summaryrefslogtreecommitdiff
path: root/src/util
AgeCommit message (Collapse)AuthorFilesLines
2013-03-05Improve IS_SSSD_ERROR() macroSimo Sorce1-2/+2
We need to mask the first part with 0xFFFF or there is a slight chance an unrelated error code would match even if the upper part is not exactly equal to ERR_BASE but just has all it's bits and some more. Also make the macro more reasable by adding another helper macro for filtering the base. Finally compare err and ERR_LAST directly w/o masking err, or the comparison will always return true.
2013-03-04Cleanup error message handling for krb5 childSimo Sorce2-1/+11
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04Return ERR_INTERNAL instead of EIOSimo Sorce1-1/+1
EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward.
2013-03-04Use SSSD specific errors for offline authSimo Sorce3-10/+22
This prevents reportin false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.
2013-03-04Add SSSD specific error codes and definitionsSimo Sorce3-7/+117
This code adds a new range of error codes specific to SSSD, It also provides helper functions to print out error defintions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provide is not a valid SSSD error code.
2013-03-04Improved readability of get_next_domain()Lukas Slebodnik1-2/+2
https://fedorahosted.org/sssd/ticket/1812
2013-02-14get_next_domain() test dom->parent->next for NULLPavel Březina1-1/+1
Otherwise dom may be set to NULL and we will segfault when dereferencing dom.
2013-02-11krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek1-1/+7
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
2013-02-10Introduce IS_SUBDOMAIN() macroSimo Sorce2-1/+3
Fixes https://fedorahosted.org/sssd/ticket/1766
2013-02-10Change the way domains are linked.Simo Sorce3-26/+33
- Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
2013-02-10Add ability to disable domainsSimo Sorce1-8/+12
2013-02-10Add function get_next_domain()Simo Sorce3-2/+22
Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
2013-02-10Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce1-0/+3
2013-02-10Add realm info to sss_domain_infoSimo Sorce2-1/+12
2013-02-10NSS: Add original homedir to home directory template optionsStephen Gallagher2-2/+14
https://fedorahosted.org/sssd/ticket/1805
2013-01-16Correct format security for talloc_named of auth tokensStephen Gallagher1-1/+1
2013-01-15Stop creating fake sysdb contextsSimo Sorce1-7/+2
Now that the sysdb context does not contain anymore domain related data we can simply stop creating faxe sysdb context and just reference the parent context.
2013-01-15Move mpg flag to the domain where it belongsSimo Sorce1-0/+1
A sysdb contains now multiple domains, but the mpg property is a property of a specific domain not of the underlying database.
2013-01-15Add domain to sysdb_search_user_by_name()Simo Sorce2-1/+3
Also remove unused sysdb_search_domuser_by_name()
2013-01-15Pass domain to sysdb_get<pw/gr>nam() functionsSimo Sorce1-1/+1
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.
2013-01-15Refactor single domain initializationSimo Sorce2-0/+40
Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.
2013-01-10Add authtok utility functions.Simo Sorce2-0/+382
These functions allow handling of auth tokens in a completely opaque way, with clear semantics and accessor fucntions that guarantee consistency, proper access to data and error conditions.
2013-01-10Add function to safely wipe memory.Simo Sorce2-0/+18
This is useful for wiping passwords, as it prevents the compiler from optimizing out a memset to zero before a free()
2013-01-07memcache: make MC_PTR_TO_SLOT() more readablePavel Březina1-2/+1
2013-01-07memcache: add macro that validates record lengthPavel Březina1-0/+6
2013-01-07Search for SHORTNAME$@REALM instead of fqdn$@REALM by defaultJakub Hrozek1-3/+35
The search was intended for the AD provider mostly, but keytabs coming from AD via samba don't contain fqdn$@REALM but rather uppercased SHORTNAME$@REALM https://fedorahosted.org/sssd/ticket/1740
2013-01-02failover: Protect against empty host namesMichal Zidek2-92/+72
Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484
2012-12-20Carefully check records when forcibly invalidatingSimo Sorce1-2/+4
We should never try to invalidate an already invalid record as internal pointers will not be consistent. Carefully test that the record really is valid when we are fishing for free space, and properly invalidate records or return a fatal error if something goes wrong. In order to make the code more robust always invalidate the whole data space on initialization by setting all bits to 1, and make sure to invalidate the whole last allocated slot by converting rec->len to the number of slots instead of just the space used.
2012-12-20Free resources if fileno failedJakub Hrozek1-0/+2
2012-12-18select_principal_from_keytab() do wildcard lookups after specific onesSumit Bose1-3/+3
Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail.
2012-12-18select_principal_from_keytab() look for plain input as wellSumit Bose1-2/+6
Currently in select_principal_from_keytab() all kind of different versions of the host principal are looked up in the keytab except for the plain name the ldap_sasl_authid option. With this patch the plain name is looked up first.
2012-12-18Set cloexec flag for log filesJakub Hrozek1-0/+11
https://fedorahosted.org/sssd/ticket/1708 The services kept the fd to /var/log/sssd/sssd.log open. I don't think there's any point in keeping the logfiles open after exec-ing for the child, so I set the CLOEXEC flag.
2012-11-28Avoid const warnings when deallocating memorySimo Sorce1-1/+1
In some case we allocate and assign data to a const pointer. When we then try to free it we would get a const warning because talloc_free accepts a void, not a const void pointer. Use discard_const to avoid the warning, it is safe in this case.
2012-11-28Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."Simo Sorce1-5/+1
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774. This commit doesn't really make sense, we are never accessing freed memory as all we are dealing with is a pointer which is never itsef part of the memory we are freeing (if it were, it would be an error in the caller and we shouldn't mask it in this macro).
2012-11-26debug: print fatal and critical errors if debug level is unresolvedMichal Zidek1-1/+4
If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors. https://fedorahosted.org/sssd/ticket/1345
2012-11-22Handle compiling FQDN regular expression with old pcre gracefullyJakub Hrozek1-0/+9
https://fedorahosted.org/sssd/ticket/1661
2012-11-21MONITOR: Fix off-by-one error in add_string_to_listJakub Hrozek1-1/+4
We need to allocate num_services+2 - one extra space for the new service and one for NULL.
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce1-1/+1
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-19SERVER: Check the return value of waitpidJakub Hrozek1-11/+27
We should at least print an error message and error out if waitpid() fails. https://fedorahosted.org/sssd/ticket/1651
2012-11-14Always start PAC responder if IPA ID provider is configuredSumit Bose1-0/+6
Since the PAC responder is used during the authentication of users from trusted realms it is started automatically if the IPA ID provider is configured for a domain to simplify the configuration. Fixes https://fedorahosted.org/sssd/ticket/1613
2012-11-14Add string_in_list() and add_string_to_list() with testsSumit Bose2-0/+69
string_in_list() and add_string_to_list() are two utilities for NULL terminated strings arrays. add_string_to_list() adds a new string to an existing list or creates a new one with the strings as only item if there is not list. string_in_list() checks if a given string is in the list. It can be used case sensitive or in-sensitive.
2012-11-12Only build extract_and_send_pac on platforms that support itJakub Hrozek2-0/+118
2012-11-12Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek1-0/+42
2012-11-08util_lock.c: sss_br_lock_file accepted invalid parameter valueMichal Zidek2-3/+7
Return EINVAL if number of tries is <= 0. Also the parameter retries was renamed to num_tries, so it is more obvious that it also includes the first try.
2012-11-06util: Added new file util_lock.cMichal Zidek2-0/+87
2012-11-06exit original process after sssd is initializedPavel Březina2-2/+30
https://fedorahosted.org/sssd/ticket/1357 Neither systemd or our init script use pid file as a notification that sssd is finished initializing. They will continue starting up next service right after the original (not daemonized) sssd process is terminated. If any of the responders fail to start, we will never terminate the original process via signal and "service sssd start" will hang. Thus we take this as an error and terminate the daemon with a non-zero value. This will also terminate the original process and init script or systemd will print failure.
2012-11-06fix indendation, coding style and debug levels in server.cPavel Březina1-110/+114
2012-11-06add SSSDBG_IMPORTANT_INFO macroPavel Březina1-0/+1
We currently have only SSSDBG_FATAL_FAILURE macro that corresponds to original debug level 0. But there are several level 0 messages that are not actually failures but an important information. We should use this new macro to represent them.
2012-10-29Include talloc log in our debug facilityMichal Zidek2-5/+15
https://fedorahosted.org/sssd/ticket/1495
2012-10-26Make sub-domains case-insensitiveSumit Bose1-1/+1
Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows user we make sub-domains case-insensitive as well which allows to write the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.