Expanding a principal to an enterprise principal only makes sense if
there is a KDC available which can process it. If we are offline the
plain principal should be used, e.g. to create an expired ccache.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
If the returned TGT contains a different user principal name (upn) than
used in the request, i.e. the upn was canonicalized, we currently save
it to sysdb into the same attribute where the upn coming from an LDAP
server is stored as well. This means the canonical upn might be
overwritten when the user data is re-read from the LDAP server.
To avoid this, this patch adds a new attribute to sysdb where the
canonical upn is stored and makes sure it is used when available.
Fixes https://fedorahosted.org/sssd/ticket/2060
|
|
Prototype of function sss_ncache_check_netgr was different than
definition of function sss_ncache_check_netgr. We did not catch it,
because header file "responder/common/negcache.h" was not included in
implementation file "responder/common/negcache.c"
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
|
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name.
|
|
The check worked for simple setups but fails e.g. in environments with
trusts.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2085
|
|
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
AD provider will override the default with its own.
|
|
Adds a reusable async request to download the master domain info.
|
|
If the SSSD is compiled with journald support, then all sss_log()
statements will include a new field called "SSSD_DOMAIN" that includes
the domain name. Filtering only messages from the single domain is then
as easy as:
# journalctl SSSD_DOMAIN=foo.example.com
|
|
Even if HAVE_SYSTEMD_LOGIN is set to 0 #ifdef will still see it as
defined.
|
|
When comparing a username and its groups to the access list, we will
obey the case sensitivity of the object from the access list.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Recent simple access provider patches started using
be_ctx during access check. This caused segfault in
unit tests, since be_ctx wasn't initialized.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
This function will parse object name into name and domain
name part and return appropriate sss domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
This function takes a domain SID (doesn't have the last component)
or an object SID (has all components) and returns the subdomain.
The subdomain is found by comparing domain->domainid with the SID.
E.g.
domain SID: S-1-5-21-3940105347-3434501867-2690409756
object SID: S-1-5-21-3940105347-3434501867-2690409756-513
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
Remove code duplication.
|
|
Use systemd-login in preference to check if the user is logged in or not.
Fall back to the old method if no systemd-login support is available at compile
time or if it returns a fatal error, and can't determine the status of the user
on its own.
This will allow considering a user really active (in order to reuse or refresh
credentials) only if it really is logged into the system, and not just if one
of the user's processes is stuck around.
Resolves:
https://fedorahosted.org/sssd/ticket/2084
|
|
If the environment variable _SSS_MC_SPECIAL is set to "NO", the
mmap cache is skipped in the client code. The name is not very
descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
|
|
This option got already deprecated on the ipa server side.
Option is undocumented and warning is printed both to the sssd log files
and syslog.
Resolves:
https://fedorahosted.org/sssd/ticket/1918
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/1187
|
|
Parameter "int *dp_err" and parameter "int *pam_status" were unused
in static function krb5_auth_prepare_ccache_name.
|
|
mem_ctx was unused in function get_domain_or_subdomain
|
|
The tmpl variable was only ever used to default to FILE backend in case
absolute path w/o ccache type was selected. Since backends are no
longer there, we can remove the variable, too.
|
|
https://fedorahosted.org/sssd/ticket/1945
|
|
format specifies type 'int' but the argument has type 'const char *'