History log of /sssd/src/providers/ad/ad_gpo.c
Revision Date Author Comments
b9941359b3181c42f415530d5ccad0f4664d85fa 21-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

b1a8b4a1291529367b46c79eb02448eced3bf8d2 11-Aug-2016 Michal Židek <mzidek@redhat.com>

gpo: gPCMachineExtensionNames with just whitespaces

Resolves: https://fedorahosted.org/sssd/ticket/3114

We failed GPO processing if the gPCMachineExtensionNames attribute contained just whitespaces. This caused failures in some server settings.

Comment from Alexander Bokovoy quoting:

You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when processing gPCMachineExtensionNames, "Group Policy processing terminates at the first <CSE GUIDn> out of sequence." Since ' ' (space only) does not fall into defined syntax for gPCMachineExtensionNames, this Group Policy processing is stopped and its CSE GUIDs are set to 'empty list'.

Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field.

Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the GPO to pass through the Filtered GPO list. Thus, the GPO would be ignored.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

44656ce260030556820c4b6be519e66ffdacb408 25-Jul-2016 Sumit Bose <sbose@redhat.com>

AD: netlogon_get_domain_info() allow missing arguments and empty results netlogon_get_domain_info() should not fail if not all parameters can be retrieved. It should be the responsibility of the caller to see if the needed data is available and act accordingly. Resolves: https://fedorahosted.org/sssd/ticket/3104 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

21a28c92d56a0fa3b62a951eb64bf0c48034fe5e 22-Jun-2016 Michal Židek <mzidek@redhat.com>

GPO: ignore non-KVP lines if possible Ticket: https://fedorahosted.org/sssd/ticket/2751 Non-KVP break GPO processing. They are used for values we are not interested in so it is safe to ignore them. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd/Makefile.am /sssd/src/p11_child/p11_child_nss.c ad_access.c ad_gpo.c ad_gpo_child.c ad_srv.c ad_subdomains.h /sssd/src/providers/backend.h /sssd/src/providers/be_dyndns.c /sssd/src/providers/be_ptask.c /sssd/src/providers/be_refresh.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_callbacks.c /sssd/src/providers/data_provider_fo.c /sssd/src/providers/ipa/ipa_auth.h /sssd/src/providers/ipa/ipa_dyndns.h /sssd/src/providers/ipa/ipa_subdomains.h /sssd/src/providers/ipa/selinux_child.c /sssd/src/providers/krb5/krb5_auth.h /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_common.c /sssd/src/providers/krb5/krb5_common.h /sssd/src/providers/ldap/ldap_access.c /sssd/src/providers/ldap/ldap_child.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/sdap.h /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_access.h /sssd/src/providers/ldap/sdap_async.h /sssd/src/providers/ldap/sdap_async_sudo.c /sssd/src/providers/ldap/sdap_autofs.c /sssd/src/providers/ldap/sdap_dyndns.c /sssd/src/providers/ldap/sdap_dyndns.h /sssd/src/providers/ldap/sdap_sudo.c /sssd/src/providers/ldap/sdap_sudo.h /sssd/src/providers/ldap/sdap_sudo_shared.h /sssd/src/providers/proxy/proxy.h /sssd/src/providers/proxy/proxy_child.c /sssd/src/providers/simple/simple_access.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/tests/cmocka/test_be_ptask.c /sssd/src/tests/cmocka/test_data_provider_be.c

5597f6eb3674c084ae5a089194d84c8604696a1f 03-Jun-2016 Stephen Gallagher <sgallagh@redhat.com>

GPO: Add "polkit-1" to ad_gpo_map_allow Polkit is an authorization mechanism of its own (similar to sudo). SSSD doesn't need to apply additional authorization decisions atop it, so we'll just accept it as "allow". Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

45e11be651dbd3855a35de4abd2922e5b9d4b963 31-May-2016 Jakub Hrozek <jhrozek@redhat.com>

Do not leak fds in case of failures setting up a child process

Resolves: https://fedorahosted.org/sssd/ticket/3006

The handling of open pipes in failure cases was suboptimal. Moreover, the faulty logic was copied all over the place. This patch introduces helper macros to:
- initialize the pipe endpoints to -1
- close an open pipe fd and set it to -1 afterwards
- close both ends unless already closed

These macros are used in the child handling code. The patch also uses child_io_destructor in the p11_child code for safer fd handling.

Reviewed-by: Petr Cech <pcech@redhat.com>

de8815aba87d08b6b7ac5d502dcb1755787e0857 19-May-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: exit() the forked process if exec()-ing a child process fails When exec() fails, we should not attempt to continue, but just kill the forked process. The patch adds this logic to the exec_child() and exec_child_ex() functions to avoid code duplication Resolves: https://fedorahosted.org/sssd/ticket/3016 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

89376da80b2250b82d256ea85ec349ce29fe5b51 06-May-2016 Stephen Gallagher <sgallagh@redhat.com>

GPO: Add "unity" to ad_gpo_map_interactive Ubuntu systems use "unity" as their screen-locker. Without this in the defaults, people often get locked out of their machines when the screen locks. Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bdd533146cb2da71b7c39ad0efa2e5baca7257eb 12-Apr-2016 Lukas Slebodnik <lslebodn@redhat.com>

GPO: Process GPOS in offline mode if ldap search failed Initgroup requests use global catalog for LDAP queries. Only port for global catalog is marked as offline if request fails due to problems with connection. However, GPO code uses standard LDAP port for retrieving of target DNs and other information. Previously, GPOs were processed in offline mode only if there were issues with connection to AD server. But connection can be cached and ldap search can still fail. Resolves: https://fedorahosted.org/sssd/ticket/2964 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dad416a9b0095e1c423b7da65db7c636fa69e614 23-Mar-2016 Michal Židek <mzidek@redhat.com>

GPO: log specific ini parse error messages We should log error messages generated by libini if there are problems with parsing gpo files. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

293cf52a00c9c67f0ad8f264027f81c020854f66 29-Feb-2016 Stephen Gallagher <sgallagh@redhat.com>

GPO: Add other display managers to interactive logon Gone are the days when all systems used GDM or KDM. We need to support other display managers in the default configuration to avoid issues when enrolled in AD domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0e799bc491f636c69657d1678af13d23bf7b7c10 29-Feb-2016 Stephen Gallagher <sgallagh@redhat.com>

GPO: Add Cockpit to the Remote Interactive defaults The Cockpit Project is an administrative console that is gaining in popularity and is a default component on some operating systems (such as Fedora Server). Since it is becoming more common, we should ensure that it is part of the standard mapping. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9dcc7dbf04466cd8cd90aa0bb8acbebef9aca832 19-Jan-2016 Sumit Bose <sbose@redhat.com>

UTIL: allow to skip default options for child processes Currently the SSSD default options like e.g. --debug-level are added unconditionally to the command line options of a child process when started with the child helper functions. If a binary from a different source should be started as a child by SSSD those options might not be known or used differently. This patch adds an option to exec_child_ex() which allows to skip the default options and only add specific options. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd 14-Dec-2015 Lukas Slebodnik <lslebodn@redhat.com>

DEBUG: Add missing new lines Reviewed-by: Petr Cech <pcech@redhat.com>

5c129880ae10c80b4f79cb2994e9d127dc6dfbef 26-Nov-2015 Mathieu Deaudelin-Lemay <contrib@mdeaudelin.net>

Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller. Resolves: https://fedorahosted.org/sssd/ticket/2870 Reviewed-by: Sumit Bose <sbose@redhat.com>

560b624b34895df55bf489a1d53380c6c8c82e03 14-Sep-2015 Sumit Bose <sbose@redhat.com>

GPO: use SDAP_SASL_AUTHID as samAccountName The samAccountName for AD hosts is the host's NetBIOS name with a trailing $. Since there is a size limit on NetBIOS names, long DNS names must be truncated to find a matching entry in the AD LDAP tree. The NetBIOS name is already needed during kinit/SASL bind where the SDAP_SASL_AUTHID config option is used. Since the GPO lookup code is only reached after the SASL bind was successful we can safely assume that the name is correct and use it for the GPO lookup. Resolves https://fedorahosted.org/sssd/ticket/2692 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5dbdcc2c7210a0e3eb60ad1e85ba33f27d7faeda 07-Sep-2015 Pavel Reichl <preichl@redhat.com>

GPO: fix memory leak Resolves: https://fedorahosted.org/sssd/ticket/2777 Reviewed-by: Michal Židek <mzidek@redhat.com>

7c18b65dbdeb584a946c055f2db3814544b17232 26-Jul-2015 Stephen Gallagher <sgallagh@redhat.com>

AD: Handle cases where no GPOs apply It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration). We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2713 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b08b6a994dcca108bb571458da092e0e320ce9c2 23-Jun-2015 Stephen Gallagher <sgallagh@redhat.com>

GPO: Fix incorrect strerror on GPO access denial We're attempting to use strerror() to print the result from ad_gpo_access_check(), but that function returns an extended SSSD errno. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

31bafc0d6384a30859aa18f3bd22275aec6ee2ed 28-May-2015 Stephen Gallagher <sgallagh@redhat.com>

AD GPO: Support processing referrals For GPOs assigned to a site, it's possible that their definition actually exists in another domain. To retrieve this information, we need to follow the referral and perform a base search on another domain controller. Resolves: https://fedorahosted.org/sssd/ticket/2645 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

03e5f1528184a558fd990e66f083157b404dce08 30-Apr-2015 Lukas Slebodnik <lslebodn@redhat.com>

GPO: Do not ignore missing attrs for GPOs

We don't want to skip over a GPO that might properly be denying users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000): Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040): no attrs found for GPO; try next GPO.

Resolves: https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

475d986b534c5e0dfdb8e2348ab89b13fd4874aa 15-Apr-2015 Stephen Gallagher <sgallagh@redhat.com>

AD GPO: Always look up GPOs from machine domain When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d9079aa05eb8aacb488992fdce328c1abadd08d8 15-Apr-2015 Stephen Gallagher <sgallagh@redhat.com>

AD: Clean up ad_access_gpo Align goto usage with conventions in the rest of the source. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

818c55be478ca2539a86567280114e823d79a51f 01-Apr-2015 Lukas Slebodnik <lslebodn@redhat.com>

GPO: Check return value of ad_gpo_store_policy_settings Reviewed-by: Pavel Reichl <preichl@redhat.com>

4cfab2330323834574c179f774a0c6b1fff4936e 23-Mar-2015 Sumit Bose <sbose@redhat.com>

GPO: error out instead of leaving array element uninitialized In general every object created by the AD provider should have a SID attribute. Since SIDs and GPOs are used for access control a missing SID should be treated as error for now until it is known if there is a valid reason why the SID is missing. Resolves https://fedorahosted.org/sssd/ticket/2608 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b49c6abe12721ee8442be1c1bd6c15443b518ca2 15-Jan-2015 Pavel Reichl <preichl@redhat.com>

GPO: add systemd-user to gpo default permit list Resolves: https://fedorahosted.org/sssd/ticket/2556 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

f3d91181d4ee9da3f8bbf4ddf8782951c0ae46c1 15-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Unify the fd_nonblocking implementation The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ccff8e75940963a0f68f86efcddc37133318abfa 13-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

GPO: Extract server hostname after connecting https://fedorahosted.org/sssd/ticket/2543 The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established. Reviewed-by: Sumit Bose <sbose@redhat.com>

f00a61b6079d8de81432077a59daf015d85800d2 13-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

GPO: Don't use stdout for output in gpo_child Resolves: https://fedorahosted.org/sssd/ticket/2544 Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036 Reviewed-by: Sumit Bose <sbose@redhat.com>

16cb0969f0a9ea71524d852077d6a480740d4f12 13-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Allow dup-ing child pipe to a different FD Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>

fc2cc91a5b645180e53d46436b0d08011aac8d74 08-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting() https://fedorahosted.org/sssd/ticket/2542 If the GPO result object was missing completely, we would error out with a fatal error code. It's more user-friendly to treat the missing object as if the requested attribute was missing on the provider level. Reviewed-by: Pavel Reichl <preichl@redhat.com>

b4f87b42b18888c396e44e7359f7aafb092221bf 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

Add extra_args to exec_child() Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

77b13371c87702aee3f858f6b2b73826cf5a01bd 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Remove more code duplication setting up child processes All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function. Reviewed-by: Michal Židek <mzidek@redhat.com>

06f10b2a0ebb26f2460cd445f8040e9205de7500 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Remove code duplication of struct io We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/ Reviewed-by: Michal Židek <mzidek@redhat.com>

d3e69c059cb11c735d115a3914dad46806ff46fb 22-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

GPO: Terminate request on error Reviewed-by: Pavel Reichl <preichl@redhat.com>

76ba5d2b8d95ec444c124dd9a44275ce685fb648 13-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

GPO: Do not use output argument if function failed deny_size and allow_size were initialized in function parse_policy_setting_value (output argument). If function parse_policy_setting_value fails then output arguments will not be initialized and will be used uninitialized in debug macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dd09bbb2578bd9f82afd7fc4d4fcc3a5659731d3 13-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

GPO: Fail if we cannot retrieve gpo from cache. The variable value could be used uninitialized. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b083fec6c175989e0d32b83d8cc857a6b54d26a2 13-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

GPO: fail if there is problem with storing gpo into sysdb Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0bed97f6ca4ad8bb61de9114c23051e7eaa8d1fc 03-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

GPO: remove unused talloc contexts Talloc context was not used in functions ad_gpo_parse_gpo_child_response, ad_gpo_process_cse_recv, ad_gpo_store_policy_settings. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

4611802d41d8954a3040f39403590adb920ca521 02-Oct-2014 Yassir Elley <yelley@redhat.com>

AD-GPO resolve conflicting policy settings correctly Resolves: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

7f4270ee333c1128a87fce6e6a3de64d263733e1 02-Oct-2014 Stephen Gallagher <sgallagh@redhat.com>

AD GPO: Fix incorrect return of EACCES In the access providers, we expect to receive ERR_ACCESS_DENIED when access is denied, but we were returning EACCES here. The effect was the same, except that it presented ultimately as a system error instead of a proper denial. Related: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cb7644495e76ffa3e19ba10efb4a0f5f3817ba33 29-Sep-2014 Jakub Hrozek <jhrozek@redhat.com>

AD: Add a missing break statement to the GPO code Reviewed-by: Pavel Reichl <preichl@redhat.com>

5e381cc03f6e1cd15686bc5a0c8ea1c28723fd5c 29-Sep-2014 Stephen Gallagher <sgallagh@redhat.com>

AD GPO: Fix incorrect sAMAccountName selection Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

eb0cde4e6dfdbda08588860534f7ece5776ec3af 08-Sep-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: delete stale GPOs https://fedorahosted.org/sssd/ticket/2431 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a8356a0c98ee44e7256bb1c7767159c70e1fc218 08-Sep-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: processing changes for gpo_map_* options Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d3c6fca0f0d3b1c5d3dda3dcf3de0ae3ae4c0c38 13-Aug-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: ad_gpo changes for offline gpo support Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ff4b603cc14ea6ea15caaf89a03e927920124af4 31-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b47449d8596d9573ff13e74b6984d080b414715a 30-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: only download policy files if gpo version changes Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1b72f6377e997bbadabad9e5e43998dddfe38156 29-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

AD: Increment som_index when advancing to the next GPO When the GPO processing tried to advance to the next GPO on encountering an error, the som_index was not incremented, causing an infinite loop. Reviewed-by: Yassir Elley <yelley@redhat.com>

210bc14aac190bbb043272821aeb3342c995a4f6 29-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

AD: Check return value of ad_gpo_evaluate_dacl Reviewed-by: Pavel Reichl <preichl@redhat.com>

32381402a4a9afc003782c9e2301fc59c9bda2a9 20-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Store policy settings in local files Reviewed-by: Sumit Bose <sbose@redhat.com>

588f8fbe74e66cc015f185a5b798173d320a65b5 01-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Add support for gpo permissive mode Reviewed-by: Sumit Bose <sbose@redhat.com>

d3ca320a1ddea52fe86c052dd5521b8f98bb4f9f 01-Jul-2014 Yassir Elley <yelley@redhat.com>

Use ldap_url_parse to extract hostname from ldap uri Reviewed-by: Sumit Bose <sbose@redhat.com>

19d3aba12c70528708be9440aca66038a291f29e 01-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Add gpo-smb implementation in gpo_child process Reviewed-by: Sumit Bose <sbose@redhat.com>

4e299001aff97d5aaabd7ca490cd7d3d5151823e 30-May-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Fix some failure modes in ad_gpo.c Reviewed-by: Sumit Bose <sbose@redhat.com>

28c155e20d3ebf53581821572c6c3fe1724582c9 23-May-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Remove dependency on libsamba-security Reviewed-by: Sumit Bose <sbose@redhat.com>

60cab26b12df9a2153823972cde0c38ca86e01b9 13-May-2014 Yassir Elley <yelley@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>