677a31351c80453d9ce006481364399a96312052 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in responder/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
177ab84f0e336b75289a3ac0b2df25bd5ab5198b |
|
13-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
pam: filter certificates in the responder not in the child
With the new selection option and the handling of multiple certificates
in the PAM responder, it is not needed anymore to filter the certificates
in p11_child; the matching rules can be applied by the PAM responder
directly.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com> |
fd6f4047b58686bd4057c9859c3c804a77b136d8 |
|
13-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: allow missing logon_name during certificate authentication
If only one certificate is available and the logon_name of the user is
not given, the PAM responder already tried to find the name during the
pre-auth step. With multiple certificates this might cause useless extra
effort and the name should be determined after the certificate is
selected in the authentication step. This might currently only happen
with GDM because all other PAM clients will prompt for the user name
unconditionally.
New unit tests are added to cover this new case.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com> |
0bdd8800c16f39b8fe308d20694ad905c669dff3 |
|
13-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: handled multiple certs in the responder
This patch refactors the handling of the certificate and the attributes
to address the certificate on the Smartcard (module name, token name and
key id). Instead of using individual variables the values are put into a
new struct cert_auth_info. Since the new struct can be used as a list
the PAM responder can now handle multiple certificates on the Smartcard
and can send the needed data to pam_sss with multiple SSS_PAM_CERT_INFO
messages.
Unit tests are added to confirm the expected behavior.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com> |
82464078c0d38421b788393838ebfa401aa1391e |
|
09-Oct-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
PAM: Avoid overwriting pam_status in _lookup_by_cert_done()
In case add_pam_cert_response() failed pam_status has to be set to
PAM_AUTHINFO_UNAVAIL. Although it's done properly in the code,
pam_status was overwritten just after the if block with PAM_SUCCESS.
The original faulty code was added as part of 32474fa2f0.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
49d24ba630544632e29ed397627c97352523165d |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
PAM: Export original shell to tlog-rec-session
Add exporting of original user shell (as returned by NSS) as an
environment variable for use by tlog-rec-session, when session recording
is enabled for the user. This lets tlog-rec-session start the actual
user shell, after tlog-rec-session is started in its place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
1b3ca692bb8f93b87703447904bda80d45a75835 |
|
11-Jul-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: make sure the files provider uses the right auth provider
Only the 'local' provider will use the 'local' auth provider, for all
other id providers the configured auth provider in the backend should
be checked.
Resolves https://pagure.io/SSSD/sssd/issue/3447
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
32474fa2f0a6dc09386bab405fc3461cb3dd12ac |
|
01-Jun-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: send user name hint response when needed
If the PAM client didn't send a user name and promtusername is enabled,
the PAM responder will tell pam_sss to ask for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
6073cfc40747cd6d3142f0f98b880fc390dd7aad |
|
01-Jun-2017 |
Sumit Bose <sbose@redhat.com> |
add_pam_cert_response: add support for SSS_PAM_CERT_INFO_WITH_HINT
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
29d063505c07127f7747405b1a61d8f782673645 |
|
23-May-2017 |
Sumit Bose <sbose@redhat.com> |
pam: properly support UPN logon names
Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start() and hence the UPN is not seen by
SSSD's pam responder. But some like e.g. gdm don't and authentication
might fail if a UPN is used.
The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.
Resolves https://pagure.io/SSSD/sssd/issue/3240
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
92d8b072f8c521e1b4effe109b5caedabd36ed6f |
|
04-May-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: check matching certificates from all domains
Although the cache_req lookup found matches in multiple domains, only
the results from the first domain were used. With this patch the results
from all domains are checked.
Resolves https://pagure.io/SSSD/sssd/issue/3385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3e789aa0bd6b7bb6e62f91458b76753498030fb5 |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Add application services
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
cee85e8fb9534ec997e5388fce59f392cf029573 |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CACHE_REQ: Domain type selection in cache_req
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.
Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.
At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6c |
|
10-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: allow multiple users mapped to a certificate
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c99bcc91e58988ff37403d362d4322469413c2ff |
|
03-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: Improve debugging on smartcard creds forward
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
ed891c0c55985cd25de05f65e82debf4452987e1 |
|
03-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
PAM: Use cache_req to perform initgroups lookups
The PAM responder has already been taking advantage of the cache_req
interface, so this patch just replaces some code that performs
initgroups lookups with calls to cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
52f45837ded98564968da42229b37db6a36ad627 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
p11: return name of PKCS#11 module and key id to pam_sss
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
82c5971fafe6063a90289ebba08035fc49ae8590 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: forward Smartcard credentials to backends
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f561c2bd3c72631ccb7ad6d0b5f6541b27b0922d |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: store user object in the preq context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87d85db07bdd39081f558e2f7e891cc0065e3a0a |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
responders: remove checks that are handled inside cache_req
Those checks were redundant, since they are already part of cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b206e1abb7f6ea373d12537b3338552aed6b656d |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: encapsulate output data into structure
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains a combination of domain and ldb_result.
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ce43f710c9638fbbeae077559cd7514370a10c0c |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_response_filter option
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c8fe1d922b254aa92e74f428135ada3c8bde87a1 |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add a test for filter_responses()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4169fb26ea2ff93c19ecdad6e09382732ea5deeb |
|
20-Oct-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: switch to new code
This patch switches the old switch-based cache req code to
the new plugin-based code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5cda8428d23266aaaf4d7cddba50311202365c16 |
|
08-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Do not act on ldb_message in case of a failure
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9b8fcf685c5ca70a5067a621385bcdc8d9fd6469 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: Fix domain for UPN based lookups
Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3381d9736b698d6111d10e219a0b5b898a4c757c |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: continue with UPN/email search if name was not found
Currently we only search for UPNs if the domain part of the name was not
known. With Kerberos aliases and email addresses we have to do this even
if the domain name is a known domain.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Use qualified names internally in the PAM responder
The name is converted from whatever we receive on input to the internal
format before processing the data further.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4f3a9d837a55b49448eca3c713c85a406207e523 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Make the client context more generic
This is useful to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use talloc_get_type to check they are of the right type.
This also allows storing a per-responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8110a8e2369e49c288ede1473657be9451a244e5 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing ncache from pam_ctx
This patch switches ncache from pam_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
beb07d2f45856d4f3135f173cce551a2aa878f57 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from pam responder
It removes the neg_timeout parameter from struct pam_ctx. The timeout is
handled by the context of the negative cache internally.
This patch additionally removes neg_timeout from struct cache_req_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0393f0d44ac92035de29a8bc8b2005db6d90b640 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
NEGCACHE: Removing timeout from sss_ncache_check_*
It removes the timeout parameter from the check functions of the negative cache.
The timeout is set by the init function and it is handled internally.
API change:
  * int sss_ncache_check_...(struct sss_nc_ctx *ctx,
                             int ttl,            <----- timeout vanished
                             struct sss_domain_info *dom,
                             ...);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4180d485829969d4626cc7d49d2b5f7146512f21 |
|
17-Feb-2016 |
Pavel Reichl <preichl@redhat.com> |
PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6499d0b915209b670f8e337c4fe76a8be9fa6576 |
|
28-Jan-2016 |
Simo Sorce <simo@redhat.com> |
Util: Improve code to get connection credentials
Adds support to get the SELINUX context and makes the code more abstract so
that struct ucred (if available) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come in handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
544a20de7667f05c1a406c4dea0706b0ab507430 |
|
26-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification easier, it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4b12be504e20173e0629835818e4db6a9617a9a4 |
|
12-Nov-2015 |
Pavel Reichl <preichl@redhat.com> |
pam-srv-tests: Add UT for cached 'online' auth.
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 |
|
23-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
util: Update get_next_domain's interface
Update get_next_domain to be able to include disabled domains and change
the interface to accept flags instead of multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b1bc8836c82290238cf3bb32b27686d25e6226a8 |
|
20-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: remove unused parameter cdb
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2e76b32e74abedb23665808bacc73cafd1097c37 |
|
02-Oct-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: only allow missing user name for certificate authentication
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d85be8ad409c9efa9cf9e9ab6f9c2d911b01e5c1 |
|
23-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
PAM: Make p11_child timeout configurable
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
9da121c08b785b56733a11fa46e14c708dda62e9 |
|
17-Aug-2015 |
Michal Židek <mzidek@redhat.com> |
pam: Increase p11 child timeout
Ticket:
https://fedorahosted.org/sssd/ticket/2746
It was often timing out on CI machines.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a8d887323f83984679a7d9b827a70146656bb7b2 |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: add certificate support to PAM (pre-)auth requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4 |
|
06-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Only cache first-factor
Reviewed-by: Sumit Bose <sbose@redhat.com> |
0aa18cc0bf3447ca734476926724f1632e160807 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: authenticate against cache
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
sysdb: new attribute lastOnlineAuthWithCurrentToken
Introduce new user attribute lastOnlineAuthWithCurrentToken.
This attribute behaves similarly to lastOnlineAuth but is set to NULL
after password is changed.
This attribute is needed for the use case where cached authentication is used,
to request online authentication after the password is changed locally.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
219f5b698fa72c0d5a8da2b0dd99daec3f924c94 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
2FA offline auth
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
Add pre-auth request
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ea98a7af0584d7667b6c07c19a4b22942c94ca5d |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
pam: handle 2FA authentication token in the responder
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8 |
|
13-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: use the logon_name as the key for the PAM initgr cache
Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.
The logon_name member of the pam_data struct contains the name which was
sent by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c5290f2175845f2c5e3f35ce279b6f52b1d51275 |
|
27-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: check return value of confdb_get_string
Coverity found this neglect.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bdc2aced1185c4ee36921fa01b8dc01789a63900 |
|
25-Feb-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: print the pam status as string, too
In several places, let's add a pam_strerror() call so that it's easier
to debug user problems.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> |
f3c2dc1f9ccdf456fd78ed96197b9bf404cc29fc |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: warn all services about account expiration
If pam_verbose is above one, then output a warning about account
expiration for all services.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e039f1aefecc65a7b3c2d4a13a612bff1dd367c8 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: new option pam_account_expired_message
This option sets the string to be printed when authenticating using SSH
keys and the account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a61d6d01a4e89ec14175af135e84f1cac55af748 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: do not reject abruptly
If account has expired then pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fa0a9bad84d060a1adf8dd44f35d366e14f54d58 |
|
18-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
RESPONDERS: Warn to syslog about colliding objects
Resolves:
https://fedorahosted.org/sssd/ticket/2203
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0453f1a262aadffec2574f93faf28b339d5ed394 |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Domain names are case-insensitive
The pam_public_domains option and matching the domain requested by a
trusted process was done in a case-sensitive manner which is different
from how we match domain names in SSSD normally.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
ff7481ff6f75d92470cff56632ad06ff7f10e895 |
|
25-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Move is_uid_trusted from pam_ctx to preq
Keeping a per-request flag in a global structure is really dangerous.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fb106682e0277955e203ad074a368ddeb121fed3 |
|
25-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Check for trusted domain before sending the request to BE
https://fedorahosted.org/sssd/ticket/2501
Moving the checks to one place has the advantage of not duplicating
security decisions. Previously, the checks were scattered all over the
responder code, making testing hard.
The disadvantage is that we actually check for the presence of the user,
which might trigger some back end lookups. But I think the benefits
outweigh the disadvantage.
Also only check the requested domains from a trusted client. An untrusted
client should simply have no say in what domains he wants to talk to, it
should ignore the 'domains' option.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ca92e649ed6501c225782f59914a2c506026c10c |
|
24-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Make pam_forwarder_parse_data static
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
c2788a00c49b14fc56690af93dc1ac60d6ee6c70 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
pam: make pam responder aware of views
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
95ef1bd1c06163492e285fa9d8e2fa81f99d39d2 |
|
01-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
pam: sub-domain authentication fix
With a recent patch sysdb_getpwnam() was replaced by
sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave
differently with respect to sub-domain users. As a consequence the PAM
responder was not able to resolve users from sub-domains. This patch
reverts this change and uses sysdb_getpwnam() again.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
663fd9bcdcc6b299785ba3434532cd7e6c462bff |
|
29-Sep-2014 |
Daniel Gollub <dgollub at brocade.com> |
PAM: Add domains= option to pam_sss
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
830ded27453015080a54d6ba85fd4999ee7e9af1 |
|
29-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
PAM: new options pam_trusted_users & pam_public_domains
pam_trusted_users option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
899d1bdc048cd74518170d7d9535d76d3f46d4af |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM, NSS: allow UPN login names
With this patch the NSS and PAM responders can handle user principal
names besides the fully qualified user names.
User principal names are built from a user name and a domain suffix
separated by an '@' sign. But the domain suffix does not necessarily have
to be the same as the configured domain name in sssd.conf or the
dynamically discovered DNS domain name of a domain. The typical use case
is an Active Directory forest with lots of different domains. To not
force the users to remember the name of the individual domain they
belong to, the AD administrator can set a common domain suffix for all
users from all domains in the forest. This is typically the domain name
used for emails, to make it even easier for the users to remember it.
Since SSSD splits name and domain part at the '@' sign and the common
domain suffix might not be resolvable by DNS or the given user is not a
member of that domain (e.g. in the case where the forest root is used as
common domain suffix) SSSD might fail to look up the user.
With this patch the NSS and PAM responder will do an extra lookup for a
UPN if the domain part of the given name is not known or the user was
not found and the login name contained the '@' sign.
Resolves https://fedorahosted.org/sssd/ticket/1749 |
17c4d901ecf62fa9d641d46c9e92032b0deaaa36 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM: remove ldb_result member from pam_auth_req context
This member was used only in a single call where a local variable suits
better. |
cda952ca3e00d324c7e53eeaeda394eb0d142818 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM: extract checks from parsing routines
This patch saves the original name given at a login prompt and sent to
the PAM responder in the logon_name member of the pam_data struct for
later use.
Additionally it separates the parsing of the data sent by the PAM client
from the checks of this data.
0fcc9ed1c66bed7ef3a0bcd6c517280a82391d2b |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Use the override_space option
https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows logging
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                     SSSDBG_FATAL_FAILURE
                     SSSDBG_CRIT_FAILURE
                     SSSDBG_OP_FAILURE
                     SSSDBG_MINOR_FAILURE
                     SSSDBG_CONF_SETTINGS
                     SSSDBG_FUNC_DATA
                     SSSDBG_TRACE_FUNC
                     SSSDBG_TRACE_LIBS
                     SSSDBG_TRACE_INTERNAL
                     SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                     ^
                     (
                         .*
                         \b
                         (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                         \s*
                         \(\s*
                     )(
                         [0-9]
                     )(
                         \s*,
                     )
                     (
                         \s*
                     )
                     (
                         .*
                     )
                     $
                 /
                     $repl = $1.$map[$3].$4.$5.$6,
                     length($repl) <= 80
                         ? $repl
                         : $1.$map[$3].$4."\n".(" " x length($1)).$6
                 /xmge;
                 print $text;
        ' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b7f47840ab580833d3747881e1d0348fd154e8f0 |
|
03-Dec-2013 |
Michal Zidek <mzidek@redhat.com> |
responder: Use SAFEALIGN macro when checking pam data validity.
resolves:
https://fedorahosted.org/sssd/ticket/1359 |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
0e65abe5cf2abf5d4b431cf6bd161b419f07901d |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: size_t |
8f1ba6b89634aebdb7fa2dff72aeed9b3058c765 |
|
22-Aug-2013 |
Michal Zidek <mzidek@redhat.com> |
pam: Bad debug message format and parameter. |
efa8ca8cea5fb6153a42799544ab45fc96bc7ea5 |
|
08-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Set negcache if user is not found after provider check |
ddbe6bc5595767e52a3893355515fc260b8f4be4 |
|
08-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Check negcache when searching for fully qualified users, too |
680ddbdf8478f26cbb5efc9b712ea35714e089ba |
|
29-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused memory context |
3df593099ecb4b7570548bc14ca58960f79bc9b2 |
|
18-Jul-2013 |
Ondrej Kos <okos@redhat.com> |
Do not try to set password when authtok_length is zero
https://fedorahosted.org/sssd/ticket/1814
When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine the length of the
passed string by itself and would read parts of the DBus message beyond the
boundaries of the authtok. |
7486dea9f5f7b2a6fbbacc6db740a82140b6377c |
|
20-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fixing critical format string issues.
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, example: '%\n' |
4668b4765530cf37289235e483f301100cc1ae21 |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Remove unused TALLOC_CTX from responder_get_domain()
Recent refactoring removed the need to copy the domain info data of
sub-domains because the related objects will not be removed from memory
anymore. |
a28391f68a09eaedbe1a515f513ca56bbb94d7a5 |
|
08-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Allocate PAM DP request data on responder context
https://fedorahosted.org/sssd/ticket/1869
Currently the private data passed to the PAM request is a structure
allocated on the client context. But in the odd case where the back end
would be stopped or stuck until the idle timeout hits, the DP callback
would access data that were freed when the client timed out.
This patch introduces a new structure allocated on responder context,
whose only purpose is to live as long as the request is active. |
9acfb09f7969a69f58bd45c856b01700541853ca |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Making the authtok structure really opaque.
The definition of struct sss_auth_token was removed from the header file
authtok.h; only the declaration of this structure is left there.
Therefore the only way to use this structure is through the accessor
functions from the same header file.
A new empty authtok can only be created with the newly added function
sss_authtok_new(). The TALLOC context was removed from the copy and setter
functions, because the pointer to struct sss_auth_token is used as the
memory context.
All declarations of struct sss_auth_token variables were replaced with
pointers to this structure and the related changes were made in the source code.
The function copy_pam_data can copy from an argument src which was either
dynamically allocated with create_pam_data() or is a zero-initialized
struct pam_data allocated on the stack.
https://fedorahosted.org/sssd/ticket/1830 |
53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Reusing create_pam_data() on the other places.
Function create_pam_data() should be the only way to create a new
struct pam_data, because it also initializes the destructor of the
created object. |
b42bb7d9dbf9a4c44a03e7bf1bab471a8a85e858 |
|
19-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Move SELinux processing to provider.
The SELinux processing was distributed between provider and
pam responder which resulted in hard to maintain code. This
patch moves the logic to provider.
IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because
the provider also writes the content of selinux login
file to disk (which was done by responder before).
https://fedorahosted.org/sssd/ticket/1743 |
6d678b590c0fca3f942e6ab1e4b6156d478a97e9 |
|
04-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Use the same dbg level for all ncache hits.
We used different debug levels for messages informing
about negative cache hits (old levels 2,3,4). Now it is
only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c
and proposed in the ticket below).
https://fedorahosted.org/sssd/ticket/1771 |
24a913f47cc883903fbc71e180250da2530eba4a |
|
26-Feb-2013 |
Pavel Březina <pbrezina@redhat.com> |
if selinux is disabled, ignore that selogin dir is missing
https://fedorahosted.org/sssd/ticket/1817 |
0232747f04b650796db56fd7b487aee8a96fab03 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Add function get_next_domain()
Use this function instead of explicitly calling domain->next
This function allows getting the next primary domain or descending into the
subdomains, and also replaces get_next_dom_or_subdom() |
740870643f337ce70d85f25f9ed057cd1f91028c |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb selinux functions |
74ac1c2834cd8961ed9e7cadcfe28b113bffe4de |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_cache_auth() |
3f94d6718d44185137e13b6d326dfd63e8dc61c6 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_user_attr() |
58fd3aa25c5292bc67432647ab7e5059439fcc6d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain to sysdb_get<pw/gr>nam() functions
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not. |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
c83e409297711e6012a164cc929c758a3f38e9b9 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Code can only check for cached passwords
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface. |
8d9e0547a864cee05ab36bc988300c0cfa986025 |
|
19-Nov-2012 |
Simo Sorce <simo@redhat.com> |
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one
domain are saved in the database; with the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with a subdomain user or vice versa. |
6c7584a32899bf573f62cf8c3fb37410a8ec05bb |
|
12-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails |
a97f6203967b801d666ac686cdb7c76a7dfe55a9 |
|
02-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Do not leak fd after SELinux context file is written
https://fedorahosted.org/sssd/ticket/1619
We don't close the fd when we write the selinux login file in the pam
responder. This results in a fd leak. |
1542b85f13d72329685bdd97aa879c36d11f81be |
|
01-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add new option default_domain_suffix |
ebb1f28998c06984765e3e78d30911c1c3ec84e2 |
|
13-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether |
3d038d2e0dc7af04ec2f7c85ae325accb39f6237 |
|
04-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Check if the SELinux login directory exists
https://fedorahosted.org/sssd/ticket/1492 |
f004e23af14fe020d81b8f97f30b448105b79606 |
|
16-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only create the SELinux login file if there are mappings on the server
https://fedorahosted.org/sssd/ticket/1455
In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.
The IPA default must be only used if there *are* rules on the server,
but none matches. |
79402313dc0d7f854b4334dd427e03b7baf0b9db |
|
16-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not try to remove the temp login file if already renamed
write_selinux_string() would try to unlink the temporary file even after
it was renamed. Failure to unlink the file would not be fatal, but would
produce a confusing error message.
Also don't use "0" for the default fd number, that's reserved for stdin.
Using -1 is safer. |
af824bac568ebe8a03273f73246ac78b415ea756 |
|
16-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Build SELinux code in responder conditionally
https://fedorahosted.org/sssd/ticket/1480 |
39b20025db12d88cd564666b3de0dbe0ce09ff2c |
|
01-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix bad check |
300c772767c1b12077cac1d148ac89738b058f97 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Write SELinux config files in responder instead of PAM module |
7016947229edcaa268a82bf69fde37e521b13233 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder. |
5266c7472ffb94504b8249310aee5c8a5511a922 |
|
18-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Fix off-by-one-error in the SELinux session code |
8bbf89c5ab798c112773fe23515c3a9df56dde71 |
|
18-Jul-2012 |
Nick Guay <nguay@redhat.com> |
Fix uninitialized values
https://fedorahosted.org/sssd/ticket/1379 |
538006b5ebead2198a2ca7aa082873c772472a99 |
|
25-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
SELinux user maps: pick just one map
This patch modifies behavior of SSSD when putting together content of
the file for pam_selinux. SSSD will now pick only the first user map in
the priority list which matches the user logging in. Other maps are
ignored.
https://fedorahosted.org/sssd/ticket/1360 |
065771c9859df9c4137daa5187be3aa5633b3cd5 |
|
21-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Fix re_expression matching with subdomains
This patch fixes an issue which resulted in a need to initialize the
responder with data from the local domain, otherwise it would not correctly
detect requests for subdomains. A similar situation can occur if a new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name. |
3c60433641ce2e86b9b04778c8f8652ef0d097e4 |
|
13-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Make re_expression and full_name_format per domain options
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663 |
d1b9cd8de7b10f5d54501aace8731db9abbcc0b1 |
|
10-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
PAM: Better pam_reply message |
bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 |
|
04-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
applied at all - if the backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider. |
8aec6ca927c4cb08933d3725447765d08553c4de |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Send PAM requests for subdomains to the right provider |
6fdde3913a11cd6148627696fa8717c34e8460fc |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modified responder_get_domain()
Now it checks for subdomains as well as for the domain itself |
bd09ead65cded3207cf228c44a31bbc87c2979bd |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Prevent printing NULL from DEBUG messages |
b7b50b21d2254a079b1b1c299909483d23db1512 |
|
29-Feb-2012 |
Sumit Bose <sbose@redhat.com> |
Remove sysdb_get_ctx_from_list() |
3bea01f01d76e1e95a8239c0d3f67073992136a1 |
|
22-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Don't give memory context in confdb where not needed |
2a283b7f55508f05e58e61490208b8464731dc40 |
|
10-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only fetch SELinux string if the user is found |
45fea2d9ec14f49d6d88b28958b28d580d7116b3 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
SELinux support in PAM responder |
ab2d04a1c6c8b2a618813f3e066de0e2b07f44e9 |
|
27-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Do not overwrite ret |
9d1d6019a27a0ed70a665700a9f6acc55f874811 |
|
23-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Fix bugs in sss_dp_get_account_int
The conversion to the tevent_req style introduced numerous bugs
related to memory management of the various client requests. In
some circumstances, this could cause memory corruption and
segmentation faults in the NSS responder. This patch makes the
following changes:
1) Rename the internal lookup from subreq to sidereq, to indicate
that it is not a sub-request of the current lookup (and therefore
is not cancelled if the current request is).
2) Change the handling of the callback loops since they call
tevent_req_[done|error], which results in them being freed (and
therefore removed from the cb_list). This was the source of the
memory corruption that would occasionally result in dereferencing
an unreadable request.
3) Remove the unnecessary sss_dp_get_account_int_recv() function
and change sss_dp_get_account_done() so that it only frees the
sidereq. All of the waiting processes have already been signaled
with the final results from sss_dp_get_account_int_done() |
0c7aa697991ea9df960fae14fd567ebdda3b4ff4 |
|
21-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Extend sss_dp_account_send() to include extra data
Some NSS maps such as 'services' require more values to be passed
to the data provider than just the name or ID. In these cases, we
will amend an optional component to the filter value to pass to the
data provider backend. |
6e24ec9a44cd78cfc6aedc2eff6bfa5e82202411 |
|
18-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Fix reversed logic |
c7d387aaaa3d3470dec55a5ca0612873e6354ba8 |
|
21-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
sss_get_cased_name utility function |
d844aab866ae237844360cea70e2dccdc90c783d |
|
20-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
PAM: make initgroups timeout work across multiple clients
Instead of timing out the initgroups lookup on a per-cctx basis,
we will maintain a hash table of recently-seen users and use this
instead. This will allow SSSD to handle users logging into
multiple services simultaneously more graciously, as well as
playing nicer with SSH (which makes calls to PAM both before and
after a fork).
https://fedorahosted.org/sssd/ticket/1063 |
b3b42c49656e192787a983aaa8b9ec744ba4cb9d |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in responders |
df5adbad4f5e938a000aee6527628ad63a0bd4c3 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Canonicalize username in PAM provider |
247a7056af42fc50bbc896cddb66a60154ca12e9 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Responders: Split getting domain by name into separate function |
d22a6b9feb74bd630ab25dd6c32da6ae88b4fc33 |
|
05-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Ignore NULL-terminator when checking UTF8-validity
Glib fails if the NULL-terminator is included when a length is
specified. |
069a5fe72d38f8e15b4416992453ac41a425ce9a |
|
29-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Refactor DP requests into tevent_req style |
872f2d32d979a1dd2145667487f170fec8b5189a |
|
18-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Ensure that all input strings are valid UTF-8 |
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: memory context deleted
This patch deletes the memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well. |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
7d81ad0206e14c298a6e0fe194a2442fe0cb5d6a |
|
04-Aug-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Allow LDAP to decide when an expiration warning is warranted"
This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6. |
b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6 |
|
01-Aug-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow LDAP to decide when an expiration warning is warranted
Previously, we were only displaying expiration warnings if the
password was going to expire within a day. We'll allow LDAP to
make this decision (by whether it passes us the expiration time).
In the future, we can add an option to clamp this down to a
shorter period if the local admin prefers it. |
df33bc1ede96f57f2b8be1fa6f8a1f7451bf051f |
|
08-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix unchecked return values of pam_add_response
https://fedorahosted.org/sssd/ticket/798 |
2f21344ef45ffa9327346037da0c65731734d747 |
|
21-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Perform initgroups lookups for all domains
Previously, we were setting the client context PAM lookup timeout
after the first domain replied. However, if the user wasn't a
member of the first domain, their information wasn't being
updated.
This patch ensures that we only set this timeout after the user
has been found or all domains were searched. |
aab009992cc8fbc66d5c07ff501b6788144afe61 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Perform initgroups lookup for PAM
Previously we were only looking up the user, but we need to make
sure that all groups are available for use by access providers. |
e9691a80bc55e5545ab8cfe1103407d27c965db1 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Use DEFAULT_PAM_VERBOSITY if config value cannot be retrieved |
67aa400d9ce91705225e51010e832877511cb7d4 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add pam_pwd_expiration_warning config option |
f15683b4b100351e24e305d25bd4785c79ac8f55 |
|
11-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Validate user supplied size of data items
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>. |
c71ff1e4615ec8560b90ca7d4827d99424ad0355 |
|
22-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749 |
7da6ae5558059218d660d879057f6e39864c3493 |
|
22-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Ensure ID is checked in all domains for PAM
Previously, this was initialized to zero, so the first domain in
the list wouldn't be checked for ID updates in
pam_check_user_search. This initializes the first domain to check
the provider. |
28a8ae09e78f145aa24f53a8997a4232b4d64587 |
|
14-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Eliminate possible NULL-dereference in pam_check_user_search
https://fedorahosted.org/sssd/ticket/719 |
d2d23847f879712d6e191134018a8bff70a5e2ab |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for server-side pam response messages |
9468a58f9bd191ef80c114943a288037c635a835 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date. |
4b498111c49b254e9aa5e2b0d4fcc1ba24a04236 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Avoid long long in messages to PAM client, use int64_t |
6d65f4d78567cdcab9b0ab52e1f08ad054278cc7 |
|
17-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Honor filter_users in PAM |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_getpwnam |
d8d877a5fcde1defdd1a438df020e087339873a0 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
Remove remaining use of sysdb_transaction_send |
c38706faa07a380c542cd1bda3ee54edfaf275d4 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_cache_auth |
506d34d2e84268c6589f613de0cb3992b8fb87a6 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_set_entry/user/group_attr |
f8c6a449412c6d5aa86609584fe4e530fd51a4b1 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Store lastLogin attribute when authenticating online |
953e07b7c43bc9bb7c7616180b1ba1730e22c59a |
|
19-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Remove unneeded items from struct pam_data |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |