date:20170329

[SSSD] [sssd PR#217][-Accepted] KCM: Fix off-by-one error in secrets key validation

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/217
Title: #217: KCM: Fix off-by-one error in secrets key validation

Label: -Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#217][comment] KCM: Fix off-by-one error in secrets key validation

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/217
Title: #217: KCM: Fix off-by-one error in secrets key validation

fidencio commented:
"""
Feel free to push it after running CI (I'll fire one here before calling it a 
day),

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/217#issuecomment-290231249
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#217][+Accepted] KCM: Fix off-by-one error in secrets key validation

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/217
Title: #217: KCM: Fix off-by-one error in secrets key validation

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#217][comment] KCM: Fix off-by-one error in secrets key validation

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/217
Title: #217: KCM: Fix off-by-one error in secrets key validation

fidencio commented:
"""
I've just tested it locally here. It works as expected.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/217#issuecomment-290230115
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#217][opened] KCM: Fix off-by-one error in secrets key validation

2017-03-29 Thread jhrozek

   URL: https://github.com/SSSD/sssd/pull/217
Author: jhrozek
 Title: #217: KCM: Fix off-by-one error in secrets key validation
Action: opened

PR body:
"""
This is a fix for a bug found by Fabiano. A simple reproducer is to try to 
kinit as root with KCM.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/217/head:pr217
git checkout pr217
From f0bdf4563b325e6fa4cd35db9da86444d3a07187 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 29 Mar 2017 22:49:09 +0200
Subject: [PATCH] KCM: Fix off-by-one error in secrets key parsing

When parsing the secrets key, the code tried to protect against malformed keys
or keys that are too short, but it did an error - the UUID stringified
form is 36 bytes long, so the UUID_STR_SIZE is 37 because UUID_STR_SIZE
accounts for the null terminator.

But the code, that was trying to assert that there are two characters after
the UUID string (separator and at least a single character for the name)
didn't take the NULL terminator (which strlen() doesn't return) into
account and ended up rejecting all ccaches whose name is only a single
character.
---
 src/responder/kcm/kcmsrv_ccache_json.c   | 43 +---
 src/tests/cmocka/test_kcm_json_marshalling.c | 75 
 2 files changed, 101 insertions(+), 17 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index 40b6486..ba7d7f4 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -109,6 +109,28 @@ static const char *sec_key_create(TALLOC_CTX *mem_ctx,
"%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name);
 }
 
+static bool sec_key_valid(const char *sec_key)
+{
+if (sec_key == NULL) {
+return false;
+}
+
+if (strlen(sec_key) < UUID_STR_SIZE + 1) {
+/* One char for separator (at UUID_STR_SIZE, because strlen doesn't
+ * include the '\0', but UUID_STR_SIZE does) and at least one for
+ * the name */
+DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
+return false;
+}
+
+if (sec_key[UUID_STR_SIZE-1] != SEC_KEY_SEPARATOR) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
+return false;
+}
+
+return true;
+}
+
 static errno_t sec_key_parse(TALLOC_CTX *mem_ctx,
  const char *sec_key,
  const char **_name,
@@ -116,9 +138,7 @@ static errno_t sec_key_parse(TALLOC_CTX *mem_ctx,
 {
 char uuid_str[UUID_STR_SIZE];
 
-if (strlen(sec_key) < UUID_STR_SIZE + 2) {
-/* One char for separator and at least one for the name */
-DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
+if (!sec_key_valid(sec_key)) {
 return EINVAL;
 }
 
@@ -143,14 +163,7 @@ errno_t sec_key_get_uuid(const char *sec_key,
 {
 char uuid_str[UUID_STR_SIZE];
 
-if (strlen(sec_key) < UUID_STR_SIZE + 2) {
-/* One char for separator and at least one for the name */
-DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
-return EINVAL;
-}
-
-if (sec_key[UUID_STR_SIZE-1] != SEC_KEY_SEPARATOR) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n");
+if (!sec_key_valid(sec_key)) {
 return EINVAL;
 }
 
@@ -162,9 +175,7 @@ errno_t sec_key_get_uuid(const char *sec_key,
 
 const char *sec_key_get_name(const char *sec_key)
 {
-if (strlen(sec_key) < UUID_STR_SIZE + 2) {
-/* One char for separator and at least one for the name */
-DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key);
+if (!sec_key_valid(sec_key)) {
 return NULL;
 }
 
@@ -174,9 +185,7 @@ const char *sec_key_get_name(const char *sec_key)
 bool sec_key_match_name(const char *sec_key,
 const char *name)
 {
-if (strlen(sec_key) < UUID_STR_SIZE + 2) {
-/* One char for separator and at least one for the name */
-DEBUG(SSSDBG_MINOR_FAILURE, "Key %s is too short\n", sec_key);
+if (!sec_key_valid(sec_key) || name == NULL) {
 return false;
 }
 
diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_json_marshalling.c
index 8eff2f5..108eaf5 100644
--- a/src/tests/cmocka/test_kcm_json_marshalling.c
+++ b/src/tests/cmocka/test_kcm_json_marshalling.c
@@ -32,6 +32,12 @@
 
 #define TEST_CREDS"TESTCREDS"
 
+#define TEST_UUID_STR "5f8f296b-02be-4e86-9235-500e82354186"
+#define TEST_SEC_KEY_ONEDIGIT TEST_UUID_STR"-0"
+#define TEST_SEC_KEY_MULTIDIGITS  TEST_UUID_STR"-123456"
+
+#define TEST_SEC_KEY_NOSEPTEST_UUID_STR"+0"
+
 const struct kcm_ccdb_ops ccdb_mem_ops;
 const struct kcm_ccdb_ops ccdb_sec_ops;
 
@@ -188,6 +194,72 @@ static void test_kcm_ccache_marshall_unmarshall(void **state)
 assert_int_equal(ret, EOK);

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
CI is happier now: http://sssd-ci.duckdns.org/logs/job/66/49/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290205579
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-03-29 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
A better CI result: http://sssd-ci.duckdns.org/logs/job/66/48/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-290197456
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/66/47/summary.html

there is a RHEL6 failure in the enumeration code. Because the test only failed 
on RHEL-6, I don't think it's related to the changes, but to be on the safe 
side, I resubmitted the patches to CI again.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290178794
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

lslebodn commented:
"""
On (29/03/17 05:57), Jakub Hrozek wrote:
>So then the consumer of the API is expected to iterate over the paths and find 
>a non-empty attribute? Because the paths from the domains where the user is 
>not are not usable in the sense the getters return only the default attribute
>```
>[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system 
>--dest=org.freedesktop.sssd.infopipe  
>/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 
>org.freedesktop.DBus.Properties.Get 
>string:org.freedesktop.sssd.infopipe.Users.User string:name
>method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 
>serial=9 reply_serial=2
>   variant   string ""
>```
>
>THe path from the correct domain works
>```
>[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system 
>--dest=org.freedesktop.sssd.infopipe  
>/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 
>org.freedesktop.DBus.Properties.Get 
>string:org.freedesktop.sssd.infopipe.Users.User string:name
>method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 
>serial=11 reply_serial=2
>   variant   string "administra...@win.trust.test"
>```
>

IMHO it worth to file a ticket. (at least)

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290151595
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] Re: Regarding sssd.conf syntax check, going thru dinglib

2017-03-29 Thread Lukas Slebodnik

On (29/03/17 19:13), amit kumar wrote:
>Hello,
>
>*Present **Behavior*:
># vim  /usr/local/etc/sssd/sssd.conf
>[sssd]
>services = nss, pam
>config_file_version = 2
>domains = LDAP
>
>[domain/LDAP]
>ldap_search_base = dc=example,dc=com
>id_provider = ldap
>*auth_provider = ldap9001**<== '**sssctl config_check' does not
 ^^
ATM it reports just an invalid option name
and "auth_provider" is valid.

Validating values need to be implemented.
I think we have ticket somewhere.

LS
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-03-29 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Alright, this one includes PAM exporting the original shell as well. One thing 
that bothers me about the implementation is that now all responders are reading 
the shell settings from the NSS section.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-290127604
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
retest this please
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290113327
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
I fixed the minor issues in comments and the man pages. I also fixed the issue 
in the Kerberos provider with the following hunk:
```
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0aa25ac..2faf18d 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -42,6 +42,8 @@
 #include "providers/krb5/krb5_utils.h"
 #include "providers/krb5/krb5_ccache.h"
 
+#define  NON_POSIX_CCNAME_FMT   "MEMORY:sssd_nonposix_dummy_%u"
+
 static int krb5_mod_ccname(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
@@ -317,7 +319,12 @@ static errno_t krb5_auth_prepare_ccache_name(struct 
krb5child_req *kr,
 case DOM_TYPE_APPLICATION:
 DEBUG(SSSDBG_TRACE_FUNC,
"Domain type application, will use in-memory ccache\n");
-kr->ccname = talloc_asprintf(kr, "MEMORY:%s", kr->pd->user);
+/* We don't care about using cryptographic randomness, just
+ * a non-predictable ccname, so using rand() here is fine
+ */
+kr->ccname = talloc_asprintf(kr,
+ NON_POSIX_CCNAME_FMT,
+ rand() % UINT_MAX);
 if (kr->ccname == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 return ENOMEM;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fe185..cbbc892 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1572,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
 DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
 }
 
+/* In a non-POSIX environment, we only care about the return code from
+ * krb5_child, so let's not even attempt to create the ccache
+ */
+if (kr->posix_domain == false) {
+DEBUG(SSSDBG_TRACE_LIBS,
+  "Finished authentication in a non-POSIX domain\n");
+goto done;
+}
+
 /* If kr->ccname is cache collection (DIR:/...), we want to work
  * directly with file ccache (DIR::/...), but cache collection
  * should be returned back to back end.
@@ -1613,18 +1622,6 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
   "add_ticket_times_and_upn_to_response failed.\n");
 }
 
-/* In a non-POSIX environment, we only care about the return code from
- * krb5_child, so let's just destroy the credentials immediatelly
- */
-if (kr->posix_domain == false) {
-kerr = sss_krb5_cc_destroy(kr->ccname, kr->uid, kr->gid);
-if (kerr != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-  "Failed to destroy the in-memory ccache\n");
-goto done;
-}
-}
-
 kerr = 0;
 
 done:
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 12c8dfc..66ae68f 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
+/* Only needed to generate random ccache names for non-POSIX domains */
+srand(time(NULL) * getpid());
+
 ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, 
>opts);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
```

I'm not sure if the srand and rand calls are nice, if you prefer I can just use 
some hardcoded name like you suggested..

And I also fixed the issue with the short boolean evaluations with the 
following hunk:
```
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index e51cf80..7400dc1 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -297,7 +297,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 }
 }
 
-if (state->non_posix == true) {
+if (state->non_posix) {
 state->filter = talloc_asprintf(state,
 "(&%s(objectclass=%s)(%s=*))",
 user_filter,
diff --git a/src/providers/ldap/sdap_async_enum.c 
b/src/providers/ldap/sdap_async_enum.c
index 17f1cdf..91e481c 100644
--- a/src/providers/ldap/sdap_async_enum.c
+++ b/src/providers/ldap/sdap_async_enum.c
@@ -754,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX 
*memctx,
 goto fail;
 }
 
-if (non_posix == false && use_mapping) {
+if (!non_posix && use_mapping) {
 /* If we're ID-mapping, check for the objectSID as well */
 state->filter = talloc_asprintf_append_buffer(
 state->filter, "(%s=*)",
diff --git a/src/providers/ldap/sdap_async_initgroups.c 
b/src/providers/ldap/sdap_async_initgroups.c
index 6c63a3e..c926ddc 100644
---

[SSSD] [sssd PR#136][synchronized] Tlog integration

2017-03-29 Thread spbnick

   URL: https://github.com/SSSD/sssd/pull/136
Author: spbnick
 Title: #136: Tlog integration
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/136/head:pr136
git checkout pr136
From 22256f94283bce43698b903f6ccb93e58031784c Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov 
Date: Fri, 24 Mar 2017 16:24:22 +0200
Subject: [PATCH 01/17] CACHE_REQ: Propagate num_results to cache_req_state

The num_results field in struct cache_req_state was only set in case of
well-known objects, set it also for the regular results for uniformity,
and for later use by session recording code.
---
 src/responder/common/cache_req/cache_req.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 4831263..96e7a26 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -548,7 +548,8 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
 static errno_t
 cache_req_search_domains_recv(TALLOC_CTX *mem_ctx,
   struct tevent_req *req,
-  struct cache_req_result ***_results)
+  struct cache_req_result ***_results,
+  size_t *_num_results)
 {
 struct cache_req_search_domains_state *state;
 
@@ -559,6 +560,9 @@ cache_req_search_domains_recv(TALLOC_CTX *mem_ctx,
 if (_results != NULL) {
 *_results = talloc_steal(mem_ctx, state->results);
 }
+if (_num_results != NULL) {
+*_num_results = state->num_results;
+}
 
 return EOK;
 }
@@ -866,7 +870,8 @@ static void cache_req_done(struct tevent_req *subreq)
 req = tevent_req_callback_data(subreq, struct tevent_req);
 state = tevent_req_data(req, struct cache_req_state);
 
-ret = cache_req_search_domains_recv(state, subreq, >results);
+ret = cache_req_search_domains_recv(state, subreq,
+>results, >num_results);
 talloc_zfree(subreq);
 
 if (ret == ENOENT && state->first_iteration) {

From 842c010e7cf5bb2599fa851ec91ab3e5fd369da2 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov 
Date: Wed, 22 Mar 2017 14:32:35 +0200
Subject: [PATCH 02/17] NSS: Move output name formatting to utils

Move NSS nss_get_name_from_msg and the core of sized_output_name to the
utils to make them available to provider and other responders.
---
 src/responder/nss/nss_protocol_grent.c |  3 +-
 src/responder/nss/nss_protocol_pwent.c |  2 +-
 src/responder/nss/nss_protocol_sid.c   |  3 +-
 src/responder/nss/nss_utils.c  | 55 +--
 src/util/sss_nss.c | 68 ++
 src/util/sss_nss.h | 12 ++
 6 files changed, 94 insertions(+), 49 deletions(-)

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 283ab9f..5f208e0 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -19,6 +19,7 @@
 */
 
 #include "responder/nss/nss_protocol.h"
+#include "util/sss_nss.h"
 
 static errno_t
 nss_get_grent(TALLOC_CTX *mem_ctx,
@@ -41,7 +42,7 @@ nss_get_grent(TALLOC_CTX *mem_ctx,
 }
 
 /* Get fields. */
-name = nss_get_name_from_msg(domain, msg);
+name = sss_nss_get_name_from_msg(domain, msg);
 gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0);
 
 if (name == NULL || gid == 0) {
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index edda9d3..c0b8e79 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -225,7 +225,7 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
 
 /* Get fields. */
 upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
-name = nss_get_name_from_msg(domain, msg);
+name = sss_nss_get_name_from_msg(domain, msg);
 gid = nss_get_gid(domain, msg);
 uid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_UIDNUM, 0);
 
diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c
index a6a4e27..37bbec5 100644
--- a/src/responder/nss/nss_protocol_sid.c
+++ b/src/responder/nss/nss_protocol_sid.c
@@ -19,6 +19,7 @@
 */
 
 #include "util/crypto/sss_crypto.h"
+#include "util/sss_nss.h"
 #include "responder/nss/nss_protocol.h"
 
 static errno_t
@@ -532,7 +533,7 @@ nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,
 return ret;
 }
 
-tmp_str = nss_get_name_from_msg(result->domain, result->msgs[c]);
+tmp_str = sss_nss_get_name_from_msg(result->domain, result->msgs[c]);
 if (tmp_str == NULL) {
 return EINVAL;
 }
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c

[SSSD] Regarding sssd.conf syntax check, going thru dinglib

2017-03-29 Thread amit kumar

Hello,

*Present **Behavior*:
# vim  /usr/local/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
*auth_provider = ldap9001**<== '**sssctl config_check' does not
reports this1*
ldap_uri = ldap://server.example.com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
*debug_level = tt**<== 'sssctl config_check' does not reports
this2
**klala =  1<== '**sssctl config_check' r**eports
thi*s3

*My **Interpretation*:
sss_ini_call_validators_errobj()//sssd/src/util/sss_ini.c
ini_rules_read_from_file(rules_path, _cfgobj);   
//rules_path=/usr/share/sssd/cfg_rules.ini{All _keywords on left
side of __assignment__are rules_ which are _read from cfg_rules.ini_
fills in struct ini_cfgobj}

*Why sssd does**reports 3*?Because rule is not present in cfg_rules.ini
*Why sssd doe**s not report 1,2*?May be
- Because there is no such check in ding-lib about values of options.
- OR Check is broken.I also find
# cat /root/ding-libs-0.6.0/ini/ini.d/mysssd.conf
[service]
# Options available to all services
debug_level = int, None, false<=Now
what's this syntax. If it takes int, then is this broken.


Please throw some light...

-- 
Thanks
Amit Kumar
There are three ways to get something done:
  (1) Do it yourself.
  (2) Hire someone to do it for you.
  (3) Forbid your kids to do it.

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

lslebodn commented:
"""
There is still the same problem on rhel7 even with the latest version

```
(gdb) l 563
558 return;
559 }
560
561 len = http_parser_execute(>parser, >callbacks,
562   data.data, data.length);
563 if (len != data.length) {
564 DEBUG(SSSDBG_FATAL_FAILURE,
565   "Failed to parse request, aborting client!\n");
566 talloc_free(cctx);
567 return;
(gdb) p len != data.length
$4 = 1
(gdb) p len
$5 = 116
(gdb) p data
$6 = {data = 0x7ffc8fec2190 "POST /secrets/cont/ HTTP/1.1\r\nHost: 
localhost\r\nAccept: */*\r\nContent-type: 
application/octet-stream\r\nContent-Length: -1\r\n\r\n", length = 122}

```

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290092914
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
* master:
82843754193b177275ce16f2901edac2060a3998
2cf7becc05996eb6d8a3352d3d7b97c75652e590
415d93196533a6fcd90889c67396ef5af5bf791a
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290084814
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][+Pushed] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][closed] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

   URL: https://github.com/SSSD/sssd/pull/209
Author: sumit-bose
 Title: #209: IPA: lookup AD users by certificates on IPA clients
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/209/head:pr209
git checkout pr209
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

jhrozek commented:
"""
* master: 1c551b1373799643f3e9ba4f696d21b8fc57dafd
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/204#issuecomment-290083552
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][closed] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

   URL: https://github.com/SSSD/sssd/pull/204
Author: sumit-bose
 Title: #204: krb5: return to responder that pkinit is not available
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/204/head:pr204
git checkout pr204
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][+Pushed] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#201][closed] Fix handling of binary keys in the ssh responder

2017-03-29 Thread jhrozek

   URL: https://github.com/SSSD/sssd/pull/201
Author: sumit-bose
 Title: #201: Fix handling of binary keys in the ssh responder
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/201/head:pr201
git checkout pr201
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/201
Title: #201: Fix handling of binary keys in the ssh responder

jhrozek commented:
"""
* master:
1b5d6b1afc9c3dc696b7b45f2d73b2634f42800a
bd1fa0ec90be717c3b7796d74b6f243f40178d16

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/201#issuecomment-290082631
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
anyway, these patches work and we can push them
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290081403
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][+Accepted] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
So then the consumer of the API is expected to iterate over the paths and find 
a non-empty attribute? Because the paths from the domains where the user is not 
are not usable in the sense the getters return only the default attribute
```
[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system 
--dest=org.freedesktop.sssd.infopipe  
/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 
org.freedesktop.DBus.Properties.Get 
string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 serial=9 
reply_serial=2
   variant   string ""
```

THe path from the correct domain works
```
[jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system 
--dest=org.freedesktop.sssd.infopipe  
/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 
org.freedesktop.DBus.Properties.Get 
string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 
serial=11 reply_serial=2
   variant   string "administra...@win.trust.test"
```

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290081343
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][closed] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread jhrozek

   URL: https://github.com/SSSD/sssd/pull/187
Author: fidencio
 Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/187/head:pr187
git checkout pr187
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][+Pushed] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

jhrozek commented:
"""
* master: 
16385568547351b5d2c562f3081f35f3341f695b
1e437af958f59a0b8bf2f751d3c2ea28365ac64d
66c8e92eb5a4985bb7f64c349a53b08030a000cf
34228050af1e25706f61ec9df648852284b61c2b
fb81f337b68c85471c3f5140850dccf549a2d0ac
17ab121a6c69d74acf1d40f2bbcbe90d77bb6b8a
3cbf0e7b63e8e6888917e9215bbdc5674c2fa852
723d514f641e2b5a5cbfe1c6c7bdd2a6f3c5070e
2e85b015d8dd231094a09eab69b86e8b6fcc8b2b
5856a621ac5909ca96520ac5a809eb83fd46d8bc
a3442e4a268ad2172c89d58e6daa759eb4b39e7c
46c99a59c8d6501aa3ad701c567fba577924b48b
dcc52d9c6411528bab815351d1e6145d211a4765
a63d74f65db2db7389cd373cb37adcdaaa2d56ea
e0e038218580166648ac24f23180f0f4c2769d99

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-290068633
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][+Accepted] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#201][+Accepted] Fix handling of binary keys in the ssh responder

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/201
Title: #201: Fix handling of binary keys in the ssh responder

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/201
Title: #201: Fix handling of binary keys in the ssh responder

jhrozek commented:
"""
The code looks good to me and seems to work fine:
```
./sss_ssh_authorizedkeys administra...@win.trust.test
ssh-rsa 
B3NzaC1yc2EDAQABAAABAQDyLvhzmsoc5JFiBRFuWHPHYmzS4iGywzNv1FDdIdG5TxgI3PV1OFhWF1C4YIwcbq/4L8t8AnH9kdqxxSU3IomfZJLlu3Jt5I46q/wtps6XPNIBlTNhhvCm4TlLUekkcjiJfkQ68YgznOdk4DUbpn0pN7VLknMJSoSHWv8k5rx4vh7BELADnHgtTTuhfiAOMYXpYnHtWY0TVossAHBHw4nCizCWsoVSywn9HpblrVFKtVIXVRzoLbZjphH5POjkeg+Q/5Tff2hEAQSeMF2/HMUpuTlPxv3gUPB0fVIE04mVrC+sear/RNIGn/7FxaAYSXEV2ExTd0emc5slPcAU87kn
```

This is with a use set up like this:
```
ipa idoverrideuser-add clientview administra...@win.trust.test 
--certificate="$(base64 cert.der)"
```

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/201#issuecomment-290065970
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread sumit-bose

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

sumit-bose commented:
"""
It is expected that ListByCertificate returns matches from all domains. So as 
long as all the listed users have the certficate in their corresponding user 
object (I assume you are not using other certmap rules), the result is expected.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290065881
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][+Accepted] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

jhrozek commented:
"""
ok, thanks!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/204#issuecomment-290063709
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
Hmm, looking at the debug output, it might be the cache_req's code fault:
```
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #6: 
Using domain [win.trust.test]
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #6: 
Looking up CERT:nxgxW/ww==@win.trust.test
...
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] 
(0x0400): CR #6: Found 1 entries in domain win.trust.test
```

That's fine, but:
```
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #8: 
Using domain [child.win.trust.test]
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #8: 
Looking up CERT:nxgxW/ww==@child.win.trust.test
...
(Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] 
(0x0400): CR #8: Found 1 entries in domain child.win.trust.test
```

So it looks like cache_req is looking in all domains and returning the entries 
from all domains..

Please let me know if you prefer to file a separate ticket or fix the problem 
here.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290062549
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
These patches look OK, but I suspect we might have a bug in the IFP list code. 
I added a certificate to a user's idview entry and now listing the certificate 
shows:
```
dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe 
/org/freedesktop/sssd/infopipe/Users 
org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat cert.pem)"  
uint32:100
method return time=1490786867.303117 sender=:1.40 -> destination=:1.42 serial=7 
reply_serial=2
   array [
  object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500"
  object path 
"/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500"
  object path 
"/org/freedesktop/sssd/infopipe/Users/sibling_2ewin_2etrust_2etest/679800500"
  object path 
"/org/freedesktop/sssd/infopipe/Users/child_2ewin_2etrust_2etest/679800500"
   ]
```

The user is only in the win.trust.test domain:
```
[jhrozek@client] sssd $ [(review)] getent passwd 679800500
administra...@win.trust.test:*:679800500:679800500:Administrator:/home/win.trust.test/administrator:
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290061842
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

fidencio commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/66/41/summary.html

It failed on rhel6 but the failure doesn't seem to be related to these patches.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-290061157
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#193][+Changes requested] UTIL: Use max 15 characters for AD host UPN

2017-03-29 Thread mzidek-rh

  URL: https://github.com/SSSD/sssd/pull/193
Title: #193: UTIL: Use max 15 characters for AD host UPN

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

lslebodn commented:
"""
rhel7 error
```
test_secrets.py::test_crd_ops PASSED
test_secrets.py::test_curlwrap_crd_ops FAILED
test_secrets.py::test_curlwrap_parallel PASSED
test_secrets.py::test_containers PASSED

=== FAILURES==
_ test_curlwrap_crd_ops __
Traceback (most recent call last):
  File "/home/build/sssd/src/tests/intg/test_secrets.py", line 278, in 
test_curlwrap_crd_ops
200)
  File "/home/build/sssd/src/tests/intg/test_secrets.py", line 207, in 
run_curlwrap_tool
assert exp_http_code_str in out
AssertionError: assert 'Request HTTP code: 200' in ''
```


+ test_kcm_sec_* are failing as well on rhel7
``
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290052915
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

pbrezina commented:
"""
```xml

POSIX domains are reachable by all services. 
Application
domains are only reachable from the D-Bus responder 
(see

sssd-ifp
5
) and the PAM responder.

```
The responder name is InfoPipe or IFP not D-Bus. I would rather rephrase it 
either to `IFP responder` or `through the D-Bus interface`.

Otherwise the patches looks good to me.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290050853
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

lslebodn commented:
"""
On (29/03/17 01:58), Jakub Hrozek wrote:
>I really don't mind one way or another. I find all the proposed versions of 
>the condition complex, that's why I'm glad there is a comment atop them.
>
>So from my point of view, I'm fine with the first version
>
OK, go ahead and push.
sorry for noise.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/204#issuecomment-290046824
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

lslebodn commented:
"""
We should skip secrets test on rhel6.

So the patch "ci: do not build secrets on rhel6" should also contain
```
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index d71c19045..6dc4c81ed 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -32,6 +32,14 @@ from util import unindent
 from secrets import SecretsLocalClient
 
 
+RESP_PATH = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets")
+if not os.access(RESP_PATH, os.X_OK):
+if pytest.__version__ < "3.0.0":
+pytest.skip()
+else:
+pytestmark = pytest.mark.skip
+
+
 def create_conf_fixture(request, contents):
 """Generate sssd.conf and add teardown for removing it"""
 conf = open(config.CONF_PATH, "w")
```

@jhrozek Did you mean something like this in comment "It would be cleaner to 
use pytest.mark.skipif on the package level" in `test_kcm.py` :-) BTW I am not 
sure whether it's the best pythonic way but it works :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290040874
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

pbrezina commented:
"""
I fixed the hang. It was created due to newly added test in KCM patches that 
uses POST to create a container. Tcurl test tool can provide body to POST 
operation which was mandatory in the first patch, optional in the second.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290040746
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

pbrezina commented:
"""
I'm going to run CI before pushing these patches.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290040911
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#193][comment] UTIL: Use max 15 characters for AD host UPN

2017-03-29 Thread mzidek-rh

  URL: https://github.com/SSSD/sssd/pull/193
Title: #193: UTIL: Use max 15 characters for AD host UPN

mzidek-rh commented:
"""
Hi, I have this on my "to test" list, but could you please add a comment to the 
code, why we use exactly 15. It is cleat from the ticket, but in the code the 
number is a magic number. So dispel that magic with some scroll... I mean 
comment.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/193#issuecomment-290034951
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#204][comment] krb5: return to responder that pkinit is not available

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/204
Title: #204: krb5: return to responder that pkinit is not available

jhrozek commented:
"""
I really don't mind one way or another. I find all the proposed versions of the 
condition complex, that's why I'm glad there is a comment atop them.

So from my point of view, I'm fine with the first version
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/204#issuecomment-290027496
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

fidencio commented:
"""
@lslebodn: your comment has been addressed in the latest patch series.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-290023234
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

lslebodn commented:
"""
The patch "UTIL: Simplify usage of create_subdom_conf_path " did not move 
function to right module.
The function `create_subdom_conf_path` has nothing to do with string utils and 
moreover added dependency on "struct sss_domain_info". So the module 
`src/util/string_utils.c` could not be reused as string only module.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-290017295
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

jhrozek commented:
"""
On Wed, Mar 29, 2017 at 12:29:27AM -0700, lslebodn wrote:
> BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang 
> in test_secrets and therefore internal CI was blocked whole night. The 2nd 
> patch "tcurl test: refactor so new options can be added more easily" fixed 
> the test.

Then I propose we merge the patches.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290007997
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#201][comment] Fix handling of binary keys in the ssh responder

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/201
Title: #201: Fix handling of binary keys in the ssh responder

jhrozek commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/66/04/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/201#issuecomment-290007826
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
(the machine in CI is broken, not the patches..)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290007734
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#209][comment] IPA: lookup AD users by certificates on IPA clients

2017-03-29 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/209
Title: #209: IPA: lookup AD users by certificates on IPA clients

jhrozek commented:
"""
I started the review by running CI which passed except rawhide which seems 
broken: http://sssd-ci.duckdns.org/logs/job/66/06/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/209#issuecomment-290007653
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

lslebodn commented:
"""
BTW the 1st patch "tcurl: add support for ssl and raw output" caused a hang in 
test_secrets and therefore internal CI was blocked whole night. The 2nd patch 
"tcurl test: refactor so new options can be added more easily" fixed the test.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-290006897
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

fidencio commented:
"""
I'm removing the Accepted label till our internal CI passes
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-290004299
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][-Accepted] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

Label: -Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#213][+Pushed] intg: Remove bashism from intgcheck-prepare

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/213
Title: #213: intg: Remove bashism from intgcheck-prepare

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#213][comment] intg: Remove bashism from intgcheck-prepare

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/213
Title: #213: intg: Remove bashism from intgcheck-prepare

lslebodn commented:
"""
master:
* f75ba99fc8dd64e45af2f642d9fb7660860fd28f
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/213#issuecomment-290001091
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#213][closed] intg: Remove bashism from intgcheck-prepare

2017-03-29 Thread lslebodn

   URL: https://github.com/SSSD/sssd/pull/213
Author: lslebodn
 Title: #213: intg: Remove bashism from intgcheck-prepare
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/213/head:pr213
git checkout pr213
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#216][closed] Subdomain shortnames

2017-03-29 Thread fidencio

   URL: https://github.com/SSSD/sssd/pull/216
Author: mzidek-rh
 Title: #216: Subdomain shortnames
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/216/head:pr216
git checkout pr216
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#216][comment] Subdomain shortnames

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/216
Title: #216: Subdomain shortnames

fidencio commented:
"""
I'm closing the PR as it's been superseded by PR 187, which was rebased on top 
of this patchset.

Btw, your patch was reviewed and ack-ed there. :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/216#issuecomment-28007
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#187][comment] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-29 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

fidencio commented:
"""
So, by @lslebodn comment I've dropped the "Allow subdomains to inherit 
"use_fully_qualified_names" option" patch and rebased my series on top of 
@mzidek-rh patch for adding this option to the subdomain directly.

As I've tested @mzidek-rh patch I've already added an "Acked-by: ..." there.

That's the only change from previous series to this one.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/187#issuecomment-289998692
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#198][comment] secrets: support https in proxy provider

2017-03-29 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/198
Title: #198: secrets: support https in proxy provider

lslebodn commented:
"""
hmm, it still fails with rhel{6,7}.

http://sssd-ci.duckdns.org/logs/job/66/07/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/198#issuecomment-289998205
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

64 matches

Mail list logo