......@@ -3690,9 +3690,7 @@ intgcheck-prepare:
rm -Rf intg; \
$(MKDIR_P) intg/bld; \
: Use /hopefully/ short prefix to keep D-Bus socket path short; \
prefix=`mktemp --dry-run --tmpdir --directory sssd-intg.XXXXXXXX`; \
prefix=`echo $$prefix | tr '[:upper:]' '[:lower:]'`; \
mkdir -p $$prefix; \
prefix=`mktemp --tmpdir --directory sssd-intg.XXXXXXXX`; \
$(LN_S) "$$prefix" intg/pfx; \
cd intg/bld; \
$(abs_top_srcdir)/configure \
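Review bot: The new `prefix=` line takes the result of `mktemp --tmpdir --directory` without checking it, and because the recipe is a single `;`-joined shell command a failed substitution does not stop it, so an empty `prefix` flows into `$(LN_S) "$$prefix" intg/pfx` and the configure run that follows. Appending ` || exit 1` after the backquoted mktemp call on that line aborts the recipe at the point of failure. The comment above about keeping the prefix short still describes the new call. The dropped lowercasing step has no replacement; if anything downstream relied on a lower-case socket path, that is worth confirming.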
......
......@@ -41,7 +41,7 @@ declare -r COVERAGE_MIN_FUNCS=0
# Those values are a sum up of the default warnings in all our
# supported distros in our CI.
# debian_testing: E121,E123,E126,E226,E24,E704,W503
# debian_testing: E121,E123,E126,E226,E24,E704,W503,W504,W605
# fedora22:
# fedora23:
# fedora24: E121,E123,E126,E226,E24,E704
......@@ -51,7 +51,7 @@ declare -r COVERAGE_MIN_FUNCS=0
# fedora_rawhide: E121,E123,E126,E226,E24,E704
# rhel6:
# rhel7:
declare PEP8_IGNORE="--ignore=E121,E123,E126,E226,E24,E704,W503"
declare PEP8_IGNORE="--ignore=E121,E123,E126,E226,E24,E704,W503,W504,W605"
declare BASE_PFX=""
declare DEPS=true
declare BASE_DIR=`pwd`
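Review bot: Adding `W605` to `PEP8_IGNORE` suppresses pycodestyle's invalid-escape-sequence warning, which points at string literals such as `'\d'` that newer Python versions report as SyntaxWarning and may later reject, so it hides a forward-compatibility defect rather than a layout preference. `W504` is the mutually exclusive counterpart of the already-ignored `W503` and is reasonable to add. If the CI distros started flagging W605 there are presumably such literals in the tree; fixing them with raw strings and leaving the check enabled would be preferable, or at least the comment block above should say why it is suppressed.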
......
......@@ -165,11 +165,11 @@
fun:recreate_ares_channel
fun:resolv_init
fun:be_res_init
...
fun:be_init_failover
fun:test_ipa_server_create_trusts_setup
...
fun:_cmocka_run_group_tests
fun:main
}
# Leaks in bash if p11_child returns and error because due to libtool the
......
......@@ -1025,11 +1025,11 @@ done
%dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
%attr(700,sssd,sssd) %dir %{dbpath}
%attr(755,sssd,sssd) %dir %{mcpath}
%attr(775,sssd,sssd) %dir %{mcpath}
%attr(751,sssd,sssd) %dir %{deskprofilepath}
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,sssd,sssd) %dir %{pipepath}
%attr(750,sssd,root) %dir %{pipepath}/private
%attr(755,sssd,sssd) %dir %{pubconfpath}
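Review bot: `%attr(775,sssd,sssd) %dir %{mcpath}` and the `0664` modes on `%{mcpath}/passwd`, `group` and `initgroups` make the directory and files writable by every member of group `sssd`, where the previous 755/0644 limited writes to the owner. These are presumably the cache files that client lookups read, so write access to them amounts to influence over identity results on the host; the widening is likely needed so a non-root process can maintain the cache, but nothing in the spec records that. A one-line comment above these entries naming the process that writes the cache under the new mode, and noting that no other accounts are expected in group `sssd`, would document the trust boundary being introduced.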
......
......@@ -936,14 +936,13 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
ret = get_entry_as_bool(res->msgs[0], &domain->mpg,
CONFDB_DOMAIN_AUTO_UPG, 0);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG);
goto done;
tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_DOMAIN_AUTO_UPG, NULL);
if (tmp == NULL || *tmp == '\0') {
tmp = "false";
}
domain->mpg_mode = str_to_domain_mpg_mode(tmp);
if (strcasecmp(domain->provider, "local") == 0) {
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
......@@ -980,7 +979,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
/* The LOCAL provider use always Magic Private Groups */
domain->mpg = true;
domain->mpg_mode = MPG_ENABLED;
}
domain->timeout = ldb_msg_find_attr_as_int(res->msgs[0],
......@@ -1301,6 +1300,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
ret = ENOMEM;
goto done;
}
} else {
if (strcasecmp(domain->provider, "ad") == 0) {
/* ad provider default */
domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u");
if (!domain->fallback_homedir) {
ret = ENOMEM;
goto done;
}
}
}
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
......@@ -1495,7 +1503,7 @@ int confdb_get_domains(struct confdb_ctx *cdb,
CONFDB_MONITOR_ACTIVE_DOMAINS,
&domlist);
if (ret == ENOENT) {
DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured, fatal error!\n");
DEBUG(SSSDBG_MINOR_FAILURE, "No domains configured, fatal error!\n");
goto done;
}
if (ret != EOK ) {
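Review bot: The new read of `CONFDB_DOMAIN_AUTO_UPG` in `confdb_get_domain_internal` drops the validation the boolean version had: the old path failed with `Invalid value for %s` when the value did not parse, while the new path hands any non-empty string to `str_to_domain_mpg_mode` and never checks the result. If that helper can report an unrecognised value (its body is not in this diff), check it here and keep the old `DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG); goto done;` path, otherwise a misspelt `true`/`hybrid` silently becomes whatever the helper defaults to. Separately, in the last hunk `"No domains configured, fatal error!\n"` is now logged at `SSSDBG_MINOR_FAILURE`, so either the text or the level should change to match. `confdb_get_domain_internal` begins and ends outside the shown hunks.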
......
......@@ -131,6 +131,7 @@
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
......@@ -299,6 +300,12 @@ enum sss_domain_type {
DOM_TYPE_APPLICATION,
};
enum sss_domain_mpg_mode {
MPG_DISABLED,
MPG_ENABLED,
MPG_HYBRID,
};
/**
* Data structure storing all of the basic features
* of a domain.
......@@ -313,7 +320,7 @@ struct sss_domain_info {
bool enumerate;
char **sd_enumerate;
bool fqnames;
bool mpg;
enum sss_domain_mpg_mode mpg_mode;
bool ignore_group_members;
uint32_t id_min;
uint32_t id_max;
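Review bot: `enum sss_domain_mpg_mode` is introduced without a comment, and `MPG_HYBRID` in particular is not self-explanatory next to the `bool mpg` it replaces. A block comment above the enum along the lines of `/* auto_private_groups setting of a domain: MPG_DISABLED, MPG_ENABLED, or MPG_HYBRID; see the auto_private_groups entry in sssd.conf(5) for the hybrid semantics */` would help, and the `mpg_mode` member in `struct sss_domain_info` could carry a one-line pointer to it. Since the string form is parsed from configuration and from sysdb elsewhere in this commit, it is also worth stating here which spellings map to which enumerator, or where that mapping lives.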
......
......@@ -103,6 +103,7 @@ option_strings = {
'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
......@@ -280,6 +281,7 @@ option_strings = {
'ldap_backup_uri' : _('ldap_backup_uri, The URI of the LDAP server'),
'ldap_search_base' : _('The default base DN'),
'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
'ldap_pwmodify_mode' : _('Mode used to change user password'),
'ldap_default_bind_dn' : _('The default bind DN'),
'ldap_default_authtok_type' : _('The type of the authentication token of the default bind DN'),
'ldap_default_authtok' : _('The authentication token of the default bind DN'),
......@@ -500,16 +502,14 @@ class SSSDConfigSchema(SSSDChangeConf):
schemaplugindir = '@datadir@/sssd/sssd.api.d'
try:
#Read the primary config file
fd = open(schemafile, 'r')
self.readfp(fd)
fd.close()
# Read the primary config file
with open(schemafile, 'r') as fd:
self.readfp(fd)
# Read in the provider files
for file in filter(lambda f: re.search(r'^sssd-.*\.conf$', f),
os.listdir(schemaplugindir)):
fd = open(schemaplugindir+ "/" + file)
self.readfp(fd)
fd.close()
with open(schemaplugindir+ "/" + file) as fd:
self.readfp(fd)
except IOError:
raise
except SyntaxError: # can be raised with readfp
......@@ -1452,14 +1452,12 @@ class SSSDConfig(SSSDChangeConf):
#TODO: get this from a global setting
configfile = '@sysconfdir@/sssd/sssd.conf'
# open will raise an IOError if it fails
fd = open(configfile, 'r')
try:
self.readfp(fd)
except:
raise ParsingError
with open(configfile, 'r') as fd:
try:
self.readfp(fd)
except:
raise ParsingError
fd.close()
self.configfile = configfile
self.initialized = True
......@@ -1523,10 +1521,9 @@ class SSSDConfig(SSSDChangeConf):
# open() will raise IOError if it fails
old_umask = os.umask(0o177)
of = open(outputfile, "wb")
output = self.dump(self.opts).encode('utf-8')
of.write(output)
of.close()
with open(outputfile, "wb") as of:
output = self.dump(self.opts).encode('utf-8')
of.write(output)
os.umask(old_umask)
def list_active_services(self):
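Review bot: In the `write` hunk, `os.umask(old_umask)` is only reached when the `with open(outputfile, "wb")` block completes normally, so an exception from `open`, `dump` or `write` leaves the process running with the temporary `0o177` umask; this was already true before the `with` conversion, but the rewrite is the moment to fix it. Wrapping the block in `try`/`finally` restores the umask on every path. The enclosing method begins outside the hunk, and the `# open() will raise IOError` comment above it still applies.
```python
old_umask = os.umask(0o177)
try:
    with open(outputfile, "wb") as of:
        output = self.dump(self.opts).encode('utf-8')
        of.write(output)
finally:
    os.umask(old_umask)
```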
......
......@@ -4,14 +4,15 @@
# Copyright (c) 1999-2007 Red Hat, Inc.
# Author: Simo Sorce <ssorce@redhat.com>
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 only
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
......
#!/usr/bin/env python
# SSSD
#
# SSSD Config API tests
#
# Copyright (C) Red Hat
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
Created on Sep 18, 2009
......@@ -67,36 +85,36 @@ class SSSDConfigTestValid(unittest.TestCase):
new_options = new_sssd_service.list_options();
self.assertTrue('debug_level' in new_options)
self.assertEquals(new_options['debug_level'][0], int)
self.assertEqual(new_options['debug_level'][0], int)
self.assertTrue('command' in new_options)
self.assertEquals(new_options['command'][0], str)
self.assertEqual(new_options['command'][0], str)
self.assertTrue('reconnection_retries' in new_options)
self.assertEquals(new_options['reconnection_retries'][0], int)
self.assertEqual(new_options['reconnection_retries'][0], int)
self.assertTrue('services' in new_options)
self.assertEquals(new_options['debug_level'][0], int)
self.assertEqual(new_options['debug_level'][0], int)
self.assertTrue('domains' in new_options)
self.assertEquals(new_options['domains'][0], list)
self.assertEquals(new_options['domains'][1], str)
self.assertEqual(new_options['domains'][0], list)
self.assertEqual(new_options['domains'][1], str)
self.assertTrue('sbus_timeout' in new_options)
self.assertEquals(new_options['sbus_timeout'][0], int)
self.assertEqual(new_options['sbus_timeout'][0], int)
self.assertTrue('re_expression' in new_options)
self.assertEquals(new_options['re_expression'][0], str)
self.assertEqual(new_options['re_expression'][0], str)
self.assertTrue('full_name_format' in new_options)
self.assertEquals(new_options['full_name_format'][0], str)
self.assertEqual(new_options['full_name_format'][0], str)
self.assertTrue('default_domain_suffix' in new_options)
self.assertEquals(new_options['default_domain_suffix'][0], str)
self.assertEqual(new_options['default_domain_suffix'][0], str)
self.assertTrue('domain_resolution_order' in new_options)
self.assertEquals(new_options['domain_resolution_order'][0], list)
self.assertEquals(new_options['domain_resolution_order'][1], str)
self.assertEqual(new_options['domain_resolution_order'][0], list)
self.assertEqual(new_options['domain_resolution_order'][1], str)
del sssdconfig
......@@ -1111,15 +1129,15 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
domain.set_option('krb5_realm', 'EXAMPLE.COM')
domain.set_option('ldap_uri', 'ldap://ldap.example.com')
self.assertEquals(domain.get_option('krb5_realm'),
'EXAMPLE.COM')
self.assertEquals(domain.get_option('ldap_uri'),
'ldap://ldap.example.com')
self.assertEqual(domain.get_option('krb5_realm'),
'EXAMPLE.COM')
self.assertEqual(domain.get_option('ldap_uri'),
'ldap://ldap.example.com')
# Remove the LDAP provider and verify that krb5_realm remains
domain.remove_provider('id')
self.assertEquals(domain.get_option('krb5_realm'),
'EXAMPLE.COM')
self.assertEqual(domain.get_option('krb5_realm'),
'EXAMPLE.COM')
self.assertFalse('ldap_uri' in domain.options)
# Put the LOCAL provider back
......@@ -1566,7 +1584,7 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
# First need to remove the existing service
sssdconfig.delete_service('sssd')
service = sssdconfig.new_service('sssd')
self.failUnless(service.get_name() in sssdconfig.list_services())
self.assertTrue(service.get_name() in sssdconfig.list_services())
# TODO: check that the values of this new service
# are set to the defaults from the schema
......@@ -1836,8 +1854,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
# Positive Test
domain = sssdconfig.new_domain('example.com')
self.assertTrue(isinstance(domain, SSSDConfig.SSSDDomain))
self.failUnless(domain.get_name() in sssdconfig.list_domains())
self.failUnless(domain.get_name() in sssdconfig.list_inactive_domains())
self.assertTrue(domain.get_name() in sssdconfig.list_domains())
self.assertTrue(domain.get_name() in sssdconfig.list_inactive_domains())
# TODO: check that the values of this new domain
# are set to the defaults from the schema
......@@ -1898,7 +1916,7 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
self.assertFalse('example.com' in sssdconfig.list_active_domains())
self.assertFalse('example.com' in sssdconfig.list_inactive_domains())
self.assertFalse(sssdconfig.has_section('domain/example.com'))
self.assertEquals(domain.oldname, None)
self.assertEqual(domain.oldname, None)
# Positive test - Set the domain inactive and save it
activelist = sssdconfig.list_active_domains()
......@@ -1910,10 +1928,10 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
self.assertFalse('example.com2' in sssdconfig.list_active_domains())
self.assertTrue('example.com2' in sssdconfig.list_inactive_domains())
self.assertEquals(len(sssdconfig.list_active_domains()),
len(activelist)-1)
self.assertEquals(len(sssdconfig.list_inactive_domains()),
len(inactivelist)+1)
self.assertEqual(len(sssdconfig.list_active_domains()),
len(activelist)-1)
self.assertEqual(len(sssdconfig.list_inactive_domains()),
len(inactivelist)+1)
# Positive test - Set the domain active and save it
activelist = sssdconfig.list_active_domains()
......@@ -1924,10 +1942,10 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
self.assertTrue('example.com2' in sssdconfig.list_active_domains())
self.assertFalse('example.com2' in sssdconfig.list_inactive_domains())
self.assertEquals(len(sssdconfig.list_active_domains()),
len(activelist)+1)
self.assertEquals(len(sssdconfig.list_inactive_domains()),
len(inactivelist)-1)
self.assertEqual(len(sssdconfig.list_active_domains()),
len(activelist)+1)
self.assertEqual(len(sssdconfig.list_inactive_domains()),
len(inactivelist)-1)
# Positive test - Set the domain inactive and save it
activelist = sssdconfig.list_active_domains()
......@@ -1938,10 +1956,10 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
self.assertFalse('example.com2' in sssdconfig.list_active_domains())
self.assertTrue('example.com2' in sssdconfig.list_inactive_domains())
self.assertEquals(len(sssdconfig.list_active_domains()),
len(activelist)-1)
self.assertEquals(len(sssdconfig.list_inactive_domains()),
len(inactivelist)+1)
self.assertEqual(len(sssdconfig.list_active_domains()),
len(activelist)-1)
self.assertEqual(len(sssdconfig.list_inactive_domains()),
len(inactivelist)+1)
# Positive test - Set the domain active and save it
activelist = sssdconfig.list_active_domains()
......@@ -1952,10 +1970,10 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
self.assertTrue('example.com2' in sssdconfig.list_active_domains())
self.assertFalse('example.com2' in sssdconfig.list_inactive_domains())
self.assertEquals(len(sssdconfig.list_active_domains()),
len(activelist)+1)
self.assertEquals(len(sssdconfig.list_inactive_domains()),
len(inactivelist)-1)
self.assertEqual(len(sssdconfig.list_active_domains()),
len(activelist)+1)
self.assertEqual(len(sssdconfig.list_inactive_domains()),
len(inactivelist)-1)
# Positive test - Ensure that saved domains retain values
domain.set_option('ldap_krb5_init_creds', True)
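Review bot: In the first hunk of `SSSDConfigTestValid`, the assertion right after `self.assertTrue('services' in new_options)` is converted to `self.assertEqual(new_options['debug_level'][0], int)`, which re-checks `debug_level` instead of `services`; `debug_level` is already asserted a few lines earlier, so this looks like a copy-paste slip that the mechanical rename carried over. It should presumably read `self.assertEqual(new_options['services'][0], list)` with a second assertion for the element type, as is done for `domains`, though the expected types for `services` are not visible in this diff. The rest of the section is a straight `assertEquals`/`failUnless` to `assertEqual`/`assertTrue` rename.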
......
......@@ -126,6 +126,7 @@ option = pam_cert_auth
option = pam_cert_db_path
option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
[rule/allowed_sudo_options]
validator = ini_allowed_options
......@@ -437,6 +438,7 @@ option = ad_enable_dns_sites
option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
option = ad_gpo_implicit_deny
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
......@@ -652,6 +654,7 @@ option = ldap_sasl_canonicalize
option = ldap_sasl_mech
option = ldap_sasl_minssf
option = ldap_schema
option = ldap_pwmodify_mode
option = ldap_search_base
option = ldap_search_timeout
option = ldap_service_entry_usn
......@@ -728,6 +731,14 @@ option = ldap_user_ssh_public_key
option = ldap_user_uid_number
option = ldap_user_uuid
option = ldap_use_tokengroups
option = ldap_host_object_class
option = ldap_host_name
option = ldap_host_fqdn
option = ldap_host_serverhostname
option = ldap_host_member_of
option = ldap_host_search_base
option = ldap_host_ssh_public_key
option = ldap_host_uuid
# For application domains
option = inherit_from
......
......@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
pam_cert_db_path = str, None, false
p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
[sudo]
# sudo service
......
......@@ -24,6 +24,7 @@ ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_pwmodify_mode = str, None, false
ldap_default_bind_dn = str, None, false
ldap_default_authtok_type = str, None, false
ldap_default_authtok = str, None, false
......
......@@ -16,6 +16,7 @@ ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_pwmodify_mode = str, None, false
ldap_default_bind_dn = str, None, false
ldap_default_authtok_type = str, None, false
ldap_default_authtok = str, None, false
......
......@@ -3,6 +3,7 @@ ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_pwmodify_mode = str, None, false
ldap_default_bind_dn = str, None, false
ldap_default_authtok_type = str, None, false
ldap_default_authtok = str, None, false
......
......@@ -4,9 +4,10 @@
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
......@@ -14,8 +15,8 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""
Python-level packaging using distutils.
......
......@@ -526,7 +526,8 @@ sysdb_set_site(struct sss_domain_info *dom,
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
const char *name, const char *realm,
const char *flat_name, const char *domain_id,
bool mpg, bool enumerate, const char *forest,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
struct ldb_message_element *upn_suffixes);
......
......@@ -494,7 +494,8 @@ static int sysdb_search_by_name(TALLOC_CTX *mem_ctx,
break;
case SYSDB_GROUP:
def_attrs[1] = SYSDB_GIDNUM;
if (domain->mpg && strcasecmp(domain->provider, "local") != 0) {
if (sss_domain_is_mpg(domain)
&& strcasecmp(domain->provider, "local") != 0) {
/* When searching a group by name in a MPG domain, we also
* need to search the user space in order to be able to match
* a user private group/
......@@ -1971,7 +1972,7 @@ int sysdb_add_user(struct sss_domain_info *domain,
int ret;
bool posix;
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
if (gid != 0) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Cannot add user with arbitrary GID in MPG domain!\n");
......@@ -2008,7 +2009,7 @@ int sysdb_add_user(struct sss_domain_info *domain,
return ret;
}
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
/* In MPG domains you can't have groups with the same name or GID
* as users, search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
......@@ -2092,7 +2093,7 @@ int sysdb_add_user(struct sss_domain_info *domain,
ret = sysdb_attrs_add_uint32(id_attrs, SYSDB_UIDNUM, id);
if (ret) goto done;
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
ret = sysdb_attrs_add_uint32(id_attrs, SYSDB_GIDNUM, id);
if (ret) goto done;
}
......@@ -2226,7 +2227,7 @@ int sysdb_add_group(struct sss_domain_info *domain,
return ret;
}
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
/* In MPG domains you can't have groups with the same name as users,
* search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
......@@ -2840,7 +2841,7 @@ static errno_t sysdb_store_user_attrs(struct sss_domain_info *domain,
if (ret) return ret;
}
if (uid && !gid && domain->mpg) {
if (uid && !gid && sss_domain_is_mpg(domain)) {
ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, uid);
if (ret) return ret;
}
......
......@@ -198,7 +198,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *realm,
const char *flat_name,
const char *id,
bool mpg,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate,
const char *forest,
const char **upn_suffixes,
......
......@@ -909,7 +909,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
goto done;
}
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
/* In case the domain supports magic private groups we *must*
* check whether the searched name is the very same as the
* originalADname attribute.
......@@ -1108,7 +1108,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
}
}
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
/* In case the domain supports magic private groups we *must*
* check whether the searched gid is the very same as the
* originalADgidNumber attribute.
......@@ -1216,7 +1216,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
if (domain->mpg) {
if (sss_domain_is_mpg(domain)) {
base_filter = SYSDB_GRENT_MPG_FILTER;
base_dn = sysdb_domain_dn(tmp_ctx, domain);
} else {
......
......@@ -34,7 +34,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *realm,
const char *flat_name,
const char *id,
bool mpg,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate,
const char *forest,
const char **upn_suffixes,
......@@ -126,7 +126,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->enumerate = enumerate;
dom->fqnames = true;
dom->mpg = mpg;
dom->mpg_mode = mpg_mode;
dom->state = DOM_ACTIVE;
/* use fully qualified names as output in order to avoid causing
......@@ -320,7 +320,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
const char *flat;
const char *id;
const char *forest;
bool mpg;
const char *str_mpg_mode;
enum sss_domain_mpg_mode mpg_mode;
bool enumerate;
uint32_t trust_direction;
struct ldb_message_element *tmp_el;
......@@ -376,8 +377,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
id = ldb_msg_find_attr_as_string(res->msgs[i],
SYSDB_SUBDOMAIN_ID, NULL);
mpg = ldb_msg_find_attr_as_bool(res->msgs[i],
SYSDB_SUBDOMAIN_MPG, false);
str_mpg_mode = ldb_msg_find_attr_as_string(res->msgs[i],
SYSDB_SUBDOMAIN_MPG, NULL);
if (str_mpg_mode == NULL || *str_mpg_mode == '\0') {
str_mpg_mode = "false";
}
mpg_mode = str_to_domain_mpg_mode(str_mpg_mode);
enumerate = ldb_msg_find_attr_as_bool(res->msgs[i],
SYSDB_SUBDOMAIN_ENUM, false);
......@@ -440,12 +445,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
}
}
if (dom->mpg != mpg) {
if (dom->mpg_mode != mpg_mode) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"MPG state change from [%s] to [%s]!\n",
dom->mpg ? "true" : "false",
mpg ? "true" : "false");
dom->mpg = mpg;
dom->mpg_mode == MPG_ENABLED ? "true" : "false",
mpg_mode == MPG_ENABLED ? "true" : "false");
dom->mpg_mode = mpg_mode;
}
if (dom->enumerate != enumerate) {
......@@ -515,7 +520,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
/* If not found in loop it is a new subdomain */
if (dom == NULL) {
dom = new_subdomain(domain, domain, name, realm,
flat, id, mpg, enumerate, forest,
flat, id, mpg_mode, enumerate, forest,
upn_suffixes, trust_direction, confdb);
if (dom == NULL) {
ret = ENOMEM;
......@@ -894,7 +899,8 @@ done:
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
const char *name, const char *realm,
const char *flat_name, const char *domain_id,
bool mpg, bool enumerate, const char *forest,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
struct ldb_message_element *upn_suffixes)
{
......@@ -984,11 +990,28 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
}
}
tmp_bool = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_SUBDOMAIN_MPG,
!mpg);
if (tmp_bool != mpg) {
mpg_flags = LDB_FLAG_MOD_REPLACE;
tmp_str = ldb_msg_find_attr_as_string(res->msgs[0],
SYSDB_SUBDOMAIN_MPG,
"false");
/* If mpg_mode changed we need to replace the old value in sysdb */
switch (mpg_mode) {
case MPG_ENABLED:
if (strcasecmp(tmp_str, "true") != 0) {
mpg_flags = LDB_FLAG_MOD_REPLACE;
}
break;
case MPG_DISABLED:
if (strcasecmp(tmp_str, "false") != 0) {
mpg_flags = LDB_FLAG_MOD_REPLACE;
}
break;
case MPG_HYBRID:
if (strcasecmp(tmp_str, "hybrid") != 0) {
mpg_flags = LDB_FLAG_MOD_REPLACE;
}
break;
}
tmp_bool = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_SUBDOMAIN_ENUM,
!enumerate);
if (tmp_bool != enumerate) {
......@@ -1098,8 +1121,14 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
goto done;
}
ret = ldb_msg_add_string(msg, SYSDB_SUBDOMAIN_MPG,
mpg ? "TRUE" : "FALSE");
tmp_str = str_domain_mpg_mode(mpg_mode);
if (tmp_str == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't convert mpg_mode to string\n");
ret = EINVAL;
goto done;
}
ret = ldb_msg_add_string(msg, SYSDB_SUBDOMAIN_MPG, tmp_str);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
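Review bot: In `sysdb_update_subdomains`, the `MPG state change from [%s] to [%s]` message still renders both values through `== MPG_ENABLED ? "true" : "false"`, so any transition involving `MPG_HYBRID` is logged as `false` or misreported, which defeats the trace. `str_domain_mpg_mode()`, used later in `sysdb_subdomain_store`, yields the exact name; because that call site checks it for `NULL`, add the same check (or a small wrapper that substitutes a fixed string) before passing the result to `%s`. In `sysdb_subdomain_store` the compare-before-replace `switch` assumes `str_domain_mpg_mode()` emits spellings that `strcasecmp` matches against `true`/`false`/`hybrid`; if it does not, every store sets `LDB_FLAG_MOD_REPLACE`, which is worth confirming since its body is not in this diff. Both functions extend beyond the shown hunks.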
......
......@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
ret = EINVAL;
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
if (orig_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
ret = ENOMEM;
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
if (_uid != NULL) {
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
......@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
continue;
}
sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
groupname);
sysdb_groupnames[num_groups] = \
sss_get_cased_name(sysdb_groupnames, groupname,
domain->case_sensitive);
if (sysdb_groupnames[num_groups] == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
continue;
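Review bot: The new assignment `sysdb_groupnames[num_groups] = \` uses a backslash line continuation outside a macro, which C does not need here; drop it and indent the `sss_get_cased_name(...)` call as an ordinary continuation line. The error message that follows, `Cannot strdup %s`, now describes the replaced `talloc_strdup` rather than the `sss_get_cased_name` call whose failure it reports, so it should name the new operation. `sysdb_get_sudo_user_info` begins and ends outside the hunk.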
......
......@@ -18,7 +18,8 @@ then
Kerberos\ 5\ release\ 1.13* | \
Kerberos\ 5\ release\ 1.14* | \
Kerberos\ 5\ release\ 1.15* | \
Kerberos\ 5\ release\ 1.16*)
Kerberos\ 5\ release\ 1.16* | \
Kerberos\ 5\ release\ 1.17*)
krb5_version_ok=yes
AC_MSG_RESULT([yes])
;;
......
......@@ -36,6 +36,14 @@ AM_CONDITIONAL([HAVE_SUSE], [test x"$osname" = xsuse])
AM_CONDITIONAL([HAVE_DEBIAN], [test x"$osname" = xdebian])
AM_CONDITIONAL([HAVE_GENTOO], [test x"$osname" = xgentoo])
AS_CASE([$osname],
[redhat], [AC_DEFINE_UNQUOTED([HAVE_REDHAT], 1, [Build with redhat config])],
[fedora], [AC_DEFINE_UNQUOTED([HAVE_FEDORA], 1, [Build with fedora config])],
[suse], [AC_DEFINE_UNQUOTED([HAVE_SUSE], 1, [Build with suse config])],
[gentoo], [AC_DEFINE_UNQUOTED([HAVE_GENTOO], 1, [Build with gentoo config])],
[debian], [AC_DEFINE_UNQUOTED([HAVE_DEBIAN], 1, [Build with debian config])],
[AC_MSG_NOTICE([Build with $osname config])])
AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
[[#include <sys/socket.h>]])
......
......@@ -217,12 +217,14 @@ static int sss_sid_to_id(struct sssd_ctx *ctx, const char *sid,
{
int err;
enum sss_id_type id_type;
uint32_t uid;
err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type);
err = sss_nss_getidbysid(sid, &uid, &id_type);
if (err != 0) {
ctx_set_error(ctx, strerror(err));
return -1;
}
cuxid->id.uid = (uid_t)uid;
switch (id_type) {
case SSS_ID_TYPE_UID:
......
......@@ -27,7 +27,7 @@ endif
if BUILD_SECRETS
SEC_CONDS = ;with_secrets
endif
if BUILD_SECRETS
if BUILD_KCM
KCM_CONDS = ;with_kcm
endif
if BUILD_SYSTEMTAP
......
......@@ -76,4 +76,23 @@
</listitem>
</itemizedlist>
</refsect2>
<refsect2 id='nss_modifications'>
<title>NSS configuration</title>
<itemizedlist>
<listitem>
<para>
fallback_homedir = /home/%d/%u
</para>
<para>
The AD provider automatically sets
"fallback_homedir = /home/%d/%u" to provide personal
home directories for users without the homeDirectory
attribute. If your AD Domain is properly
populated with Posix attributes, and you want to avoid
this fallback behavior, you can explicitly
set "fallback_homedir = %o".
</para>
</listitem>
</itemizedlist>
</refsect2>
</refsect1>
......@@ -86,7 +86,7 @@ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
</varlistentry>
<varlistentry>
<term>
<option>-k</option>,<option>--pubkeys</option>
<option>-k</option>,<option>--pubkey</option>
</term>
<listitem>
<para>
......
......@@ -417,6 +417,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
</listitem>
</varlistentry>
<varlistentry>
<term>ad_gpo_implicit_deny (boolean)</term>
<listitem>
<para>
Normally when no applicable GPOs are found the
users are allowed access. When this option is set
to True users will be allowed access only when
explicitly allowed by a GPO rule. Otherwise users
will be denied access. This can be used to harden
security but be careful when using this option
because it can deny access even to users in the
built-in Administrators group if no GPO rules
apply to them.
</para>
<para>
Default: False (seconds)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ad_gpo_cache_timeout (integer)</term>
<listitem>
......@@ -647,6 +668,7 @@ ad_gpo_map_network = +my_pam_service, -ftp
ad_gpo_map_batch = +my_pam_service, -crond
</programlisting>
</para>
<para>Note: Cron service name may differ depending on Linux distribution used.</para>
<para>
Default: the default set of PAM service names includes:
<itemizedlist>
......
......@@ -205,6 +205,44 @@
</listitem>
</varlistentry>
<varlistentry>
<term>ldap_pwmodify_mode (string)</term>
<listitem>
<para>
Specify the operation that is used to modify user
password.
</para>
<para>
Two modes are currently supported:
<itemizedlist>
<listitem>
<para>
exop - Password Modify Extended
Operation (RFC 3062)
</para>
</listitem>
<listitem>
<para>
ldap_modify - Direct modification of
userPassword (not recommended).
</para>
</listitem>
</itemizedlist>
</para>
<para>
Note: First, a new connection is established to
verify current password by binding as the user
that requested password change. If successful,
this connection is used to change the password
therefore the user must have write access to
userPassword attribute.
</para>
<para>
Default: exop
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ldap_default_bind_dn (string)</term>
<listitem>
......
......@@ -813,7 +813,8 @@
from the sss NSS database. This is particularly
useful for system accounts. This option can also
be set per-domain or include fully-qualified names
to filter only users from the particular domain.
to filter only users from the particular domain or
by a user principal name (UPN).
</para>
<para>
NOTE: The filter_groups option doesn't affect
......@@ -1389,7 +1390,81 @@ pam_account_locked_message = Account locked, please contact help desk.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pam_p11_allowed_services (integer)</term>
<listitem>
<para>
A comma-separated list of PAM service names for
which it will be allowed to use Smartcards.
</para>
<para>
It is possible to add another PAM service name to
the default set by using
<quote>+service_name</quote> or to explicitly
remove a PAM service name from the default set by
using <quote>-service_name</quote>. For example,
in order to replace a default PAM service name for
authentication with Smartcards
(e.g. <quote>login</quote>) with a custom PAM
service name (e.g. <quote>my_pam_service</quote>),
you would use the following configuration:
<programlisting>
pam_p11_allowed_services = +my_pam_service, -login
</programlisting>
</para>
<para>
Default: the default set of PAM service names
includes:
<itemizedlist>
<listitem>
<para>
login
</para>
</listitem>
<listitem>
<para>
su
</para>
</listitem>
<listitem>
<para>
su-l
</para>
</listitem>
<listitem>
<para>
gdm-smartcard
</para>
</listitem>
<listitem>
<para>
gdm-password
</para>
</listitem>
<listitem>
<para>
kdm
</para>
</listitem>
<listitem>
<para>
sudo
</para>
</listitem>
<listitem>
<para>
sudo-i
</para>
</listitem>
<listitem>
<para>
gnome-screensaver
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
......@@ -2906,10 +2981,61 @@ subdomain_inherit = ldap_purge_cache_timeout
<term>auto_private_groups (string)</term>
<listitem>
<para>
If this option is enabled, SSSD will automatically
create user private groups based on user's
UID number. The GID number is ignored in this case.
</para>
This option takes any of three available values:
<variablelist>
<varlistentry>
<term>true</term>
<listitem>
<para>
Create user's private group unconditionally from user's UID number.
The GID number is ignored in this case.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>false</term>
<listitem>
<para>
Always use the user's primary GID number. The GID number must refer
to a group object in the LDAP database.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>hybrid</term>
<listitem>
<para>
A primary group is autogenerated
for user entries whose UID
and GID numbers have the same
value and at the same time the
GID number does not correspond
to a real group object in LDAP
If the values are the same, but
the primary GID in the user entry
is also used by a group object,
the primary GID of the user resolves
to that group object.
</para>
<para>
If the UID and GID of a user
are different, then the GID
must correspond to a group
entry, otherwise the GID is
simply not resolvable.
</para>
<para>
This feature is useful for
environments that wish to stop
maintaining a separate group
objects for the user private
groups, but also wish to retain
the existing user private groups.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
For POSIX subdomains, setting the option in the main
domain is inherited in the subdomain.
......
......@@ -648,8 +648,11 @@ static int add_services_startup_timeout(struct mt_ctx *ctx)
struct tevent_timer *to;
struct timeval tv;
/* 5 seconds should be plenty */
tv = tevent_timeval_current_ofs(5, 0);
/* `monitor_service_init()` allows 10 secs for any connected sbus client
to proceed with registration.
It makes sense to allow overall provider startup timeout