Commits on Source (94)
-
Jakub Hrozek authored
-
Sumit Bose authored
Read multiple addresses from the kdcinfo files add call the provided callback with each of them. Related to https://pagure.io/SSSD/sssd/issue/941 Reviewed-by:
Jakub Hrozek <jhrozek@redhat.com>
-
Sumit Bose authored
IPv6 addresses are added with surrounding '[' and ']' to the kdcinfo file to be able to specify a port number properly. The Kerberos location plugin didn't handle those entries properly. Related to https://pagure.io/SSSD/sssd/issue/941 Reviewed-by:
-
Sumit Bose authored
Although currently libkrb5 sets all parameters of the locator plugin calls to suitable values we should make sure that provided pointers are not NULL before trying to dereference them. Related to https://pagure.io/SSSD/sssd/issue/941 Reviewed-by:
-
Sumit Bose authored
Unit test for existing and new functionality of the Kerberos locator plugin. Related to https://pagure.io/SSSD/sssd/issue/941 Reviewed-by:
-
Sumit Bose authored
With this patch kdcinfo files are created for sub-domains by the AD provider and by the IPA provider on the IPA servers (ipa_server_mode=True). Related to https://pagure.io/SSSD/sssd/issue/3652 Reviewed-by:
-
Sumit Bose authored
Currently a persistent offline callback removes the krb5info files for the configured main domain and those files were removed by a SIGTERM signal handlers as well. This does not scale if krb5info files are created for sub-domains as well. To remove the files automatically the removal is moved into a talloc destructor of an offline callback which is added if the file is created and frees itself when the system goes offline. Due to the talloc memory hierarchy we get removal on shutdown for free. Related to https://pagure.io/SSSD/sssd/issue/3652 Reviewed-by:
-
Sumit Bose authored
Reviewed-by: -
Sumit Bose authored
Reviewed-by: -
Amit Kumar authored
The structure of if-else statements in sss_dp_get_account_msg become too complex. Replacing if-else with switch initially, Will investigate more on refactoring further. Resolves: https://pagure.io/SSSD/sssd/issue/1903 Reviewed-by:
Fabiano Fidêncio <fidencio@redhat.com>
-
Fabiano Fidêncio authored
This change is needed in order to have make intgcheck-run properly running on opensuse systems. Signed-off-by:
Chris Kowalczyk <ckowalczyk@suse.com> Reviewed-by:
Michal Židek <mzidek@redhat.com>
-
Jakub Hrozek authored
This will allow to store the users with a sshPublicKey attribute provided that they have the right objectclass as well. Related to: https://pagure.io/SSSD/sssd/issue/3747 Reviewed-by:
-
Jakub Hrozek authored
Adds the objectclass and allows storing a list of sshPublicKey attributes for users. Since there is no harm in adding the extra objectclass, we can do it unconditionally. Related to: https://pagure.io/SSSD/sssd/issue/3747 Reviewed-by:
-
Jakub Hrozek authored
Adds a basic test that makes sure that a list of SSH public keys can be retrieved. This is to make sure we don't break the SSH integration later on. Related: https://pagure.io/SSSD/sssd/issue/3747 Reviewed-by:
-
Jakub Hrozek authored
Resolves: https://pagure.io/SSSD/sssd/issue/3747 Before writing the keys to sshd, ignore SIGPIPE so that if the pipe towards the authorizedkeys helper is closed, the sss_ssh_authorizedkeys helper is not terminated with SIGPIPE, but instead proceeds and then the write(2) calls would non-terminally fail with EPIPE. Reviewed-by:
-
Jakub Hrozek authored
Adds a test tool that simulates the behaviour of OpenSSH in the sense that it starts to read the output from the sss_ssh_authorizedkeys tool, but then closes the pipe before reading the whole output. Related: https://pagure.io/SSSD/sssd/issue/3747 Reviewed-by:
-
Jakub Hrozek authored
A regression test for: https://pagure.io/SSSD/sssd/issue/3747 Reviewed-by:
-
Jakub Hrozek authored
This reverts commit 9a310913. Storing the e-mail address as a nameAlias was a performance optimization to avoid having to fall back to the UPN lookup, but had the disadvantage of returning multiple results for cases where an e-mail address is the same as a user's fully qualified name. Since the e-mail lookups would still work without this optimization, just after one more lookup, let's revert the patch. Resolves: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by:
-
Jakub Hrozek authored
This commit pretty much reverts commit 04d4c4d4, it's just coded manually, because "git revert 04d4c4d4" resulted in conflicts. It's easier to just remove the single function. Related: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by:
-
Jakub Hrozek authored
This would allow adding tests for by-e-mail lookups later Related: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by:
-
Jakub Hrozek authored
Related: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by:
-
Jakub Hrozek authored
AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence The logic behind deciding whether to check if a server contains any POSIX attributes used the ignore_mark_offline flag. This was OK for some time, because this flag was only set for to true for Global Catalog connections, which are those that we need to check. However, in recent releases, the flag was also set for any connection towards a trusted domain. This had the unintended effect that any lookup, LDAP or GC against a trusted domain ran the wide POSIX presence check. Resolves: https://pagure.io/SSSD/sssd/issue/3754 Reviewed-by:
-
Jakub Hrozek authored
These notes are only valid for very old pcre releases which hopefully nobody is using anymore. Reviewed-by:
Sumit Bose <sbose@redhat.com>
-
Jakub Hrozek authored
In the 2.0 release we will be able to change the default regular expression that will allow to consume @-signs in the name, but since the 1.x branches need to stay backwards compatible, let's only document the regex for now. Related: https://pagure.io/SSSD/sssd/issue/3219 Reviewed-by:
-
Sumit Bose authored
Since the refactoring of the ssh responder to call p11_child to validate certificates there is a dependency between libss_cert and libsss_child. In some environments, e.g. gentoo or the OpenSUSE build service, this dependency must be declared explicitly even if it is resolved otherwise while linking the binaries. Reviewed-by: -
Jakub Hrozek authored
This patch switches the sudo responder from being created as a public responder where the permissions are open and not checked by the sssd deaamon to a private socket. In this case, sssd creates the pipes with strict permissions (see the umask in the call to create_pipe_fd() in set_unix_socket()) and additionaly checks the permissions with every read via the tevent integrations (see accept_fd_handler()). Resolves: https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852) Reviewed-by:
Pavel Březina <pbrezina@redhat.com>
-
amitkumar50 authored
This PR provides information about priority of lookup similar to as provided by function select_principal_from_keytab(). Resolves: https://pagure.io/SSSD/sssd/issue/3475 Reviewed-by:
-
Jakub Hrozek authored
This function will be used later in the patchset. Instead of exposing the format constant, expose the function that builds the DNS query for site discovery. Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Jakub Hrozek authored
Adds a request that resolves a list of (host,port) tuples and returns a list of structures that contain the resolv_hostent structure as other resolver requests do, but also a pointer to the original request tuple. This is done because the request skips any unresolvable inputs, so it might be handy to know which input an output maps to. It is expected that the request will be used in the future also for cases where we want to e.g. try the connectivity to a serve using a mechanism such as an LDAP ping. Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Jakub Hrozek authored
Each Kerberized provider used hand-crafted copy-paste code to set up its copy of the krb5_service structure. Instead of adding yet another copy in this patchset in the IPA subdomains code, create a utility function instead. Due to IPA provider first creating the krb5_service in the common setup function, but only later reading the auth options in the auth provider constructor, the code first uses the default true value for the use_kdcinfo flag and then overrides it with the configured value in the auth constructor -- it would be preferable to create the structure with the right value at creation time, but this would require bigger refactoring. Also, the code before this change was even less correct as the flag was initially set the "false" due to the structure being allocated with talloc_zero(). At least now it uses the default value. Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Jakub Hrozek authored
Turns the previous write_krb5info_file() function into a static function that writes whatever input it recevies. Adds a wrapper around it that accepts a list of strings, turns that into a newline-separated string which is then passed to the original function. Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Jakub Hrozek authored
With this patchset, IPA clients will read and evaluate the ad_server and ad_site options. This patch just adds the required structures for later usage. Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Jakub Hrozek authored
Resolves: https://pagure.io/SSSD/sssd/issue/3291 Adds a new request into the IPA subdomains provider. This request runs on IPA clients only. The request looks into the configuration for either the ad_site or ad_server options for each subdomain. If none are found, the subdomain is skipped. If either is found, the request resolves the server names, or first the site and then the server names from the site and writes their addresses to the kdcinfo files for each subdomain. This allows programs such as kinit but also SSSD's krb5_child to use the configured servers. Reviewed-by:
-
Jakub Hrozek authored
Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by:
-
Sumit Bose authored
With recent versions of Active Directory the SIDs of Domain Local groups might be only available in the resource_groups section of the PAC, this feature is also called SID compression. To get a complete list of groups the user is a member of the SIDs from this section must be extracted as well. Resolves https://pagure.io/SSSD/sssd/issue/3767 Reviewed-by:
-
Sumit Bose authored
Reviewed-by: -
Sumit Bose authored
If pam_cert_auth is enabled the PAM responder will automatically create the pre-authentication indicator file to tell pam_sss to do the pre-auth step to find out about the available authentication methods. Related to https://pagure.io/SSSD/sssd/issue/3500 Reviewed-by:
-
Jakub Hrozek authored
Whether an attribute is replicated to the Global Catalog or not can be detected by checking the value of the isMemberOfPartialAttributeSet attribute: https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-ismemberofpartialattributeset This attribute is present in all objects with the objectClass attributeSchema in AD: https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes And finally, the attributeSchema objects in AD are present in a schema naming context. The schema naming context is replicated to all DCs in the forest even though their own naming context might be different: https://docs.microsoft.com/en-us/windows/desktop/ad/naming-contexts-and-partitions Where the schema naming context is located is given by the schemaNamingContext attribute of the rootDSE. This patch is trivial on its own and just reads schemaNamingContext from the rootDSE and stores it in the sdap_options structure for later use. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by:
-
Jakub Hrozek authored
Addsa a new tevent request which checks for the presence of uidNumber and gidNumber under the schema naming context, which is typically cn=schema,cn=configuration,$BASEDN. For both objects representing each of the attributes, the isMemberOfPartialAttributeSet attribute is requested. If this attribute is set to TRUE, then the attribute corresponding to this schema object had been replicated to the Global Catalog. Because the isMemberOfPartialAttributeSet is not replicated to the GC itself, we use the LDAP connection for the search. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by:
-
Jakub Hrozek authored
Previously, the POSIX attribute presence check was run as part of the ID request, so it was necessary to also run the check as part of the get-domain-for-ID request. Since moving the POSIX check to being a part of the subdomain provider, this is no longer needed as the subdomain provider disables the GC support on its own if required. Therefore we can just remove the POSIX check from the get-domain-for-ID request. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by:
-
Jakub Hrozek authored
This code is superseded by the POSIX check in the subdomains provider. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by:
-
Jakub Hrozek authored
This code is no longer needed now. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by:
-
Jakub Hrozek authored
The sudo testcli tool can be handy in tests, but currently its output is hard to process from a program. This patch makes the tool print an JSON output instead, which will make it more usable. Related: https://pagure.io/SSSD/sssd/issue/3596 Reviewed-by:
-
Jakub Hrozek authored
This will allow us to store sudo entries in our OpenLDAP test instances. Related: https://pagure.io/SSSD/sssd/issue/3596 Reviewed-by:
-
Jakub Hrozek authored
Actually adds an API that allows the programmer to store sudoRole objects in LDAP. Related: https://pagure.io/SSSD/sssd/issue/3596 Reviewed-by:
-
Jakub Hrozek authored
Adds the most basic SUDO LDAP tests that makes sure a user specified in a sudo rule can execute sudo and a user not specifed cannot. Related: https://pagure.io/SSSD/sssd/issue/3596 Reviewed-by:
-
Jakub Hrozek authored
The sudoUser attribute which is part of the sudo rule can contain any name that sudo can parse on the LDAP side. Internally, however, the attribute is always qualified with the name of the SSSD domain. This patch makes sure that if two or more sudoUser attributes contain the same name in both qualified and an unqualified form, the rule is actually saved. Previously, the rule would have failed to be saved and the sysdb sudo code would have errored out with EEXIST. Resolves: https://pagure.io/SSSD/sssd/issue/3596 Reviewed-by:
-
Fabiano Fidêncio authored
override_homedir should not be applied to files provider as the provider should always return *only* what's in the files and nothing else. Resolves: https://pagure.io/SSSD/sssd/issue/3758 Signed-off-by:
-
Fabiano Fidêncio authored
Resolves: http://pagure.io/SSSD/sssd/issue/3758 Signed-off-by:
-
Fabiano Fidêncio authored
override_shell should not be applied to files provider as the provider should always return *only* what's in the files and nothing else. Resolves: https://pagure.io/SSSD/sssd/issue/3758 Signed-off-by:
-
Fabiano Fidêncio authored
Resolves: https://pagure.io/SSSD/sssd/issue/3758 Signed-off-by:
-
Fabiano Fidêncio authored
In a bunch of differente places we end up checking whether the domain's provider is the "files" provider or not. Let's just add some helper function to standardize the checks. Signed-off-by:
-
Fabiano Fidêncio authored
Signed-off-by:
-
Fabiano Fidêncio authored
Currently we can't guarantee any order on which domain will the first to be searched. More than that, in case domain_resolution_order is set, we actually enforce that the first domain searched will respect the option set. This behaviour is not exactly the expect, as the implicit files domain has to be searched first in order to avoid querying for local users in remote domains. In order to enforce this, let's just keep the files domain as the first to be searched, always! Resolves: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by:
-
Fabiano Fidêncio authored
Related: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by:
-
Fabiano Fidêncio authored
Related: https://pagure.io/SSSD/sssd/issue/3743 Signed-off-by:
-
Jakub Hrozek authored
It looks like the case where the key_len was exactly 64 was Confusing Coverity. The trace looks like this: 2. Condition key_len > 64, taking false branch. 3. cond_at_most: Checking key_len > 64UL implies that key_len may be up to 64 on the false branch. 49 if (key_len > HMAC_SHA1_BLOCKSIZE) { 50 /* keys longer than blocksize are shortened */ 51 if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { 52 ret = EIO; 53 goto done; 54 } 55 56 EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); 57 EVP_DigestFinal_ex(ctx, ikey, &res_len); 58 memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH); 59 } else { 60 /* keys shorter than blocksize are zero-padded */ 61 memcpy(ikey, key, key_len); CID 18054 (#1 of 1): Out-of-bounds read (OVERRUN)4. overrun-local: Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer ikey + key_len. [Note: The source code implementation of the function has been overridden by a builtin model.] 62 memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len); 63 } I think this is a false positive because then HMAC_SHA1_BLOCKSIZE-key_len will be 0, so ikey+key_len will not be dereferenced at all, but let's be helpful to Coverity and make sure the branch is not evaluated at all if key_len == HMAC_SHA1_BLOCKSIZE. Reviewed-by: -
Jakub Hrozek authored
This makes the code more robust in case the if-block is moved to some other place without the 'if (key_len > HMAC_SHA1_BLOCKSIZE)' check before. Reviewed-by: -
Jakub Hrozek authored
If SSSD is searching for a user using a name-based filtrer in an environment that uses nested OUs or sub domains, it is expected the search can return two or more entries. The correct entry is then matched using the domain name. But the error message was confusing admins, because it simply said "Expected one entry, found %d". This patch softens this error message and rewords the message in case the matching fails. Reviewed-by: -
Fabiano Fidêncio authored
Due to different reasons (a bug on fleet-commander, for instance?) we may face the situation where one profile ends up stored in freeipa on a half-broken state (with no data, for instance). In case it happens, we should try our best to save the not broken profiles and just skip the broken ones instead of bailing the whole operation. Resolves: https://pagure.io/SSSD/sssd/issue/3773 Signed-off-by:
-
Alexander Bokovoy authored
When FreeIPA is set up to trust an Active Directory forest, we should be using trusted domain object credentials regardless of the trust direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm referral towards a trusted domain. However, this does not work currently with Samba AD and in general we want to move away to use TDO in all cases as it is guaranteed to have correct permissions on AD side. Signed-of-by:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by:
-
Alexander Bokovoy authored
In case of a trust between FreeIPA and an Active Directory, domain controller would use a TDO object in the trusting domain to authenticate. Due to how trusted domain objects are used in Active Directory, a domain controller from the trusted domain either synthesize a Kerberos ticket without MS-PAC or would use NTLMSSP to authenticate. On IPA master smbd process will attempt to validate successfully authenticated TDO principal by looking at its MS-PAC structure, only to find it is missing. As result, smbd will revert to a direct getpwnam() to see if this user exists on the system. Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add a search base to look up cn=trusts,$SUFFX to allow TDO objects to be queried. On FreeIPA side access controls are put in place so that only AD trust agents are able to see a content of the cn=trusts,$SUFFIX subtree. Signed-of-by:
-
Lukas Slebodnik authored
The last usage was removed in the commit 6181113e Merges: https://pagure.io/SSSD/sssd/pull-request/3784 Reviewed-by:
-
Lukas Slebodnik authored
There are strict checks for private sockets which does not work with unprivileged responder Resolves: https://pagure.io/SSSD/sssd/issue/3778 Merges: https://pagure.io/SSSD/sssd/pull-request/3784 Reviewed-by:
-
Lukas Slebodnik authored
There is not any reason to require additional capabilities from root when sssd is running as unprivileged user. Sudo UNIX socket is not a real private socket. It just cannot be used by others. Just owner(sssd) and root should be able to use it. Resolves: https://pagure.io/SSSD/sssd/issue/3778 Merges: https://pagure.io/SSSD/sssd/pull-request/3784 Reviewed-by:
-
Lukas Slebodnik authored
CentOS 7.5.1804 was release more than 2 months ago https://blog.centos.org/2018/05/centos-7-5-1804-released/ So we can drop checks for minor versions of el7. They were used to distinguish between released and development versions and to use new optional features. Merges: https://pagure.io/SSSD/sssd/pull-request/3783 Reviewed-by:
-
Lukas Slebodnik authored
Merges: https://pagure.io/SSSD/sssd/pull-request/3782 Reviewed-by:
-
Lukas Slebodnik authored
We should install openssl build dependences even though we do not want to run/install dependencies for unit tests Merges: https://pagure.io/SSSD/sssd/pull-request/3781 Reviewed-by:
-
Lukas Slebodnik authored
src/python/pysss.c: In function 'PyList_AsStringList': src/python/pysss.c:60:17: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] itemstr = PyUnicode_AsUTF8AndSize(item, &itemlen); ^ src/python/pyhbac.c: In function 'str_concat_sequence': src/python/pyhbac.c:252:14: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] part = PyUnicode_AsUTF8(item); ^ The result of PyUnicode_AsUTF8AndSize() and PyUnicode_AsUTF8() is now of type const char * rather of char *. (Contributed by Serhiy Storchaka in bpo-28769.) https://docs.python.org/3.7/whatsnew/3.7.html https://bugs.python.org/issue28769 Merges: https://pagure.io/SSSD/sssd/pull-request/3780 Reviewed-by: -
Lukas Slebodnik authored
The sssd secrets responder is used mainly by sssd-kcm and it is not used by any service which is in the sub-package sssd-common. Therefore it make more sense to have secrets responder in the pacakge sssd-kcm and reduce dependencies of sssd-common package (http-parser, jansson) Note: libcurl is installed anyway on fedora due to other dependencies Merges: https://pagure.io/SSSD/sssd/pull-request/3714 Reviewed-by:
-
Lukas Slebodnik authored
Merges: https://pagure.io/SSSD/sssd/pull-request/3708 Reviewed-by:
-
Lukas Slebodnik authored
It will be used in systemd socket files Merges: https://pagure.io/SSSD/sssd/pull-request/3691 Reviewed-by:
-
Lukas Slebodnik authored
/var/run is only symbolic link to /run on some distributions and /run is mounted on tmpfs sh-4.4$ ls -l /var/run lrwxrwxrwx. 1 root root 6 Dec 12 2015 /var/run -> ../run Previously, we used $(localstatedir)/run in ListenStream which does not allow to use "/run" because we still need to store some files in under $(localstatedir) (/var). Autoconf 2.70 will add new configure time option --runstatedir for configuring runstatedir. ATM, we use just fallback implementation where $(runstatedir) is set to $(localstatedir)/run Merges: https://pagure.io/SSSD/sssd/pull-request/3691 Reviewed-by:
-
Jakub Hrozek authored
Resolves: https://pagure.io/SSSD/sssd/issue/3777 The responder code just returned in case the permissions check failed. But at least with the sudo responder, this just caused an endless loop. If the permission check fails, it's best to just abort the client. Reviewed-by:
-
Fabiano Fidêncio authored
Since recent changes in 389-ds two response controls are end when passwordGracelimit is set and about to expire: - [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself - [2.16.840.1.113730.3.4.4] for the PasswordExpired Whenever the former is returned and the GraceLimit is still valid, we shouldn't report the latter to the users. Resolves: https://pagure.io/SSSD/sssd/issue/3597 Signed-off-by:
-
Fabiano Fidêncio authored
There's a typo in the matrix of profiles (based in the priority set) which ended up saving the 10th priority with a wrong name. Resolves: https://pagure.io/SSSD/sssd/issue/3774 Signed-off-by:
-
Fabiano Fidêncio authored
Related: https://pagure.io/SSSD/sssd/issue/3774 Signed-off-by:
-
Josef Cejka authored
Strip leading and trailing whitespaces from netgroup three-tuple strings to be compatible with nss_ldap. Reviewed-by: -
Fabiano Fidêncio authored
This function will be used to print the public keys, as already done in sss_ssh_authorizedkeys.c. Related: https://pagure.io/SSSD/sssd/issue/3542 Signed-off-by:
-
Fabiano Fidêncio authored
Related: https://pagure.io/SSSD/sssd/issue/3542 Signed-off-by:
-
Fabiano Fidêncio authored
Related: https://pagure.io/SSSD/sssd/issue/3542 Signed-off-by:
-
Sumit Bose authored
There is a check in the memory cache code that checks if a record pointer points to the mmapped region . But since some time ago, we return not a pointer to the mmapped region itself, but a copy to avoid issues with invalidating an entry while the same entry is being returned. In most cases, the check is correct, simply because of how memory is laid out on Linux, but in some cases the check was failing and causing a high load of SSSD. Signed-off-by:
-
Michal Židek authored
This reverts commit 2951a9a8. The original use stpncpy was correct. Changing it to memcpy changed the resulting hash. This resulted in users from local domain to not be able to authenticate (offline authentication was also probably broken) if their hash was created before this change. https://pagure.io/SSSD/sssd/issue/3791 Reviewed-by:
-
Lukas Slebodnik authored
This reverts commit bb20d516. The patch introduced compile time warning src/util/crypto/libcrypto/crypto_sha512crypt.c:280:10: error: 'stpncpy' output truncated before terminating nul copying 3 bytes from a string of the same length [-Werror=stringop-truncation] cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Merges: https://pagure.io/SSSD/sssd/pull-request/3792 Reviewed-by:
-
Lukas Slebodnik authored
Since commit 2951a9a8 where we switched from stpncpy to memcpy the salt prefix "$6$" is not stored at all. This broke offline authentication if someone upgraded from old version that stored the prefix to one that doesn't store it. Resolves: https://pagure.io/SSSD/sssd/issue/3791 Merges: https://pagure.io/SSSD/sssd/pull-request/3792 Reviewed-by:
-
Lukas Slebodnik authored
Resolves: https://pagure.io/SSSD/sssd/issue/3791 Merges: https://pagure.io/SSSD/sssd/pull-request/3792 Reviewed-by:
-
Lukas Slebodnik authored
We can call cert_to_ssh_key_step from cert_to_ssh_key_done and thus p11_child can be executed more time. We created pipes for each call but destructor for state->io can close just last one. It's better to manually close pipes with macro PIPE_FD_CLOSE. that macro set file descriptor to -1 and destructor will not try to close them 2nd time. Destructor will cover just edge cases. Merges: https://pagure.io/SSSD/sssd/pull-request/3793 Resolves: https://pagure.io/SSSD/sssd/issue/3794 Reviewed-by:
-
Stanislav Levin authored
Handle a "hidepid=1" mount option for procfs. One of the affects - this option makes impermissible non own pid subdirectories on /proc. Resolves: https://pagure.io/SSSD/sssd/issue/3789 Reviewed-by:
-
Jakub Hrozek authored
Resolves: https://pagure.io/SSSD/sssd/issue/3796 The SSSD selinux management routines were only checking if SELinux is managed on the system. If it is managed, the code tries to proceed and set the login context, otherwise an error is returned which SSSD handles gracefully. But this is not enough, in some cases SELinux might be disabled, but managed and in these cases SSSD was returning strange errors, which might have prevented login with selinux provider in effect. We got this hint form the RH SELinux maintainer: """ libsemanage is for managing SELinux infrastructure. generally if there's /etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux module store - /etc/selinux/<SELINUXTYPE>/active (or /var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can manage it even when SELinux is disabled. I'm not sure if selinux_child doesn any is_selinux_enabled() checks but it could help to avoid such situations. """ Reviewed-by:
-
Alexey Sheplyakov authored
Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no domain controllers in the domain D2 can be reached at the moment (and there are no cached info). As of now initgroups won't assign any groups at all. To improve the behavior skip the incomplete groups so initgroup assigns at least some groups (D1\A, D1\B in the above example). Reviewed-by:
-
Fabiano Fidêncio authored
After 4937f2c6, Sumit noticed the following warning/breakage: make[2]: Leaving directory '/home/sbose/sssd/master_build/src/man' Making check in . make[2]: Entering directory '/home/sbose/sssd/master_build' CC src/responder/nss/nss_protocol_grent.o ../src/responder/nss/nss_protocol_grent.c: In function 'nss_protocol_fill_initgr': ../src/responder/nss/nss_protocol_grent.c:409:1: error: label 'done' defined but not used [-Werror=unused-label] done: ^~~~ cc1: all warnings being treated as errors Makefile:17808: recipe for target 'src/responder/nss/nss_protocol_grent.o' failed make[2]: *** [src/responder/nss/nss_protocol_grent.o] Error 1 make[2]: Leaving directory '/home/sbose/sssd/master_build' Also, while removing the label, by moving the error treatment to the if block just before the existing one makes the code cleaner. Signed-off-by:
-
Jakub Hrozek authored
The functions return bool as per their prototype, but returning EINVAL on failure meant that EINVAL (typically 22) was converted to 'true', so a certificate that was not processable was considered valid. Luckily this code only converts certificates into SSH public keys, so there are no security implications. Reviewed-by:
-
Sumit Bose authored
If sss_nss_idmap-tests is complied with -Wl,-Bsymbolic-functions it fails because sss_nss_make_request_timeout() is not properly wrapped but the tests expects that the replacement call it provides is picked by the linker and not the original function. This patch wraps the call in the corresponding test library. As a consequence a small helper function had to be added to make dlopen-tests pass for the test library as well. Resolves: https://pagure.io/SSSD/sssd/issue/3801 Reviewed-by:
Andreas Hasenack <andreas.hasenack@canonical.com>
-
Jakub Hrozek authored
