Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently the AD provider relies on the presence of the POSIX attributes
in the Global Catalog. This patch mentiones the fact in the sssd-ad(5)
manual page.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matches in the GC,
there is a possibility to fall back to LDAP.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
|
|
|
|
|
|
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
|
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
|
|
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
This function will return head of the domain list.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
systemd-login still fails with su/sudo login shells, so always fall back
for now.
Resolves:
https://fedorahosted.org/sssd/ticket/2094
|
|
Fix a check for an error return code that can be returned when
the ccache is not found.
Even in case of other errors still do not fail authentication
but allow it to proceed using a new ccache file if necessary.
Related:
https://fedorahosted.org/sssd/ticket/2053
|
|
The only effect the failure to store a result to negative cache might
have would be a slower lookup next time.
|
|
https://fedorahosted.org/sssd/ticket/2090
Previously, when searching by UID or GID, the negative cache will only
work in case the UID was searched for using fully qualified names.
|
|
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
Public selinux functions are defined in file src/tools/selinux.c
(selinux_file_context, reset_selinux_file_context, set_seuser, del_seuser),
but wrong header file was included "util/util.h"
All declarations are in header file "tools/tools_util.h".
This patch include right header file.
|
|
https://fedorahosted.org/sssd/ticket/2091
|
|
https://fedorahosted.org/sssd/ticket/2087
IN_MULTICAST accepts address in the host order, but network order was
supplied.
|
|
struct sss_mc_rec had two hash members (hash1 and hash2) but only one next
member. This was a big problem in case of higher probability of hash collision.
structure sss_mc_rec will have two next members (next1, next2) with this patch.
next1 is related to hash1 and next2 is related to hash1.
Iterating over chains is changed, because we need to choose right next pointer.
Right next pointer will be chosen after comparing record hashes.
This behaviour is wrapped in function sss_mc_next_slot_with_hash.
Adding new record to chain is also changed. The situation is very similar to
iterating. We need to choose right next pointer (next1 or next2).
Right next pointer will be chosen after comparing record hashes.
Adding reference to next slot is wrapped in function
sss_mc_chain_slot_to_record_with_hash
Size of structure sss_mc_rec was increased from 32 bytes to 40 bytes.
Resolves:
https://fedorahosted.org/sssd/ticket/2049
|
|
This reverts commit 4662725ffef62b3b2502481438effa7c8fef9f80.
|
|
Expanding a principle to an enterprise principal only makes sense if
there is a KDC available which can process it. If we are offline the
plain principal should be used, e.g. to create an expired ccache.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
If the returned TGT contains a different user principal name (upn) than
used in the request, i.e. the upn was canonicalized, we currently save
it to sysdb into the same attribute where the upn coming from an LDAP
server is stored as well. This means the canonical upn might be
overwritten when the user data is re-read from the LDAP server.
To avoid this this patch add a new attribute to sysdb where the
canonical upn is stored and makes sure it is used when available.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
|
|
Protype of function sss_ncache_check_netgr was different than
definition of function sss_ncache_check_netgr. We did not catch it,
because header file "responder/common/negcache.h" was not included in
implementation file "responder/common/negcache.c"
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
|
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name.
|
|
The check worked for simple setups but fails e.g. in environment with
trusts.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2085
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
AD provider will override the default with its own.
|
|
Adds a reusable async request to download the master domain info.
|
|
If the SSSD is compiled with journald support, then all sss_log()
statements will include a new field called "SSSD_DOMAIN" that includes
the domain name. Filtering only messages from the single domain is then
as easy as:
# journalctl SSSD_DOMAIN=foo.example.com
|
|
|
|
|
|
Even if HAVE_SYSTEMD_LOGIN is set to 0 #ifdef will still see it as
defined.
|
|
|
|
When comparing username and his groups to access list, we will
obey case sensitivity of object from access list.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Recent simple access provider patches started using
be_ctx during access check. This caused segfault in
unit tests, since be_ctx wasn't initialized.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
This function will parse object name into name and domain
name part and return appropriate sss domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
This function takes domain SID (doesn't have the last component)
or object SID (have all components) and returns subdomain.
The subdomain is found by comparing domain->domainid with the SID.
E.g.
domain SID: S-1-5-21-3940105347-3434501867-2690409756
object SID: S-1-5-21-3940105347-3434501867-2690409756-513
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
|