[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child

[sumit-bose]

  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

sumit-bose commented:
"""
Thank you for the rigid testing, it was a typo in the command line option 
names. To avoid this I switched to #defines for all option name usage.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/69#issuecomment-261061796
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#69][-Changes requested] krb5: Use command line arguments instead env vars for krb5_child

[sumit-bose]

  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

Label: -Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#69][synchronized] krb5: Use command line arguments instead env vars for krb5_child

[sumit-bose]

   URL: https://github.com/SSSD/sssd/pull/69
Author: sumit-bose
 Title: #69: krb5: Use command line arguments instead env vars for krb5_child
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/69/head:pr69
git checkout pr69
From 67d1e9ade4149145a7b0f01e3562a81fea285a07 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 28 Oct 2016 21:29:45 +0200
Subject: [PATCH 1/3] krb5: Use command line arguments instead env vars for
 krb5_child

Resolves https://fedorahosted.org/sssd/ticket/697
---
 src/providers/krb5/krb5_auth.h  |   9 +++
 src/providers/krb5/krb5_child.c | 129 ++
 src/providers/krb5/krb5_child_handler.c | 134 ++--
 src/providers/krb5/krb5_common.c|  91 +-
 src/providers/krb5/krb5_common.h|  25 +++---
 src/providers/krb5/krb5_init_shared.c   |   5 +-
 6 files changed, 268 insertions(+), 125 deletions(-)

diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index 11bb595..75ad916 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -38,6 +38,15 @@
 
 #define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
 
+#define CHILD_OPT_FAST_CCACHE_UID "fast-ccache-uid"
+#define CHILD_OPT_FAST_CCACHE_GID "fast-ccache-gid"
+#define CHILD_OPT_REALM "realm"
+#define CHILD_OPT_LIFETIME "lifetime"
+#define CHILD_OPT_RENEWABLE_LIFETIME "renewable-lifetime"
+#define CHILD_OPT_USE_FAST "use-fast"
+#define CHILD_OPT_FAST_PRINCIPAL "fast-principal"
+#define CHILD_OPT_CANONICALIZE "canonicalize"
+
 struct krb5child_req {
 struct pam_data *pd;
 struct krb5_ctx *krb5_ctx;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index df94bc4..61a77db 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -48,6 +48,15 @@ enum k5c_fast_opt {
 K5C_FAST_DEMAND,
 };
 
+struct cli_opts {
+char *realm;
+char *lifetime;
+char *rtime;
+char *use_fast_str;
+char *fast_principal;
+bool canonicalize;
+};
+
 struct krb5_req {
 krb5_context ctx;
 krb5_principal princ;
@@ -81,73 +90,68 @@ struct krb5_req {
 
 uid_t fast_uid;
 gid_t fast_gid;
+
+struct cli_opts *cli_opts;
 };
 
 static krb5_context krb5_error_ctx;
 #define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
 
-static krb5_error_code set_lifetime_options(krb5_get_init_creds_opt *options)
+static krb5_error_code set_lifetime_options(struct cli_opts *cli_opts,
+krb5_get_init_creds_opt *options)
 {
-char *lifetime_str;
 krb5_error_code kerr;
 krb5_deltat lifetime;
 
-lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME);
-if (lifetime_str == NULL) {
-DEBUG(SSSDBG_CONF_SETTINGS, "Cannot read [%s] from environment.\n",
-  SSSD_KRB5_RENEWABLE_LIFETIME);
+if (cli_opts->rtime == NULL) {
+DEBUG(SSSDBG_CONF_SETTINGS,
+  "No specific renewable lifetime requested.\n");
 
 /* Unset option flag to make sure defaults from krb5.conf are used. */
 options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE);
 } else {
-kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
+kerr = krb5_string_to_deltat(cli_opts->rtime, &lifetime);
 if (kerr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE,
-  "krb5_string_to_deltat failed for [%s].\n",
-  lifetime_str);
+  "krb5_string_to_deltat failed for [%s].\n", cli_opts->rtime);
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
 return kerr;
 }
-DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
-  SSSD_KRB5_RENEWABLE_LIFETIME, lifetime_str);
+DEBUG(SSSDBG_CONF_SETTINGS, "Renewable lifetime is set to [%s]\n",
+cli_opts->rtime);
 krb5_get_init_creds_opt_set_renew_life(options, lifetime);
 }
 
-lifetime_str = getenv(SSSD_KRB5_LIFETIME);
-if (lifetime_str == NULL) {
-DEBUG(SSSDBG_CONF_SETTINGS, "Cannot read [%s] from environment.\n",
-  SSSD_KRB5_LIFETIME);
+if (cli_opts->lifetime == NULL) {
+DEBUG(SSSDBG_CONF_SETTINGS, "No specific lifetime requested.\n");
 
 /* Unset option flag to make sure defaults from krb5.conf are used. */
 options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_TKT_LIFE);
 } else {
-kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
+kerr = krb5_string_to_deltat(cli_opts->lifetime, &lifetime);
 if (kerr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "krb5_string_to_deltat failed for [%s].\n",
-  lifetime_str);
+  cli_opts->lifetime);
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
 return kerr;
 }
-DEBUG(SSSDBG_CONF_SE

[SSSD] [sssd PR#77][closed] Qualify ghost users with RFC2307bis and ldap_nesting_level=0

[lslebodn]

   URL: https://github.com/SSSD/sssd/pull/77
Author: jhrozek
 Title: #77: Qualify ghost users with RFC2307bis and ldap_nesting_level=0
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/77/head:pr77
git checkout pr77
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#77][comment] Qualify ghost users with RFC2307bis and ldap_nesting_level=0

[lslebodn]

  URL: https://github.com/SSSD/sssd/pull/77
Title: #77: Qualify ghost users with RFC2307bis and ldap_nesting_level=0

lslebodn commented:
"""
master:
* 65e791f844b4513ca2c3ee23f8cd2979566b3719
* 538a7f1dd8339b90e0cfc64e7919a34d1d5c10d3

sssd-1-14:
* a7be684411aff42e03e181dd81de921185e16c34
* e0b544e6f664c2ce5ddd8df866d996607ce488cc

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/77#issuecomment-260959317
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#77][comment] Qualify ghost users with RFC2307bis and ldap_nesting_level=0

[lslebodn]

  URL: https://github.com/SSSD/sssd/pull/77
Title: #77: Qualify ghost users with RFC2307bis and ldap_nesting_level=0

lslebodn commented:
"""
There are few pep8 issues
```
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 667ae27..bf25d95 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -952,6 +952,7 @@ def test_remove_user_from_nested_group(ldap_conn,
 ent.assert_group_by_name("group3",
  dict(mem=ent.contains_only()))
 
+
 def zero_nesting_sssd_conf(ldap_conn, schema):
 """Format an SSSD configuration with group nesting disabled"""
 return \
@@ -961,6 +962,7 @@ def zero_nesting_sssd_conf(ldap_conn, schema):
 ldap_group_nesting_level= 0
 """).format(INTERACTIVE_TIMEOUT)
 
+
 @pytest.fixture
 def rfc2307bis_no_nesting(request, ldap_conn):
 ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
@@ -974,6 +976,7 @@ def rfc2307bis_no_nesting(request, ldap_conn):
 create_sssd_fixture(request)
 return None
 
+
 def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
 ent.assert_group_by_name("group1",
  dict(mem=ent.contains_only("user1")))
```

I will fix them before pushing patches.

Thank you very much for integration test.
BTW downstream tests did not find any regressions.

ACK

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/77#issuecomment-260951073
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#69][+Changes requested] krb5: Use command line arguments instead env vars for krb5_child

[lslebodn]

  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child

[lslebodn]

  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

lslebodn commented:
"""
On (11/11/16 03:13), sumit-bose wrote:
>Sorry, this issue was introduced by a assume simple last minute change which I 
>didn't test properly. I couldn't decide if I want to keep the options in the 
>global krb5_ctx since the currently do not change or if they will always be 
>generated on the fly. I finally picked the latter to avoid issues in future 
>with options changing per request but didn't do the change properly.
>
I ran some downstream tests and there are failures
with authentication for krb5-fast-principal related tests

sssd.conf lokks like:
```
[domain/LDAP-KRB5]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = $SERVER
krb5_realm = EXAMPLE.COM
krb5_use_fast = demand
krb5_fast_principal = host/$CLIENT
```

```
[domain/LDAP-KRB5]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = $SERVER
krb5_realm = EXAMPLE.COM
krb5_use_fast = demand
krb5_fast_principal = host/$CLIENT
krb5_validate = true
```

and maybe more issues later :-)

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/69#issuecomment-260936892
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] Re: [RFC] Socket-activate responders

[Jakub Hrozek]

On Wed, Nov 16, 2016 at 11:46:03AM +0100, Fabiano Fidêncio wrote:
> On Wed, Nov 16, 2016 at 11:20 AM, Jakub Hrozek  wrote:
> > On Wed, Nov 16, 2016 at 10:03:36AM +0100, Fabiano Fidêncio wrote:
> >> People,
> >>
> >> I've spent some time looking at the code and trying to understand what
> >> are the needed changes in order to have this task done. I'll start by
> >> writing down how things are working nowadays, what we want to achieve,
> >> what are the parts that will need to be touched and what are the steps
> >> that I'm going to take. Please, keep in mind that I may have a wrong
> >> (or at least not so clear) understanding of all these points that I'm
> >> about to explain and in case I made some mistake feel free to jump in
> >> and correct me. Also, whatever we sum up from this email will be
> >> written down in our DesignFeatures page. Let's start ...
> >>
> >> How things work nowadays:
> >> 
> >>
> >> Nowadays all the services are started and taken care by the monitor.
> >> It basically means that the monitor checks which are the services
> >> listed to be started, starts those and registers them in order to
> >> relay them signals coming from our tools. Here I'm not sure whether
> >> the monitor relays signals from something else but the tools, but
> >> doesn't seem to be case (and please, correct me in case I'm wrong).
> >
> > Monitor also relays:
> > - signals that the administrator sends manually (see man sssd(8) and
> >   search for USR1/USR2/HUP)
> 
> This actually affects the responders, right?
> 
> > - notifications that /etc/resolv.conf had changed and the domains
> >   should reset their offline status
> > - notifications that networking on the machine had changed (received
> >   via the netlink socket) and the domains should reset their offline
> >   status
> 
> These don't as far as I understand.
> 
> >
> > These mostly (except for clearing the memory cache of NSS responder and
> > rotating the logs) concern the providers which we won't be changing now.
> >
> > And actually I wouldn't see too much harm with moving the resolv.conf
> > monitoring and netlink monitoring to back ends themselves..both 'just'
> > mean an open fd and the number of sssd_be processes running is usually 
> > small.
> 
> Right, I like the suggestion but I'd like to keep this out of the
> scope for this task right now.
> 
> >
> >>
> >> What we want to achieve:
> >> -
> >>
> >> While my personal desire is to start slowly killing the monitor,
> >> that's not going to be case right now.
> >
> > Well, we can incrementally downsize the monitor..
> >
> >> We don't want to do any change in the code that wouldn't also
> >> contemplate platforms where systemd is not available.
> >
> > Yes, but perhaps we can move the non-systemd code to a separate module
> > to avoid a lot of code in the monitor being #ifdef-ed out. (I don't know
> > if this will actually be the case in the end)
> 
> That's a good idea.
> I'll go pretty much if-def'ing the code and in the end split this part
> into a separate module in case it makes sense.
> 
> >
> >> That being said,
> >> let's move to the important part ...
> >>
> >> Here what we want to achieve is to have all responders (at least for
> >> now, yes, just the responders) socket-activatable as some of them
> >> don't actually have to be running all the time (that's the case, for
> >> example, of the ssh, sudo and ifp responders). We also have to keep
> >> into consideration that _any_ change in behaviour should _not_ happen,
> >> which means that we still have to honor our compromise with sssd.conf
> >> and still make the responders manually activated there to start and be
> >> running from the moment sssd is running (as we do nowadays).
> >
> > Right, this is a possibility. I think we can use the "services" line to
> > configure how the responders are started. If any service was explicitly
> > listed in "services", then it would be also explicitly started by the
> > monitor just as it is now.
> 
> Right.
> 
> >
> > I think we also want to add an idle timeout to the services and the services
> > that are started explicitly would just have an infinite idle timeout..
> 
> Why? If the services are started explicitly we can just use the same
> logic used nowadays.

Yes.

> So, I have the feeling that no changes would be needed at all in this case.

I thought we wanted to add an idle timeout to services that are only
seldom needed like secrets or sudo to avoid running them all the time..

This could be a tevent timer that is cancelled and restarted when a new
client connects and its period could be set from the command line or
from a config parameter.

> 
> >
> > Other systemd services that correspond to a responder might be disabled
> > by default and the admin can just activate them to allow them to be
> > started on demand (that's already the case with sssd-secrets, right?)
> 
> Yes, you're 

[SSSD] Re: [RFC] Socket-activate responders

[Fabiano Fidêncio]

On Wed, Nov 16, 2016 at 11:20 AM, Jakub Hrozek  wrote:
> On Wed, Nov 16, 2016 at 10:03:36AM +0100, Fabiano Fidêncio wrote:
>> People,
>>
>> I've spent some time looking at the code and trying to understand what
>> are the needed changes in order to have this task done. I'll start by
>> writing down how things are working nowadays, what we want to achieve,
>> what are the parts that will need to be touched and what are the steps
>> that I'm going to take. Please, keep in mind that I may have a wrong
>> (or at least not so clear) understanding of all these points that I'm
>> about to explain and in case I made some mistake feel free to jump in
>> and correct me. Also, whatever we sum up from this email will be
>> written down in our DesignFeatures page. Let's start ...
>>
>> How things work nowadays:
>> 
>>
>> Nowadays all the services are started and taken care by the monitor.
>> It basically means that the monitor checks which are the services
>> listed to be started, starts those and registers them in order to
>> relay them signals coming from our tools. Here I'm not sure whether
>> the monitor relays signals from something else but the tools, but
>> doesn't seem to be case (and please, correct me in case I'm wrong).
>
> Monitor also relays:
> - signals that the administrator sends manually (see man sssd(8) and
>   search for USR1/USR2/HUP)

This actually affects the responders, right?

> - notifications that /etc/resolv.conf had changed and the domains
>   should reset their offline status
> - notifications that networking on the machine had changed (received
>   via the netlink socket) and the domains should reset their offline
>   status

These don't as far as I understand.

>
> These mostly (except for clearing the memory cache of NSS responder and
> rotating the logs) concern the providers which we won't be changing now.
>
> And actually I wouldn't see too much harm with moving the resolv.conf
> monitoring and netlink monitoring to back ends themselves..both 'just'
> mean an open fd and the number of sssd_be processes running is usually small.

Right, I like the suggestion but I'd like to keep this out of the
scope for this task right now.

>
>>
>> What we want to achieve:
>> -
>>
>> While my personal desire is to start slowly killing the monitor,
>> that's not going to be case right now.
>
> Well, we can incrementally downsize the monitor..
>
>> We don't want to do any change in the code that wouldn't also
>> contemplate platforms where systemd is not available.
>
> Yes, but perhaps we can move the non-systemd code to a separate module
> to avoid a lot of code in the monitor being #ifdef-ed out. (I don't know
> if this will actually be the case in the end)

That's a good idea.
I'll go pretty much if-def'ing the code and in the end split this part
into a separate module in case it makes sense.

>
>> That being said,
>> let's move to the important part ...
>>
>> Here what we want to achieve is to have all responders (at least for
>> now, yes, just the responders) socket-activatable as some of them
>> don't actually have to be running all the time (that's the case, for
>> example, of the ssh, sudo and ifp responders). We also have to keep
>> into consideration that _any_ change in behaviour should _not_ happen,
>> which means that we still have to honor our compromise with sssd.conf
>> and still make the responders manually activated there to start and be
>> running from the moment sssd is running (as we do nowadays).
>
> Right, this is a possibility. I think we can use the "services" line to
> configure how the responders are started. If any service was explicitly
> listed in "services", then it would be also explicitly started by the
> monitor just as it is now.

Right.

>
> I think we also want to add an idle timeout to the services and the services
> that are started explicitly would just have an infinite idle timeout..

Why? If the services are started explicitly we can just use the same
logic used nowadays.
So, I have the feeling that no changes would be needed at all in this case.

>
> Other systemd services that correspond to a responder might be disabled
> by default and the admin can just activate them to allow them to be
> started on demand (that's already the case with sssd-secrets, right?)

Yes, you're right.

>
> But this could also be just a middle step..in future, since the responder
> Requires sssd.service, I think we could just let the monitor
> socket-activate the responder as well /after/ starting the back ends. Or
> is there another reason for starting some services explicitly except for
> maintaining the status quo and being a bit more on the safe side?

The reason for me would be, only, to be a bit more on the safe side.

>
>>
>> How we plan to achieve our goal:
>> ---
>>
>> Some parts I have a pretty clear idea on what to do, some ot

[SSSD] [sssd PR#80][opened] SYSDB: Sudorule without a sudoUser returns EINVAL

[celestian]

   URL: https://github.com/SSSD/sssd/pull/80
Author: celestian
 Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL
Action: opened

PR body:
"""
This patch solved a regression caused by the recent patches
to lowercase sudoUser -- in case sudoUser is missing completely,
we abort the processing of this rule and all others.

With this patch, we return EINVAL and gracefully skip
the malgormed rule instead.

Resolves:
https://fedorahosted.org/sssd/ticket/3241
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/80/head:pr80
git checkout pr80
From 8877575954842bb2dfcf545b79a3db3ee06521a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 16 Nov 2016 10:09:18 +0100
Subject: [PATCH] SYSDB: Sudorule without a sudoUser returns EINVAL

This patch solved a regression caused by the recent patches
to lowercase sudoUser -- in case sudoUser is missing completely,
we abort the processing of this rule and all others.

With this patch, we return EINVAL and gracefully skip
the malgormed rule instead.

Resolves:
https://fedorahosted.org/sssd/ticket/3241
---
 src/db/sysdb_sudo.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 4bd93ff..0a59e89 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
   SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+ret = EINVAL;
 goto done;
 }
 
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] Re: [RFC] Socket-activate responders

[Jakub Hrozek]

On Wed, Nov 16, 2016 at 10:03:36AM +0100, Fabiano Fidêncio wrote:
> People,
> 
> I've spent some time looking at the code and trying to understand what
> are the needed changes in order to have this task done. I'll start by
> writing down how things are working nowadays, what we want to achieve,
> what are the parts that will need to be touched and what are the steps
> that I'm going to take. Please, keep in mind that I may have a wrong
> (or at least not so clear) understanding of all these points that I'm
> about to explain and in case I made some mistake feel free to jump in
> and correct me. Also, whatever we sum up from this email will be
> written down in our DesignFeatures page. Let's start ...
> 
> How things work nowadays:
> 
> 
> Nowadays all the services are started and taken care by the monitor.
> It basically means that the monitor checks which are the services
> listed to be started, starts those and registers them in order to
> relay them signals coming from our tools. Here I'm not sure whether
> the monitor relays signals from something else but the tools, but
> doesn't seem to be case (and please, correct me in case I'm wrong).

Monitor also relays:
- signals that the administrator sends manually (see man sssd(8) and
  search for USR1/USR2/HUP)
- notifications that /etc/resolv.conf had changed and the domains
  should reset their offline status
- notifications that networking on the machine had changed (received
  via the netlink socket) and the domains should reset their offline
  status

These mostly (except for clearing the memory cache of NSS responder and
rotating the logs) concern the providers which we won't be changing now.

And actually I wouldn't see too much harm with moving the resolv.conf
monitoring and netlink monitoring to back ends themselves..both 'just'
mean an open fd and the number of sssd_be processes running is usually small.

> 
> What we want to achieve:
> -
> 
> While my personal desire is to start slowly killing the monitor,
> that's not going to be case right now.

Well, we can incrementally downsize the monitor..

> We don't want to do any change in the code that wouldn't also
> contemplate platforms where systemd is not available. 

Yes, but perhaps we can move the non-systemd code to a separate module
to avoid a lot of code in the monitor being #ifdef-ed out. (I don't know
if this will actually be the case in the end)

> That being said,
> let's move to the important part ...
> 
> Here what we want to achieve is to have all responders (at least for
> now, yes, just the responders) socket-activatable as some of them
> don't actually have to be running all the time (that's the case, for
> example, of the ssh, sudo and ifp responders). We also have to keep
> into consideration that _any_ change in behaviour should _not_ happen,
> which means that we still have to honor our compromise with sssd.conf
> and still make the responders manually activated there to start and be
> running from the moment sssd is running (as we do nowadays).

Right, this is a possibility. I think we can use the "services" line to
configure how the responders are started. If any service was explicitly
listed in "services", then it would be also explicitly started by the
monitor just as it is now.

I think we also want to add an idle timeout to the services and the services
that are started explicitly would just have an infinite idle timeout..

Other systemd services that correspond to a responder might be disabled
by default and the admin can just activate them to allow them to be
started on demand (that's already the case with sssd-secrets, right?)

But this could also be just a middle step..in future, since the responder
Requires sssd.service, I think we could just let the monitor
socket-activate the responder as well /after/ starting the back ends. Or
is there another reason for starting some services explicitly except for
maintaining the status quo and being a bit more on the safe side?

> 
> How we plan to achieve our goal:
> ---
> 
> Some parts I have a pretty clear idea on what to do, some others not
> that much. The basic idea is to take as much advantage of systemd
> machinery as we can and "remove" as much duties as possible from the
> monitor. Let's go through this by parts ...
> 
> - Starting the service: the idea is to have a systemd unit for each of
> the responders. Whether these units will be automatically generated by
> us is a detail that doesn't worth attention right now. Let's take a
> look on what the unit will look like:
> 
> [Unit]
> Description=SSSD @responder@ service provider
> 
> [Install]
> Also=sssd-@responder@.socket
> 
> [Service]
> ExecStart==@libexecdir@/sssd/sssd_@responder@ --uid 0 --gid 0 --debug-to-files

I wonder if the service could start as root and then read the 'user'
from confdb to learn if it's suppose

[SSSD] [RFC] Socket-activate responders

[Fabiano Fidêncio]

People,

I've spent some time looking at the code and trying to understand what
are the needed changes in order to have this task done. I'll start by
writing down how things are working nowadays, what we want to achieve,
what are the parts that will need to be touched and what are the steps
that I'm going to take. Please, keep in mind that I may have a wrong
(or at least not so clear) understanding of all these points that I'm
about to explain and in case I made some mistake feel free to jump in
and correct me. Also, whatever we sum up from this email will be
written down in our DesignFeatures page. Let's start ...

How things work nowadays:


Nowadays all the services are started and taken care by the monitor.
It basically means that the monitor checks which are the services
listed to be started, starts those and registers them in order to
relay them signals coming from our tools. Here I'm not sure whether
the monitor relays signals from something else but the tools, but
doesn't seem to be case (and please, correct me in case I'm wrong).

What we want to achieve:
-

While my personal desire is to start slowly killing the monitor,
that's not going to be case right now.
We don't want to do any change in the code that wouldn't also
contemplate platforms where systemd is not available. That being said,
let's move to the important part ...

Here what we want to achieve is to have all responders (at least for
now, yes, just the responders) socket-activatable as some of them
don't actually have to be running all the time (that's the case, for
example, of the ssh, sudo and ifp responders). We also have to keep
into consideration that _any_ change in behaviour should _not_ happen,
which means that we still have to honor our compromise with sssd.conf
and still make the responders manually activated there to start and be
running from the moment sssd is running (as we do nowadays).

How we plan to achieve our goal:
---

Some parts I have a pretty clear idea on what to do, some others not
that much. The basic idea is to take as much advantage of systemd
machinery as we can and "remove" as much duties as possible from the
monitor. Let's go through this by parts ...

- Starting the service: the idea is to have a systemd unit for each of
the responders. Whether these units will be automatically generated by
us is a detail that doesn't worth attention right now. Let's take a
look on what the unit will look like:

[Unit]
Description=SSSD @responder@ service provider

[Install]
Also=sssd-@responder@.socket

[Service]
ExecStart==@libexecdir@/sssd/sssd_@responder@ --uid 0 --gid 0 --debug-to-files
Requires=sssd.service
PartOf=sssd.service

There's two options that deserve some explanation of their usage here:
  -- "Requires=sssd.service": This option guarantees that sssd will be
up when any of the responders are up. Considering that the providers
part won't be changed, those will still be initializated synchronously
by the monitor and only then notify init that its start up finished,
which also mean that the providers' sbus socket will be up.
 -- "PartOf=sssd.service": This options guarantees that when
sssd.service is restarted/stoped all the responders' services will be
restarted/stopped accordingly.

- Relaying signals: seems the best approach for this in order to
replace the registration currently done by the monitor, is to create a
named bus for each of the responders so the tools could talk directly
to them. By "named bus for each responder" I understand that's a pipe,
named sbus-@responder@ that will be used to send the dbus message
through it. It would require to adapt the tools code to actually check
whether the sbus-@responder@ pipe exists and then send the message, as
we won't have a list of the running responders, which may increase the
iterations to send a message but I do believe wouldn't hurt us too
much due to the small number of responders we have. It will also help
tools to be able to set different debug levels for each responder.

Seems, at least for me, that doing these steps we are covered with
respect to what we have nowadays. Does someone think that we are
missing something? What? Please, try to explain in the same way you
would explain to a 5 years old kid :-)

Coding plan:
--

My current plan is to start implementing this whole thing by creating
the named bus for each responder and have the communication between
the responders and the tools working. Next step will be to actually
have the responders started on demand by using socket-activation. And
the very last step will be to make sure we can have the responders
always running when they're listed in the sssd.conf.

I'm not comfortable on giving any estimation about when we will have
it done, mainly because I'd like to hear the feedback about this from
others in the team.

Looking forward for your reading back from you!

[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

[celestian]

  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
I am afraid there is the same issue as in 
https://fedorahosted.org/sssd/ticket/3241. The patch will be added soon. 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-260886546
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#39][+Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)

[celestian]

  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org