PAM: add pam_response_filter option Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: add a test for filter_responses() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cache_req: switch to new code This patch switch the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

PAM: Do not act on ldb_message in case of a failure Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: Fix domain for UPN based lookups Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: continue with UPN/email search if name was not found Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: Use qualified names internally in the PAM responder The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>

Responders: Make the client context more generic This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: Removing ncache from pam_ctx This patch switches ncache from pam_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing neg_timeout from pam responder It removes neg_timeout parameter from struct pam_ctx. Timeout is handled by context of negative cache internally. This patch additioanlly removes neg_timeout from struct cache_req_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NEGCACHE: Removing timeout from sss_ncache_check_* It removes timeout parameter from check functions of negative cache. Timeout is set ny init function and it is handled internally. API change: * int sss_ncache_check_...(struct sss_nc_ctx *ctx, int ttl, <----- timeout vanished struct sss_domain_info *dom, ...); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

PAM: Pass account lockout status and display message Tested against Windows Server 2012. Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Util: Improve code to get connection credentials Adds support to get SELINUX context and make code more abstract so that struct ucred (if availale) can be used w/o redefining uid,gid,pid to int32. Also gives a layer of indirection that may come handy if we want to improve the code further in the future. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

p11: enable ocsp checks This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

pam-srv-tests: Add UT for cached 'online' auth. Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: remove unused parameter cdb Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: only allow missing user name for certificate authentication Resolves: https://fedorahosted.org/sssd/ticket/2811 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: Make p11_child timeout configurable Ticket: https://fedorahosted.org/sssd/ticket/2773 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

pam: Incerease p11 child timeout Ticket: https://fedorahosted.org/sssd/ticket/2746 It was timeouting often in CI machines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: Only cache first-factor Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: authenticate agains cache Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: new attribute lastOnlineAuthWithCurrentToken Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2FA offline auth Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add pre-auth request Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

pam: handle 2FA authentication token in the responder Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: use the logon_name as the key for the PAM initgr cache Currently the name member of the pam_data struct is used as a key but it can change during a request. Especially for sub-domain users the name is changed from the short to the fully-qualified version before the cache entry is created. As a result the cache searches are always done with the short name while the entry was written with the fully-qualified name. The logon_name member of the pam_data struct contains the name which was send by the PAM client and is never changed during the request. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: check return value of confdb_get_string Coverity found this neglect. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: print the pam status as string, too On several places, let's add a pam_strerror() call so that it's easier to debug user problems. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>

PAM: warn all services about account expiration if pam_verbose is above one then output warning about account expiration for all services. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: new option pam_account_expired_message This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: do not reject abruptly If account has expired then pass message. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>

RESPONDERS: Warn to syslog about colliding objects Resolves: https://fedorahosted.org/sssd/ticket/2203 Reviewed-by: Pavel Reichl <preichl@redhat.com>

PAM: Domain names are case-insensitive The pam_public_domains option and matching the domain requested by a trusted process was done in a case-sensitive manner which is different from how we match domain names in SSSD normally. Reviewed-by: Pavel Reichl <preichl@redhat.com>

PAM: Move is_uid_trusted from pam_ctx to preq Keeping a per-request flag in a global structure is really dangerous. Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: Check for trusted domain before sending the request to BE https://fedorahosted.org/sssd/ticket/2501 Moving the checks to one place has the advantage of not duplicating security decisions. Previously, the checks were scattered all over the responder code, making testing hard. The disadvantage is that we actually check for the presence of the user, which might trigger some back end lookups. But I think the benefits overweight the disadvantage. Also only check the requested domains from a trusted client. An untrusted client should simply have no say in what domains he wants to talk to, it should ignore the 'domains' option. Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: Make pam_forwarder_parse_data static Reviewed-by: Pavel Reichl <preichl@redhat.com>

pam: make pam responder aware if views Reviewed-by: Pavel Březina <pbrezina@redhat.com>

pam: sub-domain authentication fix With a recent patch sysdb_getpwnam() was replaced by sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave differently with respect to sub-domain users. As a consequence the PAM responder was not able to resolve users from sub-domains. This patch reverts this change and uses sysdb_getpwnam() again. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

PAM: Add domains= option to pam_sss Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: new options pam_trusted_users & pam_public_domains pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM, NSS: allow UPN login names With this patch the NSS and PAM responders can handle user principal names besides the fully qualified user names. User principal names are build from a user name and a domain suffix separated by an '@' sign. But the domain suffix does not necessarily has to be the same as the configured domain name in sssd.conf of the dynamically discovered DNS domain name of a domain. The typical use case is an Active Directory forest with lots of different domains. To not force the users to remember the name of the individual domain they belong to the AD administrator can set a common domain suffix for all users from all domains in the forest. This is typically the domain name used for emails to make it even more easy to the users to remember it. Since SSSD splits name and domain part at the '@' sign and the common domain suffix might not be resolvable by DNS or the given user is not a member of that domain (e.g. in the case where the forest root is used as common domain suffix) SSSD might fail to look up the user. With this patch the NSS and PAM responder will do an extra lookup for a UPN if the domain part of the given name is not known or the user was not found and the login name contained the '@' sign. Resolves https://fedorahosted.org/sssd/ticket/1749

PAM: remove ldb_result member from pam_auth_req context This member was used only in a single call where a local variable suits better.

PAM: extract checks from parsing routines This patch saves the original name given at a login prompt and send to the PAM responder in the logon_name member of the pam_data struct for later use. Additionally it separates the parsing of the data send by the PAM client and the checks of this data.

PAM: Use the override_space option https://fedorahosted.org/sssd/ticket/2397 When using the override_default_space option, this patch allows to log in using both the original name (space user) as well as the normalized name (space_user). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

responder: Use SAFEALIGN macro when checking pam data validity. resolves: https://fedorahosted.org/sssd/ticket/1359

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

Fix formating of variables with type: size_t

pam: Bad debug message format and parameter.

PAM: Set negcache if user is not found after provider check

PAM: Check negcache when searching for fully qualified users, too

Remove unused memory context

Do not try to set password when authtok_length is zero https://fedorahosted.org/sssd/ticket/1814 When the authtok_length is zero, it shouldn't call sss_authtok_set_password, because it tries to determine lenght of passed string by itself and would read parts of DBus message behind boundaries of authtok.

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'

Remove unused TALLOC_CTX from responder_get_domain() Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.

Allocate PAM DP request data on responder context https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.

Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830

Reusing create_pam_data() on the other places. Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.

Move SELinux processing to provider. The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743

Use the same dbg level for all ncache hits. We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771

if selinux is disabled, ignore that selogin dir is missing https://fedorahosted.org/sssd/ticket/1817

Add function get_next_domain() Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()

Add domain argument to sysdb selinux functions

Add domain argument to sysdb_cache_auth()

Add domain argument to sysdb_set_user_attr()

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

Code can only check for cached passwords Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.

Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails

PAM: Do not leak fd after SELinux context file is written https://fedorahosted.org/sssd/ticket/1619 We don't close the fd when we write the selinux login file in the pam responder. This results in a fd leak.

Add new option default_domain_suffix

SELinux: Always use the default if it exists on the server https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether

Check if the SELinux login directory exists https://fedorahosted.org/sssd/ticket/1492

Only create the SELinux login file if there are mappings on the server https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there *are* rules on the server, but none matches.

Do not try to remove the temp login file if already renamed write_selinux_string() would try to unlink the temporary file even after it was renamed. Failure to unlink the file would not be fatal, but would produce a confusing error message. Also don't use "0" for the default fd number, that's reserved for stdin. Using -1 is safer.

Build SELinux code in responder conditionally https://fedorahosted.org/sssd/ticket/1480

Fix bad check

Write SELinux config files in responder instead of PAM module

Move SELinux processing from session to account PAM stack The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.

PAM: Fix off-by-one-error in the SELinux session code

Fix uninitialized values https://fedorahosted.org/sssd/ticket/1379

SELinux user maps: pick just one map This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360

Fix re_expression matching with subdomains This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.

Make re_expression and full_name_format per domain options * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663

PAM: Better pam_reply message

Modify behavior of pam_pwd_expiration_warning New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.

Send PAM requests for subdomains to the right provider

Modified responder_get_domain() Now it checks for subdomains as well as for the domain itself

Prevent printing NULL from DEBUG messages

Remove sysdb_get_ctx_from_list()

Don't give memory context in confdb where not needed

Only fetch SELinux string if the user is found

SELinux support in PAM responder

PAM: Do not overwrite ret

DP: Fix bugs in sss_dp_get_account_int The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list. This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()

RESPONDER: Extend sss_dp_account_send() to include extra data Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.

PAM: Fix reversed logic

sss_get_cased_name utility function

PAM: make initgroups timeout work across multiple clients Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063

Use the case sensitivity flag in responders

Canonicalize username in PAM provider

Responders: Split getting domain by name into separate function

Ignore NULL-terminator when checking UTF8-validity Glib fails if the NULL-terminator is included when a length is specified.

RESPONDER: Refactor DP requests into tevent_req style

RESPONDER: Ensure that all input strings are valid UTF-8

sysdb refactoring: memory context deleted This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

Revert "Allow LDAP to decide when an expiration warning is warranted" This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6.

Allow LDAP to decide when an expiration warning is warranted Previously, we were only displaying expiration warnings if the password was going to expire within a day. We'll allow LDAP to make this decision (by whether it passes us the expiration time). In the future, we can add an option to clamp this down to a shorter period if the local admin prefers it.

Fix unchecked return values of pam_add_response https://fedorahosted.org/sssd/ticket/798

Perform initgroups lookups for all domains Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.

Perform initgroups lookup for PAM Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.

Use DEFAULT_PAM_VERBOSITY if config value cannot be retrieved

Add pam_pwd_expiration_warning config option

Validate user supplied size of data items Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.

Update the ID cache for any PAM request Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749

Ensure ID is checked in all domains for PAM Previously, this was initialized to zero, so the first domain in the list wouldn't be checked for ID updates in pam_check_user_search. This initializes the first domain to check the provider.

Eliminate possible NULL-dereference in pam_check_user_search https://fedorahosted.org/sssd/ticket/719

Add support for server-side pam response messages

Introduce pam_verbosity config option Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.

Avoid long long in messages to PAM client use int64_t

Honor filter_users in PAM

Add support for delayed kinit if offline If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.

sysdb: convert sysdb_getpwnam

Remove remaining use of sysdb_transaction_send

sysdb: convert sysdb_cache_auth

sysdb: convert sysdb_set_entry/user/group_attr

Store lastLogin attribute when authenticating online

Remove unneeded items from struct pam_data

Rename server/ directory to src/ Also update BUILD.txt