[SSSD] [sssd PR#217][-Accepted] KCM: Fix off-by-one error in secrets key validation
URL: https://github.com/SSSD/sssd/pull/217 Title: #217: KCM: Fix off-by-one error in secrets key validation Label: -Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#217][comment] KCM: Fix off-by-one error in secrets key validation
URL: https://github.com/SSSD/sssd/pull/217 Title: #217: KCM: Fix off-by-one error in secrets key validation fidencio commented: """ Feel free to push it after running CI (I'll fire one here before calling it a day), """ See the full comment at https://github.com/SSSD/sssd/pull/217#issuecomment-290231249 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#217][+Accepted] KCM: Fix off-by-one error in secrets key validation
URL: https://github.com/SSSD/sssd/pull/217 Title: #217: KCM: Fix off-by-one error in secrets key validation Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#217][comment] KCM: Fix off-by-one error in secrets key validation
URL: https://github.com/SSSD/sssd/pull/217 Title: #217: KCM: Fix off-by-one error in secrets key validation fidencio commented: """ I've just tested it locally here. It works as expected. """ See the full comment at https://github.com/SSSD/sssd/pull/217#issuecomment-290230115 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#217][opened] KCM: Fix off-by-one error in secrets key validation
URL: https://github.com/SSSD/sssd/pull/217 Author: jhrozek Title: #217: KCM: Fix off-by-one error in secrets key validation Action: opened PR body: """ This is a fix for a bug found by Fabiano. A simple reproducer is to try to kinit as root with KCM. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/217/head:pr217 git checkout pr217 From f0bdf4563b325e6fa4cd35db9da86444d3a07187 Mon Sep 17 00:00:00 2001 From: Jakub HrozekDate: Wed, 29 Mar 2017 22:49:09 +0200 Subject: [PATCH] KCM: Fix off-by-one error in secrets key parsing When parsing the secrets key, the code tried to protect against malformed keys or keys that are too short, but it did an error - the UUID stringified form is 36 bytes long, so the UUID_STR_SIZE is 37 because UUID_STR_SIZE accounts for the null terminator. But the code, that was trying to assert that there are two characters after the UUID string (separator and at least a single character for the name) didn't take the NULL terminator (which strlen() doesn't return) into account and ended up rejecting all ccaches whose name is only a single character. --- src/responder/kcm/kcmsrv_ccache_json.c | 43 +--- src/tests/cmocka/test_kcm_json_marshalling.c | 75 2 files changed, 101 insertions(+), 17 deletions(-) diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c index 40b6486..ba7d7f4 100644 --- a/src/responder/kcm/kcmsrv_ccache_json.c +++ b/src/responder/kcm/kcmsrv_ccache_json.c @@ -109,6 +109,28 @@ static const char *sec_key_create(TALLOC_CTX *mem_ctx, "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); } +static bool sec_key_valid(const char *sec_key) +{ +if (sec_key == NULL) { +return false; +} + +if (strlen(sec_key) < UUID_STR_SIZE + 1) { +/* One char for separator (at UUID_STR_SIZE, because strlen doesn't + * include the '\0', but UUID_STR_SIZE does) and at least one for + * the name */ +DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +return false; +} + +if (sec_key[UUID_STR_SIZE-1] != SEC_KEY_SEPARATOR) { +DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +return false; +} + +return true; +} + static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, const char *sec_key, const char **_name, @@ -116,9 +138,7 @@ static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, { char uuid_str[UUID_STR_SIZE]; -if (strlen(sec_key) < UUID_STR_SIZE + 2) { -/* One char for separator and at least one for the name */ -DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +if (!sec_key_valid(sec_key)) { return EINVAL; } @@ -143,14 +163,7 @@ errno_t sec_key_get_uuid(const char *sec_key, { char uuid_str[UUID_STR_SIZE]; -if (strlen(sec_key) < UUID_STR_SIZE + 2) { -/* One char for separator and at least one for the name */ -DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); -return EINVAL; -} - -if (sec_key[UUID_STR_SIZE-1] != SEC_KEY_SEPARATOR) { -DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +if (!sec_key_valid(sec_key)) { return EINVAL; } @@ -162,9 +175,7 @@ errno_t sec_key_get_uuid(const char *sec_key, const char *sec_key_get_name(const char *sec_key) { -if (strlen(sec_key) < UUID_STR_SIZE + 2) { -/* One char for separator and at least one for the name */ -DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +if (!sec_key_valid(sec_key)) { return NULL; } @@ -174,9 +185,7 @@ const char *sec_key_get_name(const char *sec_key) bool sec_key_match_name(const char *sec_key, const char *name) { -if (strlen(sec_key) < UUID_STR_SIZE + 2) { -/* One char for separator and at least one for the name */ -DEBUG(SSSDBG_MINOR_FAILURE, "Key %s is too short\n", sec_key); +if (!sec_key_valid(sec_key) || name == NULL) { return false; } diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_json_marshalling.c index 8eff2f5..108eaf5 100644 --- a/src/tests/cmocka/test_kcm_json_marshalling.c +++ b/src/tests/cmocka/test_kcm_json_marshalling.c @@ -32,6 +32,12 @@ #define TEST_CREDS"TESTCREDS" +#define TEST_UUID_STR "5f8f296b-02be-4e86-9235-500e82354186" +#define TEST_SEC_KEY_ONEDIGIT TEST_UUID_STR"-0" +#define TEST_SEC_KEY_MULTIDIGITS TEST_UUID_STR"-123456" + +#define TEST_SEC_KEY_NOSEPTEST_UUID_STR"+0" + const struct kcm_ccdb_ops ccdb_mem_ops; const struct kcm_ccdb_ops ccdb_sec_ops; @@ -188,6 +194,72 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) assert_int_equal(ret, EOK);
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ CI is happier now: http://sssd-ci.duckdns.org/logs/job/66/49/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290205579 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#136][comment] Tlog integration
URL: https://github.com/SSSD/sssd/pull/136 Title: #136: Tlog integration spbnick commented: """ A better CI result: http://sssd-ci.duckdns.org/logs/job/66/48/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/136#issuecomment-290197456 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ CI: http://sssd-ci.duckdns.org/logs/job/66/47/summary.html there is a RHEL6 failure in the enumeration code. Because the test only failed on RHEL-6, I don't think it's related to the changes, but to be on the safe side, I resubmitted the patches to CI again. """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290178794 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients lslebodn commented: """ On (29/03/17 05:57), Jakub Hrozek wrote: >So then the consumer of the API is expected to iterate over the paths and find >a non-empty attribute? Because the paths from the domains where the user is >not are not usable in the sense the getters return only the default attribute >``` >[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system >--dest=org.freedesktop.sssd.infopipe >/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 >org.freedesktop.DBus.Properties.Get >string:org.freedesktop.sssd.infopipe.Users.User string:name >method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 >serial=9 reply_serial=2 > variant string "" >``` > >THe path from the correct domain works >``` >[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system >--dest=org.freedesktop.sssd.infopipe >/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 >org.freedesktop.DBus.Properties.Get >string:org.freedesktop.sssd.infopipe.Users.User string:name >method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 >serial=11 reply_serial=2 > variant string "administra...@win.trust.test" >``` > IMHO it worth to file a ticket. (at least) LS """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290151595 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Re: Regarding sssd.conf syntax check, going thru dinglib
On (29/03/17 19:13), amit kumar wrote: >Hello, > >*Present **Behavior*: ># vim /usr/local/etc/sssd/sssd.conf >[sssd] >services = nss, pam >config_file_version = 2 >domains = LDAP > >[domain/LDAP] >ldap_search_base = dc=example,dc=com >id_provider = ldap >*auth_provider = ldap9001**<== '**sssctl config_check' does not ^^ ATM it reports just an invalid option name and "auth_provider" is valid. Validating values need to be implemented. I think we have ticket somewhere. LS ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#136][comment] Tlog integration
URL: https://github.com/SSSD/sssd/pull/136 Title: #136: Tlog integration spbnick commented: """ Alright, this one includes PAM exporting the original shell as well. One thing that bothers me about the implementation is that now all responders are reading the shell settings from the NSS section. """ See the full comment at https://github.com/SSSD/sssd/pull/136#issuecomment-290127604 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290113327 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ I fixed the minor issues in comments and the man pages. I also fixed the issue in the Kerberos provider with the following hunk: ``` diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 0aa25ac..2faf18d 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -42,6 +42,8 @@ #include "providers/krb5/krb5_utils.h" #include "providers/krb5/krb5_ccache.h" +#define NON_POSIX_CCNAME_FMT "MEMORY:sssd_nonposix_dummy_%u" + static int krb5_mod_ccname(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, struct sss_domain_info *domain, @@ -317,7 +319,12 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, case DOM_TYPE_APPLICATION: DEBUG(SSSDBG_TRACE_FUNC, "Domain type application, will use in-memory ccache\n"); -kr->ccname = talloc_asprintf(kr, "MEMORY:%s", kr->pd->user); +/* We don't care about using cryptographic randomness, just + * a non-predictable ccname, so using rand() here is fine + */ +kr->ccname = talloc_asprintf(kr, + NON_POSIX_CCNAME_FMT, + rand() % UINT_MAX); if (kr->ccname == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); return ENOMEM; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index e9fe185..cbbc892 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1572,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n"); } +/* In a non-POSIX environment, we only care about the return code from + * krb5_child, so let's not even attempt to create the ccache + */ +if (kr->posix_domain == false) { +DEBUG(SSSDBG_TRACE_LIBS, + "Finished authentication in a non-POSIX domain\n"); +goto done; +} + /* If kr->ccname is cache collection (DIR:/...), we want to work * directly with file ccache (DIR::/...), but cache collection * should be returned back to back end. @@ -1613,18 +1622,6 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, "add_ticket_times_and_upn_to_response failed.\n"); } -/* In a non-POSIX environment, we only care about the return code from - * krb5_child, so let's just destroy the credentials immediatelly - */ -if (kr->posix_domain == false) { -kerr = sss_krb5_cc_destroy(kr->ccname, kr->uid, kr->gid); -if (kerr != EOK) { -DEBUG(SSSDBG_OP_FAILURE, - "Failed to destroy the in-memory ccache\n"); -goto done; -} -} - kerr = 0; done: diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 12c8dfc..66ae68f 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx, return ENOMEM; } +/* Only needed to generate random ccache names for non-POSIX domains */ +srand(time(NULL) * getpid()); + ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, >opts); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n", ``` I'm not sure if the srand and rand calls are nice, if you prefer I can just use some hardcoded name like you suggested.. And I also fixed the issue with the short boolean evaluations with the following hunk: ``` diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index e51cf80..7400dc1 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -297,7 +297,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, } } -if (state->non_posix == true) { +if (state->non_posix) { state->filter = talloc_asprintf(state, "(&%s(objectclass=%s)(%s=*))", user_filter, diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c index 17f1cdf..91e481c 100644 --- a/src/providers/ldap/sdap_async_enum.c +++ b/src/providers/ldap/sdap_async_enum.c @@ -754,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx, goto fail; } -if (non_posix == false && use_mapping) { +if (!non_posix && use_mapping) { /* If we're ID-mapping, check for the objectSID as well */ state->filter = talloc_asprintf_append_buffer( state->filter, "(%s=*)", diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 6c63a3e..c926ddc 100644 ---
[SSSD] [sssd PR#136][synchronized] Tlog integration
URL: https://github.com/SSSD/sssd/pull/136 Author: spbnick Title: #136: Tlog integration Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/136/head:pr136 git checkout pr136 From 22256f94283bce43698b903f6ccb93e58031784c Mon Sep 17 00:00:00 2001 From: Nikolai KondrashovDate: Fri, 24 Mar 2017 16:24:22 +0200 Subject: [PATCH 01/17] CACHE_REQ: Propagate num_results to cache_req_state The num_results field in struct cache_req_state was only set in case of well-known objects, set it also for the regular results for uniformity, and for later use by session recording code. --- src/responder/common/cache_req/cache_req.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c index 4831263..96e7a26 100644 --- a/src/responder/common/cache_req/cache_req.c +++ b/src/responder/common/cache_req/cache_req.c @@ -548,7 +548,8 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) static errno_t cache_req_search_domains_recv(TALLOC_CTX *mem_ctx, struct tevent_req *req, - struct cache_req_result ***_results) + struct cache_req_result ***_results, + size_t *_num_results) { struct cache_req_search_domains_state *state; @@ -559,6 +560,9 @@ cache_req_search_domains_recv(TALLOC_CTX *mem_ctx, if (_results != NULL) { *_results = talloc_steal(mem_ctx, state->results); } +if (_num_results != NULL) { +*_num_results = state->num_results; +} return EOK; } @@ -866,7 +870,8 @@ static void cache_req_done(struct tevent_req *subreq) req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct cache_req_state); -ret = cache_req_search_domains_recv(state, subreq, >results); +ret = cache_req_search_domains_recv(state, subreq, +>results, >num_results); talloc_zfree(subreq); if (ret == ENOENT && state->first_iteration) { From 842c010e7cf5bb2599fa851ec91ab3e5fd369da2 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov Date: Wed, 22 Mar 2017 14:32:35 +0200 Subject: [PATCH 02/17] NSS: Move output name formatting to utils Move NSS nss_get_name_from_msg and the core of sized_output_name to the utils to make them available to provider and other responders. --- src/responder/nss/nss_protocol_grent.c | 3 +- src/responder/nss/nss_protocol_pwent.c | 2 +- src/responder/nss/nss_protocol_sid.c | 3 +- src/responder/nss/nss_utils.c | 55 +-- src/util/sss_nss.c | 68 ++ src/util/sss_nss.h | 12 ++ 6 files changed, 94 insertions(+), 49 deletions(-) diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c index 283ab9f..5f208e0 100644 --- a/src/responder/nss/nss_protocol_grent.c +++ b/src/responder/nss/nss_protocol_grent.c @@ -19,6 +19,7 @@ */ #include "responder/nss/nss_protocol.h" +#include "util/sss_nss.h" static errno_t nss_get_grent(TALLOC_CTX *mem_ctx, @@ -41,7 +42,7 @@ nss_get_grent(TALLOC_CTX *mem_ctx, } /* Get fields. */ -name = nss_get_name_from_msg(domain, msg); +name = sss_nss_get_name_from_msg(domain, msg); gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0); if (name == NULL || gid == 0) { diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c index edda9d3..c0b8e79 100644 --- a/src/responder/nss/nss_protocol_pwent.c +++ b/src/responder/nss/nss_protocol_pwent.c @@ -225,7 +225,7 @@ nss_get_pwent(TALLOC_CTX *mem_ctx, /* Get fields. */ upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL); -name = nss_get_name_from_msg(domain, msg); +name = sss_nss_get_name_from_msg(domain, msg); gid = nss_get_gid(domain, msg); uid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_UIDNUM, 0); diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c index a6a4e27..37bbec5 100644 --- a/src/responder/nss/nss_protocol_sid.c +++ b/src/responder/nss/nss_protocol_sid.c @@ -19,6 +19,7 @@ */ #include "util/crypto/sss_crypto.h" +#include "util/sss_nss.h" #include "responder/nss/nss_protocol.h" static errno_t @@ -532,7 +533,7 @@ nss_protocol_fill_name_list(struct nss_ctx *nss_ctx, return ret; } -tmp_str = nss_get_name_from_msg(result->domain, result->msgs[c]); +tmp_str = sss_nss_get_name_from_msg(result->domain, result->msgs[c]); if (tmp_str == NULL) { return EINVAL; } diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
[SSSD] Regarding sssd.conf syntax check, going thru dinglib
Hello, *Present **Behavior*: # vim /usr/local/etc/sssd/sssd.conf [sssd] services = nss, pam config_file_version = 2 domains = LDAP [domain/LDAP] ldap_search_base = dc=example,dc=com id_provider = ldap *auth_provider = ldap9001**<== '**sssctl config_check' does not reports this1* ldap_uri = ldap://server.example.com ldap_id_use_start_tls = True ldap_tls_cacert = /etc/openldap/certs/cacert.asc *debug_level = tt**<== 'sssctl config_check' does not reports this2 **klala = 1<== '**sssctl config_check' r**eports thi*s3 *My **Interpretation*: sss_ini_call_validators_errobj()//sssd/src/util/sss_ini.c ini_rules_read_from_file(rules_path, _cfgobj); //rules_path=/usr/share/sssd/cfg_rules.ini{All _keywords on left side of __assignment__are rules_ which are _read from cfg_rules.ini_ fills in struct ini_cfgobj} *Why sssd does**reports 3*?Because rule is not present in cfg_rules.ini *Why sssd doe**s not report 1,2*?May be - Because there is no such check in ding-lib about values of options. - OR Check is broken.I also find # cat /root/ding-libs-0.6.0/ini/ini.d/mysssd.conf [service] # Options available to all services debug_level = int, None, false<=Now what's this syntax. If it takes int, then is this broken. Please throw some light... -- Thanks Amit Kumar There are three ways to get something done: (1) Do it yourself. (2) Hire someone to do it for you. (3) Forbid your kids to do it. ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider lslebodn commented: """ There is still the same problem on rhel7 even with the latest version ``` (gdb) l 563 558 return; 559 } 560 561 len = http_parser_execute(>parser, >callbacks, 562 data.data, data.length); 563 if (len != data.length) { 564 DEBUG(SSSDBG_FATAL_FAILURE, 565 "Failed to parse request, aborting client!\n"); 566 talloc_free(cctx); 567 return; (gdb) p len != data.length $4 = 1 (gdb) p len $5 = 116 (gdb) p data $6 = {data = 0x7ffc8fec2190 "POST /secrets/cont/ HTTP/1.1\r\nHost: localhost\r\nAccept: */*\r\nContent-type: application/octet-stream\r\nContent-Length: -1\r\n\r\n", length = 122} ``` """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290092914 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ * master: 82843754193b177275ce16f2901edac2060a3998 2cf7becc05996eb6d8a3352d3d7b97c75652e590 415d93196533a6fcd90889c67396ef5af5bf791a """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290084814 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][+Pushed] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][closed] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Author: sumit-bose Title: #209: IPA: lookup AD users by certificates on IPA clients Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/209/head:pr209 git checkout pr209 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available jhrozek commented: """ * master: 1c551b1373799643f3e9ba4f696d21b8fc57dafd """ See the full comment at https://github.com/SSSD/sssd/pull/204#issuecomment-290083552 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][closed] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Author: sumit-bose Title: #204: krb5: return to responder that pkinit is not available Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/204/head:pr204 git checkout pr204 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][+Pushed] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#201][closed] Fix handling of binary keys in the ssh responder
URL: https://github.com/SSSD/sssd/pull/201 Author: sumit-bose Title: #201: Fix handling of binary keys in the ssh responder Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/201/head:pr201 git checkout pr201 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder
URL: https://github.com/SSSD/sssd/pull/201 Title: #201: Fix handling of binary keys in the ssh responder jhrozek commented: """ * master: 1b5d6b1afc9c3dc696b7b45f2d73b2634f42800a bd1fa0ec90be717c3b7796d74b6f243f40178d16 """ See the full comment at https://github.com/SSSD/sssd/pull/201#issuecomment-290082631 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ anyway, these patches work and we can push them """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290081403 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][+Accepted] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ So then the consumer of the API is expected to iterate over the paths and find a non-empty attribute? Because the paths from the domains where the user is not are not usable in the sense the getters return only the default attribute ``` [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 serial=9 reply_serial=2 variant string "" ``` THe path from the correct domain works ``` [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 serial=11 reply_serial=2 variant string "administra...@win.trust.test" ``` """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290081343 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][closed] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Author: fidencio Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/187/head:pr187 git checkout pr187 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][+Pushed] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname jhrozek commented: """ * master: 16385568547351b5d2c562f3081f35f3341f695b 1e437af958f59a0b8bf2f751d3c2ea28365ac64d 66c8e92eb5a4985bb7f64c349a53b08030a000cf 34228050af1e25706f61ec9df648852284b61c2b fb81f337b68c85471c3f5140850dccf549a2d0ac 17ab121a6c69d74acf1d40f2bbcbe90d77bb6b8a 3cbf0e7b63e8e6888917e9215bbdc5674c2fa852 723d514f641e2b5a5cbfe1c6c7bdd2a6f3c5070e 2e85b015d8dd231094a09eab69b86e8b6fcc8b2b 5856a621ac5909ca96520ac5a809eb83fd46d8bc a3442e4a268ad2172c89d58e6daa759eb4b39e7c 46c99a59c8d6501aa3ad701c567fba577924b48b dcc52d9c6411528bab815351d1e6145d211a4765 a63d74f65db2db7389cd373cb37adcdaaa2d56ea e0e038218580166648ac24f23180f0f4c2769d99 """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-290068633 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][+Accepted] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#201][+Accepted] Fix handling of binary keys in the ssh responder
URL: https://github.com/SSSD/sssd/pull/201 Title: #201: Fix handling of binary keys in the ssh responder Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder
URL: https://github.com/SSSD/sssd/pull/201 Title: #201: Fix handling of binary keys in the ssh responder jhrozek commented: """ The code looks good to me and seems to work fine: ``` ./sss_ssh_authorizedkeys administra...@win.trust.test ssh-rsa B3NzaC1yc2EDAQABAAABAQDyLvhzmsoc5JFiBRFuWHPHYmzS4iGywzNv1FDdIdG5TxgI3PV1OFhWF1C4YIwcbq/4L8t8AnH9kdqxxSU3IomfZJLlu3Jt5I46q/wtps6XPNIBlTNhhvCm4TlLUekkcjiJfkQ68YgznOdk4DUbpn0pN7VLknMJSoSHWv8k5rx4vh7BELADnHgtTTuhfiAOMYXpYnHtWY0TVossAHBHw4nCizCWsoVSywn9HpblrVFKtVIXVRzoLbZjphH5POjkeg+Q/5Tff2hEAQSeMF2/HMUpuTlPxv3gUPB0fVIE04mVrC+sear/RNIGn/7FxaAYSXEV2ExTd0emc5slPcAU87kn ``` This is with a use set up like this: ``` ipa idoverrideuser-add clientview administra...@win.trust.test --certificate="$(base64 cert.der)" ``` """ See the full comment at https://github.com/SSSD/sssd/pull/201#issuecomment-290065970 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients sumit-bose commented: """ It is expected that ListByCertificate returns matches from all domains. So as long as all the listed users have the certficate in their corresponding user object (I assume you are not using other certmap rules), the result is expected. """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290065881 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][+Accepted] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available jhrozek commented: """ ok, thanks! """ See the full comment at https://github.com/SSSD/sssd/pull/204#issuecomment-290063709 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ Hmm, looking at the debug output, it might be the cache_req's code fault: ``` (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #6: Using domain [win.trust.test] (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #6: Looking up CERT:nxgxW/ww==@win.trust.test ... (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain win.trust.test ``` That's fine, but: ``` (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #8: Using domain [child.win.trust.test] (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #8: Looking up CERT:nxgxW/ww==@child.win.trust.test ... (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] (0x0400): CR #8: Found 1 entries in domain child.win.trust.test ``` So it looks like cache_req is looking in all domains and returning the entries from all domains.. Please let me know if you prefer to file a separate ticket or fix the problem here. """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290062549 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ These patches look OK, but I suspect we might have a bug in the IFP list code. I added a certificate to a user's idview entry and now listing the certificate shows: ``` dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat cert.pem)" uint32:100 method return time=1490786867.303117 sender=:1.40 -> destination=:1.42 serial=7 reply_serial=2 array [ object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/sibling_2ewin_2etrust_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/child_2ewin_2etrust_2etest/679800500" ] ``` The user is only in the win.trust.test domain: ``` [jhrozek@client] sssd $ [(review)] getent passwd 679800500 administra...@win.trust.test:*:679800500:679800500:Administrator:/home/win.trust.test/administrator: ``` """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290061842 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname fidencio commented: """ CI: http://sssd-ci.duckdns.org/logs/job/66/41/summary.html It failed on rhel6 but the failure doesn't seem to be related to these patches. """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-290061157 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#193][+Changes requested] UTIL: Use max 15 characters for AD host UPN
URL: https://github.com/SSSD/sssd/pull/193 Title: #193: UTIL: Use max 15 characters for AD host UPN Label: +Changes requested ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider lslebodn commented: """ rhel7 error ``` test_secrets.py::test_crd_ops PASSED test_secrets.py::test_curlwrap_crd_ops FAILED test_secrets.py::test_curlwrap_parallel PASSED test_secrets.py::test_containers PASSED === FAILURES== _ test_curlwrap_crd_ops __ Traceback (most recent call last): File "/home/build/sssd/src/tests/intg/test_secrets.py", line 278, in test_curlwrap_crd_ops 200) File "/home/build/sssd/src/tests/intg/test_secrets.py", line 207, in run_curlwrap_tool assert exp_http_code_str in out AssertionError: assert 'Request HTTP code: 200' in '' ``` + test_kcm_sec_* are failing as well on rhel7 `` """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290052915 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups pbrezina commented: """ ```xml POSIX domains are reachable by all services. Application domains are only reachable from the D-Bus responder (see sssd-ifp 5 ) and the PAM responder. ``` The responder name is InfoPipe or IFP not D-Bus. I would rather rephrase it either to `IFP responder` or `through the D-Bus interface`. Otherwise the patches looks good to me. """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290050853 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available lslebodn commented: """ On (29/03/17 01:58), Jakub Hrozek wrote: >I really don't mind one way or another. I find all the proposed versions of >the condition complex, that's why I'm glad there is a comment atop them. > >So from my point of view, I'm fine with the first version > OK, go ahead and push. sorry for noise. LS """ See the full comment at https://github.com/SSSD/sssd/pull/204#issuecomment-290046824 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider lslebodn commented: """ We should skip secrets test on rhel6. So the patch "ci: do not build secrets on rhel6" should also contain ``` diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py index d71c19045..6dc4c81ed 100644 --- a/src/tests/intg/test_secrets.py +++ b/src/tests/intg/test_secrets.py @@ -32,6 +32,14 @@ from util import unindent from secrets import SecretsLocalClient +RESP_PATH = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets") +if not os.access(RESP_PATH, os.X_OK): +if pytest.__version__ < "3.0.0": +pytest.skip() +else: +pytestmark = pytest.mark.skip + + def create_conf_fixture(request, contents): """Generate sssd.conf and add teardown for removing it""" conf = open(config.CONF_PATH, "w") ``` @jhrozek Did you mean something like this in comment "It would be cleaner to use pytest.mark.skipif on the package level" in `test_kcm.py` :-) BTW I am not sure whether it's the best pythonic way but it works :-) """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040874 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider pbrezina commented: """ I fixed the hang. It was created due to newly added test in KCM patches that uses POST to create a container. Tcurl test tool can provide body to POST operation which was mandatory in the first patch, optional in the second. """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040746 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider pbrezina commented: """ I'm going to run CI before pushing these patches. """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290040911 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#193][comment] UTIL: Use max 15 characters for AD host UPN
URL: https://github.com/SSSD/sssd/pull/193 Title: #193: UTIL: Use max 15 characters for AD host UPN mzidek-rh commented: """ Hi, I have this on my "to test" list, but could you please add a comment to the code, why we use exactly 15. It is cleat from the ticket, but in the code the number is a magic number. So dispel that magic with some scroll... I mean comment. """ See the full comment at https://github.com/SSSD/sssd/pull/193#issuecomment-290034951 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available
URL: https://github.com/SSSD/sssd/pull/204 Title: #204: krb5: return to responder that pkinit is not available jhrozek commented: """ I really don't mind one way or another. I find all the proposed versions of the condition complex, that's why I'm glad there is a comment atop them. So from my point of view, I'm fine with the first version """ See the full comment at https://github.com/SSSD/sssd/pull/204#issuecomment-290027496 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname fidencio commented: """ @lslebodn: your comment has been addressed in the latest patch series. """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-290023234 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname lslebodn commented: """ The patch "UTIL: Simplify usage of create_subdom_conf_path " did not move function to right module. The function `create_subdom_conf_path` has nothing to do with string utils and moreover added dependency on "struct sss_domain_info". So the module `src/util/string_utils.c` could not be reused as string only module. """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-290017295 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider jhrozek commented: """ On Wed, Mar 29, 2017 at 12:29:27AM -0700, lslebodn wrote: > BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang > in test_secrets and therefore internal CI was blocked whole night. The 2nd > patch "tcurl test: refactor so new options can be added more easily" fixed > the test. Then I propose we merge the patches. """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290007997 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder
URL: https://github.com/SSSD/sssd/pull/201 Title: #201: Fix handling of binary keys in the ssh responder jhrozek commented: """ CI: http://sssd-ci.duckdns.org/logs/job/66/04/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/201#issuecomment-290007826 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ (the machine in CI is broken, not the patches..) """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290007734 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients
URL: https://github.com/SSSD/sssd/pull/209 Title: #209: IPA: lookup AD users by certificates on IPA clients jhrozek commented: """ I started the review by running CI which passed except rawhide which seems broken: http://sssd-ci.duckdns.org/logs/job/66/06/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290007653 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider lslebodn commented: """ BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang in test_secrets and therefore internal CI was blocked whole night. The 2nd patch "tcurl test: refactor so new options can be added more easily" fixed the test. """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-290006897 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname fidencio commented: """ I'm removing the Accepted label till our internal CI passes """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-290004299 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][-Accepted] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname Label: -Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#213][+Pushed] intg: Remove bashism from intgcheck-prepare
URL: https://github.com/SSSD/sssd/pull/213 Title: #213: intg: Remove bashism from intgcheck-prepare Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#213][comment] intg: Remove bashism from intgcheck-prepare
URL: https://github.com/SSSD/sssd/pull/213 Title: #213: intg: Remove bashism from intgcheck-prepare lslebodn commented: """ master: * f75ba99fc8dd64e45af2f642d9fb7660860fd28f """ See the full comment at https://github.com/SSSD/sssd/pull/213#issuecomment-290001091 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#213][closed] intg: Remove bashism from intgcheck-prepare
URL: https://github.com/SSSD/sssd/pull/213 Author: lslebodn Title: #213: intg: Remove bashism from intgcheck-prepare Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/213/head:pr213 git checkout pr213 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#216][closed] Subdomain shortnames
URL: https://github.com/SSSD/sssd/pull/216 Author: mzidek-rh Title: #216: Subdomain shortnames Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/216/head:pr216 git checkout pr216 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#216][comment] Subdomain shortnames
URL: https://github.com/SSSD/sssd/pull/216 Title: #216: Subdomain shortnames fidencio commented: """ I'm closing the PR as it's been superseded by PR 187, which was rebased on top of this patchset. Btw, your patch was reviewed and ack-ed there. :-) """ See the full comment at https://github.com/SSSD/sssd/pull/216#issuecomment-28007 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname
URL: https://github.com/SSSD/sssd/pull/187 Title: #187: Add support to lookup for users/groups in subdomains just by the user shortname fidencio commented: """ So, by @lslebodn comment I've dropped the "Allow subdomains to inherit "use_fully_qualified_names" option" patch and rebased my series on top of @mzidek-rh patch for adding this option to the subdomain directly. As I've tested @mzidek-rh patch I've already added an "Acked-by: ..." there. That's the only change from previous series to this one. """ See the full comment at https://github.com/SSSD/sssd/pull/187#issuecomment-289998692 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider
URL: https://github.com/SSSD/sssd/pull/198 Title: #198: secrets: support https in proxy provider lslebodn commented: """ hmm, it still fails with rhel{6,7}. http://sssd-ci.duckdns.org/logs/job/66/07/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/198#issuecomment-289998205 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org