Age | Commit message | Author | Files | Lines |
|
This is when krb5_timestamp_to_sfstring is not available
and thus the helper variables are not used.
In future heimdal's krb5_format_time could be used
on the heimdal side.
|
|
man 3 getaddrinfo:
ai_socktype This field specifies the preferred socket type, for
example SOCK_STREAM or SOCK_DGRAM.
Specifying 0 in this field indicates that socket addresses of any
type can be returned by getaddrinfo().
Heimdal makes use of this and passes socktype = 0.
This makes the locator plugin usable with heimdal.
|
|
Heimdal and MIT Kerberos have a different number of arguments for that
function. Add a configure compile check and use the appropriate form.
|
|
Cast to int to be usable in printf using %d.
FIXME: Or rather to int64_t since time_t may be long int?
|
|
|
|
|
|
Fixes -Wshadow warning.
find -name '*.c' -exec sed -i \
-e 's/\([^"_]\)krb5_realm\([^"_]\)/\1krb5_realm_str\2/' \
-e 's/\(Missing krb5_realm\)_str/\1/' \
-e 's/\(No explicit krb5_realm\)_str/\1/' \
{} +
|
|
krb5_change_password is deprecated by heimdal.
Use set_password for heimdal, but for mit-krb5 as well.
|
|
krb5_free_unparsed_name is deprecated in heimdal.
Also use the wrapper in places where it is not yet used.
|
|
Using krb5_get_kdc_sec_offset from heimdal.
|
|
Use krb5_unparse_name in heimdal and calculate length using strlen.
|
|
Uses krb5_free_string for MIT and krb5_xfree for heimdal.
|
|
|
|
|
|
This is since krb5_authdata_free and krb5_authdata:contents may not be
available if HAVE_PAC_RESPONDER is disabled.
|
|
|
|
According to asprintf(3) the content of errmsg is undefined
on error, let's set it to NULL.
|
|
https://fedorahosted.org/sssd/ticket/1534
|
|
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt.
|
|
Supporting the latest INI release brought an incompatible change. Lines
beginning with a whitespace were treated as continuation of the previous
line. This patch reverts to ignoring the whitespace as we did previously
so that the existing configurations keep working.
|
|
Fixes https://fedorahosted.org/sssd/ticket/2116
|
|
|
|
Many lines in debug_levels.xml violated our line-length conventions.
This patch provides no functional changes, it simply brings those lines
into compliance.
|
|
Originally, we planned to deprecate the decimal values for the debug
levels, but that has proven to be too difficult for most users to
understand. Instead, we will document both the simple decimal and
complex bitmask values and recommend the use of the decimal values.
|
|
|
|
Setting up public directories is the job of the admin, and
current sssd syntax can't express the actual intention of the admin with
regards to which parts of the path should be public or private.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
|
|
|
|
A bad comparison resulted in the sysdb_sudo_check_time() function
always printing a debug message saying that the time matched.
Resolves:
Coverity Issue #12031
|
|
|
|
https://fedorahosted.org/sssd/ticket/2100
|
|
Currently the AD provider relies on the presence of the POSIX attributes
in the Global Catalog. This patch mentions the fact in the sssd-ad(5)
manual page.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matched in the GC,
there is a possibility to fall back to LDAP.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemingly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
|
|
|
|
|
|
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this work requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
|
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
|
|
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
This function will return head of the domain list.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
systemd-login still fails with su/sudo login shells, so always fall back
for now.
Resolves:
https://fedorahosted.org/sssd/ticket/2094
|
|
Fix a check for an error return code that can be returned when
the ccache is not found.
Even in case of other errors still do not fail authentication
but allow it to proceed using a new ccache file if necessary.
Related:
https://fedorahosted.org/sssd/ticket/2053
|
|
The only effect the failure to store a result to negative cache might
have would be a slower lookup next time.
|
|
https://fedorahosted.org/sssd/ticket/2090
Previously, when searching by UID or GID, the negative cache will only
work in case the UID was searched for using fully qualified names.
|
|
Declarations of public functions were in header files,
but header files were not included in implementation file.
|