[SSSD] [PATCH] LDAP provider needs to link against krb libraries
Hi, since the LDAP provider does calls into the krb5 libs it should also be linked against them :). Attached patch should fix that. -- regards, Ralf
From 6169242cc432b48d86eaae03fbee52af69527860 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp rha...@suse.de
Date: Mon, 12 Oct 2009 11:50:30 +0200
Subject: [PATCH] LDAP provider needs to link against krb libraries
---
server/Makefile.am |6 --
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/server/Makefile.am b/server/Makefile.am
index a65c9fa..6c08274 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -424,9 +424,11 @@ libsss_ldap_la_SOURCES = \
providers/ldap/sdap.c
libsss_ldap_la_CFLAGS = \
$(AM_CFLAGS) \
-$(LDAP_CFLAGS)
+$(LDAP_CFLAGS) \
+$(KRB5_CFLAGS)
libsss_ldap_la_LIBADD = \
-$(OPENLDAP_LIBS)
+$(OPENLDAP_LIBS) \
+$(KRB5_LIBS)
libsss_ldap_la_LDFLAGS = \
-version-info 1:0:0 \
-module
-- 1.6.4.2
___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] LDAP provider needs to link against krb libraries
On Mon, Oct 12, 2009 at 12:20:37PM +0200, Ralf Haferkamp wrote: Hi, since the LDAP provider does calls into the krb5 libs it should also be linked against them :). Attached patch should fix that. -- regards, Ralf Obviously correct. ACK Thanks. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] fix a wrong argument to unpack_buffer
Hi, Martin was so nice to point me to a bug introduced by the short read patch. This patch should fix it. bye, Sumit
From 190ac953255966ad49d915f9ce6741543a3fa824 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 12 Oct 2009 12:13:36 +0200
Subject: [PATCH] fix a wrong argument to unpack_buffer
- the patch to handle short read introduced a new variable len to store the amount of data read. Instead of using this variable unpack_buffer was called with the old variable ret. Thanks to mn...@redhat.com for finding this.
- this patch also fixes a potential error when the message size is equal to the buffer size.
---
server/providers/krb5/krb5_child.c | 58 ---
1 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 7649406..9b1be9c 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c 
@@ -419,49 +419,71 @@ sendresponse: return EOK; } +uint8_t *copy_buffer_and_add_zero(TALLOC_CTX *mem_ctx, const uint8_t *src, size_t len) +{ +uint8_t *str; + +str = talloc_size(mem_ctx, len + 1); +if (str == NULL) { +DEBUG(1, (talloc_size failed.\n)); +return NULL; +} +memcpy(str, src, len); +str[len] = '\0'; + +return str; +} + static errno_t unpack_buffer(uint8_t *buf, size_t size, struct pam_data *pd, char **ccname) { size_t p = 0; uint32_t *len; -uint8_t *str; +if ((p + sizeof(uint32_t)) size) return EINVAL; len = ((uint32_t *)(buf+p)); pd-cmd = *len; p += sizeof(uint32_t); +if ((p + sizeof(uint32_t)) size) return EINVAL; len = ((uint32_t *)(buf+p)); p += sizeof(uint32_t); -str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1)); -if (str == NULL) return ENOMEM; -str[*len] = '\0'; -pd-upn = (char *) str; + +if ((p + *len ) size) return EINVAL; +pd-upn = (char *) copy_buffer_and_add_zero(pd, buf+p, +sizeof(char) * (*len)); +if (pd-upn == NULL) return ENOMEM; p += *len; +if ((p + sizeof(uint32_t)) size) return EINVAL; len = ((uint32_t *)(buf+p)); p += sizeof(uint32_t); -str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1)); -if (str == NULL) return ENOMEM; -str[*len] = '\0'; -*ccname = (char *) str; + +if ((p + *len ) size) return EINVAL; +*ccname = (char *) copy_buffer_and_add_zero(pd, buf+p, +sizeof(char) * (*len)); +if (*ccname == NULL) return ENOMEM; p += *len; +if ((p + sizeof(uint32_t)) size) return EINVAL; len = ((uint32_t *)(buf+p)); p += sizeof(uint32_t); -str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1)); -if (str == NULL) return ENOMEM; -str[*len] = '\0'; -pd-authtok = str; + +if ((p + *len) size) return EINVAL; +pd-authtok = copy_buffer_and_add_zero(pd, buf+p, sizeof(char) * (*len)); +if (pd-authtok == NULL) return ENOMEM; pd-authtok_size = *len + 1; p += *len; if (pd-cmd == SSS_PAM_CHAUTHTOK) { +if ((p + sizeof(uint32_t)) size) return EINVAL; len = ((uint32_t *)(buf+p)); p += sizeof(uint32_t); -str = talloc_memdup(pd, buf+p, 
sizeof(char) * (*len + 1)); -if (str == NULL) return ENOMEM; -str[*len] = '\0'; -pd-newauthtok = str; + +if ((p + *len) size) return EINVAL; +pd-newauthtok = copy_buffer_and_add_zero(pd, buf+p, + sizeof(char) * (*len)); +if (pd-newauthtok == NULL) return ENOMEM; pd-newauthtok_size = *len + 1; p += *len; } else { @@ -659,7 +681,7 @@ int main(int argc, char *argv[]) } close(STDIN_FILENO); -ret = unpack_buffer(buf, ret, pd, ccname); +ret = unpack_buffer(buf, len, pd, ccname); if (ret != EOK) { DEBUG(1, (unpack_buffer failed.\n)); goto fail; -- 1.6.2.5 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
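Review bot: The new bound checks before each string copy compare `p + *len` against `size` (the `>` operator appears dropped by this rendering), where `*len` is a 32-bit value read straight from the incoming buffer and `p` is a `size_t`; on a target with a 32-bit `size_t` that addition can wrap, a huge `*len` then passes the check, and `memcpy` in `copy_buffer_and_add_zero` runs past the end of `buf`. Writing the test as a subtraction cannot overflow, `if (*len > size - p) return EINVAL;`, and the preceding `p + sizeof(uint32_t)` checks already guarantee `p <= size` at that point; the same change applies to the upn, ccname, authtok and newauthtok sites in this hunk. Separately, the retained `len = ((uint32_t *)(buf+p));` reads a `uint32_t` at whatever alignment the preceding variable-length strings leave, so copying the field into a local with `memcpy(&val, buf+p, sizeof(val))` would be well-defined on every target. `copy_buffer_and_add_zero` is a new file-scope function that nothing else in the hunk declares, so it should be `static`, and `sizeof(char) * (*len)` at each call site is simply `*len`.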
Re: [SSSD] [PATCH] fix a wrong argument to unpack_buffer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/12/2009 06:35 AM, Sumit Bose wrote: Hi, Martin was so nice to point me to a bug introduced by the short read patch. This patch should fix it. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Ack - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkrTF4UACgkQeiVVYja6o6MVWACeKUej43HbnKz4XcLeu/3UiAEh kskAnj20z0WZwpK1LmCCPvOZe/hY4Yhs =IjTX -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] use old password if available during password change
On Fri, Oct 09, 2009 at 04:29:42PM -0400, Simo Sorce wrote: On Fri, 2009-10-09 at 21:02 +0200, Sumit Bose wrote: Hi, this one should fix #223. Because sshd runs as root the old password was not sent to sssd and changing the user password failed. Please review carefully. I guess the problem here is to understand what do current pam modules, when used through the proxy backend, expect. The current pam modules do not expect anything here, because they will handle expired password during pam_acct_mgmt and not during pam_authenticate. Do they skip checks or ignore if the provided password is valid or not ? Should we think of forking a child in proxy and running it as the user that is attempting the password change? (Assuming we know it ?) I think forking isn't needed here, because pam_sss should be kept simple. Send everything you know to sssd and wait for a response. bye, Sumit Otherwise the patch looks sane to me, so I'd give a tentative ack. Simo. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] enable debugging of krb5_child
Hi, Although there are lots of DEBUG calls in krb5_child it always runs with debug_level=0. This patch starts krb5_child with the debugging options of the backend. There is a problem with --debug-to-files. krb5_child runs as the user requesting the ticket so the path to krb5_child.log needs to have matching permissions. A possible solution would be to create the file with 666 permissions during the setup of the kerberos backend. Any other ideas? bye, Sumit
From b6b92883b333107e743cb6665716a17e6cdee964 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 12 Oct 2009 15:38:29 +0200
Subject: [PATCH] enable debugging of krb5_child
---
server/Makefile.am |2 +
server/providers/krb5/krb5_auth.c | 56 ++-
server/providers/krb5/krb5_child.c | 41 +-
3 files changed, 95 insertions(+), 4 deletions(-)
diff --git a/server/Makefile.am b/server/Makefile.am
index a65c9fa..99c6867 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -458,9 +458,11 @@ krb5_child_SOURCES = \
providers/krb5/krb5_child.c
krb5_child_CFLAGS = \
$(AM_CFLAGS) \
+$(POPT_CFLAGS) \
$(KRB5_CFLAGS)
krb5_child_LDADD = \
$(TALLOC_LIBS) \
+$(POPT_LIBS) \
$(KRB5_LIBS)

memberof_la_SOURCES = \
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index 582d013..61c529f 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c 
@@ -325,6 +325,51 @@ static void wait_for_child_handler(struct tevent_context *ev,
return;
}

+static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, char ***_argv)
+{
+uint_t argc = 2; /* program name and NULL */
+char ** argv;
+
+if (debug_level != 0) argc ++;
+if (debug_to_file != 0) argc++;
+if (debug_timestamps != 0) argc++;
+
+argv = talloc_array(mem_ctx, char *, argc);
+if (argv == NULL) {
+DEBUG(1, (talloc_array failed.\n));
+return ENOMEM;
+}
+
+if (argc 2) goto fail;
+argv[--argc] = NULL;
+
+if (debug_level != 0) {
+if (argc 2) goto fail;
+argv[--argc] = talloc_asprintf(argv, --debug-level=%d, debug_level);
+}
+
+if (debug_to_file != 0) {
+if (argc 2) goto fail;
+argv[--argc] = talloc_strdup(argv, --debug-to-files);
+}
+
+if (debug_timestamps != 0) {
+if (argc 2) goto fail;
+argv[--argc] = talloc_strdup(argv, --debug-timestamps);
+}
+
+if (argc != 1) goto fail;
+argv[0] = talloc_strdup(argv, KRB5_CHILD);
+
+*_argv = argv;
+
+return EOK;
+
+fail:
+talloc_free(*argv);
+return EINVAL;
+}
+
static errno_t fork_child(struct krb5child_req *kr)
{
int pipefd_to_child[2];
@@ -332,6 +377,7 @@ static errno_t fork_child(struct krb5child_req *kr)
pid_t pid;
int ret;
errno_t err;
+char **argv;

ret = pipe(pipefd_from_child);
if (ret == -1) {
@@ -381,10 +427,16 @@ static errno_t fork_child(struct krb5child_req *kr)
return err;
}

-ret = execl(KRB5_CHILD, KRB5_CHILD, NULL);
+ret = prepare_child_argv(kr, argv);
+if (ret != EOK) {
+DEBUG(1, (prepare_child_argv.\n));
+return ret;
+}
+
+ret = execv(KRB5_CHILD, argv);
if (ret == -1) {
err = errno;
-DEBUG(1, (execl failed [%d][%s].\n, errno, strerror(errno)));
+DEBUG(1, (execv failed [%d][%s].\n, errno, strerror(errno)));
return err;
}
} else if (pid 0) { /* parent */
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 9b1be9c..70fd6b7 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c 
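Review bot: The `fail:` path of `prepare_child_argv` calls `talloc_free(*argv)`, which frees the `char *` held in `argv[0]`, and at every `goto fail` that slot is still the unzeroed contents of the `talloc_array` (only the trailing slots have been filled, and `argv[0]` is assigned after the last `argc != 1` test), so the cleanup frees an indeterminate pointer instead of the array; it should be `talloc_free(argv);`. The three `argv[--argc] = talloc_asprintf(...)`/`talloc_strdup(...)` assignments and the final `argv[0] = talloc_strdup(argv, KRB5_CHILD);` are never checked, so an allocation failure leaves a NULL hole that `execv` treats as the end of the argument list, or a NULL `argv[0]`; each needs a NULL check that unwinds with ENOMEM, as sketched below. `uint_t` is not a type the C standard or glibc provides, so `unsigned int` is safer unless a project header defines it. In the `fork_child` hunk the new `return ret;` after a failed `prepare_child_argv` follows the pre-existing `execl`-failure pattern of returning from inside the forked child; that is existing behaviour, but a child that returns here keeps executing the parent's code, so `_exit` would be the safer outcome on both branches.
```c
static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, char ***_argv)
{
    /* … unchanged: argc computation, talloc_array, terminating NULL … */

    if (debug_level != 0) {
        if (argc < 2) goto fail;
        argv[--argc] = talloc_asprintf(argv, "--debug-level=%d", debug_level);
        if (argv[argc] == NULL) goto nomem;
    }

    if (debug_to_file != 0) {
        if (argc < 2) goto fail;
        argv[--argc] = talloc_strdup(argv, "--debug-to-files");
        if (argv[argc] == NULL) goto nomem;
    }

    if (debug_timestamps != 0) {
        if (argc < 2) goto fail;
        argv[--argc] = talloc_strdup(argv, "--debug-timestamps");
        if (argv[argc] == NULL) goto nomem;
    }

    if (argc != 1) goto fail;
    argv[0] = talloc_strdup(argv, KRB5_CHILD);
    if (argv[0] == NULL) goto nomem;

    *_argv = argv;
    return EOK;

nomem:
    talloc_free(argv);
    return ENOMEM;
fail:
    talloc_free(argv);   /* the array, not the uninitialized argv[0] */
    return EINVAL;
}
```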
@@ -25,6 +25,7 @@
#include sys/types.h
#include unistd.h
#include sys/stat.h
+#include popt.h

#include security/pam_modules.h

@@ -641,7 +642,7 @@ failed:
return kerr;
}

-int main(int argc, char *argv[])
+int main(int argc, const char *argv[])
{
uint8_t *buf = NULL;
int ret;
@@ -649,10 +650,46 @@ int main(int argc, char *argv[])
struct pam_data *pd = NULL;
struct krb5_req *kr = NULL;
char *ccname;
+int opt;
+poptContext pc;

-debug_prg_name = argv[0];
+struct poptOption long_options[] = {
+POPT_AUTOHELP
+SSSD_DEBUG_OPTS
+POPT_TABLEEND
+};
+
+
+pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+while((opt = poptGetNextOpt(pc)) != -1) {
+switch(opt) {
+default:
+fprintf(stderr, \nInvalid option %s: %s\n\n,
+ poptBadOption(pc, 0), poptStrerror(opt));
+poptPrintUsage(pc, stderr, 0);
+_exit(-1);
+}
+}
+
+poptFreeContext(pc);

pd = talloc(NULL, struct pam_data);
+if (pd == NULL) {
+DEBUG(1, (malloc failed.\n));
+_exit(-1);
+}
+
+debug_log_file = krb5_child;
+
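Review bot: `int main(int argc, const char *argv[])` is not one of the two signatures the C standard defines for `main`; GCC accepts it but diagnoses it under `-pedantic`, and the only motivation visible here is that `poptGetContext` in the following hunk takes a `const char **`. Keeping `int main(int argc, char *argv[])` and converting at the one call site, `pc = poptGetContext(argv[0], argc, (const char **)argv, long_options, 0);`, leaves the entry point conforming without touching popt usage. The rest of `main` continues past the end of this page, so the remainder of the option-parsing hunk is not reviewed here.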
Re: [SSSD] [PATCH] enable debugging of krb5_child
On Mon, 2009-10-12 at 15:46 +0200, Sumit Bose wrote: There is a problem with --debug-to-files. krb5_child runs as the user requesting the ticket so the path to krb5_child.log needs to have matching permissions. A possible solution would be to create the file with 666 permissions during the setup of the kerberos backend. Any other ideas? You *really* don't want to have log files 666 ever. The easiest way would be to open the log file from the parent *without* CLOSE_ON_EXEC, and pass the fd number to krb5_child on the command line, and then have krb5_child use that fd to send debug messages. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] enable debugging of krb5_child
On Mon, 2009-10-12 at 09:49 -0400, Stephen Gallagher wrote: This is what the ELAPI is for. No ELAPI is for logging not for the debug stuff, and an api can't overcome file permissions no more than anything else. Just pass the fd to the client, it's simple and doesn't require us to replicate logic to open/close debug files in the children. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] enable debugging of krb5_child
Stephen Gallagher wrote: On 10/12/2009 10:29 AM, Simo Sorce wrote: On Mon, 2009-10-12 at 09:49 -0400, Stephen Gallagher wrote: This is what the ELAPI is for. No ELAPI is for logging not for the debug stuff, and an api can't overcome file permissions no more than anything else. ELAPI has sinks that could pass it to the log daemon running as root. This is what I was proposing. ELAPI is intended to be used for debug streams too. One of the things I was planning to add is permissions and ownership of the log file. I will open a ticket for that anyways. Just pass the fd to the client, it's simple and doesn't require us to replicate logic to open/close debug files in the children. I didn't realize you could do that. I am not sure this approach is portable. I know Solaris and Linux can do it. I am not sure HP-UX can. Simo. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] enable debugging of krb5_child
Simo Sorce wrote: On Mon, 2009-10-12 at 10:47 -0400, Dmitri Pal wrote: Just pass the fd to the client, it's simple and doesn't require us to replicate logic to open/close debug files in the children. I didn't realize you could do that. I am not sure this approach is portable. I know Solaris and Linux can do it. I am not sure HP-UX can. We are not *transferring* a socket between process, we are merely not closing it on fork/exec. It is standard posix behavior that file descriptors are inherited by children afaik. Simo. Yes this way it is standard. I thought you wanted to pass a socket between processes later after fork. But here is the question. If you have multiple children writing to the same fd at the same time how you then sort which one has written what. Would it be better to have a log per child process instead and have a pid appended to the name of the log file than all output in one file mixed? It is usually hard to read and debug when everything is mixed in one file. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] enable debugging of krb5_child
On Mon, Oct 12, 2009 at 12:10:43PM -0400, Dmitri Pal wrote: Simo Sorce wrote: On Mon, 2009-10-12 at 10:47 -0400, Dmitri Pal wrote: Just pass the fd to the client, it's simple and doesn't require us to replicate logic to open/close debug files in the children. I didn't realize you could do that. I am not sure this approach is portable. I know Solaris and Linux can do it. I am not sure HP-UX can. We are not *transferring* a socket between process, we are merely not closing it on fork/exec. It is standard posix behavior that file descriptors are inherited by children afaik. Simo. Yes this way it is standard. I thought you wanted to pass a socket between processes later after fork. But here is the question. If you have multiple children writing to the same fd at the same time how you then sort which one has written what. Would it be better to have a log per child process instead and have a pid appended to the name of the log file than all output in one file mixed? It is usually hard to read and debug when everything is mixed in one file. -- Thank you, Dmitri Pal Currently I'll use the pid in the starting block of the log message. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] Package SSSDConfig API
-- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/
From f5db2669075b92a636098c65d9e7acf630e87eb6 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher sgall...@redhat.com
Date: Mon, 12 Oct 2009 17:20:22 -0400
Subject: [PATCH] Package SSSDConfig API
---
contrib/sssd.spec.in |4
server/Makefile.am | 12
server/config/setup.py | 34 ++
3 files changed, 50 insertions(+), 0 deletions(-)
create mode 100644 server/config/setup.py
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 9cd657a..b3c1181 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,4 +1,5 @@
%{!?python_sitearch: %global python_sitearch %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib(1))}
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c from distutils.sysconfig import get_python_lib; print get_python_lib())}

Name: @PACKAGE_NAME@
Version: @PACKAGE_VERSION@
@@ -145,6 +146,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/locale/*/LC_MESSAGES/sss_client.mo
%{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo
%{python_sitearch}/pysss.so
+%{python_sitelib}/*.py*
+%{python_sitelib}/*.egg-info
+

%files client
/%{_lib}/libnss_sss.so.2
diff --git a/server/Makefile.am b/server/Makefile.am
index 6c08274..4ec3c34 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -100,6 +100,10 @@ pyexec_LTLIBRARIES = \
pysss.la
endif

+dist_noinst_SCRIPTS = \
+config/setup.py \
+config/SSSDConfig.py
+
###
# Global compilation settings #
###
@@ -561,6 +565,14 @@ installsssddirs:: $(DESTDIR)$(logpath)
install-exec-hook: installsssddirs
+ if [ $(DESTDIR) = ]; then \
+ cd $(srcdir)/config; $(PYTHON) setup.py install; \
+ else \
+ cd $(srcdir)/config; $(PYTHON) setup.py install --root=$(DESTDIR); \
+ fi
+
+clean-local:
+ cd $(srcdir)/config; $(PYTHON) setup.py clean --all
CLEANFILES = *.X */*.X */*/*.X
diff --git a/server/config/setup.py b/server/config/setup.py
new file mode 100644
index 000..7f108a3
--- /dev/null
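Review bot: The new `%files` entries `%{python_sitelib}/*.py*` and `%{python_sitelib}/*.egg-info` glob the whole pure-Python site-packages directory into the main package, so any other module that ends up in the buildroot is silently claimed by sssd and a packaging mistake elsewhere goes unnoticed; naming the module, `%{python_sitelib}/SSSDConfig.py*` and `%{python_sitelib}/SSSDConfig-*.egg-info`, keeps the file list explicit. The `%{python_sitelib}` definition added at the top mirrors the existing `%{python_sitearch}` one, so that part looks consistent.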
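Review bot: The `install-exec-hook` recipe runs `$(PYTHON) setup.py install` with no `--prefix`, so the module always lands in the interpreter's system site-packages regardless of the configured `$(prefix)`; `./configure --prefix=/opt/sssd && make install` would still write outside the prefix, and there is no matching `uninstall-hook`. Passing `--prefix=$(prefix)` alongside the existing `--root=$(DESTDIR)` ties the install to the autotools layout, and the `[ $(DESTDIR) = ]` test should quote both operands (the quotes may simply be lost in this rendering). Both recipes also `cd $(srcdir)/config` before running setup.py, which writes `build/` into the source tree and breaks out-of-tree builds from a read-only `srcdir`; `--build-base` pointing into the build directory avoids that.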
+++ b/server/config/setup.py
@@ -0,0 +1,34 @@
+# Authors:
+# Stephen Gallagher sgall...@redhat.com
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Python-level packaging using distutils.
+
+
+from distutils.core import setup
+
+setup(
+name='SSSDConfig',
+version='1',
+license='GPLv3+',
+url='http://fedorahosted.org/sssd',
+py_modules=[
+'SSSDConfig',
+],
+)
-- 1.6.2.5
signature.asc Description: OpenPGP digital signature
___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
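Review bot: `license='GPLv3+'` in the `setup()` call contradicts the file's own header, which licenses the code under the GPL "version 2 only"; one of the two needs correcting so the metadata written into the `.egg-info` matches the actual terms. `version='1'` is a fixed string while the spec file in this same patch carries `@PACKAGE_VERSION@`, so the egg-info and the RPM will drift apart on the first release; generating `setup.py` from a `setup.py.in` through configure (or reading the version from a shared file) would keep them in step.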
Re: [SSSD] [PATCH] Package SSSDConfig API
On Mon, 2009-10-12 at 17:21 -0400, Stephen Gallagher wrote: ACK -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel