Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
|
https://fedorahosted.org/sssd/ticket/1032
Introduces two new error codes:
- ERR_SRV_NOT_FOUND
- ERR_SRV_LOOKUP_ERROR
Since id_provider is authoritative in case of SRV plugin choise,
ability to override the selected pluging during runtime is not
desirable. We rely on the fact that id_provider is initialized
before all other providers, thus the plugin is set correctly.
|
|
https://fedorahosted.org/sssd/ticket/1609
|
|
https://fedorahosted.org/sssd/ticket/1864
|
|
https://fedorahosted.org/sssd/ticket/1860
|
|
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830
|
|
|
|
|
|
|
|
Also fixed typo.
|
|
Also simplify sdap_access_send to avoid completely fake _send() routines.
|
|
The SELinux processing was distributed between provider and
pam responder which resulted in hard to maintain code. This
patch moves the logic to provider.
IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because
the provider also writes the content of selinux login
file to disk (which was done by responder before).
https://fedorahosted.org/sssd/ticket/1743
|
|
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
Adding missing dependencies for linker. Missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in changed file src/sss_client/nss_mc_common.c
All function declaration for io.c was moved from util.h to separate file io.h,
https://fedorahosted.org/sssd/ticket/1838
|
|
Function open_debug_file_ex() set flag FD_CLOEXEC to opened
file according to the value of third parameter.
Removed duplicity of unsetting FD_CLOEXEC after calling function
open_debug_file_ex()
|
|
Functions open_cloexec and openat_cloexec were renamed with prefix
"sss_" and moved to separete file. Replacing duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
We need to mask the first part with 0xFFFF or there is a slight chance an
unrelated error code would match even if the upper part is not exactly
equal to ERR_BASE but just has all it's bits and some more.
Also make the macro more reasable by adding another helper macro for filtering
the base.
Finally compare err and ERR_LAST directly w/o masking err, or the comparison
will always return true.
|
|
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
|
|
EIO has always been an odd match, but was used as an error to indicate
that something had gone wrong internally before we had specific SSSD
errors available. Use ERR_INTERNAL instead going forward.
|
|
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|
|
https://fedorahosted.org/sssd/ticket/1812
|
|
Otherwise dom may be set to NULL and we will segfault when
dereferencing dom.
|
|
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
Now that the sysdb context does not contain anymore domain related data
we can simply stop creating faxe sysdb context and just reference the
parent context.
|
|
A sysdb contains now multiple domains, but the mpg property is a
property of a specific domain not of the underlying database.
|
|
Also remove unused sysdb_search_domuser_by_name()
|
|
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not.
|
|
Bring it out of sysdb, which will slowly remove internal dependencies on
domains and instead will always require them to be passed by callers.
|
|
These functions allow handling of auth tokens in a completely opaque way,
with clear semantics and accessor fucntions that guarantee consistency,
proper access to data and error conditions.
|
|
This is useful for wiping passwords, as it prevents the compiler from
optimizing out a memset to zero before a free()
|
|
|
|
|
|
The search was intended for the AD provider mostly, but keytabs coming
from AD via samba don't contain fqdn$@REALM but rather uppercased
SHORTNAME$@REALM
https://fedorahosted.org/sssd/ticket/1740
|
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
We should never try to invalidate an already invalid record as
internal pointers will not be consistent. Carefully test that the
record really is valid when we are fishing for free space, and
properly invalidate records or return a fatal error if something
goes wrong.
In order to make the code more robust always invalidate the whole
data space on initialization by setting all bits to 1, and make sure
to invalidate the whole last allocated slot by converting rec->len to
the number of slots instead of just the space used.
|
|
|
|
Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.
I think this is wrong an wildcards should only be used is all specific
lookups fail.
|
|
Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.
|
|
https://fedorahosted.org/sssd/ticket/1708
The services kept the fd to /var/log/sssd/sssd.log open. I don't think
there's any point in keeping the logfiles open after exec-ing for the
child, so I set the CLOEXEC flag.
|
|
In some case we allocate and assign data to a const pointer.
When we then try to free it we would get a const warning because talloc_free
accepts a void, not a const void pointer. Use discard_const to avoid the
warning, it is safe in this case.
|