krb5: Use command line arguments instead env vars for krb5_child Resolves: https://fedorahosted.org/sssd/ticket/697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

KRB5: Return ERR_NETWORK_IO on clock skew Adds two more return codes to the list of codes we translate to ERR_NETWORK_IO. Resolves: https://fedorahosted.org/sssd/ticket/3174 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM/KRB5: optional otp and password prompting Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both. Resolves https://fedorahosted.org/sssd/ticket/2988 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

krb5_child: Warn if user cannot read krb5.conf Attached patch should siplify troubleshoting of issues with permission of krb5.conf. It's not clear from krb5_child.log even with full debug level. [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_12069_XXXXXX] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243] [Can't find client principal user@EXAMPLE.COM in cache collection] [create_ccache] (0x0020): 735: [13][Permission denied] Resolves: https://fedorahosted.org/sssd/ticket/2931 Reviewed-by: Michal Židek <mzidek@redhat.com>

Krb5/PAM: Fix account lockout error handling The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is returned by the KDC when an account lockout is in effect. When an account is expired the kdc returns KRB5KDC_ERR_NAME_EXP. Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code. Resolves: https://fedorahosted.org/sssd/ticket/2924 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KRB5_CHILD: Debug logs for PAC timeout This patch adds debug message that inform user when KRB5_CHILD calls PAC responder. This action might take a bit of time in case the cache is not populated or up to date. Resolves: https://fedorahosted.org/sssd/ticket/2846 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO Resolves: https://fedorahosted.org/sssd/ticket/2866 This would help users who authenticate to AD trust servers while offline and see error messages such as: [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"] in the krb5_child.log Reviewed-by: Pavel Březina <pbrezina@redhat.com>

KRB5_CHILD: More restrictive umask We could use more restrictive umask in krb5_child. I found out that there is directory creation, but it is done by create_ccache_dir() which has its own umask setup. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sssd: incorrect checks on length values during packet decoding https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>

KRB5: Use sss_unique file in krb5_child In krb5_child, we intentionally don' set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

krb5-child: add preauth and split 2fa token support Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: add debug hint Reviewed-by: Sumit Bose <sbose@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KRB5: More debugging for create_ccache() It was difficult to find where the problem was without advanced techniques like strace. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Open the PAC socket from krb5_child before dropping root The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com>

krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com>

krb5: handle KRB5KRB_ERR_GENERIC as unspecific error KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

krb5_child: Initialize REALM earlier Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>

KRB5: Check FAST kinit errors using get_tgt_times() Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: Relax DEBUG message Reviewed-by: Sumit Bose <sbose@redhat.com>

sss_atomic_write_s() return value is signed Reviewed-by: Sumit Bose <sbose@redhat.com>

KRB5: Create the fast ccache in a child process Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>

krb5_child: become user earlier The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5: do not fail if checking the old ccache failed https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5: Check return value of sss_krb5_princ_realm sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>

KRB5: Move all ccache operations to krb5_child.c The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: Move ccache-related functions to krb5_ccache.c Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: Drop privileges in the child, not the back end In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KRB5: add missing debug-to-stderr option to krb5_child Without this option krb5_child cannot be run in interactive mode. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KRB5: Go offline in case of generic error Resolves: https://fedorahosted.org/sssd/ticket/2313

krb5_child: Fix use after free in debug message debug_prg_name is used in debug_fn and it was allocated under talloc context "kr". The variable "kr" was removed before the last debug messages in function main. It is very little change that it will be overridden. It is possible to see this issue with exported environment variable TALLOC_FREE_FILL=255 Reviewed-by: Sumit Bose <sbose@redhat.com>

krb5_child: Remove unused krb5_context from set_changepw_options Reviewed-by: Pavel Reichl <preichl@redhat.com>

KRB5: Do not attempt to get a TGT after a password change using OTP https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

krb5-child: add revert_changepw_options() After changing the Kerberos password krb5-child will try to get a fresh TGT with the new password. This patch tries to make sure the right gic options are used. Resolves: https://fedorahosted.org/sssd/ticket/2289 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5-child: extract lifetime settings into set_lifetime_options() Additionally the lifetime option flags are unset if there are no explicit settings to make sure the defaults from krb5.conf are used even if other values were set manually in between. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5_child: remove unused option lifetime_str from k5c_setup_fast() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration Fixes https://fedorahosted.org/sssd/ticket/2279 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Fix krb5 changepw when FAST-only preauth methods are used (like OTP) Before this patch, a different set of options was used when calling krb5_get_init_creds_password() for the changepw principal. Because this set of options did not contain the same FAST settings as the options for normal requests, all authentication would fail when the password of a FAST-only account would expire. The two sets approach was cargo-cult from kinit where multiple requests could be issued using the same options set. However, in the case of krb5_child, only one request (or occasionally a well-defined second request) will be issued. Two option sets are therefore not required. To fix this problem we removed the second option set used for changepw requests. All requests now use a single option set which is modified, if needed, for well-defined subsequent requests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KRB5: Go offline in case of clock skew https://fedorahosted.org/sssd/ticket/1096 In case the KDC has skewed time, we can retry with the next one and eventually go offline if no KDC has time in sync with the client. Previously, authentication with wrong time resulted in System Error.

krb5: Use right function to free data. In function create_empty_cred, krb5_creds was aloocated using calloc, but krb5_free_creds was used to remove this creds in done section. Therefore clang static analyzer repoted this as warning: Potential leak of memory pointed to by 'cred'

krb5: Remove warning dereference of a null pointer Variable kr->creds is initialized in function krb5_get_init_creds_password. It does not make sense to check kr->creds for null, because we have already checked return value of function krb5_get_init_creds_password. Resolves: https://fedorahosted.org/sssd/ticket/2112

KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.

krb5: fix warning may be used uninitialized

KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved

KRB5: Call umask before mkstemp in the krb5 child code

Fix formating of variables with type: size_t

Fix formating of variables with type: long

krb5_child: Simplify ccache creation The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreate the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061

KRB5: Add support for KEYRING cache type https://fedorahosted.org/sssd/ticket/2036

KRB5: Remove unnecessary call to become_user() By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.

KRB5: Add new #define for collection cache types Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.

KRB5: Do not log to syslog on each login

KRB5: Formatting changes

ldap, krb5: More descriptive msg on chpass failure. Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029

Fix warnings: uninitialized variable

Remove unused memory context from function unpack_authtok

print hint about password complexity when new password is rejected https://fedorahosted.org/sssd/ticket/1827

Use conditional build for retrieving ccache. Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c

KRB5_CHILD: Fix handling of get_password return code The switch statement was dead code due to missing case/default.

Do not switch to credentials everytime. If user decide to kinit as another user we do not want to switch back to user ccache at another login. We will switch to new ccache if and only if default principal name is the same as current principal name, or there is not any default ccache. https://fedorahosted.org/sssd/ticket/1936

Every time return directory for krb5 cache collection. Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936

krb5: do not send pac for IPA users from the local domain So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995

Revert "Always send the PAC to the PAC responder" This reverts commit d153941864fe481399665be8fe583c9317194a99.

Set default realm for enterprise principals Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931

Use principal from the ticket to find validation entry If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931

KRB: Handle preauthentication error correctly https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.

Always send the PAC to the PAC responder Currently while doing a Kerberos based authentication the PAC was only send to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain are already evaluated by the PAC responder.

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842

Check for correct variable name https://fedorahosted.org/sssd/ticket/1864

krb5 child: Use the correct type when processing OTP

Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830

Reusing create_pam_data() on the other places. Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.

Add support for krb5 1.11's responder callback. krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).

Cleanup error message handling for krb5 child Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.

krb5_child: fix value type and initialization ret was defined as integer, instead of errno_t, and was uninitialized

Refactor krb5 child The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back

krb5_child style fix Use the standard 'done' label for exceptions.

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

Disable canonicalization during password changes If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615

Just use the service name with krb5_get_init_creds_password() Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.

Only build extract_and_send_pac on platforms that support it

Include talloc log in our debug facility https://fedorahosted.org/sssd/ticket/1495

krb5_child: send back the client principal In general Kerberos is case sensitive but the KDC of Active Directory typically handles request case in-sensitive. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cache user principal name the krb5_child will return the principal for further processing.

krb5_child: send PAC to PAC responder If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.

krb5_auth: send different_realm flag to krb5_child The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.

Only call krb5_set_trace_callback on platforms that support it

Collect krb5 trace on high debug levels If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539

Two fixes to child processes There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.

Add more info about ticket validation https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.

Log possibly non-randomizable ccache file template fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.

KRB5 child: handle more error codes gracefully This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.

KRB5 child: Don't return System Error on empty password https://fedorahosted.org/sssd/ticket/1310

KRB5: Return PAM_AUTH_ERR on incorrect password https://fedorahosted.org/sssd/ticket/1515

Use new debug levels in validate_tgt()

Fix fallback in validate_tgt() To validate a TGT a keytab entry from the client realm is preferred but if none ca be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach then suggested in the ticket is used.

Cast uid_t to unsigned long long in DEBUG messages

Print based on pointer contents not address

heimdal: use sss_krb5_princ_realm to access realm

Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.

KRB5: Some logging enhancements for krb5_child

KRB5: Auto-detect DIR cache support in configure We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.

Use Kerberos context in KRB5_DEBUG Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.

Add support for storing credential caches in the DIR: back end https://fedorahosted.org/sssd/ticket/974

Provide more debugging in krb5_child and ldap_child https://fedorahosted.org/sssd/ticket/1225

Two small krb5_child fixes * Allocation check was missing * a DEBUG statement overwrote errno

added DEBUG messages to krb5_child and ldap_child

Limit krb5_get_init_creds_keytab() to etypes in keytab * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375

Remove erroneous failure message in find_principal_in_keytab * When it's actually a failure, then the callers will print a message. Fine tune this.

If canon'ing principals, write ccache with updated default principal * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518

Convert read and write operations to sss_atomic_read https://fedorahosted.org/sssd/ticket/1209

Clean up log messages about keytab_name There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288

krb5_child: set debugging sooner

KRB5: Add syslog messages for Kerberos failures https://fedorahosted.org/sssd/ticket/1137

Add compatibility layer for Heimdal Kerberos implementation

Securely set umask when using mkstemp Coverity 12394, 12395, 12396, 12397 and 12398

Move child_common routines to util

Add support to request canonicalization on krb AS requests https://fedorahosted.org/sssd/ticket/957

Multiline macro cleanup This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.

DEBUG timestamps offer higher precision https://fedorahosted.org/sssd/ticket/956 Added: --debug-microseconds=0/1 Added: debug_microseconds to sssd.conf

New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0 Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern: /* Set debug level to invalid value so we can deside if -d 0 was used. */ debug_level = SSSDBG_INVALID; pc = poptGetContext(argv[0], argc, argv, long_options, 0); while((opt = poptGetNextOpt(pc)) != -1) { ... } CONVERT_AND_SET_DEBUG_LEVEL(debug_level);

New DEBUG facility - conversion https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)

Added some kerberos functions for building on RHEL5

Allow new option to specify principal for FAST https://fedorahosted.org/sssd/ticket/700

Extend and move function for finding principal in keytab The function now supports finding principal in keytab not only based on realm, but based on both realm and primary/instance parts. The function also supports * wildcard at the beginning or at the end of primary principal part. The function for finding principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.

Fixes for automatic ticket renewal - do not recreate the ccache file when renewing the TGT - use user principal name as hash key instead of ccfile name - let krb5_child return Kerberos error codes

Fix build issue with older Kerberos library

Add support for FAST in krb5 provider

Refactor krb5_child to make helpers more flexible

krb5_child returns TGT lifetime

Add krb5_lifetime option

Add krb5_renewable_lifetime option

Check authtok type for krb5 auth and chpass

Add a renew task to krb5_child

Send authtok_type to krb5_child

Add krb5_kuserok() access check to krb5_child

Make krb5_setup() public

Use new MIT krb5 API for better password expiration warnings

Dead assignments cleanup in providers code Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586

Standardize on correct spelling of "principal" for krb5 https://fedorahosted.org/sssd/ticket/542

Remove krb5_changepw_principal option Fixes: #531

Add a missing initializer

Initialize pam_data in Kerberos child.

Handle Krb5 password expiration warning

Allow arbitrary-length PAM messages The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432

Add krb5_kpasswd option

Improve safe alignment buffer handling macros Make the counter optional so that alignment safe macros can be used also where there is no counter to update. Change arguments names so that they are not deceiving (ptr normlly identify a pointer) Turn the memcpy substitute into an inline function so that passing a pointer to rp and checking for it doesn't make the compiler spit lots of warnings.

Handle expired passwords like other PAM modules So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.

Remove unneeded items from struct pam_data

Rename server/ directory to src/ Also update BUILD.txt