[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

fidencio commented:
"""
Okay, I've removed the label rejected but I do believe my comment was quite clear about having this patch as part of another PR.
"""

See the full comment at https://github.com/SSSD/sssd/pull/228#issuecomment-296919598
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#228][-Rejected] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}
Label: -Rejected
[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

lslebodn commented:
"""
This patch was not rejected so label should be removed. Other users might be really confused. We should either not include patches in different PR or use better labels when closing PR
"""

See the full comment at https://github.com/SSSD/sssd/pull/228#issuecomment-296823556
[SSSD] [sssd PR#234][comment] HBAC: Use memberof ASQ search instead of originalMemberOf
URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf

jhrozek commented:
"""
Done. I'm sorry it took so long. The downstream tests all passed for me. Unfortunately, I can't provide a job ID for those tests, because I had to run them more or less manually, otherwise they wouldn't pass (I think this can be caused by the tests being faster than `ipa_hbac_refresh` and I asked the developer of those tests to take a look)
"""

See the full comment at https://github.com/SSSD/sssd/pull/234#issuecomment-296798223
[SSSD] [sssd PR#234][synchronized] HBAC: Use memberof ASQ search instead of originalMemberOf
URL: https://github.com/SSSD/sssd/pull/234
Author: jhrozek
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/234/head:pr234
git checkout pr234

From d4aa2dfa38515f084f16e20ad8d2b007dae1ff8d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sun, 9 Apr 2017 20:50:47 +0200
Subject: [PATCH] HBAC: Do not rely on originalMemberOf, use the sysdb memberof links instead

The IPA HBAC code used to read the group members from the originalMemberOf attribute value for performance reasons. However, especially on IPA clients trusting an AD domain, the originalMemberOf attribute value is often not synchronized correctly.

Instead of going through the work of maintaining both member/memberOf and originalMemberOf, let's just do an ASQ search for the group names of the groups the user is a member of in the cache and read their SYSBD_NAME attribute.

To avoid clashing between similarly-named groups in IPA and in AD, we look at the container of the group.

Resolves: https://pagure.io/SSSD/sssd/issue/3382
---
src/providers/ipa/ipa_hbac_common.c | 111 +++-
1 file changed, 83 insertions(+), 28 deletions(-)
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c index b99b75d..6efff3e 100644 --- a/src/providers/ipa/ipa_hbac_common.c +++ b/src/providers/ipa/ipa_hbac_common.c
@@ -507,15 +507,18 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, struct hbac_request_element **user_element) { errno_t ret; -unsigned int i; unsigned int num_groups = 0; TALLOC_CTX *tmp_ctx; -const char *member_dn; struct hbac_request_element *users; struct ldb_message *msg; -struct ldb_message_element *el; -const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; +const char *attrs[] = { SYSDB_NAME, NULL }; char *shortname; +struct ldb_message **members; +size_t m_count; +const char *fqgroupname; +struct sss_domain_info *ipa_domain; +struct ldb_dn *ipa_groups_basedn; +struct ldb_dn *member_group_container; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) return ENOMEM; @@ -533,12 +536,21 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, } users->name = talloc_steal(users, shortname); -/* Read the originalMemberOf attribute - * This will give us the list of both POSIX and - * non-POSIX groups that this user belongs to. - */ +ipa_domain = get_domains_head(domain); +if (ipa_domain == NULL) { +ret = EINVAL; +goto done; +} + +ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb), +SYSDB_TMPL_GROUP_BASE, ipa_domain->name); +if (ipa_groups_basedn == NULL) { +ret = ENOMEM; +goto done; +} + ret = sysdb_search_user_by_name(tmp_ctx, domain, username, -attrs, ); +NULL, ); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine user memberships for [%s]\n", 
@@ -546,43 +558,86 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, goto done; } -el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF); -if (el == NULL || el->num_values == 0) { +/* + * Get the name attribute of all groups pointed to by the memberof + * attribute. This includes both POSIX and non-POSIX groups. + */ +ret = sysdb_asq_search(tmp_ctx, domain, msg->dn, + "("SYSDB_OBJECTCLASS"="SYSDB_GROUP_CLASS")", + SYSDB_MEMBEROF, + attrs, + _count, ); +if (ret != EOK) { +DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret)); +goto done; +} + +if (m_count == 0) { DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name); ret = create_empty_grouplist(users); goto done; } -DEBUG(SSSDBG_TRACE_LIBS, - "[%d] groups for [%s]\n", el->num_values, users->name); +DEBUG(SSSDBG_TRACE_LIBS, "[%zu] groups for [%s]\n", m_count, username); -users->groups = talloc_array(users, const char *, el->num_values + 1); +users->groups = talloc_array(users, const char *, m_count + 1); if (users->groups == NULL) { ret = ENOMEM; goto done; } -for (i = 0; i < el->num_values; i++) { -member_dn = (const char *)el->values[i].data; +for (size_t i = 0; i < m_count; i++) { +fqgroupname = ldb_msg_find_attr_as_string(members[i], SYSDB_NAME, NULL); +if (fqgroupname == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Skipping malformed entry [%s]\n", +
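Review bot: In hbac_eval_user_element(), the two early exits added in the first hunk (-507,15 / -533,12), `ipa_domain == NULL` after get_domains_head() and `ipa_groups_basedn == NULL` after ldb_dn_new_fmt(), jump to done without a DEBUG message, while the sysdb_search_user_by_name() and sysdb_asq_search() failures next to them both log at SSSDBG_CRIT_FAILURE. An HBAC evaluation that stops here returns EINVAL or ENOMEM and leaves nothing in the logs to explain why; add a DEBUG line to each branch. The same hunk changes the attrs argument of sysdb_search_user_by_name() from `attrs` to NULL, and in the visible lines only msg->dn is used afterwards, so a short comment saying the user entry is fetched for its DN would help the next reader.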
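Review bot: The second hunk (-546,43) declares the loop index inside the statement, `for (size_t i = 0; i < m_count; i++)`, whereas every other local in this function, including the `unsigned int i;` this patch removes, is declared at the top; keep the declaration with the others for consistency. Also in this hunk, the trace message "[%zu] groups for [%s]" now prints `username`, while the "No groups for [%s]" message a few lines above still prints `users->name` (the short name), so the two log lines for one request can show different forms of the name; use the same variable in both.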
[SSSD] [sssd PR#234][-Changes requested] HBAC: Use memberof ASQ search instead of originalMemberOf
URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
Label: -Changes requested
[SSSD] [sssd PR#235][-Changes requested] Allow using the "shortnames" feature without requiring any configuration from the client side
URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any configuration from the client side
Label: -Changes requested
[SSSD] [sssd PR#235][comment] Allow using the "shortnames" feature without requiring any configuration from the client side
URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any configuration from the client side

fidencio commented:
"""
Patch set updated according to @pbrezina's comments.
"""

See the full comment at https://github.com/SSSD/sssd/pull/235#issuecomment-296793840
[SSSD] [sssd PR#235][synchronized] Allow using the "shortnames" feature without requiring any configuration from the client side
URL: https://github.com/SSSD/sssd/pull/235
Author: fidencio
Title: #235: Allow using the "shortnames" feature without requiring any configuration from the client side
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/235/head:pr235
git checkout pr235

From 694e1ab706e82141487aeb3f08ab53bef399227b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 12 Apr 2017 10:43:25 +0200
Subject: [PATCH 1/5] RESPONDER: Fallback to global domain resolution order in case the view doesn't have this option set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The current code has been ignoring the domain resolution order set globally on IPA in case there's a view but this doesn't have any domain resolution order set.

It happens because we haven't been checking whether the view attribute didn't exist and then we ended up populating the list cache_req domains' list assuming that no order has been set instead of falling back to the next preferred method.

Related: https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio
---
src/responder/common/cache_req/cache_req_domain.c | 14 ++-
src/responder/common/cache_req/cache_req_domain.h | 5 +-
src/responder/common/responder_common.c | 108 +-
3 files changed, 74 insertions(+), 53 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c index bbabd69..86a88ef 100644 --- a/src/responder/common/cache_req/cache_req_domain.c +++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -120,20 +120,21 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, return cr_domains; } -struct cache_req_domain * +errno_t cache_req_domain_new_list_from_domain_resolution_order( TALLOC_CTX *mem_ctx, struct sss_domain_info *domains, -const char *domain_resolution_order) +const char *domain_resolution_order, +struct cache_req_domain **_cr_domains) { TALLOC_CTX *tmp_ctx; -struct cache_req_domain *cr_domains = NULL; +struct cache_req_domain *cr_domains; char **list = NULL; errno_t ret; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { -return NULL; +return ENOMEM; } if (domain_resolution_order != NULL) { @@ -160,7 +161,10 @@ cache_req_domain_new_list_from_domain_resolution_order( goto done; } +*_cr_domains = cr_domains; +ret = EOK; + done: talloc_free(tmp_ctx); -return cr_domains; +return ret; } diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h index 41c50e8..87e 100644 --- a/src/responder/common/cache_req/cache_req_domain.h +++ b/src/responder/common/cache_req/cache_req_domain.h @@ -34,11 +34,12 @@ struct cache_req_domain * cache_req_domain_get_domain_by_name(struct cache_req_domain *domains, const char *name); -struct cache_req_domain * +errno_t cache_req_domain_new_list_from_domain_resolution_order( TALLOC_CTX *mem_ctx, struct sss_domain_info *domains, -const char *domain_resolution_order); +const char *domain_resolution_order, +struct cache_req_domain **_cr_domains); void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains); diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index ac6320b..62b71b5 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c 
@@ -1486,10 +1486,11 @@ errno_t responder_setup_idle_timeout_config(struct resp_ctx *rctx) } /* == Helper functions for the domain resolution order === */ -static struct cache_req_domain * +static errno_t sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, struct sss_domain_info *domains, - struct sysdb_ctx *sysdb) + struct sysdb_ctx *sysdb, + struct cache_req_domain **_cr_domains) { TALLOC_CTX *tmp_ctx; struct cache_req_domain *cr_domains = NULL; @@ -1498,7 +1499,7 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { -return NULL; +return ENOMEM; } ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb, @@ -1510,12
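Review bot: In cache_req_domain_new_list_from_domain_resolution_order() (cache_req_domain.c, hunks -120,20 and -160,7), `*_cr_domains` is written only on the success path and the `= NULL` initializer on the local `cr_domains` is dropped, so after any `goto done` failure the caller's pointer keeps whatever value it had before the call. Either set `*_cr_domains = NULL` on entry or state the contract explicitly; the prototype in cache_req_domain.h gains the new return type and output parameter without a comment saying that the list is valid only when EOK is returned.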
[SSSD] [sssd PR#228][+Rejected] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}
Label: +Rejected
[SSSD] [sssd PR#228][closed] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Author: lslebodn
Title: #228: test_ldap.py: Add test for filter_{users,group}
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/228/head:pr228
git checkout pr228
[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}
URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

fidencio commented:
"""
Closing this PR as the very same patch is part of PR #246
"""

See the full comment at https://github.com/SSSD/sssd/pull/228#issuecomment-296789919
[SSSD] [sssd PR#246][opened] filter_users and filter_groups stop working properly in v 1.15
URL: https://github.com/SSSD/sssd/pull/246
Author: fidencio
Title: #246: filter_users and filter_groups stop working properly in v 1.15
Action: opened

PR body:
"""
This patchset fixes the issue reported on https://pagure.io/SSSD/sssd/issue/3362.

@pbrezina suggested to do the changes in a new cache_req module, but I'm really not sure whether we want to have NSS specific code (like nss_get_pwent() and nss_get_grent() calls) there. For now I'm leaving this as it was before the nss/cache_req refactoring.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/246/head:pr246
git checkout pr246

From 5870f184220fcf2f46ca0b96caacab83bc3612fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 24 Apr 2017 12:11:46 +0200
Subject: [PATCH 1/4] NSS: Use fqnames when performing a ncache check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The names stored in the negative cache are fully qualified, so we have to use fully qualified names when checking whether a user/group is part of negative cache or not.

This regression was introduced by commit 4049b63.

Related: https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio
---
src/responder/nss/nss_protocol_grent.c | 12 +++-
src/responder/nss/nss_protocol_pwent.c | 12 +++-
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c index fae1d47..6f6ad9e 100644 --- a/src/responder/nss/nss_protocol_grent.c +++ b/src/responder/nss/nss_protocol_grent.c @@ -205,6 +205,7 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx, uint32_t num_results; uint32_t num_members; char *members; +char *fqname; size_t members_size; size_t rp; size_t rp_members;
@@ -243,8 +244,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx, /* Check negative cache during enumeration. */ if (cmd_ctx->enumeration) { +fqname = sss_create_internal_fqname(tmp_ctx, name->str, +result->domain->name); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, + "sss_create_internal_fqname() failed\n"); +ret = ENOMEM; +goto done; +} + ret = sss_ncache_check_group(nss_ctx->rctx->ncache, - result->domain, name->str); + result->domain, fqname); if (ret == EEXIST) { DEBUG(SSSDBG_TRACE_FUNC, "User [%s] filtered out! (negative cache)\n", diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c index edda9d3..e781352 100644 --- a/src/responder/nss/nss_protocol_pwent.c +++ b/src/responder/nss/nss_protocol_pwent.c @@ -273,6 +273,7 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx, struct sized_string gecos; struct sized_string homedir; struct sized_string shell; +char *fqname; uint32_t gid; uint32_t uid; uint32_t num_results; @@ -311,8 +312,17 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx, /* Check negative cache during enumeration. */ if (cmd_ctx->enumeration) { +fqname = sss_create_internal_fqname(tmp_ctx, name->str, +result->domain->name); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, + "sss_create_internal_fqname() failed\n"); +ret = ENOMEM; +goto done; +} + ret = sss_ncache_check_user(nss_ctx->rctx->ncache, -result->domain, name->str); +result->domain, fqname); if (ret == EEXIST) { DEBUG(SSSDBG_TRACE_FUNC, "User [%s] filtered out! (negative cache)\n", name->str); From 38036e7cbdc0661a45dd028247be35eb2315b31c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 24 Apr 2017 14:43:01 +0200
Subject: [PATCH 2/4] NSS: Check the ncache when filling pwent from id lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's needed when looking up for a user by its id and the id is not part of the negative cache, but the user is. Unfortunately it can't be done on cache_req level because there we do not know which is the user owner of the search UID.

This regression was introduced by commit 4049b63.

Related: https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio
---
src/responder/nss/nss_cmd.c | 6 +++---
src/responder/nss/nss_protocol.h | 14 ++
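Review bot: In the nss_protocol_grent.c hunk at -243,8 of patch 1/4, the trace message after sss_ncache_check_group() still reads "User [%s] filtered out! (negative cache)" although this is the group path. Since the block is being changed anyway, make it say "Group", so that a filter_groups hit is not read as a user hit when someone checks the logs to confirm the filter is applied.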
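Review bot: In the nss_protocol_pwent.c hunk at -311,8 of patch 1/4 (and in the same way in the grent hunk), `fqname` is allocated on `tmp_ctx` each time the `cmd_ctx->enumeration` block runs, but it is needed only for the single sss_ncache_check_user() call. Free it right after the check so the string does not stay allocated until tmp_ctx is released, and consider printing `fqname` rather than `name->str` in the "filtered out" message, since the fully qualified name is what was actually matched against the negative cache.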
[SSSD] [sssd PR#245][opened] ad: handle forest root not listed in ad_enabled_domains
URL: https://github.com/SSSD/sssd/pull/245
Author: sumit-bose
Title: #245: ad: handle forest root not listed in ad_enabled_domains
Action: opened

PR body:
"""
Although users and groups from the forest root should be ignored SSSD will still try to get information about the forest topology from a DC from the forest root. So even if the forest root domain is disabled we should make sure it is usable for those searches.

Resolves https://pagure.io/SSSD/sssd/issue/3361
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/245/head:pr245
git checkout pr245

From 9d8d34e2f7e611771777a4ef1cd732a8ac3ba92a Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 4 Apr 2017 14:35:47 +0200
Subject: [PATCH 1/2] utils: add sss_domain_is_forest_root()

Related to https://pagure.io/SSSD/sssd/issue/3361
---
src/util/domain_info_utils.c | 5 +
src/util/util.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 2af7852..541058a 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -844,6 +844,11 @@ void sss_domain_set_state(struct sss_domain_info *dom, "Domain %s is %s\n", dom->name, domain_state_str(dom)); } +bool sss_domain_is_forest_root(struct sss_domain_info *dom) +{ +return (dom->forest_root == dom); +} + bool is_email_from_domain(const char *email, struct sss_domain_info *dom) { const char *p; diff --git a/src/util/util.h b/src/util/util.h index 436550f..4ef13ce 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom); void sss_domain_set_state(struct sss_domain_info *dom, enum sss_domain_state state); bool is_email_from_domain(const char *email, struct sss_domain_info *dom); +bool sss_domain_is_forest_root(struct sss_domain_info *dom); const char *sss_domain_type_str(struct sss_domain_info *dom); struct sss_domain_info*
From af99072d9202ec894c15d6d3c4912fa4f7bff6f2 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 3 Apr 2017 21:27:32 +0200
Subject: [PATCH 2/2] ad: handle forest root not listed in ad_enabled_domains

Although users and groups from the forest root should be ignored SSSD will still try to get information about the forest topology from a DC from the forest root. So even if the forest root domain is disabled we should make sure it is usable for those searches.

Resolves https://pagure.io/SSSD/sssd/issue/3361
---
src/providers/ad/ad_subdomains.c | 39 ---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index bc659b2..ef16644 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, if (c >= num_subdomains) { /* ok this subdomain does not exist anymore, let's clean up */ sss_domain_set_state(dom, DOM_DISABLED); + +/* Just disable the forest root but do not remove sdap data */ +if (sss_domain_is_forest_root(dom)) { +DEBUG(SSSDBG_TRACE_ALL, + "Skipping removal of forest root sdap data.\n"); +continue; +} + ret = sysdb_subdomain_delete(dom->sysdb, dom->name); if (ret != EOK) { goto done; @@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) const char *path; errno_t ret; bool canonicalize = false; +struct sss_domain_info *dom; path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, AD_KRB5_CONFD_PATH);
@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) return ret; } +/* Make sure disabled domains are not re-enabled accidentially */ +if (subdoms_ctx->ad_enabled_domains != NULL) { +for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom; +dom = get_next_domain(dom, false)) { +if (!is_domain_enabled(dom->name, + subdoms_ctx->ad_enabled_domains)) { +sss_domain_set_state(dom, DOM_DISABLED); +} +} +} + return EOK; } @@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req) static struct sss_domain_info * ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) { -struct sss_domain_info *root; +struct sss_domain_info *dom; const char *name; errno_t ret; @@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) } /* With a subsequent run, the root should already be
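Review bot: In patch 1/2, sss_domain_is_forest_root() (domain_info_utils.c hunk at -844,6) dereferences `dom` without checking it for NULL, and the prototype added to util.h carries no comment. Return false for a NULL argument, for example `return dom != NULL && dom->forest_root == dom;`, and add a one-line description to the declaration so callers know the test is pointer identity with `dom->forest_root`.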
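Review bot: In the ad_subdomains_refresh() hunk at -433,6 of patch 2/2, the comment and the DEBUG text mention only that "sdap data" is kept, but the `continue` also skips the sysdb_subdomain_delete() call that follows it, so the forest root's sysdb subdomain entry stays in the cache too. Say so in the comment and the log message, so that someone auditing which domains remain in the cache after being dropped from ad_enabled_domains is not surprised to find the forest root there.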
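Review bot: In the ad_subdom_reinit() hunk at -675,6 of patch 2/2, the new loop sets DOM_DISABLED on every subdomain that is_domain_enabled() rejects, which includes the forest root when it is not listed in ad_enabled_domains, yet the commit message says the root must stay usable for the forest topology searches. Extend the comment to explain why a DOM_DISABLED forest root can still be used for those searches, and fix the spelling "accidentially" to "accidentally" while there.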
[SSSD] [sssd PR#235][+Changes requested] Allow using the "shortnames" feature without requiring any configuration from the client side
URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any configuration from the client side
Label: +Changes requested
[SSSD] [sssd PR#243][+Accepted] IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure
URL: https://github.com/SSSD/sssd/pull/243
Title: #243: IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure
Label: +Accepted
[SSSD] [sssd PR#136][comment] Tlog integration
URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, I tried to address all your comments, and also added the fix you made to data provider initialization regarding overrides. I also improved the tests. This is ready for another review.
"""

See the full comment at https://github.com/SSSD/sssd/pull/136#issuecomment-296623885
[SSSD] [sssd PR#243][comment] IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure
URL: https://github.com/SSSD/sssd/pull/243
Title: #243: IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure

pbrezina commented:
"""
Ack.
"""

See the full comment at https://github.com/SSSD/sssd/pull/243#issuecomment-296622691
[SSSD] [sssd PR#235][comment] Allow using the "shortnames" feature without requiring any configuration from the client side
URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any configuration from the client side

pbrezina commented:
"""
Functional ack, but please, do the same change also for `sss_resp_new_cr_domains_from_ipa_id_view`. I would also welcome some debug messages so we can know that shortname lookup was used etc. and some comments in `cache_req_domain_new_list_from_string_list` describing what the for cycles do.
"""

See the full comment at https://github.com/SSSD/sssd/pull/235#issuecomment-296618933
[SSSD] [sssd PR#242][comment] IPA: Improve DEBUG message if an external group has no SID
URL: https://github.com/SSSD/sssd/pull/242
Title: #242: IPA: Improve DEBUG message if an external group has no SID

jhrozek commented:
"""
* master: ef019268d2d112ebff3577e551cd19478d73d93b
"""

See the full comment at https://github.com/SSSD/sssd/pull/242#issuecomment-296572962
[SSSD] [sssd PR#242][closed] IPA: Improve DEBUG message if an external group has no SID
URL: https://github.com/SSSD/sssd/pull/242
Author: jhrozek
Title: #242: IPA: Improve DEBUG message if an external group has no SID
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/242/head:pr242
git checkout pr242