5a7b76bf3dc1b7a4a6ca6608c750cbffef73a3eb |
|
07-Feb-2018 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5_child: Distinguish between expired & disabled AD user
Active Directory returns the krb5 error code KRB5KDC_ERR_CLIENT_REVOKED
"-1765328366/Clients credentials have been revoked" for expired and
disabled users. This is a difference between AD and IPA
https://pagure.io/SSSD/sssd/issue/2924.
Therefore we need to distinguish between these two states.
AD provides krb5 error data together with the krb5 error code.
It contains KERB-EXT-ERROR which is documented in
"[MS-KILE]: Kerberos Protocol Extensions"[1] and contains
NTSTATUS in KERB-EXT-ERROR.
The function sss_krb5_get_init_creds_password is a simpler version
of krb5_get_init_creds_password and there is a small difference
that the krb5 native API actually retries by locating a KDC master server
if the initial attempt fails and the KDC that was contacted is not a master
KDC. A special version for AD (and even IPA) is not an issue. Retry will be
a no-op because every server is considered a master (or no masters exist at
all in DNS SRV records).
[1] https://msdn.microsoft.com/en-us/library/cc233855.aspx
Resolves:
https://pagure.io/SSSD/sssd/issue/3198
Reviewed-by: Sumit Bose <sbose@redhat.com> |
d380148b0a23dd1a04d1d0767ba41d3e76fb7d23 |
|
07-Feb-2018 |
Lukas Slebodnik <lslebodn@redhat.com> |
KRB5: Pass special flag to krb5_child
We will need to distinguish between the standard version
of krb5_get_init_creds_password and a custom one which can distinguish
the KERB-EXT-ERROR error code for expired and disabled AD users.
The flag is set only in case of auth provider ad.
Resolves:
https://pagure.io/SSSD/sssd/issue/3198
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
011dc535406f5f2fca711380547669a27f0fc63c |
|
23-Jan-2018 |
Sumit Bose <sbose@redhat.com> |
krb5_child: check preauth types if password is expired
If the long term Kerberos password is expired the available
pre-authentication types for the user should be checked by requesting
the kadmin/changepw principal. This is e.g. needed for 2-factor
authentication where the user not only has to specify the current
long password but a one-time password as well.
Related to https://pagure.io/SSSD/sssd/issue/3585
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a24954cc19285b197fb287bfa7aa01949c92b17d |
|
10-Nov-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
CHILD: Pass information about logger to children
Variables debug_to_file or debug_to_stderr were not set
because the back-end already used the parameter --logger=%s.
And therefore logs were not sent to files.
It could only work in case of direct usage of --debug-to-files in the back-end via
the command configuration option.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
cb75b275d15beedd1fdecc1f8ced657fba282218 |
|
03-Nov-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add parameter --logger to daemons
Different binaries handled information about logging differently,
e.g. --debug-to-files --debug-to-stderr
And logging to journald was a special case of the previous options
(!debug_file && !debug_to_stderr). It was also tied to the monitor option
"--daemon" and therefore logging to stderr was used in interactive mode
+ systemd Type=notify.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
a02a5ed51178b2cbede0396d66aed716b8898096 |
|
25-Oct-2017 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes
Merges: https://pagure.io/SSSD/sssd/pull-request/3556
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
865cbab7db1458422033bbd19197516110b9deca |
|
24-Jul-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Return invalid credentials internally when attempting to renew an expired TGT
Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and
the ticket is totally expired, this can send the SSSD into offline mode.
Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
anymore.
The effect on the daemon is that just the single renewal fails, but
the failover code is not called and therefore sssd doesn't switch into
offline mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3406
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com> |
7e2ec7caa2d1c17e475fff78c5025496b8695509 |
|
15-Jun-2017 |
Sumit Bose <sbose@redhat.com> |
krb5: use plain principal if password is expired
Similarly to https://pagure.io/SSSD/sssd/issue/3426, enterprise
principals should be avoided while requesting a kadmin/changepw@REALM
principal for a password change.
Resolves https://pagure.io/SSSD/sssd/issue/3419
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
96e1794db6915a655d97ecab7ab71ad53d1f527b |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove ctype.h from util/util.h
ctype.h is not used directly by util/util.h. The header file ctype.h
must be included in 32 files and after removing it from util.h it had to be
added only to 8 missing files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
8890a30f5d054187fd7d5b50503f82a49cd025f0 |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove fcntl.h from util/util.h
fcntl.h is not used directly by util/util.h. The header file fcntl.h
must be included in 49 files and after removing it from util.h it had to be
added only to 7 missing files which were using either directly syscall fcntl
or syscall open.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
a5e134b22aa27ff6cd66a7ff47089788ebc098a1 |
|
03-Jun-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: Fix the PAM error code that auth code expects to start migration
Recent patches which add support for PKINIT in krb5_child changed a
return code which is used to indicate to the IPA provider that password
migration should be tried.
With this patch krb5_child properly returns PAM_CRED_ERR as expected by
the IPA provider in this case.
Resolves:
https://pagure.io/SSSD/sssd/issue/3394
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
861ab44e8148208425b67c4711bc8fade10fd3ed |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Authenticate users in a non-POSIX domain using a MEMORY ccache
Related to:
https://pagure.io/SSSD/sssd/issue/3310
The following changes were done to the Kerberos authentication code
in order to support authentication in a non-POSIX environment:
- delayed authentication is disabled in non-POSIX domains
- when a user logs in in a non-POSIX domain, SSSD uses a
MEMORY:$username ccache and destroys it when krb5_child finishes
so that just the numeric result is used
- krb5_child doesn't drop privileges in this configuration because
there is nothing to drop privileges to
Reviewed-by: Sumit Bose <sbose@redhat.com> |
1c551b1373799643f3e9ba4f696d21b8fc57dafd |
|
29-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
krb5: return to responder that pkinit is not available
If pkinit is not available for a user but other authentication methods
are, SSSD should still fall back to local certificate-based
authentication if Smartcard credentials are provided.
Resolves https://pagure.io/SSSD/sssd/issue/3343
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2d527aab0bab0c5323b7ea09c9a8c3820f4f8736 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
KRB5: allow pkinit pre-authentication
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
52f45837ded98564968da42229b37db6a36ad627 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7e394400eefd0e7c5ba0c64ab3fa28bee21ef2d7 |
|
28-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
krb5: Use command line arguments instead of env vars for krb5_child
Resolves:
https://fedorahosted.org/sssd/ticket/697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d3348f49260998880bb7cd3b2fb72d562b1b7a64 |
|
13-Sep-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Return ERR_NETWORK_IO on clock skew
Adds two more return codes to the list of codes we translate to
ERR_NETWORK_IO.
Resolves:
https://fedorahosted.org/sssd/ticket/3174
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
78027feeb56d6fe216f699be86a4716aaef3f628 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
PAM/KRB5: optional otp and password prompting
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.
Resolves https://fedorahosted.org/sssd/ticket/2988
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c02b8482375837b57cb618ed56d4bede0e006d9d |
|
18-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Remove braces from DEBUG statements
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
38f251e531b1c68e70eaa98dfecaf78da5f36ccc |
|
19-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5_child: Warn if user cannot read krb5.conf
Attached patch should simplify troubleshooting of
issues with permissions of krb5.conf. It's not clear from
krb5_child.log even with full debug level.
[sss_get_ccache_name_for_principal] (0x4000):
Location: [FILE:/tmp/krb5cc_12069_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1765328243]
[Can't find client principal user@EXAMPLE.COM in cache collection]
[create_ccache] (0x0020): 735: [13][Permission denied]
Resolves:
https://fedorahosted.org/sssd/ticket/2931
Reviewed-by: Michal Židek <mzidek@redhat.com> |
19e44537c28f6d5f011cd7ac885c74c1e892605f |
|
14-Jan-2016 |
Simo Sorce <simo@redhat.com> |
Krb5/PAM: Fix account lockout error handling
The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as
ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is
returned by the KDC when an account lockout is in effect. When an account is
expired the KDC returns KRB5KDC_ERR_NAME_EXP.
Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
Resolves:
https://fedorahosted.org/sssd/ticket/2924
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e131fef2d3f40bce5af85613690df8aa15f90fde |
|
14-Dec-2015 |
Petr Cech <pcech@redhat.com> |
KRB5_CHILD: Debug logs for PAC timeout
This patch adds a debug message that informs the user when KRB5_CHILD calls
the PAC responder. This action might take a bit of time in case the cache
is not populated or up to date.
Resolves:
https://fedorahosted.org/sssd/ticket/2846
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9f69dff2af5ee0e922ca75efa9749913fd2d944f |
|
07-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO
Resolves:
https://fedorahosted.org/sssd/ticket/2866
This would help users who authenticate to AD trust servers while offline
and see error messages such as:
[get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"]
in the krb5_child.log
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
fb75e886c2f203fe8c10e572cd4d8c635941678d |
|
05-Nov-2015 |
Petr Cech <pcech@redhat.com> |
KRB5_CHILD: More restrictive umask
We could use more restrictive umask in krb5_child. I found out that
there is directory creation, but it is done by create_ccache_dir()
which has its own umask setup.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f8e337540d280f944098cd4dd7d670e2f7166b54 |
|
14-Oct-2015 |
Petr Cech <pcech@redhat.com> |
REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
There are many calls of the umask function with the 077 argument. This patch
adds a new constant SSS_DFL_X_UMASK which stands for 077. So all
occurrences of umask(077) are replaced by the constant SSS_DFL_X_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9f0bffebd070115ab47a92eadc6890a721c7b78d |
|
31-Aug-2015 |
Michal Židek <mzidek@redhat.com> |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com> |
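The check pattern this commit describes, as an added example that is not SSSD code: a constructed length-prefixed decoder run first with the untrusted length inside the arithmetic (len_ok_unsafe) and then with it alone on the left-hand side (len_ok_safe); the wire format, function names and sample packet are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds check in the form the commit above replaces: the untrusted length
 * takes part in the arithmetic. size_t addition wraps, so a huge len makes
 * cursor + len small and the check passes although len exceeds the buffer. */
static bool len_ok_unsafe(size_t cursor, size_t len, size_t total)
{
    return cursor + len <= total;
}

/* Bounds check in the form the commit above introduces: the untrusted value
 * stands alone on the left-hand side and is compared with what is actually
 * left in the buffer; no arithmetic is done on the untrusted value itself. */
static bool len_ok_safe(size_t cursor, size_t len, size_t total)
{
    return cursor <= total && len <= total - cursor;
}

/* Decode one field of a constructed, hypothetical wire format:
 * [size_t len in host byte order][len payload bytes]. Only buf[0..total)
 * is readable. On success the payload pointer/length are returned and the
 * cursor is advanced past the field. */
static bool read_field(const uint8_t *buf, size_t total, size_t *cursor,
                       bool (*len_ok)(size_t, size_t, size_t),
                       const uint8_t **payload, size_t *payload_len)
{
    size_t len;

    /* Is a whole length header left? cursor is trusted, so this form is fine. */
    if (*cursor > total || total - *cursor < sizeof(len)) {
        return false;
    }
    memcpy(&len, buf + *cursor, sizeof(len));
    size_t hdr_end = *cursor + sizeof(len);     /* cannot wrap: checked above */

    if (!len_ok(hdr_end, len, total)) {
        return false;                           /* field claims more than we have */
    }
    *payload = buf + hdr_end;
    *payload_len = len;
    *cursor = hdr_end + len;
    return true;
}

/* Builds a 16-byte constructed packet whose length header is wire_len,
 * followed by "hello", and decodes it with the given check.
 * Returns 1 if the field was accepted, 0 if the bounds check rejected it. */
static int demo_decode(bool (*len_ok)(size_t, size_t, size_t), size_t wire_len)
{
    uint8_t buf[16] = {0};
    const uint8_t *payload = NULL;
    size_t payload_len = 0;
    size_t cursor = 0;

    memcpy(buf, &wire_len, sizeof(wire_len));
    memcpy(buf + sizeof(wire_len), "hello", 5);

    if (!read_field(buf, sizeof(buf), &cursor, len_ok, &payload, &payload_len)) {
        return 0;
    }
    /* Accepted: with the unsafe check this is where a caller would go on to
     * read payload_len bytes and run off the end of buf. */
    return (payload_len == wire_len) ? 1 : 0;
}

int main(void)
{
    size_t crafted = SIZE_MAX - 2;   /* constructed value: makes cursor + len wrap */

    printf("valid field (len 5):    safe=%d unsafe=%d\n",
           demo_decode(len_ok_safe, 5), demo_decode(len_ok_unsafe, 5));
    printf("oversize field (100):   safe=%d unsafe=%d\n",
           demo_decode(len_ok_safe, 100), demo_decode(len_ok_unsafe, 100));
    printf("wrapping field (MAX-2): safe=%d unsafe=%d\n",
           demo_decode(len_ok_safe, crafted), demo_decode(len_ok_unsafe, crafted));
    return 0;
}
```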
f5db13d4462faa531c9924181f0fd51364647e2d |
|
17-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Use sss_unique file in krb5_child
In krb5_child, we intentionally don't set the owner of the temporary
file, because we're not renaming it to a 'stable' name, but rather
directly using it as the ccache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4b1b2e60d0764fed289eada9a7afbfd1993cadcd |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
krb5-child: add preauth and split 2fa token support
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2bb92b969abc805be95f58ab5aafe9cde09e2238 |
|
20-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
KRB5: add debug hint
Reviewed-by: Sumit Bose <sbose@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
429d51ec39193dd1681cef2c8eafd74595142a48 |
|
10-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: More debugging for create_ccache()
It was difficult to find where the problem was without advanced
techniques like strace.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
858e750c3d4fe54e50616a1ed1e101469503c070 |
|
21-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
Open the PAC socket from krb5_child before dropping root
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.
https://fedorahosted.org/sssd/ticket/2559
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b2cd4e5e451c07cb2f04cdbaea2b94ccb5fb2ee |
|
14-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
Previously, we were only handling KRB5KRB_AP_ERR_SKEW
Reviewed-by: Sumit Bose <sbose@redhat.com> |
956dbefd49ce3cbf27539d8846a6d71462a3a927 |
|
17-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a183e279f754afdd571d8b084c7a36b71d5c1701 |
|
17-Dec-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5_child: Initialize REALM earlier
Environment variable SSSD_KRB5_REALM was used too late for initialisation
of the realm, and therefore the default value NULL was used.
The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking
the fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore the wrong principal was used when the option krb5_fast_principal is
empty.
[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!
As a result of this the user was not able to authenticate.
Resolves:
https://fedorahosted.org/sssd/ticket/2526
Reviewed-by: Sumit Bose <sbose@redhat.com> |
f33ddf15796745888d0194a2f80f22bb3b379dec |
|
11-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Check FAST kinit errors using get_tgt_times()
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
714446cfe8f7f577e8c546cfc1b4cf7d425b5f7a |
|
03-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Relax DEBUG message
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8e44ddfccebe61728d8a2c1dafce36dfa944bc90 |
|
03-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
sss_atomic_write_s() return value is signed
Reviewed-by: Sumit Bose <sbose@redhat.com> |
543d1652e0185abadd5d8b45c718a3db96cd2828 |
|
03-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Create the fast ccache in a child process
Related:
https://fedorahosted.org/sssd/ticket/2503
In order to avoid calling Kerberos library calls as root, the krb5_child
forks itself and recreates the FAST ccache as the SSSD user.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
939d44cef4d202a7ef88250e90c22f6c6a3acc50 |
|
02-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
krb5_child: become user earlier
The host keytab and the FAST credential cache are copied into memory
early at startup to allow to drop privileges earlier.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b7088215501c99e40ae71d1c57e0b789bbae2c87 |
|
02-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
krb5: do not fail if checking the old ccache failed
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
466f5a539be1e4c6e7cfb396a2f406e1eb8c428d |
|
28-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: Check return value of sss_krb5_princ_realm
sss_krb5_princ_realm sets the output parameter realm to NULL and len to 0
in case of failure. Clang static analysers reported the warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible that realm_name with value NULL
could be used in strncmp.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2745b0156f12df7a7eb93d57716233243658e4d9 |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Move all ccache operations to krb5_child.c
The credential cache operations must now be performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
45aeb924ec3ac448bb8d174a5cc061ed98b147c7 |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Move ccache-related functions to krb5_ccache.c
Add a new module krb5_ccache.c that contains all ccache-related
operations. The only user of this module shall be krb5_child.c as the
other modules will run unprivileged and accessing the ccache requires
either privileges of root or the ccache owner.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
476b78b3f66abc7a0f805154ea1a29f54628224a |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Drop privileges in the child, not the back end
In future patches, sssd_be will be running as a non-privileged user, who
will execute the setuid krb5_child. In this case, the child will start
as root and drop the privileges as soon as possible.
However, we need to also remove the privilege drop in sssd_be, because
if we dropped to the user who is authenticating, we wouldn't be even
allowed to execute krb5_child. The krb5_child permissions should be
4750, owned by root.sssd, to make sure only root and sssd can execute
the child and if executed by sssd, the child will run as root.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ee4ba51f2fcfc8d8b807c3de6eaac554281165d2 |
|
20-Jul-2014 |
Sumit Bose <sbose@redhat.com> |
KRB5: add missing debug-to-stderr option to krb5_child
Without this option krb5_child cannot be run in interactive mode.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dd3398f8cc5a80cd99546bfe9c500589b78a96f1 |
|
17-Apr-2014 |
Pavel Reichl <preichl@redhat.com> |
KRB5: Go offline in case of generic error
Resolves:
https://fedorahosted.org/sssd/ticket/2313 |
47bc2d6639c41da1e5bac37eb4af3559bbc0e10e |
|
08-Apr-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5_child: Fix use after free in debug message
debug_prg_name is used in debug_fn and it was allocated under
the talloc context "kr". The variable "kr" was removed before the last debug
messages in function main. There is very little chance that it will be overridden.
It is possible to see this issue with the exported environment variable
TALLOC_FREE_FILL=255
Reviewed-by: Sumit Bose <sbose@redhat.com> |
d2ea839a907ba6ee1fe44027d67b11b02593fc99 |
|
07-Apr-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5_child: Remove unused krb5_context from set_changepw_options
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
3983d81f461a4f17736a516eb595f54df4bf4336 |
|
26-Mar-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
6bbff437dcea7e56d71cf119d1391be7264dfaf0 |
|
21-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
krb5-child: add revert_changepw_options()
After changing the Kerberos password krb5-child will try to get a fresh
TGT with the new password. This patch tries to make sure the right gic
options are used.
Resolves: https://fedorahosted.org/sssd/ticket/2289
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4bdc95dd47a7f2898dea30c61355ed0f3be402d9 |
|
21-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9c20e3386a9716419772a0cf70dc742a5cd0551b |
|
21-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
krb5-child: extract lifetime settings into set_lifetime_options()
Additionally the lifetime option flags are unset if there are no
explicit settings to make sure the defaults from krb5.conf are used even
if other values were set manually in between.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d5043cd73bcfdca3f7e94c7df690236b30c73537 |
|
21-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
krb5_child: remove unused option lifetime_str from k5c_setup_fast()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
63bf0b7697d5a51b5338070d0e2652d49a4728ce |
|
12-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration
Fixes https://fedorahosted.org/sssd/ticket/2279
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bfed0bf8e1f3292ee35c9c98e6c0f487c2a6a1a3 |
|
10-Mar-2014 |
Nathaniel McCallum <npmccallum@redhat.com> |
Fix krb5 changepw when FAST-only preauth methods are used (like OTP)
Before this patch, a different set of options was used when calling
krb5_get_init_creds_password() for the changepw principal. Because
this set of options did not contain the same FAST settings as the
options for normal requests, all authentication would fail when the
password of a FAST-only account would expire.
The two sets approach was cargo-cult from kinit where multiple
requests could be issued using the same options set. However, in the
case of krb5_child, only one request (or occasionally a well-defined
second request) will be issued. Two option sets are therefore not
required.
To fix this problem we removed the second option set used for changepw
requests. All requests now use a single option set which is modified,
if needed, for well-defined subsequent requests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                     SSSDBG_FATAL_FAILURE
                     SSSDBG_CRIT_FAILURE
                     SSSDBG_OP_FAILURE
                     SSSDBG_MINOR_FAILURE
                     SSSDBG_CONF_SETTINGS
                     SSSDBG_FUNC_DATA
                     SSSDBG_TRACE_FUNC
                     SSSDBG_TRACE_LIBS
                     SSSDBG_TRACE_INTERNAL
                     SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                            ^
                            (
                                .*
                                \b
                                (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                                \s*
                                \(\s*
                            )(
                                [0-9]
                            )(
                                \s*,
                            )
                            (
                                \s*
                            )
                            (
                                .*
                            )
                            $
                        /
                            $repl = $1.$map[$3].$4.$5.$6,
                            length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                        /xmge;
                 print $text;
                ' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
83011d97d17bd00e99ccf1e0302167a6bc0db84e |
|
29-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Go offline in case of clock skew
https://fedorahosted.org/sssd/ticket/1096
In case the KDC has skewed time, we can retry with the next one and
eventually go offline if no KDC has time in sync with the client.
Previously, authentication with wrong time resulted in System Error. |
f9bb1b81fed053991324de84d6856ee61188aa0f |
|
22-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: Use right function to free data.
In function create_empty_cred, krb5_creds was allocated using calloc,
but krb5_free_creds was used to remove these creds in the done section.
Therefore the clang static analyzer reported this as a warning:
Potential leak of memory pointed to by 'cred' |
6dc5ddd177e3b0ffe4315827aa8df7f33340585c |
|
17-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: Remove warning dereference of a null pointer
Variable kr->creds is initialized in function krb5_get_init_creds_password.
It does not make sense to check kr->creds for null, because we have already
checked return value of function krb5_get_init_creds_password.
Resolves:
https://fedorahosted.org/sssd/ticket/2112 |
2105a6a63cb74bf009fb6e723e74f6ec075e1238 |
|
17-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack. |
46967fe03a7472537baea13d01882e0ebe83d57a |
|
10-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: fix warning may be used uninitialized |
2db23c67f1bba5f573e6109ca46c8f63659a9ac4 |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved |
11a044514e3799c4e685cf98ed5c058aa02b5fdb |
|
17-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Call umask before mkstemp in the krb5 child code |
0e65abe5cf2abf5d4b431cf6bd161b419f07901d |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: size_t |
57cd3443dcb7c073c5a00a9f2c3c3a3030ae2d3e |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: long |
a6a0d4edebccd3cf04f9813fc65185845626b5d4 |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
krb5_child: Simplify ccache creation
The containing ccache directory is precreated by the parent code,
so there is no special need to do so here for any type.
Also the special handling for the FILE ccache temporary file is not really
useful, because libkrb5 internally unlinks and then recreates the file, so
mkstemp cannot really prevent subtle races, it can only make sure the file is
unique at creation time.
Resolves:
https://fedorahosted.org/sssd/ticket/2061 |
aeb1e654c337037b6bdb350e1ec8aaa065e86794 |
|
27-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add support for KEYRING cache type
https://fedorahosted.org/sssd/ticket/2036 |
fe1afaccc7c9a99df823a7c44cd89fc3c619715a |
|
27-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Remove unnecessary call to become_user()
By the time that the create_ccache_in_dir() routine is called, we are
already guaranteed to have dropped privileges. This has either happened
because we dropped them before the exec() in the normal operation case
or because we dropped them explicitly after we completed the TGT
validation step if that or FAST is configured. |
8340ca480e0fe823441633720d67efc9e4a4bc64 |
|
22-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add new #define for collection cache types
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate. |
c235f67280a84a5248457c110500fa3f0e11f755 |
|
19-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Do not log to syslog on each login |
50e694bddc95b3137b29fa872af4f679feb96964 |
|
19-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Formatting changes |
86c985481c2fdb1d8996a77576b12bff431c18d5 |
|
11-Aug-2013 |
Michal Zidek <mzidek@redhat.com> |
ldap, krb5: More descriptive msg on chpass failure.
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029 |
08e3f641a8b8d6b5d7eb0b523599702eda960da2 |
|
22-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix warnings: uninitialized variable |
d6c2ee96f5f181f21b0003aa8f3506e82522291d |
|
22-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused memory context from function unpack_authtok |
6f6e4408cedaebbfcef61e5adb78ba75abe5839d |
|
17-Jul-2013 |
Pavel Březina <pbrezina@redhat.com> |
print hint about password complexity when new password is rejected
https://fedorahosted.org/sssd/ticket/1827 |
dbf4dd47aa7f314a6a6bb2c8f9bb4ddd09de9e8b |
|
15-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Use conditional build for retrieving ccache.
Some krb5 functions may not be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
versions of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged into one universal function, which
was moved to file src/util/sss_krb5.c |
0c0f91311fd2a947992914d8bca644cd1eb4298b |
|
10-Jul-2013 |
Ondrej Kos <okos@redhat.com> |
KRB5_CHILD: Fix handling of get_password return code
The switch statement was dead code due to missing case/default. |
d673bd397f1ed8239b36a5134bcd29914b11ae72 |
|
26-Jun-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Do not switch to credentials every time.
If the user decides to kinit as another user we do not want to switch back
to the user ccache at another login. We will switch to the new ccache if and only
if the default principal name is the same as the current principal name, or there is
no default ccache.
https://fedorahosted.org/sssd/ticket/1936 |
fa3cdcff460d555f4a4905fb0a2d96be564fc599 |
|
26-Jun-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Every time return directory for krb5 cache collection.
Function krb5_cc_get_full_name is called only as a way to validate that
we have the right cache. Instead of the returned name, the location will be returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936 |
fa4a9c4afcc0c62a693034e21f33356e64735687 |
|
25-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
krb5: do not send pac for IPA users from the local domain
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recent patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make its purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995 |
48a53690ae35ef7e5690eb216c8e33140070f984 |
|
25-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Revert "Always send the PAC to the PAC responder"
This reverts commit d153941864fe481399665be8fe583c9317194a99. |
1b224723e8db9699835ad58d6f589328f928e14e |
|
17-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Set default realm for enterprise principals
Enterprise principals require that a default realm is available. To
make SSSD more robust in the case that the default realm option is
missing in krb5.conf or to allow SSSD to work with multiple unconnected
realms (e.g. AD domains without trust between them) the default realm
will be set explicitly.
Fixes https://fedorahosted.org/sssd/ticket/1931 |
95332f72acf87e04be6fb70c5dc00cabd14ac97c |
|
17-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Use principal from the ticket to find validation entry
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT it
is better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931 |
22a21e910fd216ec1468fe769dcc29f1621a52a4 |
|
14-Jun-2013 |
Ondrej Kos <okos@redhat.com> |
KRB: Handle preauthentication error correctly
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like an authentication error. |
d153941864fe481399665be8fe583c9317194a99 |
|
06-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Always send the PAC to the PAC responder
Currently while doing a Kerberos based authentication the PAC was only
sent to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain is already evaluated by the PAC responder. |
7486dea9f5f7b2a6fbbacc6db740a82140b6377c |
|
20-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fixing critical format string issues.
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, example: '%\n' |
edaa983d094c239c3e1ba667bcd20ed3934be3b8 |
|
22-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Allow usage of enterprise principals
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chosen, e.g. not related to any
existing DNS domain. This makes it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if it thinks a different KDC can handle the
request or return an error. This feature is also used to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842 |
274fe6a4f8bcb23e31929430110c0b52e9ce233a |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Check for correct variable name
https://fedorahosted.org/sssd/ticket/1864 |
04689cbf9c09d68ed5640919757d4bef292a9c57 |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
krb5 child: Use the correct type when processing OTP |
9acfb09f7969a69f58bd45c856b01700541853ca |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Making the authtok structure really opaque.
The definition of struct sss_auth_token was removed from header file
authtok.h and only the declaration of this structure is left there.
Therefore the only way to use this structure is to use the accessor functions from
the same header file.
A new empty authtok can only be created with the newly created function
sss_authtok_new(). The TALLOC context was removed from copy and setter functions,
because the pointer to struct sss_auth_token is used as a memory context.
All declarations of struct sss_auth_token variables were replaced with
pointers to this structure and related changes were made in the source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or a zero-initialized struct pam_data
allocated on the stack.
https://fedorahosted.org/sssd/ticket/1830 |
53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Reusing create_pam_data() in the other places.
Function create_pam_data() should be the only way to create a new
struct pam_data, because it also initializes the destructor of the created
object. |
b40583c6d52b72e41bf01106534535e54b4fba4f |
|
08-Mar-2013 |
Nathaniel McCallum <npmccallum@redhat.com> |
Add support for krb5 1.11's responder callback.
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only). |
c6872e79e8496fd075e20aec0343ade99cca725c |
|
04-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Cleanup error message handling for krb5 child
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that. |
67dac0a65e9322771d853ee0914c41c30a1c4432 |
|
04-Mar-2013 |
Ondrej Kos <okos@redhat.com> |
krb5_child: fix value type and initialization
ret was defined as integer, instead of errno_t, and was uninitialized |
0a8a06a50e8deaf5b78b1bf4cc99fb571dda7860 |
|
28-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Refactor krb5 child
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has become confused and
baroque enough that understanding its very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.
Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching functions across the tree)
- Streamline setup function, by splitting out fast setup in a subroutine.
- Avoid confusing indirection in executing actual functions by not
using the krb5_req child_req member.
- Make main() flow symmetric, send back data from the main function
instead of delegating a reply to every inner function that implements a
command.
Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back |
f7e97d8b7b72f376a7c75dbe184634f38db35567 |
|
28-Feb-2013 |
Simo Sorce <simo@redhat.com> |
krb5_child style fix
Use the standard 'done' label for exceptions. |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
9459006424bb9975b8728c7700605f9b061c791e |
|
19-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Disable canonicalization during password changes
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615 |
6ef6612dd9e52c879e536a8b06bfeb4408d337b1 |
|
19-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Just use the service name with krb5_get_init_creds_password()
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain. |
0f76569b4cecc048974e837c92d4ca806ca3bbac |
|
12-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only build extract_and_send_pac on platforms that support it |
9e2c64c6d4f5560e27207193efea6536a566865e |
|
29-Oct-2012 |
Michal Zidek <mzidek@redhat.com> |
Include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1495 |
d3dca30d3a6feba062d0299718d1a9fcdc8b9d17 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_child: send back the client principal
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles requests case-insensitively. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the case of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right case. To be able to update the cached user principal name the
krb5_child will return the principal for further processing. |
dca03a97f4e1532ee2f2cbd26b1538ab6ccf18f7 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_child: send PAC to PAC responder
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is sent to the pac responder for evaluation. |
916674f6c54a64980f181790befe861a6e2b8daf |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_auth: send different_realm flag to krb5_child
The different_realm flag which was set by the responder is sent to the
krb5_child so that it can act differently on users from other realms. To
avoid code duplication and inconsistent behaviour the krb5_child will
not set the flag on its own but use the one from the provider. |
c5e4d4e9a3f6896f0f3c631ea26bb49a79b5cd8e |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only call krb5_set_trace_callback on platforms that support it |
e7a24374d97e1d1c32d3e18561a20e8c5e6319ec |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Collect krb5 trace on high debug levels
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539 |
115cc768599d7df4b3206426652d3e7a3971d597 |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Two fixes to child processes
There was an unused structure member in the krb5_child.
Declaration of __krb5_error_msg was shadowing the same variable from
sss_krb5.h which is not nice. Also we might actually use the error
context directly instead of passing it as parameter. |
89cc2dac478c899aaaacb75d7448e3c651723f74 |
|
10-Oct-2012 |
Ondrej Kos <okos@redhat.com> |
Add more info about ticket validation
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage. |
8fe574521b7f8b14e17aea1d9afb471b80761b83 |
|
04-Oct-2012 |
Ondrej Kos <okos@redhat.com> |
Log possibly non-randomizable ccache file template
fixes https://fedorahosted.org/sssd/ticket/1533
The ccache file template is now checked for appended XXXXXX for use with
mkstemp. When those characters are not present, a warning is written to the log. |
6c722d1125ee285d72fb4d7444b8cefc6db33a0b |
|
20-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5 child: handle more error codes gracefully
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport. |
383fa7e69136ce27031d7d0b9b9b8e5b0392bfee |
|
20-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5 child: Don't return System Error on empty password
https://fedorahosted.org/sssd/ticket/1310 |
ea45f80628dfbe75dfba7c37c0cb14acf5af440f |
|
10-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Return PAM_AUTH_ERR on incorrect password
https://fedorahosted.org/sssd/ticket/1515 |
fd2840c15ce480ef017ce880a6ac8b10e22ae9d2 |
|
24-Aug-2012 |
Sumit Bose <sbose@redhat.com> |
Use new debug levels in validate_tgt() |
d29a9e0bfe54926c057bc1ea3e22269a2f87c15b |
|
24-Aug-2012 |
Sumit Bose <sbose@redhat.com> |
Fix fallback in validate_tgt()
To validate a TGT a keytab entry from the client realm is preferred but
if none can be found the last entry should be used. But the entry was
freed and zeroed before it could be used.
This should also fix the trusted domain use case mentioned in
https://fedorahosted.org/sssd/ticket/1396
although a different approach than suggested in the ticket is used. |
2bdb99e3578fa8ff606632d9e7242bc753737752 |
|
10-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Cast uid_t to unsigned long long in DEBUG messages |
951a2082ba1bfe2fec59b06b1f3fdf424d9d75c2 |
|
10-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Print based on pointer contents not address |
bb446567389e894bf4d64a9589606d1951ac7902 |
|
09-Jul-2012 |
Rambaldi <gentoo@xs4me.net> |
heimdal: use sss_krb5_princ_realm to access realm |
aa2c6f469414668e56aa03d5ba5cecde64bc713e |
|
06-Jul-2012 |
Stef Walter <stefw@gnome.org> |
Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate. |
a9c8fdfc939813eafceeecf3ec694608868d8000 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Some logging enhancements for krb5_child |
6ca87e797982061576885f944e2ccfaba9573897 |
|
15-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Auto-detect DIR cache support in configure
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems. |
95cc3f4be93d3cb5bb28bb3787f0aace4edb3124 |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Use Kerberos context in KRB5_DEBUG
Passing Kerberos context to sss_krb5_get_error_message will allow us to
get better error messages. |
9a3ba9ca00e73adc3fb17ce8afa532076768023b |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Add support for storing credential caches in the DIR: back end
https://fedorahosted.org/sssd/ticket/974 |
3ca7450bc821ac37851e92a256d0a2b89f4f2032 |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Provide more debugging in krb5_child and ldap_child
https://fedorahosted.org/sssd/ticket/1225 |
727937fb86cfb042063f02fa2a229d236d7f105f |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Two small krb5_child fixes
* Allocation check was missing
* a DEBUG statement overwrote errno |
583f24df86e433589c73a3f112b30676c412b7cd |
|
31-May-2012 |
Nick Guay <nguay@redhat.com> |
added DEBUG messages to krb5_child and ldap_child |
4c157ecedd52602f75574605ef48d0c48e9bfbe8 |
|
07-May-2012 |
Stef Walter <stefw@gnome.org> |
Limit krb5_get_init_creds_keytab() to etypes in keytab
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers an enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375 |
5b1a798a2a792c74e5f11f744f4f5b663c8b93c3 |
|
07-May-2012 |
Stef Walter <stefw@gnome.org> |
Remove erroneous failure message in find_principal_in_keytab
* When it's actually a failure, then the callers will print
a message. Fine tune this. |
4d1a261202d828efc84e3a84d16c30548f29f76d |
|
04-May-2012 |
Stef Walter <stefw@gnome.org> |
If canon'ing principals, write ccache with updated default principal
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518 |
9d7d4458d94d0aac0a7edf999368eb18f89cb76a |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert read and write operations to sss_atomic_read
https://fedorahosted.org/sssd/ticket/1209 |
c87a579a23b27e65ae956bc42cf0a247f2ca0baf |
|
06-Apr-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Clean up log messages about keytab_name
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288 |
ee6e61781536a0ef34491cea74e91c36ee439df9 |
|
06-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
krb5_child: set debugging sooner |
85d8b2567730b236578a1aaeb0139c38dda23304 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add syslog messages for Kerberos failures
https://fedorahosted.org/sssd/ticket/1137 |
768591607fc89d3a14fa00c9c8f78e83f3f6b565 |
|
22-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add compatibility layer for Heimdal Kerberos implementation |
69420a154fc9fb8b04f437125a6a0604b26b1292 |
|
19-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Securely set umask when using mkstemp
Coverity 12394, 12395, 12396, 12397 and 12398 |
87c07559af5cfcd2752295ef7c425bd3205f426f |
|
19-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Move child_common routines to util |
7dfc7617085c403d30debe9f08d4c9bcca322744 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957 |
4a6a5421113ab662a665c62ed6a24b61a5a36950 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Multiline macro cleanup
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again. |
1a7529bf5f867b43e0475f7f9ac0cd8671fb16f1 |
|
08-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
DEBUG timestamps offer higher precision
https://fedorahosted.org/sssd/ticket/956
Added: --debug-microseconds=0/1
Added: debug_microseconds to sssd.conf |
89caf5edcc99f5731e89bd51e6ffaad3ec11c304 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0
Removed:
SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED)
Added new macro:
CONVERT_AND_SET_DEBUG_LEVEL(new_value)
Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0
so the DEBUG macro could be reduced by one condition. Anyway, it has a minor
effect, every time you want to load debug_level from command line parameters,
you have to use the following pattern:
/* Set debug level to invalid value so we can decide if -d 0 was used. */
debug_level = SSSDBG_INVALID;
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) { ... }
CONVERT_AND_SET_DEBUG_LEVEL(debug_level); |
99dd40a885ed3d42af4bbbde7ee2fc98830544d0 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - conversion
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT) |
628187049e815ee54637398c8011883d762c8a64 |
|
05-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added some kerberos functions for building on RHEL5 |
8cf1b4183577237d965068d70cd06bd0716aea84 |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Allow new option to specify principal for FAST
https://fedorahosted.org/sssd/ticket/700 |
cfd79b92d3813ed53ef51ae2cf93be6287e73a27 |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Extend and move function for finding principal in keytab
The function now supports finding principal in keytab not only based on
realm, but based on both realm and primary/instance parts. The function
also supports * wildcard at the beginning or at the end of primary
principal part. The function for finding principal has been moved to
util/sss_krb5.c, so it can be used in other parts of the code. |
589dd0f6600515926e4e514442c62366db0a62b3 |
|
20-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fixes for automatic ticket renewal
- do not recreate the ccache file when renewing the TGT
- use user principal name as hash key instead of ccfile name
- let krb5_child return Kerberos error codes |
6369396f3b6e87ee8322b7bae9d2901e1a2fa37d |
|
08-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix build issue with older Kerberos library |
5843ad321944a028f6dee7e1fd4f9381c4953d07 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for FAST in krb5 provider |
263c8d47ca21d3bacd77266613fcc7baab988465 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Refactor krb5_child to make helpers more flexible |
1709edfb690bb4ffa4b96c64d08853f47390eda3 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
krb5_child returns TGT lifetime |
c7d73cf51642c7f89c1f21e54b8ce1b262bef899 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_lifetime option |
c8b8901b05da9e31dba320f305ec20301e928cfb |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_renewable_lifetime option |
7470bb938429c7a723f5aad971cc50a805a9ead8 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Check authtok type for krb5 auth and chpass |
92ae4a7ef84f05239da1ac2eba0d7a34161da271 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add a renew task to krb5_child |
369983d509540d8289e62675c6cf7009f964abd7 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Send authtok_type to krb5_child |
c3593efe68ddee16b810944e5dc808740b14942d |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_kuserok() access check to krb5_child |
fab9c6a75eaf09e4f5440f4bb530c26009b0ffc7 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Make krb5_setup() public |
047332ebbe8397a70c92e5e3a5fbd40a9d00d0b5 |
|
23-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Use new MIT krb5 API for better password expiration warnings |
87f2bb60510f31fec012d126411f09a99c72140e |
|
08-Sep-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Dead assignments cleanup in providers code
Dead assignments were deleted. Also prototype of function
sdap_access_decide_offline() has been changed, since its return
code was never used.
Ticket: #586 |
564d213ea3f0957a3337cd0f1d63e766e16ce6d8 |
|
16-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Standardize on correct spelling of "principal" for krb5
https://fedorahosted.org/sssd/ticket/542 |
f520e7a2f4fe29747f25118621e20b0d89d296fc |
|
14-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove krb5_changepw_principal option
Fixes: #531 |
fb02f9845f2d734d55973f27c2393148a9dd0838 |
|
09-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Add a missing initializer |
a777a485bf73be24404fe3094c3688e604d8cbf8 |
|
06-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Initialize pam_data in Kerberos child. |
06c03627c81a5252420931383a68eb67ba551667 |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Handle Krb5 password expiration warning |
80c8a4f94d54b23bce206fdd75ff2648977ce271 |
|
25-Mar-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow arbitrary-length PAM messages
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432 |
5096bb4c2242b426aa6f5ea2cb82223e0b81a345 |
|
12-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_kpasswd option |
6adf5b8a078f2b37f2d3d91cd060b891c2a7efaa |
|
03-Mar-2010 |
Simo Sorce <ssorce@redhat.com> |
Improve safe alignment buffer handling macros
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change argument names so that they are not deceiving (ptr normally identifies a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings. |
7343ee3d775303845e2528c676c59ef3582d6b27 |
|
23-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Handle expired passwords like other PAM modules
So far we handled expired passwords during authentication. Other PAM
modules typically detect expired passwords during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is changed accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one. |
953e07b7c43bc9bb7c7616180b1ba1730e22c59a |
|
19-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Remove unneeded items from struct pam_data |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |