History log of /sssd-io/src/providers/krb5/krb5_child.c
Revision Date Author Comments
5a7b76bf3dc1b7a4a6ca6608c750cbffef73a3eb 07-Feb-2018 Lukas Slebodnik <lslebodn@redhat.com>

krb5_child: Distinguish between expired & disabled AD user Active Directory returns the krb5 error code KRB5KDC_ERR_CLIENT_REVOKED "-1765328366/Clients credentials have been revoked" for both expired and disabled users. This is a difference between AD and IPA https://pagure.io/SSSD/sssd/issue/2924. Therefore we need to distinguish between these two states. AD provides krb5 error data together with the krb5 error code. It contains KERB-EXT-ERROR, which is documented in "[MS-KILE]: Kerberos Protocol Extensions"[1], and KERB-EXT-ERROR contains an NTSTATUS. The function sss_krb5_get_init_creds_password is a simpler version of krb5_get_init_creds_password; the small difference is that the krb5 native API actually retries by locating a KDC master server if the initial attempt fails and the KDC that was contacted is not a master KDC. A special version for AD (and even IPA) is not an issue. The retry will be a no-op because every server is considered a master (or no masters exist at all in DNS SRV records). [1] https://msdn.microsoft.com/en-us/library/cc233855.aspx Resolves: https://pagure.io/SSSD/sssd/issue/3198 Reviewed-by: Sumit Bose <sbose@redhat.com>
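The NTSTATUS extraction this commit describes, as an added example that is not SSSD's own code: a small DER walker pulls the KERB-EXT-ERROR status out of the e-data that AD attaches to KRB5KDC_ERR_CLIENT_REVOKED and turns it into an account state. Going one step beyond the commit, it also recognises the locked-out status, since AD returns the same krb5 code for lockouts. Assumptions not taken from the page: the e-data is a bare KERB-ERROR-DATA with explicit context tags, the data-value is the 12-byte little-endian status/reserved/flags triple from [MS-KILE], the NTSTATUS constants, and the sample bytes, which are constructed rather than captured from a KDC. All function names are hypothetical.

```c
/* Added example (not SSSD code): decode AD's KERB-ERROR-DATA e-data that
 * accompanies KRB5KDC_ERR_CLIENT_REVOKED and classify the account state from
 * the embedded NTSTATUS. Plain C, no libkrb5 needed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values (assumed from the Windows status table, not from the page). */
#define NT_STATUS_ACCOUNT_DISABLED   0xC0000072u
#define NT_STATUS_ACCOUNT_EXPIRED    0xC0000193u
#define NT_STATUS_ACCOUNT_LOCKED_OUT 0xC0000234u
/* data-type that marks a KERB-EXT-ERROR payload ([MS-KILE] KERB_ERR_TYPE_EXTENDED). */
#define KERB_ERR_TYPE_EXTENDED 3

enum ad_account_state { AD_ACCT_UNKNOWN = 0, AD_ACCT_EXPIRED, AD_ACCT_DISABLED, AD_ACCT_LOCKED_OUT };

struct der_elem { uint8_t tag; const uint8_t *val; size_t len; };

/* Read one DER TLV at *off. The e-data is network input, so every length is
 * compared against what is left (untrusted value on the left of the test). */
static bool der_read(const uint8_t *buf, size_t buflen, size_t *off, struct der_elem *out)
{
    size_t pos = *off, len = 0;

    if (pos >= buflen || buflen - pos < 2) return false;
    out->tag = buf[pos++];
    uint8_t l0 = buf[pos++];
    if (l0 < 0x80) {
        len = l0;
    } else {
        size_t nbytes = l0 & 0x7f;                    /* long form: l0 = 0x80 | nbytes */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return false;
        if (nbytes > buflen - pos) return false;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos) return false;
    out->val = buf + pos;
    out->len = len;
    *off = pos + len;
    return true;
}

/* KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }
 * with explicit context tags (0xA1, 0xA2). When data-type is 3, data-value is
 * KERB-EXT-ERROR { status NTSTATUS, reserved ULONG, flags ULONG }, little-endian. */
bool kerb_ext_error_status(const uint8_t *edata, size_t edata_len, uint32_t *status_out)
{
    struct der_elem seq, ctx, inner;
    size_t off = 0, ioff = 0, coff = 0;
    uint32_t data_type = 0;

    if (!der_read(edata, edata_len, &off, &seq) || seq.tag != 0x30) return false;

    if (!der_read(seq.val, seq.len, &ioff, &ctx) || ctx.tag != 0xA1) return false;
    if (!der_read(ctx.val, ctx.len, &coff, &inner) || inner.tag != 0x02) return false;
    if (inner.len == 0 || inner.len > 4) return false;
    for (size_t i = 0; i < inner.len; i++) data_type = (data_type << 8) | inner.val[i];
    if (data_type != KERB_ERR_TYPE_EXTENDED) return false;

    coff = 0;
    if (!der_read(seq.val, seq.len, &ioff, &ctx) || ctx.tag != 0xA2) return false;
    if (!der_read(ctx.val, ctx.len, &coff, &inner) || inner.tag != 0x04) return false;
    if (inner.len != 12) return false;               /* exactly one KERB-EXT-ERROR */

    *status_out = (uint32_t)inner.val[0] | (uint32_t)inner.val[1] << 8
                | (uint32_t)inner.val[2] << 16 | (uint32_t)inner.val[3] << 24;
    return true;
}

enum ad_account_state classify_client_revoked(const uint8_t *edata, size_t edata_len)
{
    uint32_t status;

    if (!kerb_ext_error_status(edata, edata_len, &status)) return AD_ACCT_UNKNOWN;
    switch (status) {
    case NT_STATUS_ACCOUNT_EXPIRED:    return AD_ACCT_EXPIRED;
    case NT_STATUS_ACCOUNT_DISABLED:   return AD_ACCT_DISABLED;
    case NT_STATUS_ACCOUNT_LOCKED_OUT: return AD_ACCT_LOCKED_OUT;
    default:                           return AD_ACCT_UNKNOWN;
    }
}

/* Constructed sample e-data (not captured from a real KDC):
 * SEQUENCE { [1] INTEGER 3, [2] OCTET STRING <status LE, reserved 0, flags 1> } */
#define SAMPLE_EDATA(b0, b1, b2, b3) \
    { 0x30, 0x15, 0xA1, 0x03, 0x02, 0x01, 0x03, 0xA2, 0x0E, 0x04, 0x0C, \
      b0, b1, b2, b3, 0, 0, 0, 0, 1, 0, 0, 0 }
const uint8_t sample_edata_expired[]  = SAMPLE_EDATA(0x93, 0x01, 0x00, 0xC0);
const uint8_t sample_edata_disabled[] = SAMPLE_EDATA(0x72, 0x00, 0x00, 0xC0);

int main(void)
{
    printf("expired sample  -> %d\n", classify_client_revoked(sample_edata_expired, sizeof(sample_edata_expired)));
    printf("disabled sample -> %d\n", classify_client_revoked(sample_edata_disabled, sizeof(sample_edata_disabled)));
    printf("truncated       -> %d\n", classify_client_revoked(sample_edata_expired, sizeof(sample_edata_expired) - 4));
    return 0;
}
```

The e-data is attacker-controlled network input, so der_read never trusts a length it has not compared against the bytes remaining; a truncated or oversized element yields AD_ACCT_UNKNOWN, and the caller should then fall back to the generic revoked/lockout handling rather than guess.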

d380148b0a23dd1a04d1d0767ba41d3e76fb7d23 07-Feb-2018 Lukas Slebodnik <lslebodn@redhat.com>

KRB5: Pass special flag to krb5_child We will need to distinguish between the standard version of krb5_get_init_creds_password or a custom one which can distinguish the KERB-EXT-ERROR error code for expired and disabled AD users. The flag is set only in case of auth provider ad. Resolves: https://pagure.io/SSSD/sssd/issue/3198 Reviewed-by: Sumit Bose <sbose@redhat.com>

4a9c1047354dbe5a4ed41e5951ae623e3772e113 29-Jan-2018 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes in providers/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/data_provider.h /sssd-io/src/providers/data_provider/dp_request.c /sssd-io/src/providers/data_provider/dp_target_id.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c krb5_child.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access_check.c
011dc535406f5f2fca711380547669a27f0fc63c 23-Jan-2018 Sumit Bose <sbose@redhat.com>

krb5_child: check preauth types if password is expired If the long term Kerberos password is expired the available pre-authentication types for the user should be checked by requesting the kadmin/changepw principal. This is e.g. needed for 2-factor authentication where the user not only has to specify the current long password but a one-time password as well. Related to https://pagure.io/SSSD/sssd/issue/3585 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a24954cc19285b197fb287bfa7aa01949c92b17d 10-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

CHILD: Pass information about logger to children The variables debug_to_file or debug_to_stderr were not set because the back end already used the parameter --logger=%s. And therefore logs were not sent to files. It could only work in case of direct usage of --debug-to-files in the back end via the command configuration option. Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

cb75b275d15beedd1fdecc1f8ced657fba282218 03-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

Add parameter --logger to daemons Different binaries handled information about logging differently, e.g. --debug-to-files --debug-to-stderr And logging to journald was a special case of the previous options (!debug_file && !debug_to_stderr). It was also tied to the monitor option "--daemon" and therefore logging to stderr was used in interactive mode + systemd Type=notify. Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

/sssd-io/src/man/sssd.8.xml /sssd-io/src/monitor/monitor.c /sssd-io/src/p11_child/p11_child_nss.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/selinux_child.c krb5_child.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/ifp/ifpsrv.c /sssd-io/src/responder/kcm/kcm.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/secrets/secsrv.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/tests/cmocka/dummy_child.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/util/child_common.c /sssd-io/src/util/debug.c /sssd-io/src/util/server.c
a02a5ed51178b2cbede0396d66aed716b8898096 25-Oct-2017 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes Merges: https://pagure.io/SSSD/sssd/pull-request/3556 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/contrib/sssd.spec.in /sssd-io/src/db/sysdb_private.h /sssd-io/src/db/sysdb_views.c /sssd-io/src/examples/sssd-example.conf /sssd-io/src/lib/idmap/sss_idmap.doxy.in /sssd-io/src/man/sssd-secrets.5.xml /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/data_provider/dp_request.c krb5_child.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/responder/kcm/kcmsrv_ccache_json.c /sssd-io/src/responder/kcm/kcmsrv_op_queue.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/shared/safealign.h /sssd-io/src/sss_client/autofs/sss_autofs.c /sssd-io/src/sss_client/idmap/sss_nss_idmap.doxy.in /sssd-io/src/sss_client/libwbclient/wbc_pwd_sssd.c /sssd-io/src/sss_client/sudo/sss_sudo.h /sssd-io/src/tests/cmocka/common_mock_resp_dp.c /sssd-io/src/tests/cmocka/test_sbus_opath.c /sssd-io/src/tools/common/sss_process.c /sssd-io/src/tools/common/sss_process.h /sssd-io/src/tools/sssctl/sssctl.c /sssd-io/src/tools/sssctl/sssctl_data.c /sssd-io/src/util/crypto/libcrypto/crypto_sha512crypt.c /sssd-io/src/util/crypto/nss/nss_sha512crypt.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.h /sssd-io/src/util/tev_curl.c /sssd-io/src/util/util_lock.c
865cbab7db1458422033bbd19197516110b9deca 24-Jul-2017 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Return invalid credentials internally when attempting to renew an expired TGT Since 1.14.2 and in particular commit d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5. However, when the action that krb5_child performs is ticket renewal and the ticket is totally expired, this can send the SSSD into offline mode. Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map anymore. The effect on the daemon is that just the single renewal fails, but the failover code is not called and therefore sssd doesn't switch into offline mode. Resolves: https://pagure.io/SSSD/sssd/issue/3406 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>

7e2ec7caa2d1c17e475fff78c5025496b8695509 15-Jun-2017 Sumit Bose <sbose@redhat.com>

krb5: use plain principal if password is expired Similarly to https://pagure.io/SSSD/sssd/issue/3426, enterprise principals should be avoided while requesting a kadmin/changepw@REALM principal for a password change. Resolves https://pagure.io/SSSD/sssd/issue/3419 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

96e1794db6915a655d97ecab7ab71ad53d1f527b 08-Jun-2017 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Remove ctype.h from util/util.h ctype.h is not used directly by util/util.h. The header file ctype.h must be included in 32 files and after removing it from util.h it had to be added only to 8 missing files Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

8890a30f5d054187fd7d5b50503f82a49cd025f0 08-Jun-2017 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Remove fcntl.h from util/util.h fcntl.h is not used directly by util/util.h. The header file fcntl.h must be included in 49 files and after removing it from util.h it had to be added only to 7 missing files which were using either the fcntl or the open syscall directly. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

a5e134b22aa27ff6cd66a7ff47089788ebc098a1 03-Jun-2017 Sumit Bose <sbose@redhat.com>

IPA: Fix the PAM error code that auth code expects to start migration Recent patches which add support for PKINIT in krb5_child changed a return code which is used to indicate to the IPA provider that password migration should be tried. With this patch krb5_child properly returns PAM_CRED_ERR as expected by the IPA provider in this case. Resolves: https://pagure.io/SSSD/sssd/issue/3394 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

861ab44e8148208425b67c4711bc8fade10fd3ed 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Authenticate users in a non-POSIX domain using a MEMORY ccache Related to: https://pagure.io/SSSD/sssd/issue/3310 The following changes were done to the Kerberos authentication code in order to support authentication in a non-POSIX environment: - delayed authentication is disabled in non-POSIX domains - when a user logs in in a non-POSIX domain, SSSD uses a MEMORY:$username ccache and destroys it when krb5_child finishes so that just the numeric result is used - krb5_child doesn't drop privileges in this configuration because there is nothing to drop privileges to Reviewed-by: Sumit Bose <sbose@redhat.com>

1c551b1373799643f3e9ba4f696d21b8fc57dafd 29-Mar-2017 Sumit Bose <sbose@redhat.com>

krb5: return to responder that pkinit is not available If pkinit is not available for a user but other authentication methods are, SSSD should still fall back to local certificate based authentication if Smartcard credentials are provided. Resolves https://pagure.io/SSSD/sssd/issue/3343 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2d527aab0bab0c5323b7ea09c9a8c3820f4f8736 23-Feb-2017 Sumit Bose <sbose@redhat.com>

KRB5: allow pkinit pre-authentication Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

52f45837ded98564968da42229b37db6a36ad627 23-Feb-2017 Sumit Bose <sbose@redhat.com>

pam: enhance Smartcard authentication token Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7e394400eefd0e7c5ba0c64ab3fa28bee21ef2d7 28-Nov-2016 Sumit Bose <sbose@redhat.com>

krb5: Use command line arguments instead env vars for krb5_child Resolves: https://fedorahosted.org/sssd/ticket/697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b9941359b3181c42f415530d5ccad0f4664d85fa 21-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d3348f49260998880bb7cd3b2fb72d562b1b7a64 13-Sep-2016 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Return ERR_NETWORK_IO on clock skew Adds two more return codes to the list of codes we translate to ERR_NETWORK_IO. Resolves: https://fedorahosted.org/sssd/ticket/3174 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

78027feeb56d6fe216f699be86a4716aaef3f628 07-Jul-2016 Sumit Bose <sbose@redhat.com>

PAM/KRB5: optional otp and password prompting Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both. Resolves https://fedorahosted.org/sssd/ticket/2988 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/p11_child/p11_child_nss.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/backend.h /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/be_ptask.c /sssd-io/src/providers/be_refresh.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_subdomains.h /sssd-io/src/providers/ipa/selinux_child.c krb5_auth.h krb5_child.c krb5_common.c krb5_common.h /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/sdap.h /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_access.h /sssd-io/src/providers/ldap/sdap_async.h /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_dyndns.h /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo.h /sssd-io/src/providers/ldap/sdap_sudo_shared.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/tests/cmocka/test_be_ptask.c /sssd-io/src/tests/cmocka/test_data_provider_be.c
c02b8482375837b57cb618ed56d4bede0e006d9d 18-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

38f251e531b1c68e70eaa98dfecaf78da5f36ccc 19-Feb-2016 Lukas Slebodnik <lslebodn@redhat.com>

krb5_child: Warn if user cannot read krb5.conf The attached patch should simplify troubleshooting of issues with the permissions of krb5.conf. It's not clear from krb5_child.log even with full debug level. [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_12069_XXXXXX] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243] [Can't find client principal user@EXAMPLE.COM in cache collection] [create_ccache] (0x0020): 735: [13][Permission denied] Resolves: https://fedorahosted.org/sssd/ticket/2931 Reviewed-by: Michal Židek <mzidek@redhat.com>

19e44537c28f6d5f011cd7ac885c74c1e892605f 14-Jan-2016 Simo Sorce <simo@redhat.com>

Krb5/PAM: Fix account lockout error handling The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is returned by the KDC when an account lockout is in effect. When an account is expired the kdc returns KRB5KDC_ERR_NAME_EXP. Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code. Resolves: https://fedorahosted.org/sssd/ticket/2924 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e131fef2d3f40bce5af85613690df8aa15f90fde 14-Dec-2015 Petr Cech <pcech@redhat.com>

KRB5_CHILD: Debug logs for PAC timeout This patch adds a debug message that informs the user when KRB5_CHILD calls the PAC responder. This action might take a bit of time in case the cache is not populated or up to date. Resolves: https://fedorahosted.org/sssd/ticket/2846 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9f69dff2af5ee0e922ca75efa9749913fd2d944f 07-Dec-2015 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO Resolves: https://fedorahosted.org/sssd/ticket/2866 This would help users who authenticate to AD trust servers while offline and see error messages such as: [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"] in the krb5_child.log Reviewed-by: Pavel Březina <pbrezina@redhat.com>

fb75e886c2f203fe8c10e572cd4d8c635941678d 05-Nov-2015 Petr Cech <pcech@redhat.com>

KRB5_CHILD: More restrictive umask We could use more restrictive umask in krb5_child. I found out that there is directory creation, but it is done by create_ccache_dir() which has its own umask setup. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f8e337540d280f944098cd4dd7d670e2f7166b54 14-Oct-2015 Petr Cech <pcech@redhat.com>

REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) There are many calls of the umask function with the 077 argument. This patch adds a new constant SSS_DFL_X_UMASK which stands for 077. So all occurrences of umask(077) are replaced by the constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9f0bffebd070115ab47a92eadc6890a721c7b78d 31-Aug-2015 Michal Židek <mzidek@redhat.com>

sssd: incorrect checks on length values during packet decoding https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
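The comparison pattern this commit describes, as an added example that is not SSSD's own code (SSSD's real decoding helpers differ): the wrapping check and its safe counterpart side by side, used by a small decoder for length-prefixed fields. The 4-byte little-endian field layout, the sample buffers and the function names are assumptions made for the example.

```c
/* Added example (not SSSD code): decoding length-prefixed fields from an
 * untrusted buffer with the checked value isolated on the left-hand side. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The shape the commit warns about: offset + len is computed first, and with
 * 32-bit arithmetic a huge len wraps the sum so the test passes. Returns what
 * the broken check would decide; kept only to show the failure. */
bool length_check_wrapping(uint32_t offset, uint32_t len, uint32_t buflen)
{
    return offset + len <= buflen;            /* sum can wrap modulo 2^32 */
}

/* Safe shape: the untrusted len stands alone on the left and is compared
 * against the remaining space, which cannot underflow once offset <= buflen. */
bool length_check_safe(uint32_t offset, uint32_t len, uint32_t buflen)
{
    if (offset > buflen) return false;
    return len <= buflen - offset;
}

struct field { const uint8_t *data; uint32_t len; };

/* One field = 4-byte little-endian length, then len bytes of payload. The
 * layout is an assumption for the example, not SSSD's child protocol. */
bool unpack_field(const uint8_t *buf, uint32_t buflen, uint32_t *offset, struct field *out)
{
    uint32_t pos = *offset, len;

    if (pos > buflen || buflen - pos < 4) return false;
    len = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8
        | (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;
    pos += 4;
    if (!length_check_safe(pos, len, buflen)) return false;
    out->data = buf + pos;
    out->len = len;
    *offset = pos + len;                      /* cannot overflow: len <= buflen - pos */
    return true;
}

/* Walk a whole buffer; returns the field count, or -1 if any field is malformed. */
int count_fields(const uint8_t *buf, uint32_t buflen)
{
    uint32_t offset = 0;
    int n = 0;
    struct field f;

    while (offset < buflen) {
        if (!unpack_field(buf, buflen, &offset, &f)) return -1;
        n++;
    }
    return n;
}

/* Constructed inputs (not captured traffic). */
const uint8_t sample_good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 2, 0, 0, 0, 'o', 'k' };
/* Length 0xFFFFFFFC with no payload: 4 + 0xFFFFFFFC wraps to 0, so the wrapping check accepts it. */
const uint8_t sample_evil[] = { 0xFC, 0xFF, 0xFF, 0xFF };

int main(void)
{
    printf("wrapping check on evil input: %d (1 = accepted, the bug)\n",
           length_check_wrapping(4, 0xFFFFFFFCu, sizeof(sample_evil)));
    printf("safe check on evil input:     %d\n",
           length_check_safe(4, 0xFFFFFFFCu, sizeof(sample_evil)));
    printf("good buffer fields: %d, evil buffer fields: %d\n",
           count_fields(sample_good, sizeof(sample_good)),
           count_fields(sample_evil, sizeof(sample_evil)));
    return 0;
}
```

The same discipline applies to every length the child reads from its parent or the network: compute "bytes remaining" from values already known to be in range, then ask whether the untrusted length fits, never whether an untrusted sum fits.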

f5db13d4462faa531c9924181f0fd51364647e2d 17-Aug-2015 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Use sss_unique file in krb5_child In krb5_child, we intentionally don't set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4b1b2e60d0764fed289eada9a7afbfd1993cadcd 08-May-2015 Sumit Bose <sbose@redhat.com>

krb5-child: add preauth and split 2fa token support Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2bb92b969abc805be95f58ab5aafe9cde09e2238 20-Mar-2015 Pavel Reichl <preichl@redhat.com>

KRB5: add debug hint Reviewed-by: Sumit Bose <sbose@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_subdomains.c krb5_child.c krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
429d51ec39193dd1681cef2c8eafd74595142a48 10-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

KRB5: More debugging for create_ccache() It was difficult to find where the problem was without advanced techniques like strace. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

858e750c3d4fe54e50616a1ed1e101469503c070 21-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

Open the PAC socket from krb5_child before dropping root The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com>

9b2cd4e5e451c07cb2f04cdbaea2b94ccb5fb2ee 14-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com>

956dbefd49ce3cbf27539d8846a6d71462a3a927 17-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: handle KRB5KRB_ERR_GENERIC as unspecific error KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a183e279f754afdd571d8b084c7a36b71d5c1701 17-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

krb5_child: Initialize REALM earlier The environment variable SSSD_KRB5_REALM was used too late for initialising the realm, and therefore the default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking the fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore the wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this the user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>

f33ddf15796745888d0194a2f80f22bb3b379dec 11-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Check FAST kinit errors using get_tgt_times() Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

714446cfe8f7f577e8c546cfc1b4cf7d425b5f7a 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Relax DEBUG message Reviewed-by: Sumit Bose <sbose@redhat.com>

8e44ddfccebe61728d8a2c1dafce36dfa944bc90 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

sss_atomic_write_s() return value is signed Reviewed-by: Sumit Bose <sbose@redhat.com>

543d1652e0185abadd5d8b45c718a3db96cd2828 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Create the fast ccache in a child process Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>

939d44cef4d202a7ef88250e90c22f6c6a3acc50 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5_child: become user earlier The host keytab and the FAST credential cache are copied into memory early at startup to allow dropping privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b7088215501c99e40ae71d1c57e0b789bbae2c87 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: do not fail if checking the old ccache failed https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

466f5a539be1e4c6e7cfb396a2f406e1eb8c428d 28-Nov-2014 Lukas Slebodnik <lslebodn@redhat.com>

krb5: Check return value of sss_krb5_princ_realm sss_krb5_princ_realm sets the output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported the warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>

2745b0156f12df7a7eb93d57716233243658e4d9 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move all ccache operations to krb5_child.c The credential cache operations must now be performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

45aeb924ec3ac448bb8d174a5cc061ed98b147c7 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move ccache-related functions to krb5_ccache.c Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

476b78b3f66abc7a0f805154ea1a29f54628224a 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Drop privileges in the child, not the back end In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
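The privilege model these commits describe (open root-only resources such as the PAC responder socket and the host keytab first, then drop to the target user inside the child, with the helper installed 4750 root:sssd), as an added example that is not SSSD's own code: a permission predicate for the helper binary and an irreversible privilege drop that verifies its own result. Function names are hypothetical; the drop uses the Linux setresuid/setresgid calls.

```c
/* Added example (not SSSD code): do privileged work first, then drop to the
 * target user irreversibly and verify the drop. Linux-specific (setresuid). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Install-time check for the helper: mode 4750, owner root, group = the sssd
 * group. Takes stat fields so it can be tested without a real setuid file. */
bool child_binary_perms_ok(mode_t mode, uid_t owner, gid_t group, gid_t sssd_gid)
{
    return (mode & 07777) == 04750 && owner == 0 && group == sssd_gid;
}

/* Drop to uid/gid permanently. Order matters: supplementary groups first
 * (only possible while root), then all three gids, then all three uids, so
 * no saved id is left behind to climb back. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    bool was_root = (geteuid() == 0);
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (was_root && setgroups(0, NULL) != 0) return -errno;
    if (setresgid(gid, gid, gid) != 0) return -errno;
    if (setresuid(uid, uid, uid) != 0) return -errno;

    /* Verify instead of trusting the return codes. */
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -EPERM;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) return -EPERM;

    /* If we started as root and left it, regaining root must now fail. */
    if (was_root && uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -EPERM;
    return 0;
}

int main(void)
{
    /* 1. privileged work goes here: connect to the root-only PAC responder
     *    socket, read the host keytab and FAST ccache into memory, create the
     *    ccache directory. Nothing after the drop can do these. */
    /* 2. then drop. An unprivileged run can only "drop" to its own ids. */
    int ret = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d (uid %u, euid %u)\n", ret,
           (unsigned)getuid(), (unsigned)geteuid());
    return ret == 0 ? 0 : 1;
}
```

Run as root it drops to the requested user and confirms that setuid(0) no longer works; run unprivileged it can only drop to the caller's own ids, which is what main() does. The predicate encodes the installation rule from the commit: only root and the sssd group may execute the helper, and when sssd executes it the setuid bit makes it start as root.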

ee4ba51f2fcfc8d8b807c3de6eaac554281165d2 20-Jul-2014 Sumit Bose <sbose@redhat.com>

KRB5: add missing debug-to-stderr option to krb5_child Without this option krb5_child cannot be run in interactive mode. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dd3398f8cc5a80cd99546bfe9c500589b78a96f1 17-Apr-2014 Pavel Reichl <preichl@redhat.com>

KRB5: Go offline in case of generic error Resolves: https://fedorahosted.org/sssd/ticket/2313

47bc2d6639c41da1e5bac37eb4af3559bbc0e10e 08-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

krb5_child: Fix use after free in debug message debug_prg_name is used in debug_fn and it was allocated under the talloc context "kr". The variable "kr" was removed before the last debug messages in function main. There is very little chance that it will be overridden. It is possible to see this issue with the exported environment variable TALLOC_FREE_FILL=255 Reviewed-by: Sumit Bose <sbose@redhat.com>

d2ea839a907ba6ee1fe44027d67b11b02593fc99 07-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

krb5_child: Remove unused krb5_context from set_changepw_options Reviewed-by: Pavel Reichl <preichl@redhat.com>

3983d81f461a4f17736a516eb595f54df4bf4336 26-Mar-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Do not attempt to get a TGT after a password change using OTP https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

6bbff437dcea7e56d71cf119d1391be7264dfaf0 21-Mar-2014 Sumit Bose <sbose@redhat.com>

krb5-child: add revert_changepw_options() After changing the Kerberos password krb5-child will try to get a fresh TGT with the new password. This patch tries to make sure the right gic options are used. Resolves: https://fedorahosted.org/sssd/ticket/2289 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4bdc95dd47a7f2898dea30c61355ed0f3be402d9 21-Mar-2014 Sumit Bose <sbose@redhat.com>

krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9c20e3386a9716419772a0cf70dc742a5cd0551b 21-Mar-2014 Sumit Bose <sbose@redhat.com>

krb5-child: extract lifetime settings into set_lifetime_options() Additionally the lifetime option flags are unset if there are no explicit settings to make sure the defaults from krb5.conf are used even if other values were set manually in between. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d5043cd73bcfdca3f7e94c7df690236b30c73537 21-Mar-2014 Sumit Bose <sbose@redhat.com>

krb5_child: remove unused option lifetime_str from k5c_setup_fast() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

63bf0b7697d5a51b5338070d0e2652d49a4728ce 12-Mar-2014 Sumit Bose <sbose@redhat.com>

IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration Fixes https://fedorahosted.org/sssd/ticket/2279 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

bfed0bf8e1f3292ee35c9c98e6c0f487c2a6a1a3 10-Mar-2014 Nathaniel McCallum <npmccallum@redhat.com>

Fix krb5 changepw when FAST-only preauth methods are used (like OTP) Before this patch, a different set of options was used when calling krb5_get_init_creds_password() for the changepw principal. Because this set of options did not contain the same FAST settings as the options for normal requests, all authentication would fail when the password of a FAST-only account would expire. The two sets approach was cargo-cult from kinit where multiple requests could be issued using the same options set. However, in the case of krb5_child, only one request (or occasionally a well-defined second request) will be issued. Two option sets are therefore not required. To fix this problem we removed the second option set used for changepw requests. All requests now use a single option set which is modified, if needed, for well-defined subsequent requests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

83bf46f4066e3d5e838a32357c201de9bd6ecdfd 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c krb5_access.c krb5_auth.c krb5_child.c krb5_child_handler.c krb5_common.c krb5_delayed_online_authentication.c krb5_init.c krb5_init_shared.c krb5_renew_tgt.c krb5_utils.c krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c 
/sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/ldap/sdap_fd_events.c /sssd-io/src/providers/ldap/sdap_id_op.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_krb5.c 
/sssd-io/src/util/sss_ldap.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c 
/sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c krb5_access.c krb5_auth.c krb5_become_user.c krb5_child.c krb5_child_handler.c krb5_common.c krb5_delayed_online_authentication.c krb5_init.c krb5_init_shared.c krb5_renew_tgt.c krb5_utils.c krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd-io/src/providers/ldap/sdap_async_sudo_timer.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_fd_events.c 
/sssd-io/src/providers/ldap/sdap_id_op.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_range.c /sssd-io/src/providers/ldap/sdap_refresh.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c 
/sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c 
/sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
83011d97d17bd00e99ccf1e0302167a6bc0db84e 29-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Go offline in case of clock skew https://fedorahosted.org/sssd/ticket/1096 In case the KDC has skewed time, we can retry with the next one and eventually go offline if no KDC has time in sync with the client. Previously, authentication with wrong time resulted in System Error.

f9bb1b81fed053991324de84d6856ee61188aa0f 22-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

krb5: Use right function to free data. In function create_empty_cred, krb5_creds was allocated using calloc, but krb5_free_creds was used to remove these creds in the done section. Therefore the clang static analyzer reported this as a warning: Potential leak of memory pointed to by 'cred'

6dc5ddd177e3b0ffe4315827aa8df7f33340585c 17-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

krb5: Remove warning dereference of a null pointer Variable kr->creds is initialized in function krb5_get_init_creds_password. It does not make sense to check kr->creds for null, because we have already checked return value of function krb5_get_init_creds_password. Resolves: https://fedorahosted.org/sssd/ticket/2112

2105a6a63cb74bf009fb6e723e74f6ec075e1238 17-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.

46967fe03a7472537baea13d01882e0ebe83d57a 10-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

krb5: fix warning may be used uninitialized

2db23c67f1bba5f573e6109ca46c8f63659a9ac4 27-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved

11a044514e3799c4e685cf98ed5c058aa02b5fdb 17-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Call umask before mkstemp in the krb5 child code

0e65abe5cf2abf5d4b431cf6bd161b419f07901d 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type: size_t

/sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c krb5_child.c krb5_child_handler.c krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/util/child_common.c
57cd3443dcb7c073c5a00a9f2c3c3a3030ae2d3e 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type: long

a6a0d4edebccd3cf04f9813fc65185845626b5d4 09-Sep-2013 Simo Sorce <simo@redhat.com>

krb5_child: Simplify ccache creation The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreates the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061

aeb1e654c337037b6bdb350e1ec8aaa065e86794 27-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Add support for KEYRING cache type https://fedorahosted.org/sssd/ticket/2036

fe1afaccc7c9a99df823a7c44cd89fc3c619715a 27-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Remove unnecessary call to become_user() By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.

8340ca480e0fe823441633720d67efc9e4a4bc64 22-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Add new #define for collection cache types Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.

c235f67280a84a5248457c110500fa3f0e11f755 19-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Do not log to syslog on each login

50e694bddc95b3137b29fa872af4f679feb96964 19-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Formatting changes

86c985481c2fdb1d8996a77576b12bff431c18d5 11-Aug-2013 Michal Zidek <mzidek@redhat.com>

ldap, krb5: More descriptive msg on chpass failure. Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029

08e3f641a8b8d6b5d7eb0b523599702eda960da2 22-Jul-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix warnings: uninitialized variable

d6c2ee96f5f181f21b0003aa8f3506e82522291d 22-Jul-2013 Lukas Slebodnik <lslebodn@redhat.com>

Remove unused memory context from function unpack_authtok

6f6e4408cedaebbfcef61e5adb78ba75abe5839d 17-Jul-2013 Pavel Březina <pbrezina@redhat.com>

print hint about password complexity when new password is rejected https://fedorahosted.org/sssd/ticket/1827

dbf4dd47aa7f314a6a6bb2c8f9bb4ddd09de9e8b 15-Jul-2013 Lukas Slebodnik <lslebodn@redhat.com>

Use conditional build for retrieving ccache. Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older versions of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged into one universal function, which was moved to file src/util/sss_krb5.c

0c0f91311fd2a947992914d8bca644cd1eb4298b 10-Jul-2013 Ondrej Kos <okos@redhat.com>

KRB5_CHILD: Fix handling of get_password return code The switch statement was dead code due to missing case/default.

d673bd397f1ed8239b36a5134bcd29914b11ae72 26-Jun-2013 Lukas Slebodnik <lslebodn@redhat.com>

Do not switch to credentials every time. If a user decides to kinit as another user we do not want to switch back to the user ccache at another login. We will switch to the new ccache if and only if the default principal name is the same as the current principal name, or there is no default ccache. https://fedorahosted.org/sssd/ticket/1936

fa3cdcff460d555f4a4905fb0a2d96be564fc599 26-Jun-2013 Lukas Slebodnik <lslebodn@redhat.com>

Every time return directory for krb5 cache collection. Function krb5_cc_get_full_name is called only as a way to validate that we have the right cache. Instead of the returned name, the location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936

fa4a9c4afcc0c62a693034e21f33356e64735687 25-Jun-2013 Sumit Bose <sbose@redhat.com>

krb5: do not send pac for IPA users from the local domain So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recent patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make its purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995

48a53690ae35ef7e5690eb216c8e33140070f984 25-Jun-2013 Sumit Bose <sbose@redhat.com>

Revert "Always send the PAC to the PAC responder" This reverts commit d153941864fe481399665be8fe583c9317194a99.

1b224723e8db9699835ad58d6f589328f928e14e 17-Jun-2013 Sumit Bose <sbose@redhat.com>

Set default realm for enterprise principals Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931

95332f72acf87e04be6fb70c5dc00cabd14ac97c 17-Jun-2013 Sumit Bose <sbose@redhat.com>

Use principal from the ticket to find validation entry If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT it is better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931

22a21e910fd216ec1468fe769dcc29f1621a52a4 14-Jun-2013 Ondrej Kos <okos@redhat.com>

KRB: Handle preauthentication error correctly https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.

d153941864fe481399665be8fe583c9317194a99 06-Jun-2013 Sumit Bose <sbose@redhat.com>

Always send the PAC to the PAC responder Currently while doing a Kerberos based authentication the PAC was only sent to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain is already evaluated by the PAC responder.

7486dea9f5f7b2a6fbbacc6db740a82140b6377c 20-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixing critical format string issues.
-- missing arguments.
-- format '%s', but argument is integer.
-- wrong format string, example: '%\n'

/sssd-io/src/db/sysdb_idmap.c krb5_child.c krb5_utils.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c
edaa983d094c239c3e1ba667bcd20ed3934be3b8 22-Apr-2013 Sumit Bose <sbose@redhat.com>

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chosen, e.g. are not related to any existing DNS domain. This makes it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if it thinks a different KDC can handle the request or return an error. This feature is also used to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842

274fe6a4f8bcb23e31929430110c0b52e9ce233a 03-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Check for correct variable name https://fedorahosted.org/sssd/ticket/1864

04689cbf9c09d68ed5640919757d4bef292a9c57 03-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

krb5 child: Use the correct type when processing OTP

9acfb09f7969a69f58bd45c856b01700541853ca 02-Apr-2013 Lukas Slebodnik <lslebodn@redhat.com>

Making the authtok structure really opaque. The definition of structure sss_auth_token was removed from header file authtok.h and only the declaration of this structure is left there. Therefore the only way to use this structure is to use the accessor functions from the same header file. To create a new empty authtok only the newly created function sss_authtok_new() can be used. The TALLOC context was removed from copy and setter functions, because the pointer to struct sss_auth_token is used as a memory context. All declarations of struct sss_auth_token variables were replaced with a pointer to this structure and related changes were made in the source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or a zero initialized struct pam_data allocated on the stack. https://fedorahosted.org/sssd/ticket/1830

53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 02-Apr-2013 Lukas Slebodnik <lslebodn@redhat.com>

Reusing create_pam_data() in other places. Function create_pam_data() should be the only way to create a new struct pam_data, because it also initializes the destructor of the created object.

b40583c6d52b72e41bf01106534535e54b4fba4f 08-Mar-2013 Nathaniel McCallum <npmccallum@redhat.com>

Add support for krb5 1.11's responder callback. krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).

c6872e79e8496fd075e20aec0343ade99cca725c 04-Mar-2013 Simo Sorce <simo@redhat.com>

Cleanup error message handling for krb5 child Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.

67dac0a65e9322771d853ee0914c41c30a1c4432 04-Mar-2013 Ondrej Kos <okos@redhat.com>

krb5_child: fix value type and initialization ret was defined as integer, instead of errno_t, and was uninitialized

0a8a06a50e8deaf5b78b1bf4cc99fb571dda7860 28-Feb-2013 Simo Sorce <simo@redhat.com>

Refactor krb5 child The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has become confused and baroque enough that understanding its very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for searching functions across the tree)
- Streamline setup function, by splitting out fast setup in a subroutine.
- Avoid confusing indirection in executing actual functions by not using the krb5_req child_req member.
- Make main() flow now symmetric, send back data from the main function instead of delegating a reply to every inner function that implements a command.
Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back

f7e97d8b7b72f376a7c75dbe184634f38db35567 28-Feb-2013 Simo Sorce <simo@redhat.com>

krb5_child style fix Use the standard 'done' label for exceptions.

64af76e2bef2565caa9738f675c108a4b3789237 10-Jan-2013 Simo Sorce <simo@redhat.com>

Change pam data auth tokens. Use the new authtok abstraction and interfaces throughout the code.

9459006424bb9975b8728c7700605f9b061c791e 19-Nov-2012 Sumit Bose <sbose@redhat.com>

Disable canonicalization during password changes If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615

6ef6612dd9e52c879e536a8b06bfeb4408d337b1 19-Nov-2012 Sumit Bose <sbose@redhat.com>

Just use the service name with krb5_get_init_creds_password() Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.

0f76569b4cecc048974e837c92d4ca806ca3bbac 12-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

Only build extract_and_send_pac on platforms that support it

9e2c64c6d4f5560e27207193efea6536a566865e 29-Oct-2012 Michal Zidek <mzidek@redhat.com>

Include talloc log in our debug facility https://fedorahosted.org/sssd/ticket/1495

/sssd-io/src/monitor/monitor.c /sssd-io/src/providers/data_provider_be.c krb5_child.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/crypto-tests.c /sssd-io/src/tests/fail_over-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/krb5_utils-tests.c /sssd-io/src/tests/refcount-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/responder_socket_access-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/strtonum-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tests/util-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/util/debug.c /sssd-io/src/util/util.h
d3dca30d3a6feba062d0299718d1a9fcdc8b9d17 26-Oct-2012 Sumit Bose <sbose@redhat.com>

krb5_child: send back the client principal In general Kerberos is case sensitive but the KDC of Active Directory typically handles requests case-insensitively. In the case where we guess a user principal by combining the user name and the realm and are not sure about the case of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right case. To be able to update the cached user principal name the krb5_child will return the principal for further processing.

dca03a97f4e1532ee2f2cbd26b1538ab6ccf18f7 26-Oct-2012 Sumit Bose <sbose@redhat.com>

krb5_child: send PAC to PAC responder If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is sent to the PAC responder for evaluation.

916674f6c54a64980f181790befe861a6e2b8daf 26-Oct-2012 Sumit Bose <sbose@redhat.com>

krb5_auth: send different_realm flag to krb5_child The different_realm flag which was set by the responder is sent to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.

c5e4d4e9a3f6896f0f3c631ea26bb49a79b5cd8e 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Only call krb5_set_trace_callback on platforms that support it

e7a24374d97e1d1c32d3e18561a20e8c5e6319ec 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Collect krb5 trace on high debug levels If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539

115cc768599d7df4b3206426652d3e7a3971d597 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Two fixes to child processes There was an unused structure member in the krb5_child. The declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as a parameter.

89cc2dac478c899aaaacb75d7448e3c651723f74 10-Oct-2012 Ondrej Kos <okos@redhat.com>

Add more info about ticket validation https://fedorahosted.org/sssd/ticket/1499 Adds a log message about not finding an appropriate entry in the keytab and using the last keytab entry when validation is enabled. Adds more information about validation to the manpage.

8fe574521b7f8b14e17aea1d9afb471b80761b83 04-Oct-2012 Ondrej Kos <okos@redhat.com>

Log possibly non-randomizable ccache file template fixes https://fedorahosted.org/sssd/ticket/1533 The ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, a warning is written to the log.

6c722d1125ee285d72fb4d7444b8cefc6db33a0b 20-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

KRB5 child: handle more error codes gracefully This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.

383fa7e69136ce27031d7d0b9b9b8e5b0392bfee 20-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

KRB5 child: Don't return System Error on empty password https://fedorahosted.org/sssd/ticket/1310

ea45f80628dfbe75dfba7c37c0cb14acf5af440f 10-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Return PAM_AUTH_ERR on incorrect password https://fedorahosted.org/sssd/ticket/1515

fd2840c15ce480ef017ce880a6ac8b10e22ae9d2 24-Aug-2012 Sumit Bose <sbose@redhat.com>

Use new debug levels in validate_tgt()

d29a9e0bfe54926c057bc1ea3e22269a2f87c15b 24-Aug-2012 Sumit Bose <sbose@redhat.com>

Fix fallback in validate_tgt() To validate a TGT a keytab entry from the client realm is preferred but if none can be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach than suggested in the ticket is used.

2bdb99e3578fa8ff606632d9e7242bc753737752 10-Jul-2012 Jakub Hrozek <jhrozek@redhat.com>

Cast uid_t to unsigned long long in DEBUG messages

951a2082ba1bfe2fec59b06b1f3fdf424d9d75c2 10-Jul-2012 Jakub Hrozek <jhrozek@redhat.com>

Print based on pointer contents not address

bb446567389e894bf4d64a9589606d1951ac7902 09-Jul-2012 Rambaldi <gentoo@xs4me.net>

heimdal: use sss_krb5_princ_realm to access realm

aa2c6f469414668e56aa03d5ba5cecde64bc713e 06-Jul-2012 Stef Walter <stefw@gnome.org>

Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.

a9c8fdfc939813eafceeecf3ec694608868d8000 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Some logging enhancements for krb5_child

6ca87e797982061576885f944e2ccfaba9573897 15-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Auto-detect DIR cache support in configure We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.

95cc3f4be93d3cb5bb28bb3787f0aace4edb3124 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Use Kerberos context in KRB5_DEBUG Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.

9a3ba9ca00e73adc3fb17ce8afa532076768023b 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Add support for storing credential caches in the DIR: back end https://fedorahosted.org/sssd/ticket/974

3ca7450bc821ac37851e92a256d0a2b89f4f2032 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Provide more debugging in krb5_child and ldap_child https://fedorahosted.org/sssd/ticket/1225

727937fb86cfb042063f02fa2a229d236d7f105f 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Two small krb5_child fixes * Allocation check was missing * a DEBUG statement overwrote errno

583f24df86e433589c73a3f112b30676c412b7cd 31-May-2012 Nick Guay <nguay@redhat.com>

added DEBUG messages to krb5_child and ldap_child

4c157ecedd52602f75574605ef48d0c48e9bfbe8 07-May-2012 Stef Walter <stefw@gnome.org>

Limit krb5_get_init_creds_keytab() to etypes in keytab * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375

5b1a798a2a792c74e5f11f744f4f5b663c8b93c3 07-May-2012 Stef Walter <stefw@gnome.org>

Remove erroneous failure message in find_principal_in_keytab * When it's actually a failure, then the callers will print a message. Fine tune this.

4d1a261202d828efc84e3a84d16c30548f29f76d 04-May-2012 Stef Walter <stefw@gnome.org>

If canon'ing principals, write ccache with updated default principal * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518

9d7d4458d94d0aac0a7edf999368eb18f89cb76a 20-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Convert read and write operations to sss_atomic_read https://fedorahosted.org/sssd/ticket/1209

c87a579a23b27e65ae956bc42cf0a247f2ca0baf 06-Apr-2012 Stephen Gallagher <sgallagh@redhat.com>

Clean up log messages about keytab_name There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288

ee6e61781536a0ef34491cea74e91c36ee439df9 06-Mar-2012 Jakub Hrozek <jhrozek@redhat.com>

krb5_child: set debugging sooner

85d8b2567730b236578a1aaeb0139c38dda23304 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Add syslog messages for Kerberos failures https://fedorahosted.org/sssd/ticket/1137

768591607fc89d3a14fa00c9c8f78e83f3f6b565 22-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Add compatibility layer for Heimdal Kerberos implementation

69420a154fc9fb8b04f437125a6a0604b26b1292 19-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Securely set umask when using mkstemp Coverity 12394, 12395, 12396, 12397 and 12398

87c07559af5cfcd2752295ef7c425bd3205f426f 19-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Move child_common routines to util

7dfc7617085c403d30debe9f08d4c9bcca322744 02-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Add support to request canonicalization on krb AS requests https://fedorahosted.org/sssd/ticket/957

4a6a5421113ab662a665c62ed6a24b61a5a36950 28-Sep-2011 Jakub Hrozek <jhrozek@redhat.com>

Multiline macro cleanup This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.

1a7529bf5f867b43e0475f7f9ac0cd8671fb16f1 08-Sep-2011 Pavel Březina <pbrezina@redhat.com>

DEBUG timestamps offer higher precision https://fedorahosted.org/sssd/ticket/956 Added: --debug-microseconds=0/1 Added: debug_microseconds to sssd.conf

89caf5edcc99f5731e89bd51e6ffaad3ec11c304 25-Aug-2011 Pavel Březina <pbrezina@redhat.com>

New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0 Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes the unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so the DEBUG macro could be reduced by one condition. Anyway, it has a minor effect: every time you want to load debug_level from command line parameters, you have to use the following pattern:

    /* Set debug level to invalid value so we can decide if -d 0 was used. */
    debug_level = SSSDBG_INVALID;
    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
    while((opt = poptGetNextOpt(pc)) != -1) {
        ...
    }
    CONVERT_AND_SET_DEBUG_LEVEL(debug_level);

99dd40a885ed3d42af4bbbde7ee2fc98830544d0 25-Aug-2011 Pavel Březina <pbrezina@redhat.com>

New DEBUG facility - conversion https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)

628187049e815ee54637398c8011883d762c8a64 05-May-2011 Jan Zeleny <jzeleny@redhat.com>

Added some kerberos functions for building on RHEL5

8cf1b4183577237d965068d70cd06bd0716aea84 25-Apr-2011 Jan Zeleny <jzeleny@redhat.com>

Allow new option to specify principal for FAST https://fedorahosted.org/sssd/ticket/700

cfd79b92d3813ed53ef51ae2cf93be6287e73a27 25-Apr-2011 Jan Zeleny <jzeleny@redhat.com>

Extend and move function for finding principal in keytab The function now supports finding a principal in the keytab not only based on the realm, but based on both the realm and the primary/instance parts. The function also supports the * wildcard at the beginning or at the end of the primary principal part. The function for finding a principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.

589dd0f6600515926e4e514442c62366db0a62b3 20-Dec-2010 Sumit Bose <sbose@redhat.com>

Fixes for automatic ticket renewal - do not recreate the ccache file when renewing the TGT - use user principal name as hash key instead of ccfile name - let krb5_child return Kerberos error codes

6369396f3b6e87ee8322b7bae9d2901e1a2fa37d 08-Dec-2010 Sumit Bose <sbose@redhat.com>

Fix build issue with older Kerberos library

5843ad321944a028f6dee7e1fd4f9381c4953d07 07-Dec-2010 Sumit Bose <sbose@redhat.com>

Add support for FAST in krb5 provider

263c8d47ca21d3bacd77266613fcc7baab988465 07-Dec-2010 Sumit Bose <sbose@redhat.com>

Refactor krb5_child to make helpers more flexible

1709edfb690bb4ffa4b96c64d08853f47390eda3 03-Dec-2010 Sumit Bose <sbose@redhat.com>

krb5_child returns TGT lifetime

c7d73cf51642c7f89c1f21e54b8ce1b262bef899 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Add krb5_lifetime option

c8b8901b05da9e31dba320f305ec20301e928cfb 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Add krb5_renewable_lifetime option

7470bb938429c7a723f5aad971cc50a805a9ead8 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Check authtok type for krb5 auth and chpass

92ae4a7ef84f05239da1ac2eba0d7a34161da271 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Add a renew task to krb5_child

369983d509540d8289e62675c6cf7009f964abd7 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Send authtok_type to krb5_child

c3593efe68ddee16b810944e5dc808740b14942d 04-Nov-2010 Sumit Bose <sbose@redhat.com>

Add krb5_kuserok() access check to krb5_child

fab9c6a75eaf09e4f5440f4bb530c26009b0ffc7 04-Nov-2010 Sumit Bose <sbose@redhat.com>

Make krb5_setup() public

047332ebbe8397a70c92e5e3a5fbd40a9d00d0b5 23-Sep-2010 Sumit Bose <sbose@redhat.com>

Use new MIT krb5 API for better password expiration warnings

87f2bb60510f31fec012d126411f09a99c72140e 08-Sep-2010 Jan Zeleny <jzeleny@redhat.com>

Dead assignments cleanup in providers code Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586

564d213ea3f0957a3337cd0f1d63e766e16ce6d8 16-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Standardize on correct spelling of "principal" for krb5 https://fedorahosted.org/sssd/ticket/542

f520e7a2f4fe29747f25118621e20b0d89d296fc 14-Jun-2010 Jakub Hrozek <jhrozek@redhat.com>

Remove krb5_changepw_principal option Fixes: #531

fb02f9845f2d734d55973f27c2393148a9dd0838 09-Jun-2010 Sumit Bose <sbose@redhat.com>

Add a missing initializer

a777a485bf73be24404fe3094c3688e604d8cbf8 06-Jun-2010 Sumit Bose <sbose@redhat.com>

Initialize pam_data in Kerberos child.

06c03627c81a5252420931383a68eb67ba551667 26-May-2010 Sumit Bose <sbose@redhat.com>

Handle Krb5 password expiration warning

80c8a4f94d54b23bce206fdd75ff2648977ce271 25-Mar-2010 Stephen Gallagher <sgallagh@redhat.com>

Allow arbitrary-length PAM messages The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432

5096bb4c2242b426aa6f5ea2cb82223e0b81a345 12-Mar-2010 Sumit Bose <sbose@redhat.com>

Add krb5_kpasswd option

6adf5b8a078f2b37f2d3d91cd060b891c2a7efaa 03-Mar-2010 Simo Sorce <ssorce@redhat.com>

Improve safe alignment buffer handling macros Make the counter optional so that alignment safe macros can be used also where there is no counter to update. Change argument names so that they are not deceiving (ptr normally identifies a pointer). Turn the memcpy substitute into an inline function so that passing a pointer to rp and checking for it doesn't make the compiler spit lots of warnings.

7343ee3d775303845e2528c676c59ef3582d6b27 23-Feb-2010 Sumit Bose <sbose@redhat.com>

Handle expired passwords like other PAM modules So far we handled expired passwords during authentication. Other PAM modules typically detect expired passwords during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is changed accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.

953e07b7c43bc9bb7c7616180b1ba1730e22c59a 19-Feb-2010 Sumit Bose <sbose@redhat.com>

Remove unneeded items from struct pam_data

1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt
