IPA/AD: check auth ctx before using it In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch. Resolves https://fedorahosted.org/sssd/ticket/3234 Reviewed-by: Petr Cech <pcech@redhat.com>

AD_PROVIDER: ad_enabled_domains - other then master We can skip looking up other domains if option ad_enabled_domains doesn't contain them. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD_PROVIDER: ad_enabled_domains - only master We can skip looking up other domains if option ad_enabled_domains contains only master domain. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD_PROVIDER: Initializing of ad_enabled_domains We add ad_enabled_domains into ad_subdomains_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

failover: mark subdomain service with sd_ prefix Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: netlogon_get_domain_info() allow missing arguments and empty results netlogon_get_domain_info() should not fail if not all parameters can be retrieved. It should be the responsibility of the caller to see if the needed data is available and act accordingly. Resolves: https://fedorahosted.org/sssd/ticket/3104 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: make subdomain calls aware of upn_suffixes sysdb_subdomain_store() and sysdb_update_subdomains() can now update upn_suffixes as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: add UPN suffix support for the master domain sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA/AD: globally set krb5 canonicalization flag If Kerberos principal canonicalization is configured in SSSD, currently it is the default for the IPA provider, a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default. Resolves https://fedorahosted.org/sssd/ticket/3041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: Reduce code duplication in the callback handlers Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: inicialize root_domain_attrs field Resolves: https://fedorahosted.org/sssd/ticket/2805 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Set ignore_mark_offline=false when resolving AD root domain https://fedorahosted.org/sssd/ticket/2637 Avoid going offline in cases where SSSD is connected to a child domain but the root domain is not accessible. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

UTIL: Convert domain->disabled into tri-state with domain states Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA/AD: Set up AD domain in ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Add realm to sysdb_master_domain_add_info Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members, it's preferable to avoid special-casing as much as possible. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Store trust direction for subdomains We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>

subdomains: Inherit cleanup period and tokengroup settings from parent domain Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains. This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627 Reviewed-by: Pavel Reichl <preichl@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: support for AD site override Override AD site found during DNS discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD/IPA: add krb5_confd_path configuration option With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: Always write capaths We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

UTIL: rename find_subdomain_by_name The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: cleanup redundant #define statements Resolves: https://fedorahosted.org/sssd/ticket/2185 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Do not remove non-root domains when looking up root domain https://fedorahosted.org/sssd/ticket/2322 When the AD subdomains code looked up the root domain subsequently (after the domain list was already populated), the non-root domains might have been removed along with their respective tasks, because the root domain lookup only ever matched a single root domain. This could cause havoc especially during login when different lookups for different domains might be going on during user group refresh. Reviewed-by: Pavel Reichl <preichl@redhat.com>

AD Provider: bug-fix uninitialized variable ad_subdomains_refresh() always set value to output parameter 'changes' if EOK is returned. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD Provider: Fix crash looking up forest on Samba 4 We were assuming that the forest had been looked up by netlogon, but this is not available on Samba 4 domains. We need to check that the forest is NULL and force the lookup. Resolves: https://fedorahosted.org/sssd/ticket/2311 Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: connect to forest root when downloading the list of subdomains https://fedorahosted.org/sssd/ticket/2285 Only the forest root has the knowledge about all the domains in the forest, the forest leaves only see themselves and the forest root. This patch switches to connecting to the forest root for downloading the trusted domains instead of the server we are connected to. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

AD: Establish cross-domain memberships after enumeration finishes Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any *sub*domains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

AD: Store info on whether a subdomain is set to enumerate Depending on the state of the subdomain_enumerate variable, the newly created subdomain object is created with the right value of "enumerate" attribute in the sysdb.

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

AD: Refresh subdomain data structures on startup Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.

AD: use LDAP for group lookups The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.

SUBDOMAINS: Reuse cached results if DP is offline If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168

Initialize sid_str to NULL to avoid freeing random data If any function before failed, sss_idmap_free_sid() might have been called with random data.

free idmapped SIDs correctly Resolves: https://fedorahosted.org/sssd/ticket/2133

ad_subdom_store: check ID mapping of the domain not of the parent

ad: destroy ptasks when subdomain is removed Resolves: https://fedorahosted.org/sssd/ticket/1968

dp: free sdap domain if subdomain is removed Resolves: https://fedorahosted.org/sssd/ticket/1968

dp: make subdomains refresh interval configurable This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968

sdap_idmap_domain_has_algorithmic_mapping: add domain name argument When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.

AD: talk to GC first even for local domain objects Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.

ipa_server_mode: write capaths to krb5 include file If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093

IPA: store forest name for forest member domains In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.

AD: Failure to get flat name is not fatal https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.

AD: async request to retrieve master domain info Adds a reusable async request to download the master domain info.

util: add sss_idmap_talloc[_free] Remove code duplication.

SYSDB: Store enumerate flag for subdomain

DB: remove unused realm parameter from sysdb_master_domain_add_info The parameter was not used at all.

AD: Move storing sdap_domain for subdomain to generic LDAP code Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially. Subtask of: https://fedorahosted.org/sssd/ticket/1962

Save mpg state for subdomains The information of a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.

AD: Write out domain-realm mappings This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.

Use the correct talloc context when creating AD subdomains sdom was only ever guaranteed to be set when a new domain was being created. sditer is a valid pointer in both cases, so just use that.

AD: Store trusted AD domains as subdomains https://fedorahosted.org/sssd/ticket/364 Looks up trusted domain objects in the LDAP and stores them as AD subdomains. Currently only trusted domains that run NT5 or newer from the same forest are looked up and stored.

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

Fix return code for AD subdomain request

Fix segfault in AD Subdomains Module In function ad_subdomains_get_netlogon_done: If variable "reply_count" is zero then variable "reply" will not be initialized. Therefore we should not continue.

AD: read flat name and SID of the AD domain For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468