| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The new SAFEALIGN macros name turned to be inappropriate because
they do not reflect what the macros really do.
|
|
It is better to use standard constant for maximum value of type size_t,
instead of reinventing wheel with own defined constant SIZE_T_MAX
This patch replace string "SIZE_T_MAX" -> "SIZE_MAX"
|
|
We use constant AF_INET6 in util.c, but we do not explicitly include header
file sys/socket.h. This header file was indirectly incuded by another header
file netdb.h (netdb.h -> netinet/in.h -> sys/socket.h), but other platform can
have other dependencies among header files.
|
|
Some platform have header file endian.h and anothers have sys/endian.h.
We nedd to use conditional build to handle it correctly, therefore new header
file sss_endian.h was created.
|
|
|
|
The enumerate flag will be read from the cache for subdomains and
the domain object will be created accordingly.
|
|
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
warning reported by cppcheck
|
|
warnings reported by cppcheck.
|
|
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
We introduced new way to check integrity of memcache in the
client code. We should use similiar checks in the responder.
|
|
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
|
|
All supported tevent releases contain these macros.
|
|
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
https://fedorahosted.org/sssd/ticket/2009
If the IPA server mode is on and the SSSD is running on the IPA server,
then the server's extdom plugin calls getpwnam_r to read info about trusted
users from the AD server and return them to the clients that called the
extended operation.
The SSSD returns the subdomain users fully-qualified, ie "user@domain"
by default. The format of the fully qualified name is configurable.
However, the extdom plugin returns the user name without the domain
component.
With this patch, when ipa_server_mode is on, warn if the full_name_format
is set to a non-default value. That would prompt the admin to change the
format if he changed it to something exotic.
|
|
|
|
warning: format string is not a string literal (potentially insecure)
[-Wformat-security]
|
|
https://fedorahosted.org/sssd/ticket/1992
|
|
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
The mpg flag will be read from the cache for subdomains and the domain
object will be created accordingly.
|
|
|
|
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
|
|
DIR:/run/user/1000/krb5cc is valid ccname, but function sss_krb5_cc_file_path
returned NULL in this case.
|
|
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to errornously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES
|
|
https://fedorahosted.org/sssd/ticket/1815
|
|
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
|
|
https://fedorahosted.org/sssd/ticket/1971
Coverity IDs: 11851, 11852, 11853
The NULL check on "entry" "service" and "enable" line string parts is
not necessary and triggers warnings in coverity scans.
|
|
Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.
|
|
The utility function will be reused to guess search base from the base
DN of AD trusted domains.
|
|
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
|
Adds a sanity check of the fqname pattern. Fails if the username pattern
is not specified at all and warns if the domain pattern is not
specified.
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
https://fedorahosted.org/sssd/ticket/1785
nscd.conf file is now checked for the presence of caching settings for
databases controlled by SSSD. Syslog warning is now written only if NSCD
is running with interfering configuration or if configuration file
couldn't be loaded.
New configure option added to support non-standard locations
--with-nscd-conf=PATH (defaultly set to /etc/nscd.conf)
This is just a workaround until the following bugzilla is resolved:
https://bugzilla.redhat.com/show_bug.cgi?id=963908
|
|
Preparation for the following patch which will include the nscd.c in the
monitor code due to newly introduced function for checking the nscd
configuration file.
|
|
https://fedorahosted.org/sssd/ticket/1934
|
|
https://fedorahosted.org/sssd/ticket/1772
SAFEALIGN macros have been renamed in this patch to
make it easy to pick the right macro when data is copied
from byte buffer to a variable or vice versa.
The renamed macros are placed in new header file to
avoid code duplication (the old ones were defined in
two files, one for the client code and one for the rest
of sssd).
|
|
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
|
This function allows initializing sss_names_ctx using a regular expression and
fully qualified format string specified in its arguments.
|
|
|
|
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
|
https://fedorahosted.org/sssd/ticket/1901
CID: 11634
|
|
Converts uint32 to a string value that is suitable for octed
string attributes.
|
|
https://fedorahosted.org/sssd/ticket/1786
Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
|
|
|
|
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
|
https://fedorahosted.org/sssd/ticket/1032
Introduces two new error codes:
- ERR_SRV_NOT_FOUND
- ERR_SRV_LOOKUP_ERROR
Since id_provider is authoritative in case of SRV plugin choise,
ability to override the selected pluging during runtime is not
desirable. We rely on the fact that id_provider is initialized
before all other providers, thus the plugin is set correctly.
|
