Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in a AD environment.
I think this is wrong an wildcards should only be used is all specific
lookups fail.
|
|
Currently in select_principal_from_keytab() all kind of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first.
|
|
https://fedorahosted.org/sssd/ticket/1708
The services kept the fd to /var/log/sssd/sssd.log open. I don't think
there's any point in keeping the logfiles open after exec-ing for the
child, so I set the CLOEXEC flag.
|
|
In some case we allocate and assign data to a const pointer.
When we then try to free it we would get a const warning because talloc_free
accepts a void, not a const void pointer. Use discard_const to avoid the
warning, it is safe in this case.
|
|
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774.
This commit doesn't really make sense, we are never accessing freed
memory as all we are dealing with is a pointer which is never itsef
part of the memory we are freeing (if it were, it would be an error
in the caller and we shouldn't mask it in this macro).
|
|
If global variable debug_level has value SSSDBG_UNRESOLVED, we should
print at least fatal and critical errors.
https://fedorahosted.org/sssd/ticket/1345
|
|
https://fedorahosted.org/sssd/ticket/1661
|
|
We need to allocate num_services+2 - one extra space for the new service
and one for NULL.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
We should at least print an error message and error out if waitpid()
fails.
https://fedorahosted.org/sssd/ticket/1651
|
|
Since the PAC responder is used during the authentication of users from
trusted realms it is started automatically if the IPA ID provider is
configured for a domain to simplify the configuration.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
|
string_in_list() and add_string_to_list() are two utilities for NULL
terminated strings arrays. add_string_to_list() adds a new string to an
existing list or creates a new one with the strings as only item if
there is not list. string_in_list() checks if a given string is in the
list. It can be used case sensitive or in-sensitive.
|
|
|
|
|
|
Return EINVAL if number of tries is <= 0. Also the parameter
retries was renamed to num_tries, so it is more obvious that
it also includes the first try.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1357
Neither systemd or our init script use pid file as a notification
that sssd is finished initializing. They will continue starting up
next service right after the original (not daemonized) sssd process
is terminated.
If any of the responders fail to start, we will never terminate
the original process via signal and "service sssd start" will hang.
Thus we take this as an error and terminate the daemon with
a non-zero value. This will also terminate the original process
and init script or systemd will print failure.
|
|
|
|
We currently have only SSSDBG_FATAL_FAILURE macro that corresponds
to original debug level 0. But there are several level 0 messages
that are not actually failures but an important information. We
should use this new macro to represent them.
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
|
Domains may have a flat or short name to save some keystrokes when
typing fully qualified user names. Internally sssd will always use the
canonical name to allow consistent processing.
|
|
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platform with lower version of MIT
Kerberos a replacement call is added. Please note that on those
platform the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platform it
must be implemented by a different patch.
|
|
|
|
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539
|
|
https://fedorahosted.org/sssd/ticket/1303
Domain start up was taking too long when there are many principals
in a kerberos keytab. We were looking up in the keytab two times.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call.
|
|
https://fedorahosted.org/sssd/ticket/1357
|
|
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1524
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
|
|
ldap_destroy() is not present in RHEL5
|
|
We were not closing LDAP connection when using SSL
with invalid certificate.
https://fedorahosted.org/sssd/ticket/1490
|
|
The compilation produced an error due to missing declaration of uint32_t
and a couple of warnings caused by different prototypes of argument
parsing functions in older Python releases.
|
|
This patch adds the possibility for user/host category attributes to
have more than one value. It also fixes semantically wrong evaluation of
SELinux map priority.
|
|
|
|
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is user to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
|
|
Coverity #12781
|
|
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
|
|
|
|
Implemented working versions of the following functions for libcrypto:
sss_base64_encode
sss_base64_decode
sss_hmac_sha1
sss_password_encrypt
sss_password_decrypt
test_encrypt_decrypt now expects EOK from libcrypto.
test_hmac_sha1 now expects EOK from libcrypto.
Added test_base64_encode to test base64 encoding implementation.
Added test_base64_decode to test base64 decoding implementation.
Signed-off-by: George McCollister <George.McCollister@gmail.com>
|
|
This patch fixes an issue which resulted in a need to initialize
responder with data from local domain, otherwise it would not correctly
detect requests for subdomains. Similar situation can occur if new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name.
|
|
The recent fixes for per-domain parsing can cause a segfault in
the netgroup processing if the domain isn't set to NULL when it's
parsed as "any domain".
https://fedorahosted.org/sssd/ticket/1383
|