Age | Commit message (Collapse) | Author | Files | Lines |
|
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.
This patch adds the GID of the original primary group when available and
needed.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of it's primary
group.
With this patch the mapped GID or the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1630
|
|
|
|
All supported tevent releases contain these macros.
|
|
|
|
Header file proxy.h included itself.
|
|
Previous check was wrong, servername cannot be NULL.
|
|
Struct sss_auth_token became opaque in commit
9acfb09f7969a69f58bd45c856b01700541853ca.
All ocasions of "struct sss_auth_token" was replaced with pointer to this
struct, but proper initialization of auth_tokens was missing
in struct authtok_conv.
Resolves:
https://fedorahosted.org/sssd/ticket/2046
|
|
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.
|
|
|
|
|
|
Change was introduced in commit ca344fde
|
|
|
|
|
|
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|
|
There is a timed desctructor in the nss responder that, when the
entry timeout passes, removes the netgroup from the hash table while
the netgroup is freed. This patch adds a hash delete callback so that if the
netgroup is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
|
In sdap_nested_group_populate_users() username and orignal_dn are
allocated on a temporary memory context. If the corresponding user is
not found in the cache both are added to a hash which is later on
returned to the caller. To avoid a use-after-free when the hash entries
are looked up both must be reassigned to the memory context of the hash.
|
|
|
|
https://fedorahosted.org/sssd/ticket/2026
|
|
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.
Resolves:
https://fedorahosted.org/sssd/ticket/2040
|
|
|
|
https://fedorahosted.org/sssd/ticket/2031
|
|
If cmd_ctx->name was not initialized by sss_parse_name
then copy of name will be used.
https://fedorahosted.org/sssd/ticket/1970
Coverity ID: 11647
|
|
|
|
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
|
|
|
|
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
https://fedorahosted.org/sssd/ticket/2035
|
|
Wait for c-ares to finish before checking for memory leaks.
https://fedorahosted.org/sssd/ticket/1899
|
|
Coverity ID: 11927
|
|
|
|
|
|
Coverity: 11922
|
|
c-ares timeout to wait for response from DNS server
before moving to next DNS server is lowered from 5s
to 2s.
Partially solves https://fedorahosted.org/sssd/ticket/1966
|
|
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
|
|
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
We check if function ipa_get_ad_id_ctx returns NULL,
but function ipa_get_ad_id_ctx could never return NULL.
This issue was found by scan-build.
|
|
In unlikely case that an NSS module returns a reference to a group
and we are unable to resolve it shortly after that, make sure these
groups are skipped.
|
|
|
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
|
|
getgrouplist(3) call is missing from Python older than Python 3.3
Introduce supplementary binding to provide getgrouplist as part of pysss
interface. Since getgrouplist() can be run against any domain, place
it at top module rather than pysss.local namespace.
pysss.getgrouplist(username) -> tuple(group list as strings)
|
|
|
|
|
|
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN
format by accident to the one we only ever user internally. This commit
fixes the mistake.
|