4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ed891c0c55985cd25de05f65e82debf4452987e1 |
|
03-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
PAM: Use cache_req to perform initgroups lookups
PAM responder has been already taking advantage of the cache_req
interface, so this patch is just replacing some code that performs
initgroups lookups by using cache_req to do so.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
50c740cbc2bb27cbe488fa8587e2901b8b85cf87 |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDER: Contact inconsistent domains
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ca68b1b4ba06b1cda316ae8af470647bd7015a5a |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
DP: Remove unused attr_type from struct dp_id_data
Structure member attr_type was set to BE_ATTR_CORE on all places
and there was a single place src/providers/ldap/ldap_id.c where
we checked to other values. It is not used anymore; it's better to
remove it.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
8b026b55ff30ed24fb6795fbd5f59bd5949c303b |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
DP: Remove unused constants BE_ATTR_*
Neither BE_ATTR_MEM nor BE_ATTR_ALL are set anywhere in sssd.code.
sh$ git grep -E "BE_ATTR_ALL|BE_ATTR_MEM"
src/providers/data_provider.h:#define BE_ATTR_MEM 2
src/providers/data_provider.h:#define BE_ATTR_ALL 3
src/providers/data_provider/dp_target_id.c: case BE_ATTR_MEM:
src/providers/data_provider/dp_target_id.c: case BE_ATTR_ALL:
Reviewed-by: Michal Židek <mzidek@redhat.com> |
04e870d99e72aa3160bdb6ab05d986fb4005c3ed |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Remove old data provider interface
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
83a79d93035c2d75a1941f3b54426119174044a0 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
RESPONDER: New interface for client registration
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.
The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally built only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a1bf79449204ce9a5392b9d09b953a6bdf53a122 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Add callback for backward compatibility
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ff275f4c0b8cc1a098dbd0c5f6d52d6a93cda597 |
|
17-Feb-2016 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add return code ERR_ACCOUNT_LOCKED
Add code to distinguish state when account is locked in Active
Directory server.
Tested against Windows Server 2012
This patch is best effort only as decision whether account is actually
locked is based on parsing error message returned by AD. The format and
content of this error message might be subject of change in future
releases and also can be modified by AD administrators.
If account is locked bind operation is expected to return following
error message:
-----------------------------------------------------------------------
Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 775, v23f0
-----------------------------------------------------------------------
Where sub string 'data 775' implies that account is locked
(ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code
0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error
string [2].
Error message is described in further detail as [3]:
-----------------------------------------------------------------------
When the server fails an LDAP operation with an error, and the server
has sufficient resources to compute a string value for the errorMessage
field of the LDAPResult, it includes a string in the errorMessage field
of the LDAPResult (see [RFC2251] section 4.1.10). The string contains
further information about the error.
The first eight characters of the errorMessage string are a 32-bit
integer, expressed in hexadecimal. Where protocol specifies the extended
error code "<unrestricted>" there is no restriction on the value of the
32-bit integer. It is recommended that implementations use a Windows
error code for the 32-bit integer in this case in order to improve
usability of the directory for clients. Where protocol specifies an
extended error code which is a Windows error code, the 32-bit integer is
the specified Windows error code. Any data after the eighth character
is strictly informational and used only for debugging. Conformant
implementations need not put any value beyond the eighth character of
the errorMessage field.
-----------------------------------------------------------------------
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
[2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols
[3] MS-ADTS 3.1.1.3.1.9
https://msdn.microsoft.com/en-us/library/cc223253.aspx
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
376eaf187c13c2a1eaea0ffbdd970b6b563ab74c |
|
14-Sep-2015 |
Petr Cech <pcech@redhat.com> |
DATA_PROVIDER: BE_REQ as string in log message
Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
cdc44abdf944b0de541fe93ecd77df4d09c856b1 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
Related:
https://fedorahosted.org/sssd/ticket/2553
Extends the Data Provider interface and the responder<->Data provider
interface with wildcard lookups.
The patch uses a new "wildcard" prefix rather than reusing the existing
user/group prefixes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
caacea0dbfdc92613ae992681053b1d2665b80ca |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/IPA: add user lookup by certificate
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b3d110fbc424a03674a6e50e489a7cbab9702f0b |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Add a function to inherit DP options, if set
Related to:
https://fedorahosted.org/sssd/ticket/2644
Adds a utility function that checks if a DP option is present in
the subdomain_inherit list. If it is, then the option is set from source
to destination dp_option array.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0f9c28eb52d2b45c8a97f709308dc11377831b8c |
|
06-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f70a1adbfc30b9acc302027439fb8157e0c6ea2a |
|
29-Apr-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is searched with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7964d2bd7ea6a0f5bf5acdf94279d72122eca6ad |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: add support for lookups by UUID
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ed4a9bd4d0f7fb359bed66a8d63a92e7be633aae |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
views: search overrides for user and group requests
If the name or the POSIX ID of a user or a group is overridden the
search request for those objects has to check the override objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- if the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is search by its SID. If no override
object was found the original object is search with the original input
and finally it is checked if an override object exits for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
663fd9bcdcc6b299785ba3434532cd7e6c462bff |
|
29-Sep-2014 |
Daniel Gollub <dgollub at brocade.com> |
PAM: Add domains= option to pam_sss
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
899d1bdc048cd74518170d7d9535d76d3f46d4af |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM, NSS: allow UPN login names
With this patch the NSS and PAM responders can handle user principal
names besides the fully qualified user names.
User principal names are built from a user name and a domain suffix
separated by an '@' sign. But the domain suffix does not necessarily have
to be the same as the configured domain name in sssd.conf of the
dynamically discovered DNS domain name of a domain. The typical use case
is an Active Directory forest with lots of different domains. To not
force the users to remember the name of the individual domain they
belong to the AD administrator can set a common domain suffix for all
users from all domains in the forest. This is typically the domain name
used for emails to make it even more easy to the users to remember it.
Since SSSD splits name and domain part at the '@' sign and the common
domain suffix might not be resolvable by DNS or the given user is not a
member of that domain (e.g. in the case where the forest root is used as
common domain suffix) SSSD might fail to look up the user.
With this patch the NSS and PAM responder will do an extra lookup for a
UPN if the domain part of the given name is not known or the user was
not found and the login name contained the '@' sign.
Resolves https://fedorahosted.org/sssd/ticket/1749 |
cda952ca3e00d324c7e53eeaeda394eb0d142818 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM: extract checks from parsing routines
This patch saves the original name given at a login prompt and sent to
the PAM responder in the logon_name member of the pam_data struct for
later use.
Additionally it separates the parsing of the data sent by the PAM client
and the checks of this data. |
25a387c2e90c74b27a26ea207503df8e4b6a1a76 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: If extra_value is 'U' do a UPN search
Besides the name the responders always send an extra string attribute to
the backends which is so far mostly empty. Since the only difference in
the processing of a request for a user name or a user principal name is
a different search attribute in the LDAP provider this extra value can
be used to indicate the type of the name. Providers which do not support
UPN lookup can just ignore this attribute.
Related to https://fedorahosted.org/sssd/ticket/1749 |
90afedb00608547ae1f32aa7aafd552c4b306909 |
|
26-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Provide separate dp_copy_defaults function
https://fedorahosted.org/sssd/ticket/2257
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b668c77874c6fed325471bdcf5954979a0d734e2 |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Use constants to make dbus calls
This allows us to remove duplicated information, and have the
compiler check that when a method name is changed or removed
the callers are updated.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
769347ad4d35d43488eb98f980143495b0db415d |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Rework sbus to use interface metadata and vtables
Previous commits added support for interface metadata and
handler vtables. This commit ports sbus_dbus_connection to
use them.
Port the internal uses of dbus to use the new scheme in a
very minimal way. Further cleanup is possible here.
This commit provides basic definitions of the internal
dbus interfaces. The interfaces aren't fully defined, as the
handlers will continue to unpack manually, and often overload
DBus methods with different arguments (which is rather
unorthodox, but not the end of the world).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
3e7d7af1953410f3f009bf3b2e481a46fb80de83 |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
nss: Stop using one DBus interface with totally different methods
This is an incorrect use of DBus, where we use a single interface
name with completely different sets of methods.
Easily fixed.
Once the vtable stuff is in use then this would be automatically
detected and fail to build.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
5c233380e1ebf641f6106a34d7b94f9e9a606589 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Remove DEBUG macro support for old debug levels
Remove support for specifying old debug levels to the DEBUG macro:
* remove debug_get_level function which was used for conversion,
* remove debug_get_level tests,
* remove mentions of old/new levels from DEBUG and DEBUG_IS_SET
macro descriptions,
* rename "newlevel" argument of debug_fn to just "level".
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
19b4bb652f5cdc2797b66595eaf8811881aa9873 |
|
22-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Include external headers with #include <foo.h>
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only. |
f0944fdd627bd684ff36c9670dc857ffdedc343f |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add two new request types to the data-provider interface
The patch adds two new request types for SID related requests. The first
one is used if a SID is given and the corresponding object should be
found. The second one can be used if the SID for an object is requested
but it is not clear if the object is a user or a group. |
206329d3901738036352f2ac1e8d7804f728861d |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add secid filter to responder-dp protocol
This patch adds a new filter type to the data-provider interface which
can be used for SID-based lookups. |
584eda085e83a428f2c39dadf0d7adeaff5c87f4 |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Init failover with be_res options |
9acfb09f7969a69f58bd45c856b01700541853ca |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Making the authtok structure really opaque.
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To create a new empty authtok, only the newly created function
sss_authtok_new() can be used. TALLOC context was removed from copy and setter functions,
because pointer to struct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830 |
53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Reusing create_pam_data() on the other places.
Function create_pam_data() should be only one way how to create new
struct pam_data, because it also initializes destructor to created
object. |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
408914f68673f2caa1c82a1a21336fcb7ddd52ef |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Hook for mmap cache update on initgroup calls
This set of functions enumerate the user's groups and invalidate them all
if the list does not match what we get from the caller. |
ebba1aa6b9783daa0d530e9f5e307f7be17d3cd3 |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Hook to perform a mmap cache update from sssd_nss
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches. |
e11c7dc43f4ff9897e37cc0d793f8e1fb3b8453a |
|
04-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Use an entry type mask macro to filter entry types
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied. |
d3dca30d3a6feba062d0299718d1a9fcdc8b9d17 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_child: send back the client principal
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing. |
dfafb437f49d31e015184e212571e9917aa94eef |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: clean up |
d16b3f456d1100f4058d9a73ee59397f964b8760 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo ldap provider: add support for on demand refresh of specific rules |
f8cbe2ddc3bd6e1f003f1d16a609b0697cafc721 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo ldap provider: add support for on demand full refresh |
fe1ac2443811a7125f2ddd0382a3f437f20377de |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
data provider: added subdomains |
c0f9698cd951b7223f251ff2511c4b22a6e4ba60 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Responder part of the subdomain retrieval work |
419ddca29f074cf446c316b735fbbafc59084458 |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Add terminator for dp_option |
74505b09d056883741e90cac45838c844365cae5 |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
DP: Add host info handler |
9e80079370ff3b943832adc3c5ef430e64be0a0c |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: responder |
5708dc97b69a468f077616d7a75e81f4172f63fa |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: Data Provider request |
7a571a9d9be35360cc0f283fcd8124bda11ebf51 |
|
27-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - prepare data provider for new responder commands
https://fedorahosted.org/sssd/ticket/1143 |
3b09b74bf65867d882af87ec60e2a517b15264a6 |
|
27-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO: Provide a sudo DP request based on the internal_req |
6748486d61680426e8739bb5e7db7dd8409ef44c |
|
27-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Add support for services in dp requests |
88c5d362804244a5a74785b94018ddf887094553 |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO integration - data provider backend handler |
4a6a5421113ab662a665c62ed6a24b61a5a36950 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Multiline macro cleanup
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again. |
99dd40a885ed3d42af4bbbde7ee2fc98830544d0 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - conversion
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT) |
222072fd4383f742e0a1b1722946d4586fe37de7 |
|
06-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove unused constants from data_provider.h |
e63307a858eaa56f46cd5bf562653911eb2e9826 |
|
08-Mar-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Remove unused be_check_online() SBUS call |
d2d23847f879712d6e191134018a8bff70a5e2ab |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for server-side pam response messages |
d1571f8c173ca9172fa295e6aac48b8c0c367950 |
|
02-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add a special filter type to handle enumerations |
9468a58f9bd191ef80c114943a288037c635a835 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date. |
ef39c0adcb61b16f9edc7beb4cdc8f3b0d5a8f15 |
|
13-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add netgroup support to the NSS responder |
a772f2e29661dda4c69124a4c794183798418ae4 |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Copy pam data from DBus message
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere. |
0507838f0194b37271c52acab1bdfa73af3929da |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Make data provider id_callback public |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
55daaea86e0ba049d31f74fcdf6bfedc6e0a1e7b |
|
20-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Copy pam data from DBus message"
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1. |
2faf73eef14d66aeb345ffa38d0f53670fa8a9a1 |
|
20-May-2010 |
Sumit Bose <sbose@redhat.com> |
Copy pam data from DBus message
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere. |
e55f1df17af45d2e32153b41006c06061d0337e5 |
|
22-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove unnecessary domain parameter from PAM requests
If we're sending a message to the backend, we already know which
domain the request is targeting. Carrying this information is not
useful and confuses the interface. |
b81f453b8ade026f9c19bfd557a986cbcf0c9c8c |
|
22-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove unnecessary "domain" parameter from DP registration
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to. |
446dbddae224cb68422825445b3cbdeb6606aa81 |
|
19-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Add documentation for PAM response messages |
953e07b7c43bc9bb7c7616180b1ba1730e22c59a |
|
19-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Remove unneeded items from struct pam_data |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |