07	Limit krb5_get_init_creds_keytab() to etypes in keytab	Stef Walter	1	-0/+8
	* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-04	Modify behavior of pam_pwd_expiration_warning	Jan Zeleny	1	-0/+5
	New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-04-05	Clean up log messages about keytab_name	Stephen Gallagher	1	-0/+2
	There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2011-12-22	Add compatibility layer for Heimdal Kerberos implementation	Stephen Gallagher	1	-0/+15

2011-11-02	Add wrapper for krb5_get_init_creds_opt_set_canonicalize	Jan Zeleny	1	-0/+3

2011-05-05	Added some kerberos functions for building on RHEL5	Jan Zeleny	1	-0/+10

2011-04-25	Modify principal selection for keytab authentication	Jan Zeleny	1	-0/+8
	Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-25	Extend and move function for finding principal in keytab	Jan Zeleny	1	-0/+6
	The function now supports finding principal in keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports * wildcard at the beginning or at the end of primary principal part. The function for finding principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
2010-12-08	Fix build issue with older Kerberos library	Sumit Bose	1	-0/+7

2010-12-07	Add support for FAST in krb5 provider	Sumit Bose	1	-0/+14

2010-09-23	Use new MIT krb5 API for better password expiration warnings	Sumit Bose	1	-1/+12

2010-08-03	Validate keytab at startup	Jakub Hrozek	1	-0/+9
	In addition to validating the keytab everytime a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
2010-02-18	Rename server/ directory to src/	Stephen Gallagher	1	-0/+50
	Also update BUILD.txt