History log of /sssd-io/src/providers/ipa/ipa_subdomains.c
Revision Date Author Comments
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 09-Feb-2018 Hristo Venev <hristo@venev.name>

providers: Move hostid from ipa to sdap, v2

In the ldap provider, all option names are renamed to ldap_host_*. In the ipa provider the names haven't been changed. Host lookups for both ipa and ldap are handled in the ldap provider. sss_ssh_knownhostsproxy works but hostgroups are still only available in the ipa provider. I've also added some documentation for the ldap provider.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

261a84355d9d033ca03f46727dbc2cf4921f154e 10-Jan-2018 Jakub Hrozek <jhrozek@redhat.com>

IPA: Delay the first periodic refresh of trusted domains

When the IPA subdomains code is initialized, the responders send a request to fetch subdomains. This request first stores the list of trusted domains to the cache and then runs the ipa-getkeytab helper. At the same time, the periodical task to update the subdomains is also started. The task finds out that all the trusted domains are already known and finishes the request, which replies to the Data Provider requests as well, even while the ipa-getkeytab request is still running. This unblocks requests from the responders, which try to connect to the AD DCs even before the keytab is available, which switches the SSSD status to offline.

This patch simply delays the first periodic task in the IPA subdomains code by 10 minutes, thus mitigating the startup race.

Resolves: https://pagure.io/SSSD/sssd/issue/3601
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

f2e70ec742cd7aab82b74d7e4b424ba3258da7aa 14-Sep-2017 Sumit Bose <sbose@redhat.com>

IPA: fix handling of certmap_ctx

This patch fixes a use-after-free in the AD provider part and initializes the certmap_ctx with data from the cache at startup.

Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f00591a4615720640cf01b1c408315b57dd397dc 06-Sep-2017 Sumit Bose <sbose@redhat.com>

ipa: make sure view name is initialized at startup

sysdb_master_domain_update() can only set the view name properly if it was not set before, but it might be called multiple times before the view name is available if the cache is empty. Since ipa_apply_view() keeps track of whether the view name was already set at startup or not, the name can safely be cleaned here before sysdb_master_domain_update() is called.

Resolves: https://pagure.io/SSSD/sssd/issue/3501
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6bd6571dfe97fb9c6ce9040c3fcfb4965f95eda1 14-Aug-2017 Petr Čech <pcech@redhat.com>

UTIL: Set udp_preference_limit=0 in krb5 snippet

We add udp_preference_limit = 0 to the krb5 snippet if the ad provider is used. This option enables TCP connections before UDP when sending a message to the KDC.

Resolves: https://pagure.io/SSSD/sssd/issue/3254
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>

fcfc1450a846519f2c74e864a12fad65aa54189b 15-Jun-2017 Jakub Hrozek <jhrozek@redhat.com>

IPA: Enable enterprise principals even if there are no changes to subdomains

Resolves: https://pagure.io/SSSD/sssd/issue/3431
Reviewed-by: Sumit Bose <sbose@redhat.com>

fb81f337b68c85471c3f5140850dccf549a2d0ac 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Get ipaDomainsResolutionOrder from IPA ID View

ipaDomainsResolutionOrder provides a list of domains that have to be looked up first during cache_req searches. This commit only fetches this list from the server and stores its value in sysdb so we can make use of it later on in this patch series.

There are no tests for the newly introduced sysdb methods, as those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order(), which have tests written for them.

Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

17ab121a6c69d74acf1d40f2bbcbe90d77bb6b8a 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA_SUBDOMAINS: Rename _refresh_view() to _refresh_view_name()

This method got renamed in order to match better with what it does currently.

Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3cbf0e7b63e8e6888917e9215bbdc5674c2fa852 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Get ipaDomainsResolutionOrder from ipaConfig

ipaDomainsResolutionOrder provides a list of domains that have to be looked up first during cache_req searches. This commit only fetches this list from the server and stores its value in sysdb so we can make use of it later on in this patch series.

There are no tests for the newly introduced sysdb methods, as those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order(), which have tests written for them.

Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a63d74f65db2db7389cd373cb37adcdaaa2d56ea 29-Mar-2017 Michal Židek <mzidek@redhat.com>

SUBDOMAINS: Allow use_fully_qualified_names for subdomains

Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit.

Resolves: https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

c44728a02d5e2c9eaced11e74820a6ae6a985f61 23-Mar-2017 Sumit Bose <sbose@redhat.com>

IPA: add certmap support

Read certificate mapping data from the IPA server and configure the certificate mapping library accordingly.

Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ea11ed3ea6291488dd762033246edc4ce3951aeb 10-Nov-2016 Sumit Bose <sbose@redhat.com>

IPA/AD: check auth ctx before using it

In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider, which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch.

Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com>

7b07f50dfdfa1e94c82d86a957ee7c9852d7a322 04-Oct-2016 Jakub Hrozek <jhrozek@redhat.com>

IPA: Initialize a boolean control value

Without this patch, valgrind was reporting:

==30955== Conditional jump or move depends on uninitialised value(s)
==30955==    at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111)
==30955==    by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222)
==30955==    by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872)
==30955==    by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689)
==30955==    by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797)
==30955==    by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579)
==30955==    by 0xE6FB1D2: sdap_process_message (sdap_async.c:353)
==30955==    by 0xE6FAD51: sdap_process_result (sdap_async.c:197)
==30955==    by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145)
==30955==    by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341)
==30955==    by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911)
==30955==    by 0x8E14F09: std_event_loop_once (tevent_standard.c:114)
==30955==

Resolves: https://fedorahosted.org/sssd/ticket/3213
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

2427b40566cf63880f3650b26a2fee91cb28de24 05-Aug-2016 Petr Cech <pcech@redhat.com>

IPA: Changing of confusing debug message

This debug message used to confuse our users. So this patch changes it.

Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"

Resolves: https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

70673115c03c37ddc64c951b53d92df9d3310762 18-Jul-2016 Sumit Bose <sbose@redhat.com>

IPA: enable enterprise principals if server supports them

If there are alternative UPN suffixes found on the server we can safely assume that the IPA server supports enterprise principals.

Resolves https://fedorahosted.org/sssd/ticket/3018
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

20348a30feb4be619b3b691c24c9be8131507c46 18-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: make subdomain calls aware of upn_suffixes

sysdb_subdomain_store() and sysdb_update_subdomains() can now update upn_suffixes as well.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

132b31fd5fb74a7627896cdceaf29c7601ed4795 18-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: add UPN suffix support for the master domain

sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

39f21d2b61685362642d42bc2f94f829671cd5ef 18-Jul-2016 Sumit Bose <sbose@redhat.com>

IPA: read ipaNTAdditionalSuffixes for master and trusted domains

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 06-Jul-2016 Sumit Bose <sbose@redhat.com>

IPA/AD: globally set krb5 canonicalization flag

If Kerberos principal canonicalization is configured in SSSD (currently it is the default for the IPA provider), a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default.

Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dea636af4d1902a081ee891f1b19ee2f8729d759 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_access.h /sssd-io/src/providers/ad/ad_autofs.c /sssd-io/src/providers/ad/ad_common.h /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_id.h /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/ad/ad_sudo.c /sssd-io/src/providers/backend.h /sssd-io/src/providers/data_provider/dp_custom_data.h /sssd-io/src/providers/data_provider/dp_iface.c /sssd-io/src/providers/data_provider/dp_iface.h /sssd-io/src/providers/data_provider/dp_target_auth.c /sssd-io/src/providers/data_provider/dp_target_autofs.c /sssd-io/src/providers/data_provider/dp_target_hostid.c /sssd-io/src/providers/data_provider/dp_target_id.c /sssd-io/src/providers/data_provider/dp_target_subdomains.c /sssd-io/src/providers/data_provider/dp_target_sudo.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_req.c /sssd-io/src/providers/data_provider_req.h ipa_access.c ipa_access.h ipa_auth.c ipa_auth.h ipa_autofs.c ipa_common.h ipa_hbac_common.c ipa_hostid.c ipa_hostid.h ipa_id.c ipa_id.h ipa_init.c ipa_selinux.c ipa_selinux.h ipa_subdomains.c ipa_subdomains.h ipa_subdomains_ext_groups.c ipa_subdomains_id.c ipa_subdomains_server.c ipa_sudo.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap_access.h /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_autofs.h /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_online_check.c /sssd-io/src/providers/ldap/sdap_sudo.c 
/sssd-io/src/providers/ldap/sdap_sudo.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_client.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/tests/cmocka/test_nested_groups.c /sssd-io/src/tests/simple_access-tests.c
57d8b4b9254442a568838cb60ea16068965f2df0 22-Apr-2016 Sumit Bose <sbose@redhat.com>

IPA: terminate properly if view name lookup fails

Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name lookup is the last step in the subdomain lookup request. In case of an error the request should be finished and no previous step should be called again.

Resolves https://fedorahosted.org/sssd/ticket/2993
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b5d48539966aefbea703377ba2ebcb67f9cf88b8 26-Feb-2016 Sumit Bose <sbose@redhat.com>

IPA: invalidate override data if original view is missing

If the idview name cannot be read from cache this either means that the cache was empty or the name wasn't written because of an error. In the case of an error SSSD would assume that the default view was used. If the new view is different from the default view the override data must be invalidated. Since the sysdb call to invalidate the override data would work with an empty cache as well and do nothing, it is safe to call it in both cases.

Related to https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b25d33b0a775e2337014a334699156ac56b08f9b 26-Feb-2016 Sumit Bose <sbose@redhat.com>

IPA: lookup idview name even if there is no master domain record

Currently the IPA subdomain provider returns with an error if there is no master domain record found. Since this record contains data which is only needed to create a trust with AD, e.g. the IPA domain SID, this record is only created by ipa-adtrust-install. But the idview name is read after the master domain record. To make the idview feature work with a plain FreeIPA setup without running ipa-adtrust-install, the missing master domain record should be handled gracefully and the following lookup should run as well.

Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

95c132e1a8c6bbab4be8b3a340333fadd8076122 19-Jan-2016 Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make it possible to silence errors from dereference

https://fedorahosted.org/sssd/ticket/2791

When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message.

Reviewed-by: Michal Židek <mzidek@redhat.com>

92ec40e6aa25f75903ffdb166a8ec56b67bfd77d 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SDAP: rename sdap_get_id_specific_filter

A more generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases instead of custom search base iterators.

Reviewed-by: Sumit Bose <sbose@redhat.com>

4afc1f2b6ca066d30d2be5ccda9fa760b5a6016e 10-Dec-2015 Jakub Hrozek <jhrozek@redhat.com>

DP: Reduce code duplication in the callback handlers

Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

877b92e80bde510d5cd9f03dbf01e2bcf73ab072 23-Oct-2015 Michal Židek <mzidek@redhat.com>

util: Update get_next_domain's interface

Update get_next_domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans.

Ticket: https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/monitor/monitor.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/dp_refresh.c ipa_subdomains.c ipa_subdomains_server.c /sssd-io/src/providers/ldap/sdap_domain.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cache_req.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/ifp/ifp_cache.c /sssd-io/src/responder/ifp/ifp_domains.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tools/common/sss_tools.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_override.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.h
b5825c74b6bf7a99ae2172392dbecb51179013a6 21-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Convert domain->disabled into tri-state with domain states

Required for: https://fedorahosted.org/sssd/ticket/2637

This is a first step towards making it possible for a domain to be around, but not contacted by Data Provider. Also explicitly create domains as active; previously we only relied on talloc_zero marking dom->disabled as false.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

db5f9ab3feb85aa444eab20428ca2b98801b6783 14-Aug-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Always re-fetch the keytab from the IPA server

Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a8d31510d12af6ee39fb3e1e13f3a4f6bdef33c1 27-Jul-2015 Pavel Březina <pbrezina@redhat.com>

SYSDB: prepare for LOCAL view

Objects don't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP, therefore we special case LOCAL view saying that it is OK that this attribute is missing.

Preparation for: https://fedorahosted.org/sssd/ticket/2584
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9ac2a33f4cdc4941fa63118dcffe8058854f33c4 02-Jul-2015 Michal Židek <mzidek@redhat.com>

views: Add is_default_view helper function

Ticket: https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com>

298e22fc97a99994e025c0d507737d88fe6fafef 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Make constructing an IPA server mode context async

Refactoring in preparation for requesting the keytab in future patches. Currently it's a fake async that just marks the request as done.

Reviewed-by: Sumit Bose <sbose@redhat.com>

10bf907b6d463a5cd776a056cb182bc9f8765bf4 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Read forest name for trusted forest roots as well

This will reduce special-casing when establishing forest roots as all domains will contain the forest name. Additionally, AD subdomains already contain the forest name.

Reviewed-by: Sumit Bose <sbose@redhat.com>

05d935cc9d04f03522d0bb44598d22d99b085926 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Include ipaNTTrustDirection in the attribute set for trusted domains

Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used.

Reviewed-by: Sumit Bose <sbose@redhat.com>

89ddc9ed474e9ac2b1e7bccb0a58610babf26cf8 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Split two functions to new module ipa_subdomains_utils.c

These functions will be later reused by the subdomains_server.c module. Splitting them into a separate subdomains_utils.c module will make sure there are no cyclic dependencies and the functions are testable in isolation.

Reviewed-by: Sumit Bose <sbose@redhat.com>

27e89b6925334565c73c407a9ae2809358789c81 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Move server-mode functions to a separate module

There are already quite a few functions that are server-mode specific and there will be even more with one-way trusts. Split the server-mode specific functions into a separate module.

Reviewed-by: Sumit Bose <sbose@redhat.com>

c3243e3212f91b69ef9990e2cb4c9339bf2f7888 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Also update master domain when initializing subdom handler

Updating master domain record from sysdb will ensure the flat name of the master domain record is up-to-date.

Reviewed-by: Sumit Bose <sbose@redhat.com>

9b7762729da24a901388ea53da29448f23e0f77b 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Fold ipa_subdom_enumerates into ipa_subdom_store

Reduced code duplication.

Reviewed-by: Sumit Bose <sbose@redhat.com>

5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Check master domain record before subdomain records

For one-way trusts we need to know the flat name of the IPA domain when we process subdomains, hence we need to swap the processing order and read the master domain record sooner.

Previously the order was:
- ranges
- subdomains
- if on client, views
- master

Now the order is:
- ranges
- master
- subdomains
- if on client, views

Reviewed-by: Sumit Bose <sbose@redhat.com>

ad9ca94d0c793c2e30e77f4cc385bf10e42e382f 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers

Previously it was error-prone to move code around, because the functions that started the next subdomain request were scattered together with moving to the next base or assigning the next base. This patch creates wrappers for better readability.

Reviewed-by: Sumit Bose <sbose@redhat.com>

9af86b9c936d07cff9d0c2054acde908749ea522 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add realm to sysdb_master_domain_add_info

Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members; it's preferable to avoid special-casing as much as possible.

Includes a unit test.

Reviewed-by: Sumit Bose <sbose@redhat.com>

ea224c3813a537639778f91ac762732b3c289603 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Store trust direction for subdomains

We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values.

Reviewed-by: Sumit Bose <sbose@redhat.com>

9b162bf39ef75629f54ffa1d0bd5f9c13119b650 05-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

subdomains: Inherit cleanup period and tokengroup settings from parent domain

Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains.

This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627

Reviewed-by: Pavel Reichl <preichl@redhat.com>

a50b229c8ea1e22c9efa677760b94d8c48c3ec89 12-May-2015 Sumit Bose <sbose@redhat.com>

IPA: do not fail if view name lookup failed on older versions

Depending on the version, 389ds returns a different error code if the search for the view name failed because our dereference attribute ipaAssignedIDView is not known. Newer versions return LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is returned as EIO. In both cases we have to assume that the server is not view aware and keep the view name unset.

Resolves https://fedorahosted.org/sssd/ticket/2650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6fa190d636805a7126ebc775c0eacdd97dd78035 16-Apr-2015 Jakub Hrozek <jhrozek@redhat.com>

subdom: Remove unused function get_flat_name_from_subdomain_name

The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c ipa_access.c ipa_hbac_rules.c ipa_hostid.c ipa_selinux.c ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
e438fbf102c3d787902504bdae177e84230cbbc9 26-Jan-2015 Pavel Reichl <preichl@redhat.com>

AD: support for AD site override

Override AD site found during DNS discovery.

Resolves: https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2bf1cbffaac3b4bc0bd736493c985ca865092805 02-Dec-2014 Sumit Bose <sbose@redhat.com>

IPA: only update view data if it really changed

https://fedorahosted.org/sssd/ticket/2510

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61d2ccf1dae3f1e7fc987ae98cb5c493cc73a782 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: make krb5 provider view aware

https://fedorahosted.org/sssd/ticket/2510

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cd5033e86bb4065d75188e2b6ef287a4421344c8 25-Nov-2014 Sumit Bose <sbose@redhat.com>

views: allow view name change at startup

Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4fa184e2c60b377fd71e0115a618bd68dc73627d 25-Nov-2014 Sumit Bose <sbose@redhat.com>

AD/IPA: add krb5_confd_path configuration option

With this new parameter the directory where Kerberos configuration snippets are created can be specified.

Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1f7844eb0aa4b19247533aa83f1cb4876396c738 05-Nov-2014 Sumit Bose <sbose@redhat.com>

IPA: inherit ldap_user_extra_attrs to AD subdomains

Currently the component of the IPA provider which reads the AD user and group attributes in ipa-server-mode uses default settings for the LDAP related attributes. As a result, even if ldap_user_extra_attrs is defined in sssd.conf no extra attributes are read from AD. With the patch the value of ldap_user_extra_attrs is inherited to the AD subdomains to allow them to read extra attributes as well.

Related to https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f99534c058e9367d2610de89b1af4dcc1ec63035 22-Oct-2014 Sumit Bose <sbose@redhat.com>

ipa_subdomains_handler_master_done: initialize reply_count

This patch should mainly silence a false-positive Coverity warning, but since further processing depends on this variable I think it is a good idea anyways.

Reviewed-by: Pavel Reichl <preichl@redhat.com>

44329653f423c632b027065a9c0ea0bf4199396a 22-Oct-2014 Sumit Bose <sbose@redhat.com>

ipa: fix issues with older servers not supporting views

Older FreeIPA servers which do not know about the ipaAssignedIDView attribute will return an error during the LDAP dereference request because SSSD marks LDAP extensions as critical. In this case we keep the view name empty and skip override lookups.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

06424c5ac5ffb871476208155762bb5b73e0b665 16-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Always write capaths

We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 16-Oct-2014 Sumit Bose <sbose@redhat.com>

IPA: add view support and get view name

Related to https://pagure.io/SSSD/sssd/issue/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

db18dda869bc6c52a41797b2066cf121cf10f49c 22-Jul-2014 Pavel Reichl <preichl@redhat.com>

UTIL: rename find_subdomain_by_name

The function was named "find_subdomain" yet it could find both main domain and subdomain.

sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

096a9678919fae460342469989b97fd47d812823 26-Feb-2014 Sumit Bose <sbose@redhat.com>

IPA: check ranges for collisions before saving them

Fixes https://fedorahosted.org/sssd/ticket/2253
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic

Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens.

This script was used to update the code:

grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
    mv "$f"{,.orig}
    perl -e \
        'use strict;
         use File::Slurp;
         my $text=read_file(\*STDIN);
         $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
         print $text;' < "$f.orig" > "$f"
    rm "$f.orig"
done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

f8407faaeb6726bef6463d84f183f2b0ad1f99d4 29-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

17195241500e46272018d7897d6e87249870caf2 09-Jan-2014 Pavel Reichl <pavel.reichl@redhat.com>

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

01c9724f3bd540eda8b6d2879ca8a1cdd4af4330 08-Jan-2014 Sumit Bose <sbose@redhat.com>

IPA: fix for recent AD group membership changes

b17b51c2779906bf3a5e4aecbb9ef8bfbfc2ebab 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Call ipa_ad_subdom_refresh when server mode is initialized ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.

d2a8b08561e6700bdd4feb988becae4e8f5368dd 18-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Refresh subdomain data structures on startup Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.

2b4b6b829f197493b4901bec96fefaadbc7a2464 09-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

SUBDOMAINS: Reuse cached results if DP is offline If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL, which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168

44e8e9660ff4db5873b0a7a3cff24ff78ff929e1 25-Oct-2013 Pavel Březina <pbrezina@redhat.com>

ipa: destroy cleanup task when subdomain is removed Resolves: https://fedorahosted.org/sssd/ticket/1968

d19e343d3fcb0780300d69ba5813ca4762ca9b98 25-Oct-2013 Pavel Březina <pbrezina@redhat.com>

dp: free sdap domain if subdomain is removed Resolves: https://fedorahosted.org/sssd/ticket/1968

cd4cc8d8829f1ea5257bf874b91980368114275f 25-Oct-2013 Pavel Březina <pbrezina@redhat.com>

dp: make subdomains refresh interval configurable This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968

fdda4b659fa3be3027df91a2b053835186ec2c59 25-Oct-2013 Sumit Bose <sbose@redhat.com>

sdap_idmap_domain_has_algorithmic_mapping: add domain name argument When libsss_idmap was only used to algorithmically map a SID to a POSIX ID, a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if no specific information about the domain was found. This led to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.

648d3ec563fafea7d7daf88b46e28ce0d43b3935 24-Oct-2013 Pavel Březina <pbrezina@redhat.com>

subdomains: first destroy ptask then remove sdom be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.

fab48878db202d620f43c9da23e375866d1db2c6 22-Oct-2013 Sumit Bose <sbose@redhat.com>

IPA: add callback to reset subdomain timeouts Fixes https://fedorahosted.org/sssd/ticket/2030

4ba716f4808d9ab2cd8e95916dd61309c31e2111 16-Oct-2013 Sumit Bose <sbose@redhat.com>

IPA server mode: properly initialize ext_groups

ce29aa8998332fd3c2e4e4b81e7302d41c461893 27-Sep-2013 Sumit Bose <sbose@redhat.com>

Do not return DP_ERR_FATAL in case of success

bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1 27-Sep-2013 Sumit Bose <sbose@redhat.com>

ipa_server_mode: write capaths to krb5 include file If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root, the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC, but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality becomes available in the IPA KDC, this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093

c5711b0279ea85d69fe3c77dfb194360c346e1d7 27-Sep-2013 Sumit Bose <sbose@redhat.com>

IPA: store forest name for forest member domains In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.

21f749c9300a1a51f3eb83d7f1483ec2fe15b3cc 18-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: sdap_id_setup_tasks accepts a custom enum request AD provider will override the default with its own.

6fab6db37339833a1534221f9f8b86c1fac427f0 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Add forgotten declaration A conflict between two patches was not resolved correctly

31dd31b00ad759f256282ef0f7054e60672161ce 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: enable enumeration if parent domain enumerates in server mode https://fedorahosted.org/sssd/ticket/1963

b3458bbb5315b05d7ac1abc58f1c380761756603 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Store enumerate flag for subdomain

a4644da8f2bd25621ae159d753ffb66df9594dc8 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

DB: remove unused realm parameter from sysdb_master_domain_add_info The parameter was not used at all.

de307ab8e390deabc5df9884a3f762bfb1581936 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Enable AD sites when in server mode https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally

d5e8c3a1290d68d07362a119e63121156ad448df 19-Jul-2013 Jakub Hrozek <jhrozek@redhat.com>

Fix the default FQDN format Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN format by accident to the one we only ever use internally. This commit fixes the mistake.

52ae806bd17c3c00d70bd1aed437f10f5ae51a1c 19-Jul-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: warn if full_name_format is customized in server mode https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, ie "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.

418e6ccd116eced7ccc75aca999a4c37c67289ba 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Create and remove AD id_ctx for subdomains discovered in server mode When IPA server mode is on, then this patch will create an ad_id_ctx for each subdomain discovered in IPA provider. The ID context is needed to perform direct lookups using the AD provider. Subtask of: https://fedorahosted.org/sssd/ticket/1962

f8a4a5f6240156809e1b5ef03816f673281e3fa0 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Initialize server mode ctx if server mode is on This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962

09d7c105839bfc7447ea0f766413ed86675ca075 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Save mpg state for subdomains The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.

20ccfd63a17dc15dd24e6543424d86913d511c4b 28-Jun-2013 Sumit Bose <sbose@redhat.com>

IPA: read ranges before subdomains Since FreeIPA will start to support external mapping for trusted domains as well, the range type for the domain must be known before the domain object is created. The reason is that external mapping will not use magic private groups (mpg) while algorithmic mapping will use them.

5e60c73cb91d1659755fb5ea829837db68d46163 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Add support for new ipaRangeType attribute Recent versions of FreeIPA support a range type attribute to allow different types of ranges for sub/trusted-domains. If the attribute is available it will be used; if not, the right value is determined with the help of the other idrange attributes. Fixes https://fedorahosted.org/sssd/ticket/1961

58dd26b1c5b60ee992dd5d1214bb168aebb42d54 27-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Write out domain-realm mappings This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.

03713859dffacc7142393e53c73d8d4cf7dee8d5 16-Jun-2013 Pavel Březina <pbrezina@redhat.com>

subdomains: touch krb5.conf when creating new domain-realm mappings https://fedorahosted.org/sssd/ticket/1815

dcb44c39dda9699cdd6488fd116a51ced0687de3 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global Catalog. The provider would contact a different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch; currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

5627532b81802c2654ced8edac07f420bd677930 28-May-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Check for ENOMEM

b1829e54acbc8a010aca7f14b9ffa9625f8c102c 29-Apr-2013 Sumit Bose <sbose@redhat.com>

Make IPA SELinux provider aware of subdomain users Fixes https://fedorahosted.org/sssd/ticket/1892

0fcdef99980260d2da308c2c26861492ab983e3d 20-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

Return error code from ipa_subdom_store

ad65d4ef017e87c1be4b1054e1276f5256a77bfc 14-Feb-2013 Pavel Březina <pbrezina@redhat.com>

subdomains: replace invalid characters with underscore in krb5 mapping file name https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.

4f118e3e6a25762f40a43e6dbefb09f44adbef32 10-Feb-2013 Simo Sorce <simo@redhat.com>

Introduce IS_SUBDOMAIN() macro Fixes https://fedorahosted.org/sssd/ticket/1766

bba1a5fd62cffcae076d1351df5a83fbc4a6ec17 10-Feb-2013 Simo Sorce <simo@redhat.com>

Change the way domains are linked.
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes unused.
- Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or adds new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time; for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()

95e94691178297f2b8225a83d43ae388cab04b45 10-Feb-2013 Simo Sorce <simo@redhat.com>

Remove sysdb_subdom completely struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.

3912262270a6449ebe1d3e92c27c217b4044f894 10-Feb-2013 Simo Sorce <simo@redhat.com>

Refactor sysdb_master_domain_add_info()

65393a294e635822c1d7a15fe5853dc457ad8a2a 10-Feb-2013 Simo Sorce <simo@redhat.com>

Update main domain info in place

aab938c5975f0e3b85c7c79a5d718e5fefed7217 10-Feb-2013 Simo Sorce <simo@redhat.com>

Avoid sysdb_subdom in sysdb_get_subdomains()

44af0057c1fd52f6252f82ca73a06acfcac6c5e3 25-Jan-2013 Michal Zidek <mzidek@redhat.com>

Possible null dereference in ipa_subdomains.c. Found by coverity. https://fedorahosted.org/sssd/ticket/1790

03abdaa21ecf562b714f204ca42379ff08626f75 21-Jan-2013 Simo Sorce <simo@redhat.com>

Add be_req_get_be_ctx() helper. In preparation for making be_req opaque

99151f2217ddaa179543b89b49f836f29f7dcd2a 21-Jan-2013 Simo Sorce <simo@redhat.com>

Add be_req_create() helper

8e5549e453558d4bebdec333a93e215d5d6ffaec 21-Jan-2013 Simo Sorce <simo@redhat.com>

Introduce be_req_terminate() helper Call it everywhere instead of directly dereferencing be_req->fn. This is in preparation for making be_req opaque.

ccc2af010bbbe6d8a7496fb717216135bc4c1993 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove domain from be_req structure

d6d8287a9b8a240e068a26769dc6ce4582604850 21-Jan-2013 Simo Sorce <simo@redhat.com>

Do not pass NULL to ipa_subdomain_retrieve()

24b715f096613d18f182cf0fff537e1fc79647fa 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be request structure member The sysdb context is already available through the 'domain' context.

df0596ec12bc5091608371e2977f3111241e8caf 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be context structure member The sysdb context is already available through the 'domain' structure.

0754ff886f909f0404038eb9c99dd61be1acf5b9 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to some subdomain functions

1e6f2180724de4722a5218826c9401181168d9d4 15-Jan-2013 Simo Sorce <simo@redhat.com>

Remove the sysdb_ctx_get_domain() function. We are deprecating sysdb->domain so kill the function that gives access to this member as we should stop relying on it being available (or correct).

5063dcc5ab685dce325b13b9c1e93cee2a673e60 14-Nov-2012 Sumit Bose <sbose@redhat.com>

Run IPA subdomain provider if IPA ID provider is configured To make configuration easier the IPA subdomain provider should always be loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used, the IPA subdomain provider should behave differently depending on whether it is configured explicitly or implicitly. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf, subdomain requests are always sent to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will only be sent to the server after a long timeout or after a going-online event. To be able to make this distinction this patch saves the configuration status to the subdomain context. Fixes https://fedorahosted.org/sssd/ticket/1613

70eaade10feedd7845e39170d0b7eebf3a030af1 12-Oct-2012 Sumit Bose <sbose@redhat.com>

Allow extdom exop to return flat domain name as well There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well. Related to https://fedorahosted.org/sssd/ticket/1561

e4c29d1f8e3b2c2b268105f169e5156a0a36aebf 23-Aug-2012 Ondrej Kos <okos@redhat.com>

Consolidation of functions that make realm upper-case

249d3b8c72798a8eb081b620cc94072b3e8d6351 06-Aug-2012 Stephen Gallagher <sgallagh@redhat.com>

IPA: Securely set umask for mkstemp in subdomain provider https://fedorahosted.org/sssd/ticket/1457

b1a8ecc98c0f588f86b98d9c0c5751225ce9aaa9 06-Aug-2012 Stephen Gallagher <sgallagh@redhat.com>

IPA: Do not attempt to close the same file twice https://fedorahosted.org/sssd/ticket/1456

7197ce636c2b92152f5f6180bef6bda3752d148d 01-Aug-2012 Jakub Hrozek <jhrozek@redhat.com>

Create a domain-realm mapping for krb5.conf to be included When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as: includedir /var/lib/sss/pubconf/realm_mappings

3b533d57a737e2de1b3e85b073b14d3bfb49dafc 01-Aug-2012 Simo Sorce <simo@redhat.com>

Add automatic periodic retrieval of subdomains

6a81cb8c3424dbe9f764af3738299cbbe5874a15 01-Aug-2012 Simo Sorce <simo@redhat.com>

Add online callback to enumerate subdomains

4c20fe34346919cf676c3e1b54b7701069e2aac6 01-Aug-2012 Simo Sorce <simo@redhat.com>

Limit refreshes keeping track of last refresh time

efea50efda58be66638e5d38c8e57fdf9992f204 01-Aug-2012 Simo Sorce <simo@redhat.com>

Change refreshing of subdomains This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages: 1. allows to check if anything changed w/o always hitting the sysdb. 2. later will allow us to dump this information w/o having to retrieve it again. The timestamp also allows to avoid refreshing too often.

87ed72b47859e673b636c85f35b85f1546c7ed3d 01-Aug-2012 Simo Sorce <simo@redhat.com>

Expose an initializer function from subdomain Instead of exporting internal structures, expose an initializer function like the autofs code and initialize everything inside the ipa_subdomains.c file.

204cfc89a076fd32bf34f2abb3f809304aaa88ab 01-Aug-2012 Simo Sorce <simo@redhat.com>

Add realm parameter to subdomain list This will be used later for setting domain_realm mappings in krb5.conf

067bfcaad9baae2d962528839fde30ebd1a5ba2b 01-Aug-2012 Simo Sorce <simo@redhat.com>

Use a more tractable name for subdomain request I am all for readable names, but there is a tradeoff between expressing purpose and compactness.

21f19d573047e70ee8ec0119ec00c1ed1af9ec04 01-Aug-2012 Simo Sorce <simo@redhat.com>

80 col and style fixes Something like this: sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb; really is not readable, and we always discourage using obfuscated C, please refrain in future.

5ea449b18d2597f2581627de80bcaf2bc70b0fd3 01-Aug-2012 Simo Sorce <simo@redhat.com>

Make structure initializer more readable

c929c213c91b2f9d55f96d6964b9390636178991 01-Aug-2012 Simo Sorce <simo@redhat.com>

Fix wrong elements used in comparison

b58460076fe843c11d736ae244c1ac979a6473a4 01-Aug-2012 Simo Sorce <simo@redhat.com>

Change subdomain_info Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.

a56156c13c71a96166b0a8f3921e67f36470f8d7 10-Jul-2012 Sumit Bose <sbose@redhat.com>

Remove dead code in ipa_subdomains_handler_done() Fixes https://fedorahosted.org/sssd/ticket/1410

386a66b1aa18a176e6a06fa126556c9590c373b6 21-Jun-2012 Sumit Bose <sbose@redhat.com>

Add support for ID ranges

84c611c1b7c04cc7735ab54d4e5f48284b79e6fb 10-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

IPA subdomains - ask for information about master domain The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.

81165faf5d951aca69f410713730c26ff048ec44 24-Apr-2012 Sumit Bose <sbose@redhat.com>

IPA: Add get-domains target