Commits on Source (92)
-
shridhargadekar authored
minor edit Reviewed-by: Anuj Borah <aborah@redhat.com> (cherry picked from commit 2b222dd3)
b1e8c210 -
Jakub Vavra authored
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com> (cherry picked from commit 684d18b4)
9490f256 -
dependabot[bot] authored
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3...v4 ) Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 3922f4d7)
bfcb2727 -
dependabot[bot] authored
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2...v3 ) Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit f5f5d83f)
32390d0b -
dependabot[bot] authored
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4 ) Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 35ef26b6)
aa63f777 -
Sumit Bose authored
While introducing the local_auth_policy option a quite specific use-case was not covered correctly. If there are multiple matching certificates on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard mode was used for login, i.e. there is no user name given and the user has to be derived from the certificate used for login, authentication failed. The main reason for the failure is that in this case the Smartcard interaction and the user mapping has to be done first to determine the user before local_auth_policy is evaluated. As a result when checking if the authentication can be finished the request was in an unexpected state because the indicator for local Smartcard authentication was not enabled. Resolves: https://github.com/SSSD/sssd/issues/7109 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit 44ec3e46)
50077c32 -
Pavel Březina authored
```
/shared/workspace/sssd/src/providers/krb5/krb5_child.c: In function ‘create_empty_cred’:
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: error: ‘calloc’ sizes specified with ‘sizeof’ in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
 1317 |     cred = calloc(sizeof(krb5_creds), 1);
      |                          ^~~~~~~~~~
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: note: earlier argument should specify number of elements, later size of each element
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 7076c5bb)
18150374 -
Andre Boscatto authored
Resolves: https://github.com/SSSD/sssd/issues/7136 Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit b3124173)
33bb96fe -
Jakub Vavra authored
Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 2fa6ec2c)
33cce291 -
Jakub Vavra authored
Fix "PytestUnknownMarkWarning: Unknown pytest.mark.converted - is this a typo?" Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit ef581c97)
ae2f5e91 -
Jakub Vavra authored
Resolve "OSError: File '/var/log/sssd/sssd_kcm.log' could not be read" by catching and handling this exception as well. Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com> (cherry picked from commit 99850321)
28c41415 -
Jakub Vavra authored
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 1358f417)
39ea88c2 -
Justin Stephenson authored
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 1bacf498)
1c3664d3 -
Günther Deschner authored
Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 1bf51929)
343ff2de -
Alexey Tikhonov authored
Avoid
```
* (2024-02-03 17:39:37): [ifp] [ifp_access_check] (0x0080): User 1000 not in ACL
* (2024-02-03 17:39:37): [ifp] [sbus_check_access] (0x0400): org.freedesktop.sssd.infopipe.Users.FindByName: permission denied for sender :1.290 with uid 1000
* (2024-02-03 17:39:37): [ifp] [sbus_issue_request_done] (0x0040): org.freedesktop.sssd.infopipe.Users.FindByName: Error [13]: Permission denied
```
Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 2ef0f838)
e3d0f0d7 -
Sumit Bose authored
AD handles users and computer objects very similarly and so does SSSD's GPO code when looking up the host's group-memberships. But users and computers might be stored in different sub-trees of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: https://github.com/SSSD/sssd/issues/5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 29a77c6e)
a7621a5b -
Sumit Bose authored
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual base DN of the LDAP server. Also pure LDAP servers (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: https://github.com/SSSD/sssd/issues/5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a153f13f)
6a8e60df -
Andre Boscatto authored
Resolves: https://github.com/SSSD/sssd/issues/7173 Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 945cebcf)
dd0f6324 -
Sebastian Andrzej Siewior authored
The 'openssl req' ignores the '-extensions' option without '-x509'. OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2 an error is generated:
| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem -sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
Remove the '-extensions' option. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 32b72c7c)
a453f962 -
shridhargadekar authored
Corrected the log assertions for 'id' command passed to the sssctl analyze <> Reviewed-by: Jakub Vávra <jvavra@redhat.com> (cherry picked from commit 2176b7d8)
631c599b -
Sumit Bose authored
When the pthread key destructor is called the key value is already set to NULL by the caller. As a result the data stored in the value can only be accessed by the first argument passed to the destructor and not by pthread_getspecific() as the previous code did. Resolves: https://github.com/SSSD/sssd/issues/7189 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit b439847b)
8bf31924 -
Tomasz Kłoczko authored
Signed-off-by: Tomasz Kłoczko <kloczek@github.com> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 40279305)
37025a19 -
Jakub Vavra authored
Deduplicate output between phases so it is not repeated. (Previous phase output was repeated in the log.) Fix issue with "/" in test name. Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com> (cherry picked from commit 3caac5f7)
e1bc03b1 -
Patrik Rosecky authored
Reviewed-by: Dan Lavu <dlavu@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit e235afee)
566ebfbb -
Jakub Vavra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit e3af77c7)
dd921afa -
lisa authored
Reviewed-by: Dan Lavu <dlavu@redhat.com> Reviewed-by: Jakub Vávra <jvavra@redhat.com> (cherry picked from commit 9506b7b3)
2422af6c -
Sumit Bose authored
sss_krb5_get_init_creds_password() is called only with AD to be able to get more specific error details and does the basic steps also done by krb5_get_init_creds_password() from libkrb5. In contrast to the libkrb5 function it will return debug output. Unfortunately the log level is quite low, i.e. messages are shown with the default debug level, and the messages are sent to syslog, too. This can get annoying during SSSD's pre-auth step to determine the available authentication types since here, no credentials are provided and errors are somewhat expected but will be ignored by the callers. This patch increases the log level during SSSD's pre-auth and only sends messages with the two lowest log levels to syslog. Resolves: https://github.com/SSSD/sssd/issues/7197 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 409f175f)
31ee5ecc -
Sumit Bose authored
The purpose of map_krb5_error() is to translate error codes. Additionally it will log the errors in case the caller has forgotten to do it. While this in general makes sense the log level was set to the second lowest and the message was sent to the system's log as well. This is a bit too strong and might give a wrong impression about the nature and importance of the log message. This patch increases the log level which avoids sending to the syslog as well. Resolves: https://github.com/SSSD/sssd/issues/7197 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 4f38fd10)
923cb398 -
Pavel Březina authored
Introduced by https://github.com/SSSD/sssd/pull/7172 . Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit e9253e0a)
ee06f2fe -
Denis Zlobin authored
Double semicolon is generated, thus test src/tests/double_semicolon_test fails for async client source code. For example, we can generate code for IFP async client. To do this, add new async interface to src/responder/ifp/ifp_iface/ifp_iface.xml file:
    <interface name="org.freedesktop.sssd.infopipe.Tests.Test">
        <annotation name="codegen.Test" value="ifp_test" />
        <annotation name="codegen.AsyncCaller" value="true" />
        <property name="name" type="s" access="read" />
    </interface>
Then make check tests. Test fails with an error:
```
Double semicolon found:
../src/responder/ifp/ifp_iface/sbus_ifp_client_async.c:132: *_value = talloc_steal(mem_ctx, state->out->arg0);;
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 11a77e8b)
f3d96061 -
Jakub Vavra authored
The package is not pulled automatically as part of deps/packageset on fedora resulting in subprocess.CalledProcessError: Command 'systemctl restart oddjobd.service' returned non-zero exit status 5. Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit 20175f41)
fa7536d1 -
Jakub Vavra authored
The installation of shadow-utils fails on fedora as it tries to enable CRB repos. Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com> (cherry picked from commit 0a397c28)
a61cc9c9 -
Jakub Jelen authored
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b7da2450)
70be3583 -
Justin Stephenson authored
Add support to try the next Preauth type when answering krb5 questions. Fixes an issue when an IPA user has both authtype passkey and authtype password set at the same time. Resolves: https://github.com/SSSD/sssd/issues/7152 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit c9a333c5)
23849f75 -
Justin Stephenson authored
handle password changes for IPA users with multiple auth types set (passkey, password) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit 6c1272ed)
8d9ae754 -
Dan Lavu authored
Reviewed-by: Andre Boscatto <aboscatt@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a80e236b)
55e641fb -
Jakub Vavra authored
The user-nsswitch.conf was removed in F36+. Tests using it therefore need fixing to use /etc/nsswitch.conf on Fedora instead. Fixed indentation of install_nslcd. Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit 0935ce94)
afe7d8d8 -
Jakub Vavra authored
SSSD configuration backup and restore code was duplicated in multiple places moved in one place so we can easier change rights and ownership of the file. Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
c6dda0ef -
Pavel Březina authored
ifdef should be used as anywhere else, otherwise we hit a build error if sssd is being built without passkey. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 603399a4)
bebb1507 -
Pavel Březina authored
This issue was introduced in a80e236b. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 41cafd63)
786a4ebf -
Pavel Březina authored
If sssd startup fails for some reason, teardown would call userdel which would try to delete /tmp. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 3488b9e9)
16e4b5d4 -
Iker Pedrosa authored
The default was changed to true in c76ba343 ("PAM: Passkey kerberos preauth support"), but the man page wasn't updated. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 5841348f)
10c49b1a -
dependabot[bot] authored
Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 1.2 to 1.3. - [Release notes](https://github.com/damianreeves/write-file-action/releases) - [Commits](https://github.com/damianreeves/write-file-action/compare/0a7fcbe1960c53fc08fe789fa4850d24885f4d84...6929a9a6d1807689191dcc8bbe62b54d70a32b42 ) Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 2e1c2f35)
87a46c32 -
Abhijit Roy authored
Fixing the false positive error reported by config-check Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 3788f480)
c1ba9da7 -
Madhuri Upadhye authored
Replace files provider with proxy provider. This test case tests authentication of local user using kerberos and also update the authselect to select sssd only. Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Dan Lavu <dlavu@redhat.com> (cherry picked from commit 0b26b6fd)
57a8fffa -
Alexey Tikhonov authored
Fixes following error:
```
Error: STRING_NULL (CWE-170):
sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function "read" does not terminate string "ev_buf". [Note: The source code implementation of the function has been overridden by a builtin model.]
sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: "ptr" = "ev_buf". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: "in_event" = "ptr". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string "in_event->name" to "process_dir_event", which expects a null-terminated string.
#  325|
#  326|           if (snctx->wctx->dir_wd == in_event->wd) {
#  327|->             ret = process_dir_event(snctx, in_event);
#  328|           } else if (snctx->wctx->file_wd == in_event->wd) {
#  329|               ret = process_file_event(snctx, in_event);
```
-- it might be unsafe to dereference `in_event->name` if `in_event->len == 0` Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 4085ee07)
182b6c62 -
Sumit Bose authored
Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: https://github.com/SSSD/sssd/issues/7152 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit bf6cb6dc)
5b9bc0a1 -
Sumit Bose authored
Resolves: https://github.com/SSSD/sssd/issues/7152 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 7c33f9d5)
c3725a13 -
Sumit Bose authored
Resolves: https://github.com/SSSD/sssd/issues/7152 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit e26cc693)
87b54bd8 -
Sumit Bose authored
The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: https://github.com/SSSD/sssd/issues/7152 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 0d5e8f11)
d06b4a3e -
Alexey Tikhonov authored
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
ea2d0aab -
Dan Lavu authored
The assertion checks for user_3 but the user added is user-3. The value is different than the others because we are trying to try different combinations. Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit 795b13c1)
829e868f -
Sumit Bose authored
Before the recent patches which allow krb5_child to iterate over all available authentication methods typically only one method was returned. E.g. if Smartcard authentication (pkinit) was possible it was typically the first method in the question list and the result of the answer_pkinit() function was immediately returned. As a result only the Smartcard authentication type was set and a missing password authentication type while others were present might have been a reasonable indicator for the online state. With the recent patches, all available methods, including password authentication if available, are returned and a new indicator is needed. Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit 05df8167)
b6eae6f0 -
Sumit Bose authored
Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit 79c384fb)
5a1e1526 -
Jakub Vavra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit 1c2aa825)
9e62e660 -
Jakub Vavra authored
The path src/tests is more generic and would make more sense for other components that share the same idmci automation. Reviewed-by: Dan Lavu <dlavu@redhat.com> (cherry picked from commit 7c6bc58a)
b87fe4fb -
Jakub Vavra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit f30902fa)
c8f78399 -
Andreas Hasenack authored
When building for armhf with _TIME_BITS=64, the %lu format string used to represent time_t values as strings is no longer correct. Switch to SPRItime which takes into account the time_t size. Fixes: #7276 Signed-off-by: Andreas Hasenack <andreas.hasenack@canonical.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 2b5f1cc4)
ed4c9b00 -
shridhargadekar authored
Changed doc-strings and steps for more clarity Reviewed-by: Dan Lavu <dlavu@redhat.com> Reviewed-by: Jakub Vávra <jvavra@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit fa9f6882)
925cb2a9 -
Dan Lavu authored
manual rebase of 03f68e81 Reviewed-by: Scott Poore <spoore@redhat.com>
7c57e0f0 -
Sumit Bose authored
Currently after the evaluation of a single GPO file the intermediate results are stored in the cache and this cache entry is updated until all applicable GPO files are evaluated. Finally the data in the cache is used to make the decision if access is granted or rejected. If there are two or more access-control requests running in parallel one request might overwrite the cache object with intermediate data while another request reads the cached data for the access decision and as a result will do this decision based on intermediate data. To avoid this the intermediate results are not stored in the cache anymore but in hash tables which are specific to the request. Only the final result is written to the cache to have it available for offline authentication. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit d7db7971)
e1bfbc24 -
Alexey Tikhonov authored
Addition to 718fed9c53807b8502d6547bc0253b979d35e677 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit ab2671c0)
8dcf23f2 -
Jakub Vávra authored
Issues in package installation were silently ignored resulting in debugging failures elsewhere. This also resulted in false PASSED in case that sssd was not updated due to some dependency problem. Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit aacb789b)
d55bc6f2 -
Abhijit Roy authored
sdap_idmap: Enabling further debugging to understand the underlying reason for Could not convert objectSID. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit be8913eb)
c0416576 -
Madhuri Upadhye authored
Here, added two test cases: 1. Check log message when we add ssh key as passkey mapping. 2. Check log message when we add ssh key with passkey token. Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com> (cherry picked from commit 55bcb883)
c9977caf -
Sumit Bose authored
If the domain object of the forest root domain cannot be found in the LDAP tree of the local AD domain SSSD tries to read the request data from an LDAP server of the forest root domain directly. After reading this data the information is stored in the cache but currently the information about the domain stored in memory is not updated with the additional data. As a result e.g. the domain SID is missing in this data and only becomes available after a restart where it is read from the cache. With this patch an unconditional refresh is triggered at the end of the fallback code path. Resolves: https://github.com/SSSD/sssd/issues/7250 Reviewed-by: Dan Lavu <dlavu@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 0de6c330)
db27a51f -
Alexey Tikhonov authored
Reviewed-by: Andre Boscatto <aboscatt@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit 65ca6725)
06e10708 -
Timo Aaltonen authored
1602052c -
Justin Stephenson authored
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit c15bd3ae)
6d6bc3c4 -
Alexey Tikhonov authored
Request was created on a long term responder context, but a callback for this request tries to access memory that is allocated on a short term client context. So if client disconnects before request is completed, then callback dereferences already freed memory. Resolves: https://github.com/SSSD/sssd/issues/7319 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit dc637c97)
b0fda92e -
Justin Stephenson authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b32f5960)
f36ecd2c -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit 31bd16f6)
540bf393 -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
80f87d17 -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
cc52f6f3 -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
d17f7ffd -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
87e3edf2 -
Jakub Vávra authored
For non-root the sssd needs to be restarted after joining the AD and fixing sssd.conf permissions, this was not done on master (smb). Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
0911ffcd -
Jakub Vávra authored
Add journalctl info when service_ctrl call fails. Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
0deb3f62 -
Jakub Vávra authored
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
6afc435e -
Dan Lavu authored
Reviewed-by: Jakub Vávra <jvavra@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 7f48c7c4)
7d260f7d -
Sumit Bose authored
If it is not clear if a string is 0-terminated or not but the length is known the '%.*s' template must be used to use only given numbers of characters. '%*s' is a valid printf() template but only sets the minimal width of the output. This patch fixes an occurrence in the sysdb code as well. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit f1c62181)
a2bd4344 -
Andreas Schneider authored
We plan to get rid of smbc_setFunctionAuthData() in future, so already move to the function using the context. Also tell libsmbclient we do not want to fallback if Kerberos fails. Signed-off-by: Andreas Schneider <asn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 39f5b9ac)
bca6c4ef -
Justin Stephenson authored
Avoid retrying SSS_PAM_PREAUTH loop if an unexpected error is encountered during passkey processing. Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 914ce094)
b363fa86 -
Justin Stephenson authored
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit d7d51126)
f0fba6cd -
Madhuri Upadhye authored
Update the passkey test case where we are now testing su passkey auth of user when user is added with ssh-key and passkey mapping for AD, Samba and LDAP server. Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> (cherry picked from commit b73994ff3ddf58b9363282b47ebe5ca2329462c2) Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit f1351027)
83e2e6be -
Pavel Březina authored
This was previously hardcoded to 31 seconds (hardcoded retry_timout + 1). This may be too short period under some circumstances. When we retry primary server we drop connection to the backup server and if the primary server is not yet available (and there are many unavailable primary servers) we may go through a long timeout cycle every half minute. This patch makes the value configurable. :config: Added `failover_primary_timout` configuration option. This can be used to configure how often SSSD tries to reconnect to a primary server after a successful connection to a backup server. This was previously hardcoded to 31 seconds which is kept as the default value. Resolves: https://github.com/SSSD/sssd/issues/7375 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> (cherry picked from commit e9738e36)
14f32f68 -
Pavel Březina authored
This is not available in sssd-2-9 branch and it was accidentally pushed when cherry-picking f1351027. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
a2fbe044 -
Weblate authored
(Swedish) currently translated at 100.0% (717 of 717 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/sv/ po: update translations (Korean) currently translated at 100.0% (717 of 717 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/ Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ po: update translations (Korean) currently translated at 100.0% (717 of 717 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/
26c9dc6f -
Pavel Březina authored
595c4c6d -
Timo Aaltonen authored
b8ca3926 -
Timo Aaltonen authored
77c58af0 -
Timo Aaltonen authored
467ae4d6
Showing
- .github/workflows/analyze-target.yml 1 addition, 1 deletion
- .github/workflows/ci.yml 9 additions, 8 deletions
- .github/workflows/copr_build.yml 2 additions, 2 deletions
- .github/workflows/static-code-analysis.yml 3 additions, 3 deletions
- contrib/ci/deps.sh 0 additions, 1 deletion
- contrib/ci/misc.sh 0 additions, 42 deletions
- debian/changelog 7 additions, 0 deletions
- debian/patches/series 0 additions, 1 deletion
- po/ko.po 12 additions, 12 deletions
- po/sv.po 10 additions, 6 deletions
- src/config/SSSDConfig/sssdoptions.py 2 additions, 0 deletions
- src/config/SSSDConfigTest.py 2 additions, 0 deletions
- src/config/cfg_rules.ini 2 additions, 0 deletions
- src/config/etc/sssd.api.conf 1 addition, 0 deletions
- src/db/sysdb_gpo.c 2 additions, 2 deletions
- src/db/sysdb_init.c 7 additions, 0 deletions
- src/db/sysdb_ops.c 1 addition, 1 deletion
- src/db/sysdb_private.h 4 additions, 1 deletion
- src/db/sysdb_upgrade.c 56 additions, 0 deletions
- src/external/samba.m4 12 additions, 3 deletions