History log of /sssd-io/src/util/sss_krb5.h
Revision Date Author Comments Expand
2c10819750a8d920ab755eba1278e6e20e684e93 28-Nov-2017 Sumit Bose <sbose@redhat.com>

krb5: show error message for krb5_init_context() failures If there are typos in /etc/krb5.conf (or one of the included config snippets) krb5_init_context(), the initial call always needed to do any other operation with libkrb5, fails because /etc/krb5.conf cannot be parsed. Currently the related debug/syslog messages might be misleading, e.g. failed to read keytab. This is because SSSD does not use a global krb5 context but creates a fresh one for every new request or operation (to always use the latest settings from /etc/krb5.conf) and typically there is an error message indicating that the related operation failed but not giving more details. Since krb5_init_context() is fundamental for Kerberos support this patch tries to add as much details as libkrb5 provides in the logs if the call fails. Resolves: https://pagure.io/SSSD/sssd/issue/3586 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
1dbf09404e20b6e30a24afe72b6d349734aee62f 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

UTIL: krb5 principal (un)marshalling The KCM responder needs to read the contents of the principal blob that the Kerberos library sends. Since libkrb5 doesn't export any API to do so, we need to implement marshalling and unmarshalling of the principal ourselves. In future, when the KCM server also supports renewals, we will also need to unmarshall the credentials, but until that is not really needed, the credentials will be stored as a blob. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
9a847b5d7dfea403d838274950402cccc36659d0 14-Sep-2015 Sumit Bose <sbose@redhat.com>

utils: make sss_krb5_get_primary() private Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
7bb9ba8688ec1ca930d693eea05e936bc38f6d1b 05-Aug-2015 Sumit Bose <sbose@redhat.com>

krb5 utils: add sss_krb5_realm_has_proxy() Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
5dcf3ffa3aa228701a79556dc0b889dba0aac535 07-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: add wrapper for krb5_kt_have_content() krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
0348c74bad010d35f92400c749a7acc2fea8b2cb 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Move sss_krb5_verify_keytab_ex to ldap_child The function was called from one place only, so it makes no sense to keep it in a shared module. Moreover, the function should only be called from code that runs as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
5ae539828197f032d3e2ccb27e87ccf2a1d94996 29-Sep-2014 Stephen Gallagher <sgallagh@redhat.com>

krb5: make get_primary() a public call This patch changes get_primary() into sss_krb5_get_primary() so it can be used by the AD provider to get the sAMAccountName from the hostname. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
fa0938a6e3cb928602633c3da0b909deb269369d 14-Mar-2014 Lukas Slebodnik <lslebodn@redhat.com>

Use pattern #elif defined(identifier) We had in source code following pattern #elif HAVE_<name> It worked because undefined identifier(in some cases) was evaluated to 0. But we do not care about value of HAVE_SOMETHING. We just need to know whether identifier was defined. There is not equivalent to #ifdef (short for of #if definded) We need to use long form: #elif defined HAVE_<name> It causes also compiler warning with enabled compiler flag -Wundef. Reviewed-by: Pavel Reichl <preichl@redhat.com>
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd-io/src/providers/ldap/sdap_async_sudo_timer.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_fd_events.c /sssd-io/src/providers/ldap/sdap_id_op.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_range.c /sssd-io/src/providers/ldap/sdap_refresh.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h authtok.c backup_file.c check_and_open.c child_common.c crypto/libcrypto/crypto_base64.c crypto/libcrypto/crypto_obfuscate.c crypto/nss/nss_obfuscate.c crypto/nss/nss_util.c debug.c domain_info_utils.c find_uid.c nscd.c server.c signal.c sss_ini.c sss_krb5.c sss_krb5.h sss_ldap.c sss_nss.c sss_selinux.c sss_ssh.c sss_tc_utf8.c user_info_msg.c usertools.c util.c util.h util_lock.c well_known_sids.c
077fa994f62641a13665b6a07d38b3d5a903dcdc 09-Sep-2013 Simo Sorce <simo@redhat.com>

krb5: Remove unused helper functions these functions are not needed anymore. Related: https://fedorahosted.org/sssd/ticket/2061
0dbcc64a5cee58d5fffaaef923302d9c7a951a7d 09-Sep-2013 Simo Sorce <simo@redhat.com>

krb5: Remove unused function Related: https://fedorahosted.org/sssd/ticket/2061
c121e65ed592bf3611053ee38032fd33c8d1b285 09-Sep-2013 Simo Sorce <simo@redhat.com>

krb5: Make check_for_valid_tgt() static check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
aeb1e654c337037b6bdb350e1ec8aaa065e86794 27-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Add support for KEYRING cache type https://fedorahosted.org/sssd/ticket/2036
8340ca480e0fe823441633720d67efc9e4a4bc64 22-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Add new #define for collection cache types Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
dbf4dd47aa7f314a6a6bb2c8f9bb4ddd09de9e8b 15-Jul-2013 Lukas Slebodnik <lslebodn@redhat.com>

Use conditional build for retrieving ccache. Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c
58dd26b1c5b60ee992dd5d1214bb168aebb42d54 27-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Write out domain-realm mappings This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
03713859dffacc7142393e53c73d8d4cf7dee8d5 16-Jun-2013 Pavel Březina <pbrezina@redhat.com>

subdomains: touch krb5.conf when creating new domain-realm mappings https://fedorahosted.org/sssd/ticket/1815
edaa983d094c239c3e1ba667bcd20ed3934be3b8 22-Apr-2013 Sumit Bose <sbose@redhat.com>

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
0f76569b4cecc048974e837c92d4ca806ca3bbac 12-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

Only build extract_and_send_pac on platforms that support it
7219ef88751bb05edd77629b8068330bb6d9b117 26-Oct-2012 Sumit Bose <sbose@redhat.com>

Add replacement for krb5_find_authdata() krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platform with lower version of MIT Kerberos a replacement call is added. Please note that on those platform the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platform it must be implemented by a different patch.
c5e4d4e9a3f6896f0f3c631ea26bb49a79b5cd8e 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Only call krb5_set_trace_callback on platforms that support it
e7a24374d97e1d1c32d3e18561a20e8c5e6319ec 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Collect krb5 trace on high debug levels If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
798a227df11f49147fa43e515910ec11e21e0caa 02-Oct-2012 Pavel Březina <pbrezina@redhat.com>

remove left over principal selection https://fedorahosted.org/sssd/ticket/1303 Domain start up was taking too long when there are many principals in a kerberos keytab. We were looking up in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a left over from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
aa2c6f469414668e56aa03d5ba5cecde64bc713e 06-Jul-2012 Stef Walter <stefw@gnome.org>

Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
f618c95957bea1bcc748df520902518e819bf458 18-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

Fix typo breaking DIR cache detection
6ca87e797982061576885f944e2ccfaba9573897 15-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Auto-detect DIR cache support in configure We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
95cc3f4be93d3cb5bb28bb3787f0aace4edb3124 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Use Kerberos context in KRB5_DEBUG Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
9a3ba9ca00e73adc3fb17ce8afa532076768023b 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Add support for storing credential caches in the DIR: back end https://fedorahosted.org/sssd/ticket/974
f674270b1068e4ad51c80dcd528ae996a4fe99ef 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Residual util functions Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch adds a couple of utilities to support parsing if ccache locations, checking types etc.
4c157ecedd52602f75574605ef48d0c48e9bfbe8 07-May-2012 Stef Walter <stefw@gnome.org>

Limit krb5_get_init_creds_keytab() to etypes in keytab * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 04-May-2012 Jan Zeleny <jzeleny@redhat.com>

Modify behavior of pam_pwd_expiration_warning New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
c87a579a23b27e65ae956bc42cf0a247f2ca0baf 06-Apr-2012 Stephen Gallagher <sgallagh@redhat.com>

Clean up log messages about keytab_name There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
768591607fc89d3a14fa00c9c8f78e83f3f6b565 22-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Add compatibility layer for Heimdal Kerberos implementation
20c187339201a95558a9b237af37b461665d9340 02-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Add wrapper for krb5_get_init_creds_opt_set_canonicalize
628187049e815ee54637398c8011883d762c8a64 05-May-2011 Jan Zeleny <jzeleny@redhat.com>

Added some kerberos functions for building on RHEL5
e81a816cddab4a62f263d1a0274d5d3f101e8e0f 25-Apr-2011 Jan Zeleny <jzeleny@redhat.com>

Modify principal selection for keytab authentication Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
cfd79b92d3813ed53ef51ae2cf93be6287e73a27 25-Apr-2011 Jan Zeleny <jzeleny@redhat.com>

Extend and move function for finding principal in keytab The function now supports finding principal in keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports * wildcard at the beginning or at the end of primary principal part. The function for finding principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
6369396f3b6e87ee8322b7bae9d2901e1a2fa37d 08-Dec-2010 Sumit Bose <sbose@redhat.com>

Fix build issue with older Kerberos library
5843ad321944a028f6dee7e1fd4f9381c4953d07 07-Dec-2010 Sumit Bose <sbose@redhat.com>

Add support for FAST in krb5 provider
047332ebbe8397a70c92e5e3a5fbd40a9d00d0b5 23-Sep-2010 Sumit Bose <sbose@redhat.com>

Use new MIT krb5 API for better password expiration warnings
2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d 03-Aug-2010 Jakub Hrozek <jhrozek@redhat.com>

Validate keytab at startup In addition to validating the keytab everytime a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt

/sssd-io/BUILD.txt /sssd-io/Makefile.am /sssd-io/configure.ac /sssd-io/contrib/sssd.spec.in /sssd-io/src/Makefile.am /sssd-io/src/build_macros.m4 /sssd-io/src/conf_macros.m4 /sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb.h /sssd-io/src/confdb/confdb_private.h /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/confdb/confdb_setup.h /sssd-io/src/config/SSSDConfig.py /sssd-io/src/config/SSSDConfigTest.py /sssd-io/src/config/etc/sssd.api.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ipa.conf /sssd-io/src/config/etc/sssd.api.d/sssd-krb5.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd-io/src/config/etc/sssd.api.d/sssd-local.conf /sssd-io/src/config/etc/sssd.api.d/sssd-proxy.conf /sssd-io/src/config/ipachangeconf.py /sssd-io/src/config/setup.py /sssd-io/src/config/testconfigs/noparse.api.conf /sssd-io/src/config/testconfigs/sssd-badversion.conf /sssd-io/src/config/testconfigs/sssd-invalid-badbool.conf /sssd-io/src/config/testconfigs/sssd-invalid.conf /sssd-io/src/config/testconfigs/sssd-noversion.conf /sssd-io/src/config/testconfigs/sssd-valid.conf /sssd-io/src/config/upgrade_config.py /sssd-io/src/configure.ac /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_private.h /sssd-io/src/db/sysdb_search.c /sssd-io/src/doxy.config.in /sssd-io/src/examples/sssd.conf /sssd-io/src/examples/sssdproxytest /sssd-io/src/examples/sudo /sssd-io/src/external/crypto.m4 /sssd-io/src/external/docbook.m4 /sssd-io/src/external/krb5.m4 /sssd-io/src/external/ldap.m4 /sssd-io/src/external/libcares.m4 /sssd-io/src/external/libcollection.m4 /sssd-io/src/external/libdhash.m4 /sssd-io/src/external/libini_config.m4 /sssd-io/src/external/libldb.m4 /sssd-io/src/external/libpcre.m4 /sssd-io/src/external/libpopt.m4 /sssd-io/src/external/libtalloc.m4 /sssd-io/src/external/libtdb.m4 /sssd-io/src/external/libtevent.m4 /sssd-io/src/external/pam.m4 /sssd-io/src/external/pkg.m4 /sssd-io/src/external/platform.m4 /sssd-io/src/external/python.m4 /sssd-io/src/external/selinux.m4 /sssd-io/src/external/sizes.m4 /sssd-io/src/krb5_plugin/sssd_krb5_locator_plugin.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/m4/.dir /sssd-io/src/man/include/failover.xml /sssd-io/src/man/include/param_help.xml /sssd-io/src/man/include/upstream.xml /sssd-io/src/man/sss_groupadd.8.xml /sssd-io/src/man/sss_groupdel.8.xml /sssd-io/src/man/sss_groupmod.8.xml /sssd-io/src/man/sss_groupshow.8.xml /sssd-io/src/man/sss_useradd.8.xml /sssd-io/src/man/sss_userdel.8.xml /sssd-io/src/man/sss_usermod.8.xml /sssd-io/src/man/sssd-ipa.5.xml /sssd-io/src/man/sssd-krb5.5.xml /sssd-io/src/man/sssd-ldap.5.xml /sssd-io/src/man/sssd.8.xml /sssd-io/src/man/sssd.conf.5.xml /sssd-io/src/man/sssd_krb5_locator_plugin.8.xml /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor.h /sssd-io/src/monitor/monitor_interfaces.h /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/po/LINGUAS /sssd-io/src/po/Makevars /sssd-io/src/po/POTFILES.in /sssd-io/src/po/de.po /sssd-io/src/po/es.po /sssd-io/src/po/fr.po /sssd-io/src/po/it.po /sssd-io/src/po/ja.po /sssd-io/src/po/nl.po /sssd-io/src/po/pl.po /sssd-io/src/po/pt.po /sssd-io/src/po/sss_daemon.pot /sssd-io/src/po/sv.po /sssd-io/src/providers/child_common.c /sssd-io/src/providers/child_common.h /sssd-io/src/providers/data_provider.h /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_backend.h /sssd-io/src/providers/dp_sbus.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over.h /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_access.h /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_common.h /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_timerules.c /sssd-io/src/providers/ipa/ipa_timerules.h /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_utils.h /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap.h /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async.h /sssd-io/src/providers/ldap/sdap_async_accounts.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_private.h /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/providers.h /sssd-io/src/providers/proxy.c /sssd-io/src/providers/sssd_be.exports /sssd-io/src/python/pysss.c /sssd-io/src/resolv/ares/ares_data.c /sssd-io/src/resolv/ares/ares_data.h /sssd-io/src/resolv/ares/ares_dns.h /sssd-io/src/resolv/ares/ares_parse_srv_reply.c /sssd-io/src/resolv/ares/ares_parse_srv_reply.h /sssd-io/src/resolv/ares/ares_parse_txt_reply.c /sssd-io/src/resolv/ares/ares_parse_txt_reply.h /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv.h /sssd-io/src/responder/common/responder.h /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_packet.c /sssd-io/src/responder/common/responder_packet.h /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv.h /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_nc.c /sssd-io/src/responder/nss/nsssrv_nc.h /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv.h /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sbus_client.h /sssd-io/src/sbus/sssd_dbus.h /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_private.h /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/common.c /sssd-io/src/sss_client/group.c /sssd-io/src/sss_client/man/pam_sss.8.xml /sssd-io/src/sss_client/pam_sss.c /sssd-io/src/sss_client/pam_test_client.c /sssd-io/src/sss_client/passwd.c /sssd-io/src/sss_client/protos.h /sssd-io/src/sss_client/sss_cli.h /sssd-io/src/sss_client/sss_nss.exports /sssd-io/src/sss_client/sss_pam.exports /sssd-io/src/sss_client/sss_pam_macros.h /sssd-io/src/sysv/SUSE/sssd /sssd-io/src/sysv/sssd /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/check_and_open-tests.c /sssd-io/src/tests/common.c /sssd-io/src/tests/common.h /sssd-io/src/tests/fail_over-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/find_uid-tests.c /sssd-io/src/tests/ipa_ldap_opt-tests.c /sssd-io/src/tests/ipa_timerules-tests.c /sssd-io/src/tests/krb5_utils-tests.c /sssd-io/src/tests/python-test.py /sssd-io/src/tests/refcount-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/stress-tests.c /sssd-io/src/tests/strtonum-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h backup_file.c check_and_open.c crypto_sha512crypt.c debug.c dlinklist.h find_uid.c find_uid.h memory.c nss_sha512crypt.c refcount.c refcount.h server.c sha512crypt.h signal.c signal.m4 sss_krb5.c sss_krb5.h sss_ldap.c sss_ldap.h strtonum.c strtonum.h user_info_msg.c user_info_msg.h usertools.c util.c util.h