Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Tue, Nov 10, 2009 at 11:36:45PM -0500, Brian J. Murrell wrote:
> On Mon, 2009-11-09 at 21:19 +0100, Sumit Bose wrote:
>> Does this mean you are still seeing [Credentials cache I/O operation failed XXX] in krb5_child.log?
>
> No. I am seeing nothing new at all in the krb5_child.log when authentications happen.
>
>> this indicates that everything is ok, please send krb5_child.log, if possible with debug level 10.
>
> Even with debug level 10, there is nothing new in the krb5_child.log:
>
>     $ ls -ltar /var/log/sssd/
>     total 420
>     -rw--- 1 root root    438 2009-11-09 09:23 krb5_child.log
>     drwxr-xr-x 15 root root   4096 2009-11-10 07:41 ..
>     drwxr-xr-x  2 root root   4096 2009-11-10 23:32 .
>     -rw--- 1 root root 152408 2009-11-10 23:32 sssd_pam.log
>     -rw--- 1 root root 238167 2009-11-10 23:32 sssd_KRB.log
>
> I have debug_level = 10 in my [domain/KRB] as well as the [pam] section.
>
> Also, I asked previously why I would want per-login unique ccache files with:
>
>     krb5_ccname_template = FILE:%d/krb5cc_%U_XX
>
> but nobody answered. Do I really want this or is a single ccache file per user (i.e. drop the _XX in the template) not more ideal?
>
> b.

ah, sorry, I misinterpreted your original post. I thought a ccache file wasn't created at all when using gnome-screensaver.

You are right, if you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XX' with the current version every authentication will create a new ccache file. If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.

We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.

HTH.

bye,
Sumit

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] wildcard chars for sssd.conf?
On 11/11/2009 01:26 AM, David O'Brien wrote:
> from IRC when everyone was sleeping ;-)
>
>     davido [Mon 18:28] is there such a thing as a wildcard character that works in /etc/sssd/sssd.conf ?
>     davido [Mon 18:29] I tried filter_groups = * to see if I could break it but it didn't work
>     davido [Mon 18:30] I should rephrase that... it didn't break
>
> thanks

Not wildcards as such, though we do have a couple of advanced options in the kerberos provider such as krb5_ccname_template that can offer printf-style substitutions.

In the case of filter_groups, all you've done is tell it to ignore a group named * (which should be impossible anyway)

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
Re: [SSSD] [PATCH] Fixes for proxy provider
On 11/11/2009 09:22 AM, Sumit Bose wrote:
> Hi,
>
> this patch fixes a bug in the proxy provider and makes proxy_pam_target a mandatory option, because we do not ship a matching pam configuration for the old default.
>
> bye,
> Sumit

Nack

The code is still assuming that an unspecified access backend should be using the ID provider. It's failing to start because of a missing proxy_pam_target option now. As discussed on IRC, defaulting to the ID provider for access control doesn't make sense to me.

    [sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Loading backend [proxy] with path [/usr/lib64/sssd/libsss_proxy.so].
    [sssd[be[sgallagh_proxy]]] [be_process_init] (9): ID backend target successfully loaded from provider [proxy].
    [sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Loading backend [krb5] with path [/usr/lib64/sssd/libsss_krb5.so].
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_kdcip has value vm-094.idm.lab.bos.redhat.com
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_realm has value SGALLAGH.EXAMPLE.COM
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccachedir has value /tmp
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_ccname_tmpl has value FILE:%d/krb5cc_%U_XX
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_changepw_principle has value kadmin/changepw
    [sssd[be[sgallagh_proxy]]] [dp_get_options] (6): Option krb5_auth_timeout has value 15
    [sssd[be[sgallagh_proxy]]] [be_process_init] (9): AUTH backend target successfully loaded from provider [krb5].
    [sssd[be[sgallagh_proxy]]] [load_backend_module] (5): no module name found in confdb, using [proxy].
    [sssd[be[sgallagh_proxy]]] [load_backend_module] (7): Backend [proxy] already loaded.
    [sssd[be[sgallagh_proxy]]] [sssm_proxy_auth_init] (1): Missing option proxy_pam_target.
    [sssd[be[sgallagh_proxy]]] [load_backend_module] (0): Error (22) in module (proxy) initialization (sssm_proxy_access_init)!
    [sssd[be[sgallagh_proxy]]] [be_process_init] (0): No ACCESS backend target available.
    [sssd[be[sgallagh_proxy]]] [main] (0): Could not initialize backend [22]

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
Re: [SSSD] [PATCH] found a double free while testing rawhide
On 11/11/2009 10:07 AM, Simo Sorce wrote:
> abrtd in rawhide is quite handy, it catches segfaulted apps and dumps the core and other accessory info in a directory for the admin to see.
>
> Here it is a fix for a segfault I found on one of my test systems.
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
[SSSD] [PATCH] rework check_cache()
Today I stumbled on check_cache while working on the initgroups caching. It took a long discussion on IRC with Steven to find out exactly how it behaved, and we found a bug in it. Given the complexity I decide to refactor it so that hopefully it will be clearer and will not require arguing over it again in a few months time :) Unfortunately I don't have the time to actually test it today, although it should just work (latest famous words :) Simo. -- Simo Sorce * Red Hat, Inc * New York From a83c6e27616cf18650feeb83b9eee739f6c05c98 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 11 Nov 2009 13:48:08 -0500 Subject: [PATCH] Fix check_cache bug in dealing with the callback Also rework check_cache so that the operations it makes are more explicit. Also add comments about why we are doing something. Should make the code easier to understand in future (took quite some time and discussion on IRC to understand exactly how this function was behaving and to find the callback passing bug). --- server/responder/nss/nsssrv_cmd.c | 207 +++-- 1 files changed, 107 insertions(+), 100 deletions(-) diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c index 8f4f5db..b2a2035 100644 --- a/server/responder/nss/nsssrv_cmd.c +++ b/server/responder/nss/nsssrv_cmd.c 
@@ -284,77 +284,88 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, uint64_t midpoint_refresh; struct nss_cmd_ctx *cmdctx = dctx-cmdctx; struct cli_ctx *cctx = cmdctx-cctx; -bool call_provider = false; -sss_dp_callback_t cb = NULL; - -if (dctx-check_provider) { -if (res-count == 0) { -/* This is a cache miss. We need to get the updated user - * information before returning it. - */ -call_provider = true; -cb = callback; +bool off_band_update = false; -} else if ((req_type == SSS_DP_GROUP) || - ((req_type == SSS_DP_USER) (res-count == 1))) { +/* when searching for a user, more than one reply is a db error */ +if ((req_type == SSS_DP_USER) (res-count 1)) { +DEBUG(1, (getpwXXX call returned more than one result! + DB Corrupted?\n)); +ret = nss_cmd_send_error(cmdctx, ENOENT); +if (ret != EOK) { +NSS_CMD_FATAL_ERROR_CODE(cctx, ENOENT); +} +sss_cmd_done(cctx, cmdctx); +return ENOENT; +} -now = time(NULL); +/* if we have any reply let's check cache validity */ +if (res-count 0) { -lastUpdate = ldb_msg_find_attr_as_uint64(res-msgs[0], - SYSDB_LAST_UPDATE, 0); -cacheExpire = ldb_msg_find_attr_as_uint64(res-msgs[0], - SYSDB_CACHE_EXPIRE, 0); +now = time(NULL); -midpoint_refresh = 0; -if(nctx-cache_refresh_percent) { -midpoint_refresh = lastUpdate + - (cacheExpire - lastUpdate)*nctx-cache_refresh_percent/100; -if (midpoint_refresh - lastUpdate 10) { -/* If the percentage results in an expiration - * less than ten seconds after the lastUpdate time, - * that's too often we will simply set it to 10s - */ -midpoint_refresh = lastUpdate+10; -} -} +lastUpdate = ldb_msg_find_attr_as_uint64(res-msgs[0], + SYSDB_LAST_UPDATE, 0); +cacheExpire = ldb_msg_find_attr_as_uint64(res-msgs[0], + SYSDB_CACHE_EXPIRE, 0); -if (cacheExpire now) { -/* This is a cache miss. We need to get the updated user - * information before returning it. 
+midpoint_refresh = 0; +if(nctx-cache_refresh_percent) { +midpoint_refresh = lastUpdate + + (cacheExpire - lastUpdate)*nctx-cache_refresh_percent/100; +if (midpoint_refresh - lastUpdate 10) { +/* If the percentage results in an expiration + * less than ten seconds after the lastUpdate time, + * that's too often we will simply set it to 10s */ -call_provider = true; -cb = callback; +midpoint_refresh = lastUpdate+10; } -else if (midpoint_refresh midpoint_refresh now) { +} + +if (cacheExpire now) { +/* cache still valid */ + +if (midpoint_refresh midpoint_refresh now) { /* We're past the the cache refresh timeout * We'll return the value from the cache, but we'll also * queue the cache entry for update out-of-band. */ -
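Review bot: the new early return for a user lookup with more than one result logs `getpwXXX call returned more than one result! DB Corrupted?` at debug level 1 but reports a plain ENOENT to the client; since this indicates a sysdb consistency failure rather than a missing entry, log it at level 0 so it is visible at the default verbosity, and note that `sss_cmd_done(cctx, cmdctx)` already runs before `return ENOENT`, so callers of check_cache() must not touch cmdctx on that path. The midpoint_refresh computation with its 10-second floor is carried over verbatim; a comment saying that `midpoint_refresh` stays 0 (refresh disabled) when `nctx->cache_refresh_percent` is unset would make the later `midpoint_refresh` test in the "cache still valid" branch self-explanatory.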
[SSSD] [PATCH] Make 'permit' the default for the access target
Hi, this patch make 'permit' the default for the access target. This means that access_provider has to be set explicitly if a specific provider should be used, e.g. access_provider=ipa. bye, Sumit From ee3ff411494c7bae1158b7baef1adc24ebdbe342 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 11 Nov 2009 23:06:09 +0100 Subject: [PATCH] Make 'permit' the default for the access target --- server/man/sssd.conf.5.xml |4 +--- server/providers/data_provider_be.c | 17 - 2 files changed, 5 insertions(+), 16 deletions(-) diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index c342499..4facea6 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -513,9 +513,7 @@ quotedeny/quote always deny access. /para para -Default: quoteid_provider/quote is used if it -is set and can handle access control requests or -quotepermit/quote otherwise. +Default: quotepermit/quote /para /listitem /varlistentry diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index b20ac1f..d5c2492 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c 
@@ -1039,20 +1039,11 @@ int be_process_init(TALLOC_CTX *mem_ctx, from provider [%s].\n, ctx-bet_info[BET_AUTH].mod_name)); } -ret = load_backend_module(ctx, BET_ACCESS, - ctx-bet_info[BET_ACCESS], - ctx-bet_info[BET_ID].mod_name); +ret = load_backend_module(ctx, BET_ACCESS, ctx-bet_info[BET_ACCESS], + ACCESS_PERMIT); if (ret != EOK) { -if (ret != ENOENT) { -DEBUG(0, (No ACCESS backend target available.\n)); -return ret; -} -ret = load_backend_module(ctx, BET_ACCESS, - ctx-bet_info[BET_ACCESS], ACCESS_PERMIT); -if (ret != EOK) { -DEBUG(0, (Failed to set ACCESS backend to default (permit).\n)); -return ret; -} +DEBUG(0, (Failed to setup ACCESS backend.\n)); +return ret; } DEBUG(9, (ACCESS backend target successfully loaded from provider [%s].\n, ctx-bet_info[BET_ACCESS].mod_name)); -- 1.6.2.5 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
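Review bot: with the `ret != ENOENT` fallback removed and ACCESS_PERMIT passed straight to load_backend_module() as the default, the only remaining failure is an explicitly configured access_provider that does not load, which is correctly fatal; the replacement message `Failed to setup ACCESS backend.\n` should include the module name (`ctx->bet_info[BET_ACCESS].mod_name`, as the success message right below it does) so a mistyped access_provider can be diagnosed from the log. Since an unset access_provider now silently permits every authenticated user, the sssd.conf.5.xml hunk should state that consequence explicitly rather than only `Default: permit`.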
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Wed, 2009-11-11 at 09:35 +0100, Sumit Bose wrote:
> ah, sorry, I misinterpreted your original post. I thought a ccache file wasn't created at all when using gnome-screensaver.

No, you didn't mis-interpret I don't think. Here's what happened:

1. Logged into gnome, got a ccache file
2. Unlocked the screen with gnome-screensaver and noticed that tickets are not refreshed
   1. in fact I noticed tickets were not being refreshed because eventually, all of my kerberos authorized services (i.e. imap) were failing with expired tickets despite having unlocked my screen many times prior
3. Removed all ccache files
4. Locked screen with gnome-screensaver
5. Successfully unlocked screen with password
6. Observed that the expected ccache file was not re-created by the gnome-screensaver unlocking process

Removing the ccache file(s) was just an effort to further prove that sssd via gnome-screensaver is not renewing tickets. If it were, wouldn't it have created a new ccache file, just like:

    $ kinit
    $ rm $ccache_file
    $ kinit

would?

> You are right, if you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XX' with the current version every authentication will create a new ccache file.

No. Every unique login will create a new ccache file. A gnome desktop user logged in gets a single ccache ticket which every application in the session will use. But that also means that a gnome-screensaver authentication will (re-)use that same ccache file.

> If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.

I don't think so. I think even a per-login-session ccache file that will be created by a gnome session should work if sssd is correctly renewing the TGT, because the same ccache file that was created by gdm should be updated by gnome-screensaver.

> We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.

I really don't see why these FILE:%d/krb5cc_%U_XX-style files would not renew in the context of a gnome session.

On the other hand, I don't really see the purpose of FILE:%d/krb5cc_%U_XX-style files where every login session is a new ccache. Can anyone share a use-case where this is needed?

b.
Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working
On Wed, 2009-11-11 at 17:27 -0500, Brian J. Murrell wrote:
>> If you want to renew the TGT with every authentication you have to use a per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.
>
> I don't think so. I think even a per-login-session ccache file that will be created by a gnome session should work if sssd is correctly renewing the TGT, because the same ccache file that was created by gdm should be updated by gnome-screensaver.

I have tested this yesterday (with git master), if you set FILE:%d/krb5cc_%U sssd will happily refresh the credentials at screen unlock. Unfortunately the code and the docs disagree on the parm name but we already have a patch on the list to fix this.

>> We are currently discussing how to handle renewals in a more general way so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style files too.
>
> I really don't see why these FILE:%d/krb5cc_%U_XX-style files would not renew in the context of a gnome session.

Because sssd is generating a new one each time for now (yes it's a bug).

> On the other hand, I don't really see the purpose of FILE:%d/krb5cc_%U_XX-style files where every login session is a new ccache. Can anyone share a use-case where this is needed?

Well I think people were worried that using a predictable name (krb5cc_%U) could be used by malicious user to mount symlink race attacks. We have just copied what is already an available scheme for the krb5 libraries, although we might switch to a default of FILE:%d/krb5cc_%U for the 1.0 release to avoid issues.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
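Simo's point about predictable ccache names is the usual argument for per-login names; the added example below (not SSSD code, and not from anyone on this thread) shows the mitigation that lets a fixed per-user name be safe anyway: a hypothetical helper that opens the ccache with O_NOFOLLOW and verifies owner and mode with fstat(), so a symlink sitting at that name is refused instead of followed, plus a constructed scenario under /tmp that exercises both outcomes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not SSSD code): open or create the ccache file at
 * `path` for user `uid` without ever following a symlink at that name.
 * Returns an fd on success, or -1 with errno set (ELOOP if a symlink was
 * found at the predictable name, EPERM if the file is not ours). */
int open_ccache_nofollow(const char *path, uid_t uid)
{
    struct stat st;
    int fd, saved;

    /* O_NOFOLLOW makes the open fail instead of being redirected through
     * a symlink; O_CLOEXEC keeps the fd out of any helper exec'd later. */
    fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { saved = errno; close(fd); errno = saved; return -1; }

    /* Whatever we opened must be a regular file owned by this user and
     * closed to group/others; anything else was created by someone else. */
    if (!S_ISREG(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink sitting at the predictable name
 * krb5cc_1000 must be rejected, and a fresh file at the same name
 * accepted afterwards. Returns 1 when both checks behave as expected. */
int demo_predictable_name_is_safe(void)
{
    char dir[] = "/tmp/ccdemo.XXXXXX";
    char path[64];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof(path), "%s/krb5cc_1000", dir);

    /* Pre-existing symlink at the ccache name: the outcome of a symlink
     * race. The helper must refuse it with ELOOP rather than write
     * credentials to wherever the link points. */
    if (symlink("/dev/null", path) == 0) {
        fd = open_ccache_nofollow(path, getuid());
        ok = (fd < 0 && errno == ELOOP);
        if (fd >= 0) close(fd);
        unlink(path);
    }
    /* Same name with no symlink present: the file is created and accepted. */
    if (ok) {
        fd = open_ccache_nofollow(path, getuid());
        ok = (fd >= 0);
        if (fd >= 0) close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}
```

The ownership and mode check after fstat() is what makes this hold even if the directory is shared (as %d defaults to /tmp in the proxy log above): a regular file pre-created by another user fails the st_uid test and is refused with EPERM.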
Re: [SSSD] [PATCH] rework check_cache()
On Wed, 2009-11-11 at 13:55 -0500, Simo Sorce wrote:
> Today I stumbled on check_cache while working on the initgroups caching.
> It took a long discussion on IRC with Steven to find out exactly how it behaved, and we found a bug in it.
>
> Given the complexity I decide to refactor it so that hopefully it will be clearer and will not require arguing over it again in a few months time :)
>
> Unfortunately I don't have the time to actually test it today, although it should just work (latest famous words :)

I found time to briefly test it, seem to work just fine here.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[SSSD] [PATCH] better var name
Comment in patch says all. Simo. -- Simo Sorce * Red Hat, Inc * New York From cf01eae6e4518c1abdd75c37b0796d468e76eaa5 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 11 Nov 2009 20:44:23 -0500 Subject: [PATCH] Change var name to make its use more clear. Change memctx to make clear it should be used only when a callback is being used. --- server/responder/common/responder.h|2 +- server/responder/common/responder_dp.c | 12 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/server/responder/common/responder.h b/server/responder/common/responder.h index 439bf87..a597e68 100644 --- a/server/responder/common/responder.h +++ b/server/responder/common/responder.h @@ -143,7 +143,7 @@ struct cli_protocol_version *register_cli_protocol_version(void); typedef void (*sss_dp_callback_t)(uint16_t err_maj, uint32_t err_min, const char *err_msg, void *ptr); -int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *memctx, +int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *callback_memctx, sss_dp_callback_t callback, void *callback_ctx, int timeout, const char *domain, int type, const char *opt_name, uint32_t opt_id); diff --git a/server/responder/common/responder_dp.c b/server/responder/common/responder_dp.c index 236755f..943b72c 100644 --- a/server/responder/common/responder_dp.c +++ b/server/responder/common/responder_dp.c @@ -232,7 +232,7 @@ error: } static int sss_dp_send_acct_req_create(struct resp_ctx *rctx, - TALLOC_CTX *memctx, + TALLOC_CTX *callback_memctx, const char *domain, uint32_t be_type, char *filter, @@ -241,7 +241,7 @@ static int sss_dp_send_acct_req_create(struct resp_ctx *rctx, void *callback_ctx, struct sss_dp_req **ndp); -int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *memctx, +int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *callback_memctx, sss_dp_callback_t callback, void *callback_ctx, int timeout, const char *domain, int type, const char *opt_name, uint32_t opt_id) 
@@ -329,7 +329,7 @@ int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *memctx, goto done; } -cb = talloc_zero(memctx, struct sss_dp_callback); +cb = talloc_zero(callback_memctx, struct sss_dp_callback); if (!cb) { ret = ENOMEM; goto done; @@ -350,7 +350,7 @@ int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *memctx, /* No such request in progress * Create a new request */ -ret = sss_dp_send_acct_req_create(rctx, memctx, domain, +ret = sss_dp_send_acct_req_create(rctx, callback_memctx, domain, be_type, filter, timeout, callback, callback_ctx, sdp_req); @@ -402,7 +402,7 @@ done: } static int sss_dp_send_acct_req_create(struct resp_ctx *rctx, - TALLOC_CTX *memctx, + TALLOC_CTX *callback_memctx, const char *domain, uint32_t be_type, char *filter, @@ -478,7 +478,7 @@ static int sss_dp_send_acct_req_create(struct resp_ctx *rctx, sdp_req-pending_reply = pending_reply; if (callback) { -cb = talloc_zero(memctx, struct sss_dp_callback); +cb = talloc_zero(callback_memctx, struct sss_dp_callback); if (!cb) { dbus_message_unref(msg); talloc_zfree(sdp_req); -- 1.6.2.5 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
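Review bot: the rename to callback_memctx matches the commit message, but in the `@@ -329` hunk `cb = talloc_zero(callback_memctx, struct sss_dp_callback)` is not visibly guarded by `if (callback)` the way the same allocation in sss_dp_send_acct_req_create() is (`@@ -478` hunk), so a caller that passes callback == NULL together with callback_memctx == NULL could allocate a top-level talloc context that nothing frees; either add a comment in responder.h stating whether callback_memctx may be NULL when no callback is given, or make the allocation conditional on `callback` in both places.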