Age | Commit message (Collapse) | Author | Files | Lines |
|
Resolves:
https://fedorahosted.org/sssd/ticket/2052
|
|
|
|
With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.
|
|
When processing a list of groups we try to process as much as possible
only not stop on the first error.
|
|
To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.
|
|
Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.
|
|
If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.
|
|
Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.
Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.
The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.
Fixes https://fedorahosted.org/sssd/ticket/1996
|
|
Adds pac_cli be_client structure pointer, to indetify and log the PAC
responder termination correctly.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2044
|
|
In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be
used uninitialized' compiler warnings.
|
|
|
|
warning reported by cppcheck
|
|
warnings reported by cppcheck.
|
|
warning reported by coverity
include_recursion: #include file "src/providers/dp_backend.h" includes itself:
dp_backend.h -> dp_refresh.h -> dp_backend.h (other events go to each file)
primary_file: During compilation of file
'src/krb5_plugin/sssd_krb5_locator_plugin.c
include_recursion: #include file "src/providers/dp_backend.h" includes itself:
dp_backend.h -> dp_refresh.h -> dp_ptask.h -> dp_backend.h
(other events go to each file)
primary_file: During compilation of file
'src/krb5_plugin/sssd_krb5_locator_plugin.c'
|
|
When the user is only member of its own primary group, initgroups_dyn may
return NOTFOUND as, at least for the 'files' nss provider the code skips the
passed in group.
Resolves:
https://fedorahosted.org/sssd/ticket/2051
|
|
Use sss_atomic_write_s() instead of write() in
sss_mc_save_corrupted(). Also unlink() the file if no data
were written.
It is better to use sss_atomic_write_s instead of write
|
|
The FILE cache only sets the return values of _active and _bool if the
entire function succeeds. The DIR cache was setting it even on failure.
This patch makes both consistent. This will benefit static analysis
tools which would be able to detect if the variable is ever used
uninitialized anywhere.
|
|
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
|
|
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
This patch adds function to store corrupted mmap cache file to
disk for further analysis.
|
|
https://fedorahosted.org/sssd/ticket/2043
|
|
We introduced new way to check integrity of memcache in the
client code. We should use similiar checks in the responder.
|
|
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
|
|
We had pattern in client code with 3 conditions
that can be replaced with one.
|
|
data->name value must be checked to prevent segfaults in
case of corrupted memory cache.
resolves:
https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
|
|
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.
This patch adds the GID of the original primary group when available and
needed.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of it's primary
group.
With this patch the mapped GID or the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1630
|
|
|
|
All supported tevent releases contain these macros.
|
|
|
|
Header file proxy.h included itself.
|
|
Previous check was wrong, servername cannot be NULL.
|
|
Struct sss_auth_token became opaque in commit
9acfb09f7969a69f58bd45c856b01700541853ca.
All ocasions of "struct sss_auth_token" was replaced with pointer to this
struct, but proper initialization of auth_tokens was missing
in struct authtok_conv.
Resolves:
https://fedorahosted.org/sssd/ticket/2046
|
|
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.
|
|
|
|
|
|
Change was introduced in commit ca344fde
|
|
|
|
|
|
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|