path: root/src/util
Age | Commit message | Author | Files | Lines
2013-07-22 | Fix warnings: uninitialized variable | Lukas Slebodnik | 1 file | -1/+1
2013-07-19 | IPA: warn if full_name_format is customized in server mode | Jakub Hrozek | 1 file | -1/+1
https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, i.e. "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.
2013-07-19 | Add missing argument required by format string | Lukas Slebodnik | 1 file | -1/+1
2013-07-19 | Fix clang format string warning. | Lukas Slebodnik | 1 file | -1/+1
warning: format string is not a string literal (potentially insecure) [-Wformat-security]
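The warning above is the compiler's way of saying that an untrusted string is being used as the printf format itself rather than as an argument. The following is an added example, not SSSD code and not the change in the commit; it contrasts the two call shapes on a constructed input. The extra argument passed to the unsafe variant is a stand-in for whatever word the real call would find in the next variadic slot, so the "leak" is simulated rather than reading an absent argument:

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not SSSD code). STACK_STANDIN is a constructed value that
 * plays the role of the register or stack word an attacker-controlled "%x"
 * would otherwise read from the callee's environment.
 */
#define STACK_STANDIN 0xdeadbeefu

/* Vulnerable shape: the untrusted string becomes the format string.
 * With no further arguments this is exactly what -Wformat-security flags;
 * with arguments it is still flagged by -Wformat-nonliteral. */
const char *unsafe_render(const char *untrusted)
{
    static char out[64];
    snprintf(out, sizeof(out), untrusted, STACK_STANDIN);
    return out;
}

/* Fixed shape: the format is a literal and the untrusted data is data. */
const char *safe_render(const char *untrusted)
{
    static char out[64];
    snprintf(out, sizeof(out), "%s", untrusted);
    return out;
}

/* Returns 1 if rendering changed the text, i.e. conversions were executed
 * on attacker-controlled input. */
int unsafe_path_interprets(const char *untrusted)
{
    return strcmp(unsafe_render(untrusted), untrusted) != 0;
}

int safe_path_interprets(const char *untrusted)
{
    return strcmp(safe_render(untrusted), untrusted) != 0;
}

int main(void)
{
    /* Constructed inputs: a normal user name and a probing format string. */
    const char *inputs[] = { "user@example.com", "id=%x" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("input %-18s unsafe=\"%s\" safe=\"%s\"\n",
               inputs[i], unsafe_render(inputs[i]), safe_render(inputs[i]));
    }
    return 0;
}
```

Building with `-Wformat=2 -Werror=format-security` turns the first shape into a build failure, which is the check worth keeping in CI rather than fixing instances one by one.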
2013-07-17 | SIGCHLD handler: do not call callback when pvt data were freed | Pavel Březina | 2 files | -2/+30
https://fedorahosted.org/sssd/ticket/1992
2013-07-15 | Use conditional build for retrieving ccache. | Lukas Slebodnik | 2 files | -0/+56
Some krb5 functions needn't be available for retrieving ccache with principal. Therefore an ifdef is used to solve this situation with older versions of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged into one universal function, which was moved to the file src/util/sss_krb5.c
2013-06-28 | Read mpg state for subdomains from cache | Sumit Bose | 2 files | -3/+5
The mpg flag will be read from the cache for subdomains and the domain object will be created accordingly.
2013-06-27 | Add missing argument to DEBUG message | Lukas Slebodnik | 1 file | -1/+1
2013-06-27 | AD: Write out domain-realm mappings | Jakub Hrozek | 4 files | -24/+187
This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
2013-06-26 | Fix wrong detection of krb5 ccname | Lukas Slebodnik | 1 file | -1/+4
DIR:/run/user/1000/krb5cc is valid ccname, but function sss_krb5_cc_file_path returned NULL in this case.
2013-06-21 | failover: return error when SRV lookup returned only duplicates | Pavel Březina | 2 files | -0/+2
https://fedorahosted.org/sssd/ticket/1947 Otherwise we risk that the meta server is removed from the server list, but without a chance to return, because there may be no fo_server with srv_data = meta. Also if state->meta->next is NULL (it is still orphaned because we try to erroneously expand it without invoking collapse first), state->out will be NULL and SSSD will crash. New error code: ERR_SRV_DUPLICATES
2013-06-16 | subdomains: touch krb5.conf when creating new domain-realm mappings | Pavel Březina | 2 files | -0/+25
https://fedorahosted.org/sssd/ticket/1815
2013-06-14 | KRB: Handle preauthentication error correctly | Ondrej Kos | 2 files | -0/+2
https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
2013-06-10 | Don't test for NULL in nscd config check | Ondrej Kos | 1 file | -12/+3
https://fedorahosted.org/sssd/ticket/1971 Coverity IDs: 11851, 11852, 11853 The NULL check on "entry" "service" and "enable" line string parts is not necessary and triggers warnings in coverity scans.
2013-06-07 | New utility function sss_get_domain_name | Jakub Hrozek | 2 files | -0/+24
Instead of copying a block of code that checks whether domain is a subdomain and uses only name of FQDN as appropriate, wrap the logic into a function.
2013-06-07 | Move domain_to_basedn outside IPA subtree | Jakub Hrozek | 2 files | -0/+37
The utility function will be reused to guess search base from the base DN of AD trusted domains.
2013-05-30 | Allow flat name in the FQname format | Jakub Hrozek | 2 files | -11/+75
https://fedorahosted.org/sssd/ticket/1648 Adds another expansion in the printf format that allows the user to use the domain flat name in the format.
2013-05-30 | Check the validity of FQname format prior to using it | Jakub Hrozek | 1 file | -3/+43
Adds a sanity check of the fqname pattern. Fails if the username pattern is not specified at all and warns if the domain pattern is not specified.
2013-05-30 | Add utility functions for formatting fully-qualified names | Jakub Hrozek | 2 files | -0/+41
Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
2013-05-21 | Check NSCD configuration file | Ondrej Kos | 2 files | -0/+131
https://fedorahosted.org/sssd/ticket/1785 nscd.conf file is now checked for the presence of caching settings for databases controlled by SSSD. Syslog warning is now written only if NSCD is running with interfering configuration or if configuration file couldn't be loaded. New configure option added to support non-standard locations --with-nscd-conf=PATH (set by default to /etc/nscd.conf) This is just a workaround until the following bugzilla is resolved: https://bugzilla.redhat.com/show_bug.cgi?id=963908
2013-05-21 | Move nscd.c from tools to util | Ondrej Kos | 2 files | -0/+105
Preparation for the following patch which will include the nscd.c in the monitor code due to newly introduced function for checking the nscd configuration file.
2013-05-21 | DB: Fix segfault when configuration file cannot be parsed | Ondrej Kos | 1 file | -0/+1
https://fedorahosted.org/sssd/ticket/1934
2013-05-14 | Rename SAFEALIGN macros. | Michal Zidek | 2 files | -61/+111
https://fedorahosted.org/sssd/ticket/1772 SAFEALIGN macros have been renamed in this patch to make it easy to pick the right macro when data is copied from byte buffer to a variable or vice versa. The renamed macros are placed in new header file to avoid code duplication (the old ones were defined in two files, one for the client code and one for the rest of sssd).
2013-05-07 | SSH: Use separate field for domain name in client requests | Jan Cholasta | 1 file | -0/+4
Instead of appending @domain to names when the --domain option of sss_ssh_* is used, put domain name in a separate field in client requests.
2013-05-07 | UTIL: Add function sss_names_init_from_args | Jan Cholasta | 2 files | -41/+73
This function allows initializing sss_names_ctx using a regular expression and fully qualified format string specified in its arguments.
2013-05-06 | Fix minor typos | Yuri Chornoivan | 1 file | -1/+1
2013-05-03 | Refactor dynamic DNS updates | Jakub Hrozek | 2 files | -0/+6
Provides two new layers instead of the previous IPA specific layer: 1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its purpose is to make it possible for any back end to use dynamic DNS updates. 2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some LDAP-specific features like autodetecting the address from the LDAP connection. Also converts the dyndns code to new specific error codes.
2013-05-03 | CONFDB: prevent double free | Ondrej Kos | 1 file | -1/+0
https://fedorahosted.org/sssd/ticket/1901 CID: 11634
2013-05-02 | add sss_ldap_encode_ndr_uint32 | Pavel Březina | 2 files | -0/+17
Converts uint32 to a string value that is suitable for octet string attributes.
2013-04-26 | DB: Switch to new libini_config API | Ondrej Kos | 2 files | -0/+569
https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure script is modified and the correct ini interface is chosen.
2013-04-24 | Do not keep growing event context | Jakub Hrozek | 1 file | -3/+5
2013-04-22 | Allow usage of enterprise principals | Sumit Bose | 2 files | -0/+28
Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chosen, e.g. not related to any existing DNS domain. This makes it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return an error. This feature is also used to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
2013-04-10 | DNS sites support - SRV lookup plugin interface | Pavel Březina | 2 files | -0/+4
https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choice, the ability to override the selected plugin during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.
2013-04-10 | Allow using flatname for subdomain home dir template | Jakub Hrozek | 2 files | -2/+15
https://fedorahosted.org/sssd/ticket/1609
2013-04-03 | Check for correct variable name | Jakub Hrozek | 2 files | -2/+2
https://fedorahosted.org/sssd/ticket/1864
2013-04-03 | pidfile(): Do not leak fd on error | Jakub Hrozek | 1 file | -0/+1
https://fedorahosted.org/sssd/ticket/1860
2013-04-02 | Making the authtok structure really opaque. | Lukas Slebodnik | 2 files | -43/+57
The definition of struct sss_auth_token was removed from the header file authtok.h and only the declaration of this structure was left there. Therefore the only way to use this structure is to use the accessor functions from the same header file. A new empty authtok can only be created with the newly created function sss_authtok_new(). The TALLOC context was removed from the copy and setter functions, because the pointer to struct sss_auth_token is used as a memory context. All declarations of struct sss_auth_token variables were replaced with pointers to this structure and related changes were made in the source code. The function copy_pam_data can copy from argument src which was dynamically allocated with the function create_pam_data() or a zero-initialized struct pam_data allocated on the stack. https://fedorahosted.org/sssd/ticket/1830
2013-03-27 | filename in comment is corrected | Abhishek Singh | 1 file | -1/+1
2013-03-25 | Include config.h to build io.c on RHEL5 | Jakub Hrozek | 1 file | -0/+2
2013-03-21 | Move signal.m4 from src/util to external | Jakub Hrozek | 1 file | -1/+0
2013-03-20 | correct order in error_to_str table | Pavel Březina | 1 file | -1/+1
Also fixed typo.
2013-03-19 | Convert sdap_access to new error codes | Simo Sorce | 2 files | -0/+2
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19 | Move SELinux processing to provider. | Michal Zidek | 2 files | -5/+5
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19 | Use common error facility instead of sdap_result | Simo Sorce | 4 files | -8/+9
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-18 | Fix sss_client breakage. | Lukas Slebodnik | 4 files | -4/+49
Adding missing dependencies for linker. Missing dependency was introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a in changed file src/sss_client/nss_mc_common.c All function declarations for io.c were moved from util.h to separate file io.h. https://fedorahosted.org/sssd/ticket/1838
2013-03-13 | More generalized function open_debug_file_ex() | Lukas Slebodnik | 2 files | -5/+7
Function open_debug_file_ex() sets the flag FD_CLOEXEC on the opened file according to the value of the third parameter. Removed duplicate code for unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-13 | Reuse sss_open_cloexec at other places in code. | Lukas Slebodnik | 2 files | -0/+93
Functions open_cloexec and openat_cloexec were renamed with prefix "sss_" and moved to a separate file. Replacing duplicated code of function sss_open_cloexec everywhere in the source code. https://fedorahosted.org/sssd/ticket/1794
2013-03-05 | Improve IS_SSSD_ERROR() macro | Simo Sorce | 1 file | -2/+2
We need to mask the first part with 0xFFFF or there is a slight chance an unrelated error code would match even if the upper part is not exactly equal to ERR_BASE but just has all its bits and some more. Also make the macro more readable by adding another helper macro for filtering the base. Finally compare err and ERR_LAST directly w/o masking err, or the comparison will always return true.
2013-03-04 | Cleanup error message handling for krb5 child | Simo Sorce | 2 files | -1/+11
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
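The two commits above (the IS_SSSD_ERROR() fix and the collapse of system, krb5 and SSSD errors into one errno_t) both rest on the SSSD error codes living in their own number range. The following is an added example, not SSSD's util_errors.h: the constants, the enum members and the krb5 table base are assumed values chosen to reproduce the two false positives the macro commit describes, and the pre-fix macro is a reconstruction from that commit message rather than the original source.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustrative, not the project's real constants). */
#define ERR_BASE 0x555D0000u
#define ERR_MASK 0x0000FFFFu

enum sssd_errors {
    ERR_INVALID_DATA = ERR_BASE + 1,
    ERR_INTERNAL,
    ERR_SRV_NOT_FOUND,
    ERR_CHPASS_DENIED,
    ERR_LAST            /* sentinel: one past the highest real error */
};

/* Reconstruction of the pre-fix shape described in the commit message:
 * the base test uses ERR_BASE itself as the mask, and the upper-bound
 * test masks err before comparing it with ERR_LAST. */
static int is_sssd_error_old(int err)
{
    uint32_t u = (uint32_t)err;
    return ((u & ERR_BASE) == ERR_BASE) && ((u & ERR_MASK) <= (uint32_t)ERR_LAST);
}

/* Post-fix shape: isolate the base with ~ERR_MASK through a helper macro,
 * then compare err itself against ERR_LAST. */
#define SSSD_ERR_BASE(err) ((uint32_t)(err) & ~ERR_MASK)

static int is_sssd_error_fixed(int err)
{
    return (SSSD_ERR_BASE(err) == ERR_BASE) && ((uint32_t)err < (uint32_t)ERR_LAST);
}

/* Assumed krb5 com_err table base (libkrb5 exposes it as
 * ERROR_TABLE_BASE_krb5); the 256-code window is illustrative. */
#define KRB5_TABLE_BASE (-1765328384)

/* Because the three spaces do not overlap, one int can carry any of them
 * and the caller can still tell which it got. */
const char *error_space(int err)
{
    if (err == 0)
        return "ok";
    if (is_sssd_error_fixed(err))
        return "sssd";
    if (err > 0 && err < 4096)          /* assumption: errno values are small */
        return "errno";
    if (err >= KRB5_TABLE_BASE && err < KRB5_TABLE_BASE + 256)
        return "krb5";
    return "unknown";
}

int main(void)
{
    /* Constructed probes: a real SSSD error, an errno, a value with all of
     * ERR_BASE's bits plus one more, and an in-base value past ERR_LAST. */
    const int probes[] = { ERR_INTERNAL, EIO, 0x755D0001, (int)(ERR_BASE + 0x9000) };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("0x%08x old=%d fixed=%d space=%s\n", (unsigned)probes[i],
               is_sssd_error_old(probes[i]), is_sssd_error_fixed(probes[i]),
               error_space(probes[i]));
    }
    return 0;
}
```

The first probe past the real errors shows the base-mask bug: 0x755D0001 contains every bit of ERR_BASE, so `& ERR_BASE` cannot tell it apart. The second shows the bound bug: masking with 0xFFFF yields a value that is always below ERR_LAST, so the range check never fails.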
2013-03-04 | Return ERR_INTERNAL instead of EIO | Simo Sorce | 1 file | -1/+1
EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward.