[SSSD] [sssd PR#5733][comment] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Title: #5733: Work around issue #5729

joakim-tjernlund commented:
"""
> Closing this in favor of #5734

Mind merging #5734 ?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5733#issuecomment-901956180
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[SSSD] [sssd PR#5734][comment] MONITOR: Return success from genconf with no config
URL: https://github.com/SSSD/sssd/pull/5734
Title: #5734: MONITOR: Return success from genconf with no config

joakim-tjernlund commented:
"""
Can this be merged soon? Would save me the trouble to hack around this issue.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5734#issuecomment-897589013
[SSSD] [sssd PR#5733][comment] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Title: #5733: Work around issue #5729

joakim-tjernlund commented:
"""
> > > @joakim-tjernlund I created #5734 to fix this properly, sorry for the
> > > delay. Do you still want/need this workaround PR ?
> >
> > We can hold that PR for now. Just clarify that it is OK for KCM to start
> > before sssd (and with an empty cache) without impacting KCM functionality?
>
> If it starts up and typical kerberos commands are working, then it is no
> issue.

Sure, but I want a statement too. Is it a kcm bug if it does not?
If not one would have to change start order deps on both openrc and systemd I think.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5733#issuecomment-892773429
[SSSD] [sssd PR#5733][comment] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Title: #5733: Work around issue #5729

joakim-tjernlund commented:
"""
> @joakim-tjernlund I created #5734 to fix this properly, sorry for the delay.
> Do you still want/need this workaround PR ?

We can hold that PR for now. Just clarify that it is OK for KCM to start before sssd (and with an empty cache) without impacting KCM functionality?
I do not see that systemd KCM has a dep on sssd either but I am no systemd expert.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5733#issuecomment-892753964
[SSSD] [sssd PR#5733][comment] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Title: #5733: Work around issue #5729

joakim-tjernlund commented:
"""
> Hi @joakim-tjernlund Could you provide a more descriptive commit message?
> Then you can add on a separate line:
>
> Resolves: #5729

Done
"""

See the full comment at https://github.com/SSSD/sssd/pull/5733#issuecomment-891965537
[SSSD] [sssd PR#5733][synchronized] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Author: joakim-tjernlund
Title: #5733: Work around issue #5729
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5733/head:pr5733
git checkout pr5733

From b1a2db9ced06cd7a9ec9c54e2061d915e5c7d7a2 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund
Date: Tue, 3 Aug 2021 12:54:26 +0200
Subject: [PATCH] sssd-kcm, OpenRC: Ignore errors from sssd --genconf

sssd --genconf=kcm can return false non zero exit codes.
Ignore these and reroute any output to /dev/null

Resolves: #5729
---
 src/sysv/gentoo/sssd-kcm.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in index c9242bf9fb..b1670fdfeb 100644 --- a/src/sysv/gentoo/sssd-kcm.in +++ b/src/sysv/gentoo/sssd-kcm.in @@ -10,7 +10,8 @@ pidfile="@pidpath@/sssd_kcm.pid" start_pre() { -"@sbindir@/sssd" --genconf-section=kcm || return $? +"@sbindir@/sssd" --genconf-section=kcm >/dev/null 2>/dev/null +return 0 } depend()
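Review bot: in `start_pre()`, the unconditional `return 0` combined with `>/dev/null 2>/dev/null` hides every failure of `sssd --genconf-section=kcm`, not only the false non-zero exit codes the commit message describes, so the pre-start step reports success with no diagnostic even when config generation really failed. Consider keeping stderr and downgrading the failure to a warning, for example `|| ewarn "sssd --genconf-section=kcm failed"`, so the service still starts but the operator can see what happened. The commit message also says `--genconf=kcm` while the script calls `--genconf-section=kcm`; using the same option name in both avoids confusion.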
[SSSD] [sssd PR#5733][opened] Work around issue #5729
URL: https://github.com/SSSD/sssd/pull/5733
Author: joakim-tjernlund
Title: #5733: Work around issue #5729
Action: opened

PR body:
"""
Handles unexpected errors by sssd --genconf
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5733/head:pr5733
git checkout pr5733

From e3510ca54adbbc13a2bc0933dcf4052c2a6c3151 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund
Date: Tue, 3 Aug 2021 12:54:26 +0200
Subject: [PATCH] Work around issue #5729

---
 src/sysv/gentoo/sssd-kcm.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in index c9242bf9fb..28527fc4cf 100644 --- a/src/sysv/gentoo/sssd-kcm.in +++ b/src/sysv/gentoo/sssd-kcm.in @@ -10,7 +10,8 @@ pidfile="@pidpath@/sssd_kcm.pid" start_pre() { -"@sbindir@/sssd" --genconf-section=kcm || return $? +"@sbindir@/sssd" --genconf-section=kcm +return 0 } depend()
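Review bot: the subject `Work around issue #5729` is the entire commit message, and the new `return 0` in `start_pre()` has no comment, so neither the log nor the script records which exit codes of `sssd --genconf-section=kcm` are being ignored or why. Please describe the failure in the commit body, put `Resolves: #5729` on its own line, and add a one-line comment above `return 0`; as written the function reports success even when the sssd binary cannot be run at all.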
[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

joakim-tjernlund commented:
"""
I am done now, please merge.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5633#issuecomment-844334755
[SSSD] [sssd PR#5633][synchronized] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Author: joakim-tjernlund
Title: #5633: Gentoo/openrc: Add sssd-kcm service script
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5633/head:pr5633
git checkout pr5633

From 6a14b2444e0df7ea9d8e07feaeae23bfa1196fcd Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund
Date: Sun, 16 May 2021 17:53:21 +0200
Subject: [PATCH] Gentoo/openrc: Add sssd-kcm service script

---
 Makefile.am | 3 ++-
 configure.ac | 2 +-
 src/sysv/gentoo/sssd-kcm.in | 21 +
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 src/sysv/gentoo/sssd-kcm.in

diff --git a/Makefile.am b/Makefile.am index 4d9acaef99..12cdfbc606 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5079,7 +5079,8 @@ endif else if HAVE_GENTOO init_SCRIPTS += \ -src/sysv/gentoo/sssd +src/sysv/gentoo/sssd \ +src/sysv/gentoo/sssd-kcm else init_SCRIPTS += \ src/sysv/sssd diff --git a/configure.ac b/configure.ac index 496c558fb8..e98487cae0 100644 --- a/configure.ac +++ b/configure.ac @@ -524,7 +524,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config contrib/sssd-pcsc.rules - src/sysv/sssd src/sysv/gentoo/sssd + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile src/tests/intg/Makefile src/tests/test_CA/Makefile src/tests/test_CA/intermediate_CA/Makefile diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in new file mode 100644 index 00..c9242bf9fb --- /dev/null +++ b/src/sysv/gentoo/sssd-kcm.in
@@ -0,0 +1,21 @@ +#!/sbin/openrc-run +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v3 + +description="SSSD Kerberos Cache Manager" +command="@libexecdir@/sssd/sssd_kcm" +command_background="true" +command_args="--uid=0 --gid=0 --logger=files ${SSSD_KCM_OPTIONS}" +pidfile="@pidpath@/sssd_kcm.pid" + +start_pre() +{ +"@sbindir@/sssd" --genconf-section=kcm || return $? +} + +depend() +{ +need localmount clock +use syslog +before sssd +}
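Review bot: in `start_pre()` of the new `sssd-kcm.in`, `|| return $?` is redundant because a shell function already returns the status of its last command, so `"@sbindir@/sssd" --genconf-section=kcm` on its own behaves the same. Separately, `command_args` expands `${SSSD_KCM_OPTIONS}`, which this script never sets; a short comment saying where it is expected to be defined would help packagers, and the hard-coded `--uid=0 --gid=0` deserves a word on why the daemon is started as root.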
[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

joakim-tjernlund commented:
"""
Added missing pre start cmd to generate kcm config
"""

See the full comment at https://github.com/SSSD/sssd/pull/5633#issuecomment-844310812
[SSSD] [sssd PR#5633][synchronized] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Author: joakim-tjernlund
Title: #5633: Gentoo/openrc: Add sssd-kcm service script
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5633/head:pr5633
git checkout pr5633

From 29f59bd19af3f3b09a2b1d9f3e592631d85dce98 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund
Date: Sun, 16 May 2021 17:53:21 +0200
Subject: [PATCH] Gentoo/openrc: Add sssd-kcm service script

---
 Makefile.am | 3 ++-
 configure.ac | 2 +-
 src/sysv/gentoo/sssd-kcm.in | 22 ++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 src/sysv/gentoo/sssd-kcm.in

diff --git a/Makefile.am b/Makefile.am index 4d9acaef99..12cdfbc606 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5079,7 +5079,8 @@ endif else if HAVE_GENTOO init_SCRIPTS += \ -src/sysv/gentoo/sssd +src/sysv/gentoo/sssd \ +src/sysv/gentoo/sssd-kcm else init_SCRIPTS += \ src/sysv/sssd diff --git a/configure.ac b/configure.ac index 496c558fb8..e98487cae0 100644 --- a/configure.ac +++ b/configure.ac @@ -524,7 +524,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config contrib/sssd-pcsc.rules - src/sysv/sssd src/sysv/gentoo/sssd + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile src/tests/intg/Makefile src/tests/test_CA/Makefile src/tests/test_CA/intermediate_CA/Makefile diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in new file mode 100644 index 00..0f0374f909 --- /dev/null +++ b/src/sysv/gentoo/sssd-kcm.in
@@ -0,0 +1,22 @@ +#!/sbin/openrc-run +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v3 + +description="SSSD Kerberos Cache Manager" +command="@libexecdir@/sssd/sssd_kcm" +command_background="true" +command_args="--uid=0 --gid=0 --logger=files ${SSSD_KCM_OPTIONS}" +description="SSSD Kerberos Cache Manager" +pidfile="@pidpath@/sssd_kcm.pid" + +start_pre() +{ +"@sbindir@/sssd" --genconf-section=kcm || return $? +} + +depend() +{ +need localmount clock +use syslog +before sssd +}
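Review bot: `description="SSSD Kerberos Cache Manager"` is assigned twice in the new `sssd-kcm.in`, once before `command=` and again after `command_args=`; drop the second assignment so the variable block has one entry per setting. The diffstat count of 22 lines for this file would then become 21.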
[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

joakim-tjernlund commented:
"""
> Not exclusively related to this PR, but rather a question in general: do we
> really want to keep (and extend) any distribution specific stuff in upstream
> repo? (Besides some stuff for Fedora that can be considered as examples.)

Since there are paths in these scripts that need to be changed I think it makes sense to have them here.
Lots of other apps do have such scripts as well.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5633#issuecomment-843054506
[SSSD] [sssd PR#5633][opened] Gentoo/openrc: Add sssd-kcm service script
URL: https://github.com/SSSD/sssd/pull/5633
Author: joakim-tjernlund
Title: #5633: Gentoo/openrc: Add sssd-kcm service script
Action: opened

PR body:
"""
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5633/head:pr5633
git checkout pr5633

From f6928b56dfeeeb01c61bfbfc950671236fc533f3 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund
Date: Sun, 16 May 2021 17:53:21 +0200
Subject: [PATCH] Gentoo/openrc: Add sssd-kcm service script

---
 Makefile.am | 3 ++-
 configure.ac | 2 +-
 src/sysv/gentoo/sssd-kcm.in | 16
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 src/sysv/gentoo/sssd-kcm.in

diff --git a/Makefile.am b/Makefile.am index 4d9acaef99..12cdfbc606 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5079,7 +5079,8 @@ endif else if HAVE_GENTOO init_SCRIPTS += \ -src/sysv/gentoo/sssd +src/sysv/gentoo/sssd \ +src/sysv/gentoo/sssd-kcm else init_SCRIPTS += \ src/sysv/sssd diff --git a/configure.ac b/configure.ac index 496c558fb8..e98487cae0 100644 --- a/configure.ac +++ b/configure.ac @@ -524,7 +524,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config contrib/sssd-pcsc.rules - src/sysv/sssd src/sysv/gentoo/sssd + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile src/tests/intg/Makefile src/tests/test_CA/Makefile src/tests/test_CA/intermediate_CA/Makefile diff --git a/src/sysv/gentoo/sssd-kcm.in b/src/sysv/gentoo/sssd-kcm.in new file mode 100644 index 00..2ecbec7291 --- /dev/null +++ b/src/sysv/gentoo/sssd-kcm.in
@@ -0,0 +1,16 @@ +#!/sbin/openrc-run +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v3 + + +command="@libexecdir@/sssd/sssd_kcm" +command_background="true" +command_args="--uid=0 --gid=0 --logger=files ${SSSD_KCM_OPTIONS}" +description="SSSD Kerberos Cache Manager" +pidfile="@pidpath@/sssd_kcm.pid" + +depend(){ +need localmount clock +use syslog +before sssd +}
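Review bot: the new `sssd-kcm.in` has no `start_pre()` step, so nothing runs `sssd --genconf-section=kcm` before `sssd_kcm` is launched; the later revisions of this patch add that call, and it should be part of the script from the start. Minor style points in the same hunk: there are two blank lines after the license header, and `depend(){` is laid out differently from the `depend()` followed by `{` on its own line that the later revisions use.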
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0
On Tue, 2021-05-11 at 10:25 +0200, Pavel Březina wrote:
> On 5/10/21 8:10 PM, Joakim Tjernlund wrote:
> > On Mon, 2021-05-10 at 16:01 +0000, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > > > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > > > On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote:
> > > > > > I decided to test new sssd/KCM and this is what I get:
> > > > > >
> > > > > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > > > > ~ $ klist
> > > > > > Ticket cache: KCM:1001
> > > > > > Default principal: jo...@infinera.com
> > > > > >
> > > > > > Valid starting     Expires            Service principal
> > > > > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > > > > >         renew until 17/05/21 16:47:32
> > > > > > ~ $ ksu
> > > > > > ksu: Ccache function not supported: not implemented while selecting the best principal
> > > > > >
> > > > > > I also have mit-krb5 master installed.
> > > > > >
> > > > > > Did I miss something?
> > > >
> > > > krb5 master contains:
> > > > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > > >
> > > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to
> > > > its own function that was used before this commit.
> >
> > FYI, reverting that commit makes it work.
>
> Thanks for the information. Please, open a ticket against krb5.

Easier said than done. I could not find an issue tracker for mit-krb5, is there one?
Found a bug email list I mailed but not sure it will get through (I am not joining yet another list just to report a bug)

 Jocke
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0
On Tue, 2021-05-11 at 11:09 +0200, Joakim Tjernlund wrote:
> On Tue, 2021-05-11 at 10:25 +0200, Pavel Březina wrote:
> > On 5/10/21 8:10 PM, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 16:01 +0000, Joakim Tjernlund wrote:
> > > > On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > > > > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > > > > On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote:
> > > > > > > I decided to test new sssd/KCM and this is what I get:
> > > > > > >
> > > > > > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > > > > > ~ $ klist
> > > > > > > Ticket cache: KCM:1001
> > > > > > > Default principal: jo...@infinera.com
> > > > > > >
> > > > > > > Valid starting     Expires            Service principal
> > > > > > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > > > > > >         renew until 17/05/21 16:47:32
> > > > > > > ~ $ ksu
> > > > > > > ksu: Ccache function not supported: not implemented while selecting the best principal
> > > > > > >
> > > > > > > I also have mit-krb5 master installed.
> > > > > > >
> > > > > > > Did I miss something?
> > > > >
> > > > > krb5 master contains:
> > > > > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> > > > >
> > > > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to
> > > > > its own function that was used before this commit.
> > >
> > > FYI, reverting that commit makes it work.
> >
> > Thanks for the information. Please, open a ticket against krb5.
>
> Easier said than done. I could not find an issue tracker for mit-krb5, is there one?
> Found a bug email list I mailed but not sure it will get through (I am not
> joining yet another list just to report a bug)
>
>  Jocke

Managed to add a comment here:
https://github.com/krb5/krb5/pull/1178
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0
On Mon, 2021-05-10 at 16:01 +0000, Joakim Tjernlund wrote:
> On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote:
> > On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
> > > On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote:
> > > > I decided to test new sssd/KCM and this is what I get:
> > > >
> > > > - ssh from non sssd/krb machine to new sssd machine, entered password
> > > > ~ $ klist
> > > > Ticket cache: KCM:1001
> > > > Default principal: jo...@infinera.com
> > > >
> > > > Valid starting     Expires            Service principal
> > > > 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
> > > >         renew until 17/05/21 16:47:32
> > > > ~ $ ksu
> > > > ksu: Ccache function not supported: not implemented while selecting the best principal
> > > >
> > > > I also have mit-krb5 master installed.
> > > >
> > > > Did I miss something?
> >
> > krb5 master contains:
> > https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
> >
> > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to
> > its own function that was used before this commit.

FYI, reverting that commit makes it work.

 Jocke
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0
On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote:
> I decided to test new sssd/KCM and this is what I get:
>
> - ssh from non sssd/krb machine to new sssd machine, entered password
> ~ $ klist
> Ticket cache: KCM:1001
> Default principal: jo...@infinera.com
>
> Valid starting     Expires            Service principal
> 10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
>         renew until 17/05/21 16:47:32
> ~ $ ksu
> ksu: Ccache function not supported: not implemented while selecting the best principal
>
> I also have mit-krb5 master installed.
>
> Did I miss something?

Get a KCM trace for ksu:
(2021-05-10 17:09:47): [kcm] [get_client_cred] (0x4000): Client [0x56377e20ead0][14] creds: euid[1001] egid[100] pid[5871] cmd_line['ksu'].
(2021-05-10 17:09:47): [kcm] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled: SELINUX_getpeercon failed [95][Operation not supported]. Please, consider enabling SELinux in your system.
(2021-05-10 17:09:47): [kcm] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x56377e20ead0][14]
(2021-05-10 17:09:47): [kcm] [accept_fd_handler] (0x0400): Client [0x56377e20ead0][14] connected!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 4
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 20
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_DEFAULT_CACHE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 0 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_default_ccache_send] (0x1000): Getting client's default ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_get_default_send] (0x2000): Getting the default ccache
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/default] is [cn=default,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/default
(2021-05-10 17:09:47): [kcm] [secdb_dfl_url_req] (0x2000): Created request for URL /kcm/persistent/1001/default
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=default,cn=1001,cn=persistent,cn=kcm] with scope=base
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x1000): No secret found
(2021-05-10 17:09:47): [kcm] [sec_get] (0x0040): Cannot retrieve the secret [2]: No such file or directory
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all ccaches
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Found 1 ccaches
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all caches done
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_name_by_uuid_send] (0x2000): Translating UUID to name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Loc
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 2.5.0
On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote: > On 5/10/21 5:12 PM, Joakim Tjernlund wrote: > > On Mon, 2021-05-10 at 14:53 +0000, Joakim Tjernlund wrote: > > > I decided to test new sssd/KCM and this is what I get: > > > > > > - ssh from non sssd/krb machine to new sssd machine, entered password > > > ~ $ klist > > > Ticket cache: KCM:1001 > > > Default principal: jo...@infinera.com > > > > > > Valid starting ExpiresService principal > > > 10/05/21 16:47:32 11/05/21 02:47:32 krbtgt/infinera@infinera.com > > > renew until 17/05/21 16:47:32 > > > ~ $ ksu > > > ksu: Ccache function not supported: not implemented while selecting the > > > best principal > > > > > > I also have mit-kr5b master installed. > > > > > > Did I miss something? > > > krb5 master contains: > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkrb5%2Fkrb5%2Fcommit%2F795ebba8c039be172ab93cd41105c73ffdba0fdb&data=04%7C01%7Cjoakim.tjernlund%40infinera.com%7C6711baf1f6ab4e4cfb8f08d913cb27bf%7C285643de5f5b4b03a1530ae2dc8aaf77%7C1%7C0%7C637562585534486850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=e0rLEUFUeX0hgdo7BlVWvc5%2F%2FqV6dNF25FtZEo4E1n4%3D&reserved=0 > > but RETRIEVE is not implemented in sssd-kcm. Kerberos should fallback to > its own function that was used before this commit. hmm, not sure what to do here, downgrade mit-krb5? Then I don't get the new KCM feature. The trace didn't help any? 
Here is an ssh trace in case that helps:

KRB5_TRACE=/dev/stdout ssh devsrv
[7615] 1620662408.437070: ccselect module realm chose cache KCM:1001 with client principal jo...@infinera.com for server principal host/devsrv.infinera@infinera.com
[7615] 1620662408.437071: Getting credentials jo...@infinera.com -> host/devsrv.infinera@infinera.com using ccache KCM:1001
[7615] 1620662408.437072: Retrieving jo...@infinera.com -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving jo...@infinera.com -> host/devsrv.infinera@infinera.com from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437079: ccselect module realm chose cache KCM:1001 with client principal jo...@infinera.com for server principal host/devsrv.infinera@infinera.com
[7615] 1620662408.437080: Getting credentials jo...@infinera.com -> host/devsrv.infinera@infinera.com using ccache KCM:1001
[7615] 1620662408.437081: Retrieving jo...@infinera.com -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437082: Retrieving jo...@infinera.com -> host/devsrv.infinera@infinera.com from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
(jocke@devsrv) Password:

 Jocke
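The trace in the message above, turned into a triage check (an added example, not part of the original thread or of SSSD or MIT krb5): it parses KRB5_TRACE output, counts failed credential-cache retrievals per cache, and lists the caches that answered "Ccache function not supported". The line layout is taken from the trace as posted; the sample principals, host name and function names are constructed for illustration.

```python
import re
from collections import Counter

# Error number printed in the trace next to "Ccache function not supported".
CC_NOT_SUPPORTED = -1765328137

# "[pid] seconds.micros: message" framing used by every trace line.
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")
# "Retrieving <client> -> <server> from <ccache> with result: <code>/<text>"
RETRIEVE_RE = re.compile(
    r"^Retrieving (?P<client>\S+) -> (?P<server>\S+) from (?P<ccache>\S+) "
    r"with result: (?P<code>-?\d+)/(?P<text>.*)$"
)

# Constructed sample: same layout as the posted trace, placeholder names.
SAMPLE_TRACE = """\
[7615] 1620662408.437070: ccselect module realm chose cache KCM:1001 with client principal alice@EXAMPLE.COM for server principal host/devsrv.example.com@EXAMPLE.COM
[7615] 1620662408.437071: Getting credentials alice@EXAMPLE.COM -> host/devsrv.example.com@EXAMPLE.COM using ccache KCM:1001
[7615] 1620662408.437072: Retrieving alice@EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving alice@EXAMPLE.COM -> host/devsrv.example.com@EXAMPLE.COM from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7616] 1620662409.000001: Retrieving alice@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from FILE:/tmp/krb5cc_1001 with result: 0/Success
this line is not trace output
"""


def parse_retrievals(trace):
    """Yield one dict per 'Retrieving ...' trace line; skip everything else."""
    for raw in trace.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        hit = RETRIEVE_RE.match(line["msg"])
        if not hit:
            continue
        yield {
            "pid": int(line["pid"]),
            "ccache": hit["ccache"],
            "server": hit["server"],
            # Cache configuration entries live under the X-CACHECONF: realm.
            "is_config": hit["server"].endswith("@X-CACHECONF:"),
            "code": int(hit["code"]),
            "text": hit["text"],
        }


def summarize(trace):
    """Count failed retrievals per (cache, code) and flag unsupported caches."""
    failures = Counter()
    unsupported = set()
    service_lookups_failed = []
    total = 0
    for rec in parse_retrievals(trace):
        total += 1
        if rec["code"] == 0:
            continue
        failures[(rec["ccache"], rec["code"])] += 1
        if rec["code"] == CC_NOT_SUPPORTED:
            unsupported.add(rec["ccache"])
            # A failed lookup of a real service ticket is what ends in the
            # password prompt; config-entry misses alone are less telling.
            if not rec["is_config"]:
                service_lookups_failed.append(rec["server"])
    return {
        "retrievals": total,
        "failures": dict(failures),
        "unsupported_caches": sorted(unsupported),
        "service_lookups_failed": service_lookups_failed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_TRACE)
    for (ccache, code), count in report["failures"].items():
        print(f"{ccache}: {count} retrieval(s) failed with {code}")
    for ccache in report["unsupported_caches"]:
        print(f"{ccache}: cache server does not implement the retrieve operation")
```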
[SSSD] Re: [SSSD-users] Announcing SSSD 2.5.0
I decided to test new sssd/KCM and this is what I get:

- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Default principal: jo...@infinera.com

Valid starting     Expires            Service principal
10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera@infinera.com
        renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal

I also have mit-krb5 master installed.

Did I miss something?

On Mon, 2021-05-10 at 15:49 +0200, Pavel Březina wrote:
> # SSSD 2.5.0
>
> The SSSD team is proud to announce the release of version 2.5.0 of the
> System Security Services Daemon. The tarball can be downloaded from:
>
> https://github.com/SSSD/sssd/releases/tag/2.5.0
>
> See the full release notes at:
>
> https://sssd.io/release-notes/sssd-2.5.0.html
>
> RPM packages will be made available for Fedora shortly.
>
> ## Feedback
>
> Please provide comments, bugs and other feedback via the sssd-devel
> or sssd-users mailing lists:
>
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> ## Highlights
>
> ### General information
>
> * `secrets` support is deprecated and will be removed in one of the next
> versions of SSSD.
> * `local-provider` is deprecated and will be removed in one of the next
> versions of SSSD.
> * SSSD's implementation of `libwbclient` was removed as incompatible
> with modern version of Samba.
> * This release deprecates `pcre1` support. This support will be removed
> completely in following releases.
> * A home directory from a dedicated user override, either local or
> centrally managed by IPA, will have a higher precedence than the
> `override_homedir` option.
> * `debug-to-files`, `debug-to-stderr` command line and undocumented
> `debug_to_files` config options were removed.
>
> ### New features
>
> * Added support for automatic renewal of renewable TGTs that are stored
> in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See
> the sssd-kcm man page for more details. This feature requires MIT
> Kerberos krb5-1.19-0.beta2.3 or higher.
> * Background sudo periodic tasks (smart and full refresh) periods are now
> extended by a random offset to spread the load on the server in
> environments with many clients. The random offset can be changed with
> `ldap_sudo_random_offset`.
> * Completing a sudo full refresh now postpones the smart refresh by
> `ldap_sudo_smart_refresh_interval` value. This ensures that the smart
> refresh is not run too soon after a successful full refresh.
> * If `debug_backtrace_enabled` is set to `true` then on any error all
> prior debug messages (to some limit) are printed even if `debug_level`
> is set to low value (for details see `man sssd.conf`:
> `debug_backtrace_enabled` description).
> * Besides trusted domains known by the forest root, trusted domains
> known by the local domain are used as well.
> * New configuration option `offline_timeout_random_offset` to control
> random factor in backend probing interval when SSSD is in offline mode.
>
> ### Important fixes
>
> * `ad_gpo_implicit_deny` is now respected even if there are no
> applicable GPOs present
> * During the IPA subdomains request a failure in reading a single
> specific configuration option is not considered fatal and the request
> will continue
> * unknown IPA id-
[SSSD] [sssd PR#5569][comment] SYSV files updates
URL: https://github.com/SSSD/sssd/pull/5569
Title: #5569: SYSV files updates

joakim-tjernlund commented:
"""
Gentoo looks OK
"""

See the full comment at https://github.com/SSSD/sssd/pull/5569#issuecomment-814253500
[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.
URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

joakim-tjernlund commented:
"""
> > Hi, I don't think we need dist. specific ones but there are variables in
> > there that need processing.
>
> Is this file really used in Gentoo?
> There are:
> https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-auth/sssd/files/sssd.service
> https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-auth/sssd/files/sssd
>
> But I'm really not familiar with Gentoo packaging thus asking.

Yes, you can choose systemd or openrc at build time (Gentoo is a source based dist so every SW pkg is built locally)
The sssd.service is just used in old 2.2.0. Same for sssd file.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5535#issuecomment-814010211
[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.
URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

joakim-tjernlund commented:
"""
To be clear, you could have a generic openrc script and a generic SYSV shell script
"""

See the full comment at https://github.com/SSSD/sssd/pull/5535#issuecomment-814002391
[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.
URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

joakim-tjernlund commented:
"""
> > This PR forgot to change -f in src/sysv/gentoo/sssd.in so sssd now fails to
> > start as -f option is not recognized.
> > Please replace -f with --logger=files
>
> @joakim-tjernlund , do we really need distribution-specific config in
> upstream repo?
>
> @scabrero , do you use
> https://github.com/SSSD/sssd/blob/master/src/sysv/SUSE/sssd.in somehow?

Hi, I don't think we need dist. specific ones but there are variables in there that need processing.
Also, Gentoo vs. SUSE, the Gentoo one is openrc while SUSE is a plain script so you cannot merge them into one.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5535#issuecomment-813997650
[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.
URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

joakim-tjernlund commented:
"""
This PR forgot to change -f in src/sysv/gentoo/sssd.in so sssd now fails to start as -f option is not recognized.
Please replace -f with --logger=files
"""

See the full comment at https://github.com/SSSD/sssd/pull/5535#issuecomment-812456635
[SSSD] [sssd PR#5283][synchronized] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283 Author: joakim-tjernlund Title: #5283: Add dyndns_auth_ptr support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5283/head:pr5283 git checkout pr5283 From 6976ca75830175e08c9fd975fb0c27b4b203c711 Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund Date: Sat, 15 Aug 2020 11:47:42 +0200 Subject: [PATCH] Add dyndns_auth_ptr support Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. Resolves: https://github.com/SSSD/sssd/issues/5274 --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml| 15 +++ src/man/sssd-ipa.5.xml | 15 +++ src/providers/ad/ad_dyndns.c | 1 + src/providers/ad/ad_opts.c | 1 + src/providers/be_dyndns.c| 13 + src/providers/be_dyndns.h| 2 ++ src/providers/ipa/ipa_dyndns.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/sdap_dyndns.c | 5 - src/providers/ldap/sdap_dyndns.h | 1 + 11 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2874ea048b..6347024278 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -421,6 +421,7 @@ option = dyndns_refresh_interval option = dyndns_update_ptr option = dyndns_force_tcp option = dyndns_auth +option = dyndns_auth_ptr option = dyndns_server # files provider specific options diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..e4712e26d9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + dyndns_server (string) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 0de866740a..7b630493da 100644 --- a/src/man/sssd-ipa.5.xml 
+++ b/src/man/sssd-ipa.5.xml @@ -214,6 +214,21 @@ + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + ipa_enable_dns_sites (boolean) diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c index 00e1d253ae..71ef16c0b5 100644 --- a/src/providers/ad/ad_dyndns.c +++ b/src/providers/ad/ad_dyndns.c @@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 25b1367731..b61de2838e 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, +{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index 54f3cc08a3..2de3b11bb7 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers/be_dyndns.c @@ -1217,6 +1217,7 @@ static struct dp_option default_dyndns_opts[] =
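Review bot: The diffstat lists only files under src/config, src/man and src/providers, so nothing exercises the fallback that the man page hunks promise ("Default: Same as dyndns_auth"). With the ad_opts.c entry for dyndns_auth_ptr now defaulting to NULL_STRING, a test for the unset case and for dyndns_auth = none combined with an explicit dyndns_auth_ptr would pin down that PTR updates only go out unauthenticated when the administrator asked for it.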
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
> Do I understand it correctly that this patch fixes #5274? If yes, can you
> please add:
>
> ```
> Resolves: https://github.com/SSSD/sssd/issues/5274
> ```
>
> to the commit message?

Done
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-70062
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
> Hi,
>
> I'm fine with the patch but I still would like to understand how to test this
> behavior. Which settings do you need for your environment
>
> ```
> dyndns_auth = none
> dyndns_auth_ptr = GSS-TSIG
> ```

Yes, that way. Still too much legacy EQ not speaking GSS-TSIG so only GSS-TSIG on RDNS
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-693211402
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
@sumit-bose , mind setting this PR in Reviewed status?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-692733807
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
I would really appreciate if this could be merged to master, then I can install sssd on a few more computers that use master
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-688194108
[SSSD] [sssd PR#5283][synchronized] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283 Author: joakim-tjernlund Title: #5283: Add dyndns_auth_ptr support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5283/head:pr5283 git checkout pr5283 From 487f3b552e6897a70572152228033d12b58a90ee Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund Date: Sat, 15 Aug 2020 11:47:42 +0200 Subject: [PATCH] Add dyndns_auth_ptr support Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml| 15 +++ src/man/sssd-ipa.5.xml | 15 +++ src/providers/ad/ad_dyndns.c | 1 + src/providers/ad/ad_opts.c | 1 + src/providers/be_dyndns.c| 13 + src/providers/be_dyndns.h| 2 ++ src/providers/ipa/ipa_dyndns.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/sdap_dyndns.c | 5 - src/providers/ldap/sdap_dyndns.h | 1 + 11 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2874ea048b..6347024278 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -421,6 +421,7 @@ option = dyndns_refresh_interval option = dyndns_update_ptr option = dyndns_force_tcp option = dyndns_auth +option = dyndns_auth_ptr option = dyndns_server # files provider specific options diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..e4712e26d9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + dyndns_server (string) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 0de866740a..7b630493da 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -214,6 +214,21 @@ + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + ipa_enable_dns_sites (boolean) diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c index 00e1d253ae..71ef16c0b5 100644 --- a/src/providers/ad/ad_dyndns.c +++ b/src/providers/ad/ad_dyndns.c @@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 25b1367731..b61de2838e 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, +{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index 54f3cc08a3..2de3b11bb7 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers/be_dyndns.c @@ -1217,6 +1217,7 @@ static struct dp_option default_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT
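Review bot: In the ad_dyndns.c hunk, ctx->dyndns_ctx->auth_ptr_type is added as a new positional argument directly after ctx->dyndns_ctx->auth_type, and the diffstat shows ipa_dyndns.c receiving the same one-line change. Two adjacent auth arguments are easy to transpose at a call site, which would silently apply the PTR setting to the other update; a short comment in sdap_dyndns.h on the new parameter saying which argument governs PTR updates would make a swapped caller obvious in review.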
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
> Hi,
>
> thank you for the patch. Except a minor issue I'm fine with the patch.

Thanks

> I wonder if you can give an example configuration how to configure a DNS
> server for asymmetrical authentication so that the patch can be tested
> properly.

I cannot, don't have access to these servers. Sorry
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-685071593
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
> Is there any reason to have two patches instead squashing into single?

Just wanted to show what I changed, I can squash into one commit, NP
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-685070637
[SSSD] [sssd PR#5283][synchronized] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283 Author: joakim-tjernlund Title: #5283: Add dyndns_auth_ptr support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5283/head:pr5283 git checkout pr5283 From a95b6c87e965c4833bc1fe045590c6ddb98f04d6 Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund Date: Sat, 15 Aug 2020 11:47:42 +0200 Subject: [PATCH 1/2] Add dyndns_auth_ptr support Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml| 15 +++ src/man/sssd-ipa.5.xml | 15 +++ src/providers/ad/ad_dyndns.c | 1 + src/providers/ad/ad_opts.c | 1 + src/providers/be_dyndns.c| 13 + src/providers/be_dyndns.h| 2 ++ src/providers/ipa/ipa_dyndns.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/sdap_dyndns.c | 5 - src/providers/ldap/sdap_dyndns.h | 1 + 11 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2874ea048b..6347024278 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -421,6 +421,7 @@ option = dyndns_refresh_interval option = dyndns_update_ptr option = dyndns_force_tcp option = dyndns_auth +option = dyndns_auth_ptr option = dyndns_server # files provider specific options diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..e4712e26d9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + dyndns_server (string) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 0de866740a..7b630493da 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -214,6 +214,21 @@ + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + ipa_enable_dns_sites (boolean) diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c index 00e1d253ae..71ef16c0b5 100644 --- a/src/providers/ad/ad_dyndns.c +++ b/src/providers/ad/ad_dyndns.c @@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 25b1367731..9ebb9ad1a4 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, +{ "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index 54f3cc08a3..f97779e1dc 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers/be_dyndns.c @@ -1217,6 +1217,7 @@ static struct dp_option default_dyndns_opts[] = { { "dyndns_update_ptr&quo
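Review bot: The dyndns_auth_ptr description added to sssd-ad.5.xml and sssd-ipa.5.xml joins two sentences with a comma ("...with the DNS server, insecure updates can be sent by setting this option to 'none'") and names only 'none' as a value, while the option table spells the other value "gss-tsig". Suggest splitting it into two sentences, listing both accepted values as the code spells them, and stating next to "Default: Same as dyndns_auth" that dyndns_auth = none therefore also makes PTR updates unauthenticated unless dyndns_auth_ptr is set.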
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
@sumit-bose , could you have a look at this PR?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-681910420
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
See issue https://github.com/SSSD/sssd/issues/5274
"""

See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-675923680
[SSSD] [sssd PR#5283][opened] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283 Author: joakim-tjernlund Title: #5283: Add dyndns_auth_ptr support Action: opened PR body: """ Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5283/head:pr5283 git checkout pr5283 From a95b6c87e965c4833bc1fe045590c6ddb98f04d6 Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund Date: Sat, 15 Aug 2020 11:47:42 +0200 Subject: [PATCH] Add dyndns_auth_ptr support Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml| 15 +++ src/man/sssd-ipa.5.xml | 15 +++ src/providers/ad/ad_dyndns.c | 1 + src/providers/ad/ad_opts.c | 1 + src/providers/be_dyndns.c| 13 + src/providers/be_dyndns.h| 2 ++ src/providers/ipa/ipa_dyndns.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/sdap_dyndns.c | 5 - src/providers/ldap/sdap_dyndns.h | 1 + 11 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2874ea048b..6347024278 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -421,6 +421,7 @@ option = dyndns_refresh_interval option = dyndns_update_ptr option = dyndns_force_tcp option = dyndns_auth +option = dyndns_auth_ptr option = dyndns_server # files provider specific options diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..e4712e26d9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + dyndns_server (string) 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 0de866740a..7b630493da 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -214,6 +214,21 @@ + +dyndns_auth_ptr (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure PTR updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: Same as dyndns_auth + + + + ipa_enable_dns_sites (boolean) diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c index 00e1d253ae..71ef16c0b5 100644 --- a/src/providers/ad/ad_dyndns.c +++ b/src/providers/ad/ad_dyndns.c @@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 25b1367731..9ebb9ad1a4 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, +{ "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index 54f3cc08a3..f97779e1dc 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers
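Review bot: In the ad_opts.c hunk the new dyndns_auth_ptr entry defaults to { "" }, whereas the dyndns_server entry right below it uses NULL_STRING for "not set". Because the man page hunks document the default as "Same as dyndns_auth", an empty-string default makes the fallback depend on a string comparison and leaves an explicitly empty value in sssd.conf indistinguishable from an unset one. Suggest NULL_STRING as the default and a NULL check where the fallback to dyndns_auth is applied.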
[SSSD] Re: [SSSD-users] Re: Announcing SSSD 1.16.1
On Sun, 2018-03-11 at 21:38 +0100, Jakub Hrozek wrote:
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe.
>
> > On 9 Mar 2018, at 14:45, Joakim Tjernlund wrote:
> >
> > On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote:
> > > SSSD 1.16.1
> > > ===
> > >
> > > The SSSD team is proud to announce the release of version 1.16.1 of the
> > > System Security Services Daemon.
> > >
> > > The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
> > >
> > > RPM packages will be made available for Fedora shortly.
> > >
> > > Feedback
> > >
> > > Please provide comments, bugs and other feedback
> > > via the sssd-devel or sssd-users mailing lists:
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> >
> > Did a quick test here and it seems like enumerate = true is
> > broken. Is it just me or .. ?
>
> I don’t know about any bugs around enumeration in 1.16.1. Maybe you found an
> issue, but it’s hard to say without more context.

OK, thanks. I am a bit pressed for time but I did install 1.16.1 on another machine as well and now I see a pattern: I cleared the sss/db and rebooted, logged in and tested again with good old finger command and it failed, I waited 5-10 mins and finger still failed. Went on lunch and when I got back finger worked! It seems that enumerate can take a very long time?
sssd.conf (minor edits):

[sssd]
config_file_version = 2
domains = xxx.com
services = nss, pam
#debug_level = 0x0fff

[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
#debug_level = 0x0fff
enum_cache_timeout = 3600
entry_negative_timeout = 300

[pam]
#debug_level = 0x0fff

[domain/xxx.com]
#debug_level = 0x
timeout = 30
ad_maximum_machine_account_password_age = 0
ignore_group_members = false
ldap_id_mapping = false
cache_credentials = true
enumerate = false
ldap_enumeration_refresh_timeout = 1800
entry_cache_timeout = 3600
refresh_expired_interval = 2700
id_provider = ad
auth_provider = ad
access_provider = permit
chpass_provider = ad
dyndns_update = true
dyndns_refresh_interval = 600
dyndns_update_ptr = true
dyndns_ttl = 3600
case_sensitive = false
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = .COM
krb5_canonicalize = true
krb5_store_password_if_offline = true
krb5_use_kdcinfo = False
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 4h

Jocke
[SSSD] Re: [SSSD-users] Announcing SSSD 1.16.1
On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote:
> SSSD 1.16.1
> ===
>
> The SSSD team is proud to announce the release of version 1.16.1 of the
> System Security Services Daemon.
>
> The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
>
> RPM packages will be made available for Fedora shortly.
>
> Feedback
>
> Please provide comments, bugs and other feedback
> via the sssd-devel or sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>

Did a quick test here and it seems like enumerate = true is broken. Is it just me or .. ?

Jocke
[SSSD] SSSD not reregister DDNS when interface goes up down
Starting up with eth0 plugged I get DNS registered. But if I pull eth0 and enable WiFi I get a new IP but the old IP is still in DNS. Restarting sssd registers the new WiFi IP.

Bug or feature ?

Jocke
[SSSD] Re: [SSSD-users] Re: Re: Announcing SSSD 1.14.2
On Mon, 2016-11-07 at 12:08 +0100, Lukas Slebodnik wrote:
> On (20/10/16 06:58), Joakim Tjernlund wrote:
> > On Wed, 2016-10-19 at 21:48 +0200, Jakub Hrozek wrote:
> > > === SSSD 1.14.2 ===
> > >
> > > The SSSD team is proud to announce the release of version 1.14.2 of
> > > the System Security Services Daemon.
> > >
> > > As always, the source is available from https://fedorahosted.org/sssd
> > >
> > > RPM packages will be made available for Fedora shortly.
> > >
> > > == Feedback ==
> > > Please provide comments, bugs and other feedback via the sssd-devel
> > > or sssd-users mailing lists:
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> > >
> >
> > hmm, I still get:
> > libtool: link: x86_64-pc-linux-gnu-gcc -shared -fPIC -DPIC src/providers/krb5/.libs/libsss_krb5_la-krb5_init.o -Wl,-rpath -Wl,/var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs -Wl,-rpath -Wl,/usr/lib64/sssd -L/var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs -Wl,--as-needed -L/usr/lib64 ./.libs/libsss_util.so -lpopt -lldb -ldbus-1 -lpcre /usr/lib64/libini_config.so /usr/lib64/libpath_utils.so /usr/lib64/libbasicobjects.so /usr/lib64/libref_array.so /usr/lib64/libcollection.so /usr/lib64/libldap.so /usr/lib64/liblber.so -lresolv -lsasl2 -lgnutls /usr/lib64/libgcrypt.so -lgpg-error -ltdb -lglib-2.0 /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_child.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_cert.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_crypt.so ./.libs/libsss_crypt.so -lcrypto ./.libs/libsss_debug.so ./.libs/libsss_child.so -ltevent -ltalloc /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_debug.so ./.libs/libsss_krb5_common.so -lkeyutils /usr/lib64/libdhash.so -lkrb5 -lk5crypto -lcom_err -O2 -Wl,-O1 -Wl,-soname -Wl,libsss_krb5.so -o .libs/libsss_krb5.so
> > ./.libs/libsss_util.so: undefined reference to `timer_settime'
> > ./.libs/libsss_util.so: undefined reference to `timer_delete'
> > ./.libs/libsss_util.so: undefined reference to `timer_create'
> > collect2: error: ld returned 1 exit status
> > libtool: link: x86_64-pc-linux-gnu-gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -O2 -pipe -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,-O1 -o .libs/sss_ssh_knownhostsproxy src/sss_client/sss_ssh_knownhostsproxy-common.o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o -Wl,-rpath -Wl,/usr/lib64 -Wl,--as-needed ./.libs/libsss_util.so -L/usr/lib64 -lldb -ldbus-1 -lpcre /usr/lib64/libini_config.so /usr/lib64/libpath_utils.so /usr/lib64/libbasicobjects.so /usr/lib64/libref_array.so /usr/lib64/libcollection.so /usr/lib64/libldap.so /usr/lib64/liblber.so -lresolv -lsasl2 -lgnutls /usr/lib64/libgcrypt.so -lgpg-error -ltdb -lglib-2.0 /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_child.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_cert.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_crypt.so ./.libs/libsss_crypt.so -lcrypto ./.libs/libsss_debug.so ./.libs/libsss_child.so -ltevent /usr/lib64/libdhash.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_debug.so -lpthread -ltalloc -lpopt -Wl,-rpath -Wl,/usr/lib64/sssd
> > Makefile:11323: recipe for target 'sss_ssh_authorizedkeys' failed
> > make[2]: *** [sss_ssh_authorizedkeys] Error 1
> > make[2]: *** Waiting for unfinished jobs
> > ./.libs/libsss_util.so: undefined reference to `timer_settime'
> > ./.libs/libsss_util.so: undefined reference to `timer_delete'
> > ./.libs/libsss_util.so: undefined reference to `timer_create'
> > collect2: error: ld returned 1 exit status
> > Makefile:11336: recipe for target 'sss_ssh_knownhostsproxy' failed
> > make[2]: *** [sss_ssh_knownhostsproxy] Error 1
> >
> > I thought this was fixed (linking with librt that is)?
> >
> Could you test attached patch?

Tested:
...
checking for library containing timer_create... -lrt

and it builds and starts too :)

Jocke
[SSSD] Re: [SSSD-users] Announcing SSSD 1.14.2
On Wed, 2016-10-19 at 21:48 +0200, Jakub Hrozek wrote:
> === SSSD 1.14.2 ===
>
> The SSSD team is proud to announce the release of version 1.14.2 of
> the System Security Services Daemon.
>
> As always, the source is available from https://fedorahosted.org/sssd
>
> RPM packages will be made available for Fedora shortly.
>
> == Feedback ==
> Please provide comments, bugs and other feedback via the sssd-devel
> or sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>

hmm, I still get:
libtool: link: x86_64-pc-linux-gnu-gcc -shared -fPIC -DPIC src/providers/krb5/.libs/libsss_krb5_la-krb5_init.o -Wl,-rpath -Wl,/var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs -Wl,-rpath -Wl,/usr/lib64/sssd -L/var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs -Wl,--as-needed -L/usr/lib64 ./.libs/libsss_util.so -lpopt -lldb -ldbus-1 -lpcre /usr/lib64/libini_config.so /usr/lib64/libpath_utils.so /usr/lib64/libbasicobjects.so /usr/lib64/libref_array.so /usr/lib64/libcollection.so /usr/lib64/libldap.so /usr/lib64/liblber.so -lresolv -lsasl2 -lgnutls /usr/lib64/libgcrypt.so -lgpg-error -ltdb -lglib-2.0 /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_child.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_cert.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_crypt.so ./.libs/libsss_crypt.so -lcrypto ./.libs/libsss_debug.so ./.libs/libsss_child.so -ltevent -ltalloc /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_debug.so ./.libs/libsss_krb5_common.so -lkeyutils /usr/lib64/libdhash.so -lkrb5 -lk5crypto -lcom_err -O2 -Wl,-O1 -Wl,-soname -Wl,libsss_krb5.so -o .libs/libsss_krb5.so
./.libs/libsss_util.so: undefined reference to `timer_settime'
./.libs/libsss_util.so: undefined reference to `timer_delete'
./.libs/libsss_util.so: undefined reference to `timer_create'
collect2: error: ld returned 1 exit status
libtool: link: x86_64-pc-linux-gnu-gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -O2 -pipe -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,-O1 -o .libs/sss_ssh_knownhostsproxy src/sss_client/sss_ssh_knownhostsproxy-common.o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o -Wl,-rpath -Wl,/usr/lib64 -Wl,--as-needed ./.libs/libsss_util.so -L/usr/lib64 -lldb -ldbus-1 -lpcre /usr/lib64/libini_config.so /usr/lib64/libpath_utils.so /usr/lib64/libbasicobjects.so /usr/lib64/libref_array.so /usr/lib64/libcollection.so /usr/lib64/libldap.so /usr/lib64/liblber.so -lresolv -lsasl2 -lgnutls /usr/lib64/libgcrypt.so -lgpg-error -ltdb -lglib-2.0 /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_child.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_cert.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_crypt.so ./.libs/libsss_crypt.so -lcrypto ./.libs/libsss_debug.so ./.libs/libsss_child.so -ltevent /usr/lib64/libdhash.so /var/tmp/portage/sys-auth/sssd-1.14.2/work/sssd-1.14.2-abi_x86_64.amd64/.libs/libsss_debug.so -lpthread -ltalloc -lpopt -Wl,-rpath -Wl,/usr/lib64/sssd
Makefile:11323: recipe for target 'sss_ssh_authorizedkeys' failed
make[2]: *** [sss_ssh_authorizedkeys] Error 1
make[2]: *** Waiting for unfinished jobs
./.libs/libsss_util.so: undefined reference to `timer_settime'
./.libs/libsss_util.so: undefined reference to `timer_delete'
./.libs/libsss_util.so: undefined reference to `timer_create'
collect2: error: ld returned 1 exit status
Makefile:11336: recipe for target 'sss_ssh_knownhostsproxy' failed
make[2]: *** [sss_ssh_knownhostsproxy] Error 1

I thought this was fixed (linking with librt that is)?

Also, could you fix this warning:
/etc/init.d/sssd[3049]: /etc/init.d/sssd uses runscript, please convert to openrc-run.

Just apply
sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' src/sysv/gentoo/sssd.in

Jocke