Age         Commit message  (Author; Files; Lines)
2012-11-12  backend: add PAC to the list of known clients  (Pavel Březina; 1 file; -0/+2)
2012-11-12  subdomains: check request type on one place only  (Pavel Březina; 1 file; -6/+0)
    The check is now held only in ipa_get_subdomain_account_info_send().
2012-11-12  Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails  (Jakub Hrozek; 3 files; -18/+56)
2012-11-10  Store the original group DN in the subdomain user object  (Sumit Bose; 1 file; -26/+58)
    For users of the local domain the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
2012-11-10  Get lists of GIDs to be added and deleted and use them  (Sumit Bose; 1 file; -3/+89)
    Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
2012-11-10  Add pac_user_get_grp_info() to read current group memberships  (Sumit Bose; 2 files; -0/+107)
    To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes.
2012-11-10  Add diff_gid_lists() with test  (Sumit Bose; 3 files; -2/+279)
    This patch adds a new call which compares a list of current GIDs with a list of new GIDs and returns a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
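The add/delete split this commit describes, as an added illustrative re-implementation (not SSSD's own diff_gid_lists()): sort both lists and merge-walk them so that a GID seen only in the PAC is queued for addition and a GID seen only in the cache is queued for deletion. The function names and the sample GID lists are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
static int cmp_gid(const void *a, const void *b) {   /* numeric order for qsort() */
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Compare the GIDs a user currently has in the cache (cur) with the GIDs in a
 * fresh PAC (pac): GIDs only in pac go to *add, GIDs only in cur go to *del.
 * Inputs are assumed duplicate-free; outputs are malloc()ed, caller frees. */
int diff_gid_lists(const gid_t *cur, size_t ncur, const gid_t *pac, size_t npac,
                   gid_t **add, size_t *nadd, gid_t **del, size_t *ndel) {
    gid_t *c = malloc((ncur + 1) * sizeof(gid_t));   /* +1: never malloc(0) */
    gid_t *p = malloc((npac + 1) * sizeof(gid_t));
    size_t i = 0, j = 0;
    *nadd = *ndel = 0;
    *add = malloc((npac + 1) * sizeof(gid_t));
    *del = malloc((ncur + 1) * sizeof(gid_t));
    if (!c || !p || !*add || !*del) {
        free(c); free(p); free(*add); free(*del); *add = *del = NULL;
        return ENOMEM;
    }
    memcpy(c, cur, ncur * sizeof(gid_t));
    memcpy(p, pac, npac * sizeof(gid_t));
    qsort(c, ncur, sizeof(gid_t), cmp_gid);
    qsort(p, npac, sizeof(gid_t), cmp_gid);
    /* Merge-walk both sorted lists; a GID present in both needs no change. */
    while (i < ncur || j < npac) {
        if (j == npac || (i < ncur && c[i] < p[j]))
            (*del)[(*ndel)++] = c[i++];        /* in cache, gone from PAC */
        else if (i == ncur || p[j] < c[i])
            (*add)[(*nadd)++] = p[j++];        /* in PAC, not yet in cache */
        else
            i++, j++;
    }
    free(c); free(p);
    return 0;
}

/* Constructed sample: cache has {100,200,300,400}, PAC lists {300,100,500}.
 * Returns 1 when the result is add={500} and del={200,400}. */
int run_example(void) {
    const gid_t cur[] = {100, 200, 300, 400}, pac[] = {300, 100, 500};
    gid_t *add, *del; size_t nadd, ndel;
    int ok = diff_gid_lists(cur, 4, pac, 3, &add, &nadd, &del, &ndel) == 0 &&
             nadd == 1 && add[0] == 500 && ndel == 2 && del[0] == 200 && del[1] == 400;
    free(add); free(del);
    return ok;
}
```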
2012-11-10  Do not remove a group if it has members from subdomains  (Sumit Bose; 1 file; -4/+15)
    Currently it is only checked if an expired group still has members of the local domain. If not, the group is deleted from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
2012-11-10  Add helpers to set common mc record fields  (Simo Sorce; 1 file; -16/+26)
    Less copy/paste and chance of errors when setting basic record fields that are shared among all object types.
2012-11-08  MAN: Fix validation error caused by bad 'ca' translation  (Stephen Gallagher; 1 file; -2/+2)
2012-11-08  Clarify debug message about initgroups and subdomains  (Sumit Bose; 1 file; -0/+7)
    The initgroups request is not handled by the IPA provider for subdomain users on purpose because the group membership information is not available on the IPA server but will be directly written to the cache when the PAC of the user is processed. The old generic debug message "Invalid sub-domain request type" might be misleading. This patch adds a specific message for the initgroups case "Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache." and increases the debug level so that typically this message is not shown anymore because it is expected behaviour.
    Fixes https://fedorahosted.org/sssd/ticket/1610
2012-11-08  MAN: sssd-simple - suggest awareness of empty rules  (Ondrej Kos; 1 file; -0/+5)
    Admins should be aware of the behavior of simple access provider when empty lists are configured (may be result of scripted filing)
2012-11-08  sss_dp_get_domains_send(): handle subreq error correctly  (Pavel Březina; 1 file; -1/+2)
    If force is true, ret may stay uninitialized and if ret == 0 after the subrequest is sent, we will go to immediate label. Data provider request is sent, but the answer is never processed. This prohibited subdomains from working correctly.
2012-11-08  util_lock.c: sss_br_lock_file accepted invalid parameter value  (Michal Zidek; 2 files; -3/+7)
    Return EINVAL if number of tries is <= 0. Also the parameter retries was renamed to num_tries, so it is more obvious that it also includes the first try.
2012-11-08  SSSDConfig: Locate the force_timeout option in the correct sections  (Stephen Gallagher; 2 files; -1/+4)
2012-11-08  MAN: Specify the correct location for the force_timeout option  (Stephen Gallagher; 1 file; -16/+32)
2012-11-08  Monitor: Better debugging for ping timeouts  (Stephen Gallagher; 1 file; -0/+8)
2012-11-08  do not default fullname to gecos when schema = ad  (Pavel Březina; 1 file; -0/+14)
    https://fedorahosted.org/sssd/ticket/1482
    When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
2012-11-06  sss_cache: Remove fastcache even if sssd is not running.  (Michal Zidek; 4 files; -23/+175)
    https://fedorahosted.org/sssd/ticket/1584
2012-11-06  util: Added new file util_lock.c  (Michal Zidek; 2 files; -0/+87)
2012-11-06  sss_cache: Multiple domains not handled properly  (Michal Zidek; 1 file; -35/+37)
    When working with multiple domains and no matching objects for deletion were found in the first domain, the other domains were not searched at all. Also the ERROR message informing about object not found (the one printed for each domain) was changed to DEBUG message.
2012-11-06  create pid file immediately after fork again  (Pavel Březina; 1 file; -25/+4)
    Related to https://fedorahosted.org/sssd/ticket/1357
    We realized that sysv and systemd do not use pid file existence as a notification of finished initialization. Therefore, we create the pid file in server_setup() again. We are removing check_file() from monitor main(), it is handled by server_setup() during pid file creation. This check was previously included in e7dd2a5102ba6cfd28be6eccdd62768e9758d9f4.
2012-11-06  exit original process after sssd is initialized  (Pavel Březina; 3 files; -2/+56)
    https://fedorahosted.org/sssd/ticket/1357
    Neither systemd nor our init script uses the pid file as a notification that sssd has finished initializing. They will continue starting up the next service right after the original (not daemonized) sssd process is terminated. If any of the responders fail to start, we will never terminate the original process via signal and "service sssd start" will hang. Thus we take this as an error and terminate the daemon with a non-zero value. This will also terminate the original process and init script or systemd will print failure.
2012-11-06  make monitor_quit() usable outside signal handler  (Pavel Březina; 1 file; -14/+26)
2012-11-06  fix indentation, coding style and debug levels in server.c  (Pavel Březina; 1 file; -110/+114)
2012-11-06  add SSSDBG_IMPORTANT_INFO macro  (Pavel Březina; 1 file; -0/+1)
    We currently have only SSSDBG_FATAL_FAILURE macro that corresponds to original debug level 0. But there are several level 0 messages that are not actually failures but important information. We should use this new macro to represent them.
2012-11-02  PAM: Do not leak fd after SELinux context file is written  (Jakub Hrozek; 1 file; -0/+1)
    https://fedorahosted.org/sssd/ticket/1619
    We don't close the fd when we write the selinux login file in the pam responder. This results in a fd leak.
2012-11-01  Monitor: read the correct SIGKILL timeout for providers, too  (Jakub Hrozek; 1 file; -33/+41)
    https://fedorahosted.org/sssd/ticket/1602
2012-11-01  LDAP: Better debug logging when saving groups  (Stephen Gallagher; 1 file; -11/+75)
2012-11-01  LDAP: Fix off-by-one error when saving ghost users  (Jakub Hrozek; 1 file; -1/+1)
    The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes.
    https://fedorahosted.org/sssd/ticket/1614
2012-10-30  authconfig: allow chpass_provider = proxy  (Pavel Březina; 2 files; -1/+4)
    https://fedorahosted.org/sssd/ticket/1611
2012-10-30  sudo: do not hardcode protocol version  (Pavel Březina; 1 file; -1/+2)
2012-10-29  Include talloc log in our debug facility  (Michal Zidek; 39 files; -43/+52)
    https://fedorahosted.org/sssd/ticket/1495
2012-10-29  Free the internal DP request  (Jakub Hrozek; 1 file; -0/+8)
2012-10-26  Make sub-domains case-insensitive  (Sumit Bose; 2 files; -3/+24)
    Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows users we make sub-domains case-insensitive as well, which allows writing the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.
2012-10-26  sss_parse_name_for_domains: always return the canonical domain name  (Sumit Bose; 1 file; -2/+7)
    Domains may have a flat or short name to save some keystrokes when typing fully qualified user names. Internally sssd will always use the canonical name to allow consistent processing.
2012-10-26  krb5_auth: update with correct UPN if needed  (Sumit Bose; 3 files; -0/+133)
    The Active Directory KDC handles requests case-insensitively and it might not always be possible to guess the UPN with the correct case. We check if the returned principal has a different case than the one used in the request and update the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case-sensitively by those libraries.
2012-10-26  Use find_or_guess_upn() where needed  (Sumit Bose; 6 files; -36/+52)
2012-10-26  Add new call find_or_guess_upn()  (Sumit Bose; 4 files; -8/+54)
    With the current approach the upn was either a pointer to a const string in a ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.
2012-10-26  krb5_child: send back the client principal  (Sumit Bose; 4 files; -5/+42)
    In general Kerberos is case sensitive but the KDC of Active Directory typically handles requests case-insensitively. In the case where we guess a user principal by combining the user name and the realm and are not sure about the case of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right case. To be able to update the cached user principal name the krb5_child will return the principal for further processing.
2012-10-26  krb5_mod_ccname: replace wrong memory context  (Sumit Bose; 1 file; -1/+1)
2012-10-26  krb5_child: send PAC to PAC responder  (Sumit Bose; 1 file; -1/+139)
    If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is sent to the pac responder for evaluation.
2012-10-26  krb5_auth: send different_realm flag to krb5_child  (Sumit Bose; 2 files; -1/+8)
    The different_realm flag which was set by the responder is sent to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
2012-10-26  krb5_auth: check if principal belongs to a different realm  (Sumit Bose; 5 files; -0/+88)
    Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
2012-10-26  Add replacement for krb5_find_authdata()  (Sumit Bose; 3 files; -0/+20)
    krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platforms with a lower version of MIT Kerberos a replacement call is added. Please note that on those platforms the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platforms it must be implemented by a different patch.
2012-10-26  check_ccache_files: search sub-domains as well  (Sumit Bose; 1 file; -4/+14)
    If sssd is configured to renew Kerberos tickets automatically, tickets of sub-domain users should be renewed as well.
2012-10-26  sysdb: add sysdb_base_dn()  (Sumit Bose; 2 files; -0/+5)
    Add a helper function which returns the ldb_dn object for the base dn of the cache.
2012-10-26  krb5_auth_send: check for sub-domains  (Sumit Bose; 4 files; -11/+37)
    If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
2012-10-26  pac responder: add user principal and name alias to cached user object  (Sumit Bose; 3 files; -4/+46)
    The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that it can e.g. be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.
2012-10-26  pac responder: use only lower case user name  (Sumit Bose; 2 files; -5/+15)
    Since winbind can only return lower-cased user names the pac responder must do the same to avoid inconsistent behaviour.