[SSSD] Re: Changes to default ccache in krb5.conf

2017-06-01 Thread Simo Sorce
On Wed, 2017-05-31 at 10:59 +0200, Jakub Hrozek wrote:
> On Wed, May 31, 2017 at 10:31:38AM +0200, Lukas Slebodnik wrote:
> > ehlo,
> > 
> > I had a discussion with QEs and realized that sssd needs to be restarted
> > if default_ccache_name is changed in krb5 configuration files.
> > 
> > The reason is that we cache the value but do not refresh it.
> > https://pagure.io/SSSD/sssd/blob/master/f/src/providers/krb5/krb5_common.c#_264
> > 
> > We might change that using inotify. But we would need to change.
> > I am not sure whether it will be trivial to change because we would need to
> > change cached value in "struct dp_option *opts" for all domains (including
> > subdomains)
> > 
> > ATM the safest way is to restart sssd. But do we want to be more
> > flexible here?
> 
> We could do one thing that Simo proposed some time ago which is to not
> cache the KRB5CCNAME at all if it only contains 'predictable' components.
> 
> For example, KEYRING:$uid or KCM: don't need to be cached at all.
> FILE:krb5ccname_X does.

+1

Simo.
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
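
The distinction drawn in the thread above, as an added example that is not SSSD code and not part of any message: a hypothetical `classify_ccname()` that decides whether a ccache name template can be re-derived on every request or has to be cached. The stable token set (`%{uid}`, `%{euid}`, `%{username}`) and the reading of a trailing `XXXXXX` as a random suffix are assumptions made for this illustration.

```c
/* Added illustration; not SSSD source. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ccname_kind {
    CCNAME_PREDICTABLE,  /* re-derivable per request: no need to cache it */
    CCNAME_MUST_CACHE,   /* has a component that cannot be re-derived */
    CCNAME_INVALID       /* malformed template */
};

/* Assumed set of expansion tokens that are stable for a given user. */
static const char *const stable_tokens[] = { "uid", "euid", "username" };

static bool token_is_stable(const char *tok, size_t len)
{
    size_t n = sizeof(stable_tokens) / sizeof(stable_tokens[0]);

    for (size_t i = 0; i < n; i++) {
        if (strlen(stable_tokens[i]) == len
                && strncmp(stable_tokens[i], tok, len) == 0) {
            return true;
        }
    }
    return false;
}

/* A trailing XXXXXX is filled in randomly at creation time (mkstemp(3)). */
static bool has_random_suffix(const char *s)
{
    size_t len = strlen(s);

    return len >= 6 && strcmp(s + len - 6, "XXXXXX") == 0;
}

enum ccname_kind classify_ccname(const char *tmpl)
{
    enum ccname_kind kind = CCNAME_PREDICTABLE;
    const char *p = tmpl;

    if (tmpl == NULL || *tmpl == '\0') {
        return CCNAME_INVALID;
    }

    if (has_random_suffix(tmpl)) {
        kind = CCNAME_MUST_CACHE;
    }

    /* Walk every %{token}; one unknown token is enough to require caching. */
    while ((p = strstr(p, "%{")) != NULL) {
        const char *name = p + 2;
        const char *end = strchr(name, '}');

        if (end == NULL) {
            return CCNAME_INVALID;      /* unterminated %{... */
        }
        if (!token_is_stable(name, (size_t)(end - name))) {
            kind = CCNAME_MUST_CACHE;   /* unknown expansion: be conservative */
        }
        p = end + 1;
    }

    return kind;
}

int main(void)
{
    /* Constructed sample templates; %{pid} stands in for an unknown token. */
    static const char *const samples[] = {
        "KCM:",
        "KEYRING:persistent:%{uid}",
        "FILE:/tmp/krb5cc_%{uid}",
        "FILE:/tmp/krb5cc_%{uid}_XXXXXX",
        "FILE:/tmp/krb5cc_%{pid}",
    };
    static const char *const label[] = { "predictable", "must cache", "invalid" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-32s %s\n", samples[i], label[classify_ccname(samples[i])]);
    }
    return 0;
}
```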


[SSSD] [sssd PR#274][comment] Merge sss_cache and sss_debuglevel into sssctl

2017-06-01 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/274
Title: #274: Merge sss_cache and sss_debuglevel into sssctl

justin-stephenson commented:
"""
I am not sure what is the least intrusive way to handle this but moving the 
`sss_cache` wrapper to `sssd-tools` makes sense to me. Also, I can add some 
information to the wrapper to cover the 'sss_cache lost during upgrade' case:

```
+#!/bin/sh
+sbindir=@sbindir@
+echo "Due to packaging changes, please make sure the sssd-tools package is 
installed"
+echo "Redirecting to $sbindir/sssctl expire-cache"
+$sbindir/sssctl expire-cache $@
```
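
Review bot: `$@` on the last line of the wrapper is unquoted, so an argument containing whitespace or glob characters is re-split before it reaches `sssctl expire-cache`; use `"$@"` and quote `"$sbindir/sssctl"` as well. The two `echo` notices are also written to stdout, where they mix with the command's own output for any script that reads it; sending them to stderr with `>&2` keeps the upgrade hint out of that stream.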

@lslebodn what do you think about it?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/274#issuecomment-305550258


[SSSD] [sssd PR#285][comment] SSSCTL: Add primary or subdomain information

2017-06-01 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/285
Title: #285: SSSCTL: Add primary or subdomain information

justin-stephenson commented:
"""
@fidencio you are right, I was trying to be overly explicit but in this 
situation it is not really necessary. PR updated.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/285#issuecomment-305543570


[SSSD] [sssd PR#285][synchronized] SSSCTL: Add primary or subdomain information

2017-06-01 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/285
Author: justin-stephenson
 Title: #285: SSSCTL: Add primary or subdomain information
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/285/head:pr285
git checkout pr285
From f0a0fe29710d74629e42b7471bed9b18d556ce42 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 24 May 2017 12:39:56 -0400
Subject: [PATCH] SSSCTL: Add primary or subdomain information

Add verbose option to sssctl domain-list, when this option is provided
SSSD will print the domain type(primary or subdomain) retrieved from
infopipe API, in addition to the domain name.

Resolves:
https://pagure.io/SSSD/sssd/issue/3065
---
 src/tools/sssctl/sssctl_domains.c | 50 +++
 1 file changed, 50 insertions(+)

diff --git a/src/tools/sssctl/sssctl_domains.c b/src/tools/sssctl/sssctl_domains.c
index 545ed95f4..bc7ffb651 100644
--- a/src/tools/sssctl/sssctl_domains.c
+++ b/src/tools/sssctl/sssctl_domains.c
@@ -27,20 +27,52 @@
 #include "sbus/sssd_dbus.h"
 #include "responder/ifp/ifp_iface.h"
 
+#define SSS_SIFP_ATTR_SUBDOMAIN "subdomain"
+
+errno_t domain_is_subdomain_check(sss_sifp_ctx *sifp_ctx,
+  char *domain,
+  bool *_is_subdom)
+{
+bool is_subdom;
+sss_sifp_error error;
+sss_sifp_object *domain_obj;
+
+error = sss_sifp_fetch_domain_by_name(sifp_ctx, domain, &domain_obj);
+if (error != SSS_SIFP_OK) {
+sssctl_sifp_error(sifp_ctx, error, "Unable to fetch domain by name");
+return EIO;
+}
+
+error = sss_sifp_find_attr_as_bool(domain_obj->attrs,
+   SSS_SIFP_ATTR_SUBDOMAIN,
+   &is_subdom);
+if (error != SSS_SIFP_OK) {
+sssctl_sifp_error(sifp_ctx, error, "Unable to find subdomain attr");
+return EIO;
+}
+
+*_is_subdom = is_subdom;
+
+return EOK;
+}
+
 errno_t sssctl_domain_list(struct sss_cmdline *cmdline,
struct sss_tool_ctx *tool_ctx,
void *pvt)
 {
 sss_sifp_ctx *sifp;
 sss_sifp_error error;
+bool is_subdom;
 char **domains;
 int start = 0;
+int verbose = 0;
 errno_t ret;
 int i;
 
 /* Parse command line. */
 struct poptOption options[] = {
 {"start", 's', POPT_ARG_NONE, &start, 0, _("Start SSSD if it is not running"), NULL },
+{"verbose", 'v', POPT_ARG_NONE, &verbose, 0, _("Show domain list including primary or subdomain type"), NULL },
 POPT_TABLEEND
 };
 
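
Review bot: in `domain_is_subdomain_check()`, `domain_obj` returned by `sss_sifp_fetch_domain_by_name()` is never released: the `EIO` return after the attribute lookup and the final `return EOK` both leave it allocated, and `sssctl_domain_list()` calls the helper once per domain. Free the object before each of those returns. In the lines shown the helper is called only from `sssctl_domain_list()`, so it could be `static`, and `domain` could be `const char *` since it is not modified.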
@@ -66,6 +98,24 @@ errno_t sssctl_domain_list(struct sss_cmdline *cmdline,
 return EIO;
 }
 
+if (verbose) {
+for (i = 0; domains[i] != NULL; i++) {
+ret = domain_is_subdomain_check(sifp, domains[i], &is_subdom);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Subdomain check failed\n");
+return ret;
+}
+
+if (is_subdom) {
+printf("Subdomain: %s\n", domains[i]);
+} else {
+printf("Primary domain: %s\n", domains[i]);
+}
+}
+
+return EOK;
+}
+
 for (i = 0; domains[i] != NULL; i++) {
 puts(domains[i]);
 }
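
Review bot: the labels printed in the verbose branch, `"Subdomain: %s\n"` and `"Primary domain: %s\n"`, are not wrapped in `_()`, while the `--verbose` help text added in the same patch is, so this output stays untranslated. The branch also repeats the `for (i = 0; domains[i] != NULL; i++)` walk and returns on its own; testing `verbose` inside the existing loop would leave one iteration and one exit path. When `domain_is_subdomain_check()` fails part-way, the domains already printed stay on stdout while the command returns an error, so collecting the types before printing would give an all-or-nothing listing.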


[SSSD] [sssd PR#261][comment] Add systemtap probes into the top-level data provider requests

2017-06-01 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/261
Title: #261: Add systemtap probes into the top-level data provider requests

justin-stephenson commented:
"""
@lslebodn added constant definitions as suggested, thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/261#issuecomment-305541949


[SSSD] [sssd PR#261][synchronized] Add systemtap probes into the top-level data provider requests

2017-06-01 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/261
Author: justin-stephenson
 Title: #261: Add systemtap probes into the top-level data provider requests
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/261/head:pr261
git checkout pr261
From 987b6a16cfa758054c27726e433b46b910c4570f Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 3 May 2017 16:36:57 -0400
Subject: [PATCH 1/3] DP: Add Generic DP Request Probes

Add the ability to analyze performance and monitor Data Provider
requests at a high-level, probes fire when a request is sent and when
a request is completed.

Request name, domain, target, method, and return code information
is passed as target variables to the systemtap probe tapsets which
can be used in systemtap scripts.

Resolves: https://pagure.io/SSSD/sssd/issue/3061
---
 Makefile.am  |  9 +
 src/providers/data_provider/dp_request.c |  5 +++
 src/systemtap/sssd.stp.in| 18 +
 src/systemtap/sssd_functions.stp | 68 
 src/systemtap/sssd_probes.d  |  5 +++
 5 files changed, 105 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index c947e31e5..23dc7877f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1578,6 +1578,9 @@ sssd_be_LDADD = \
 sssd_be_LDFLAGS = \
 -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \
 -export-dynamic
+if BUILD_SYSTEMTAP
+sssd_be_LDADD += stap_generated_probes.lo
+endif
 
 if BUILD_PYTHON_BINDINGS
 sss_obfuscate_pythondir = $(sbindir)
@@ -1883,6 +1886,9 @@ libdlopen_test_providers_la_LIBADD = \
 $(SSSD_LIBS) \
 $(CARES_LIBS) \
 $(SSSD_INTERNAL_LTLIBS)
+if BUILD_SYSTEMTAP
+libdlopen_test_providers_la_LIBADD += stap_generated_probes.lo
+endif
 libdlopen_test_providers_la_LDFLAGS = \
 -shared \
 -avoid-version \
@@ -3285,6 +3291,9 @@ test_dp_request_LDADD = \
 $(LIBADD_DL) \
 libsss_test_common.la \
 $(NULL)
+if BUILD_SYSTEMTAP
+test_dp_request_LDADD += stap_generated_probes.lo
+endif
 
 test_dp_builtin_SOURCES = \
 src/providers/data_provider/dp_modules.c \
diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
index 6c0a0b72d..a6bc020e0 100644
--- a/src/providers/data_provider/dp_request.c
+++ b/src/providers/data_provider/dp_request.c
@@ -27,6 +27,7 @@
 #include "providers/backend.h"
 #include "util/dlinklist.h"
 #include "util/util.h"
+#include "util/probes.h"
 
 struct dp_req {
 struct data_provider *provider;
@@ -309,6 +310,7 @@ struct tevent_req *dp_req_send(TALLOC_CTX *mem_ctx,
 goto immediately;
 }
 
+PROBE(DP_REQ_SEND, domain, dp_req->name, target, method);
 state->dp_req = dp_req;
 if (_request_name != NULL) {
 request_name = talloc_strdup(mem_ctx, dp_req->name);
@@ -363,6 +365,9 @@ static void dp_req_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 state->dp_req->handler_req = NULL;
 
+PROBE(DP_REQ_DONE, state->dp_req->name, state->dp_req->target,
+  state->dp_req->method, ret, sss_strerror(ret));
+
 DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->dp_req->name,
  "Request handler finished [%d]: %s", ret, sss_strerror(ret));
 
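
Review bot: `PROBE(DP_REQ_DONE, ...)` in `dp_req_done()` passes name, target, method, return code and error string but not the domain, whereas `PROBE(DP_REQ_SEND, ...)` passes `domain` as its first argument. A script that pairs the two probes then has only the request name to match on, and name, target and method sit at different argument positions in the two probes. If the request keeps its domain, passing it to `DP_REQ_DONE` in the same leading position would keep the two argument lists aligned.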
diff --git a/src/systemtap/sssd.stp.in b/src/systemtap/sssd.stp.in
index 199916383..25a68cd04 100644
--- a/src/systemtap/sssd.stp.in
+++ b/src/systemtap/sssd.stp.in
@@ -254,3 +254,21 @@ probe sdap_nested_group_process_recv = process("@libdir@/sssd/libsss_ldap_common
 probestr = sprintf("-> %s(orig_dn=[%s])",
$$name, orig_dn);
 }
+
+## Data Provider Request Probes
+probe dp_req_send = process("@libexecdir@/sssd/sssd_be").mark("dp_req_send")
+{
+dp_req_domain = user_string($arg1, "NULL");
+dp_req_name = user_string($arg2, "NULL");
+dp_req_target = $arg3;
+dp_req_method = $arg4;
+}
+
+probe dp_req_done = process("@libexecdir@/sssd/sssd_be").mark("dp_req_done")
+{
+dp_req_name = user_string($arg1, "NULL");
+dp_req_target = $arg2;
+dp_req_method = $arg3;
+dp_ret = $arg4;
+dp_errorstr = user_string($arg5, "NULL");
+}
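
Review bot: the `dp_req_send` and `dp_req_done` aliases export `dp_req_target`, `dp_req_method` and `dp_ret` as raw integers with no comment saying what the numbers mean. A short comment above each probe listing the variables it sets, and noting that target and method are numeric codes, would let script authors use them without reading `dp_request.c`. The `"NULL"` fallback passed to `user_string()` also makes an unreadable string indistinguishable from a request or domain literally named NULL, which deserves a mention in the same comment.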
diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp
index bad194ead..e249aac98 100644
--- a/src/systemtap/sssd_functions.stp
+++ b/src/systemtap/sssd_functions.stp
@@ -1,3 +1,13 @@
+// constants
+global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3,
+   TARGET_SUDO=4, TARGET_AUTOFS=5, TARGET_SELINUX=6, TARGET_HOSTID=7,
+   TARGET_SUBDOMAINS=8, TARGET_SENTINEL=9
+
+global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2,
+   METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5,
+   METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8,
+   METHOD_SENTINEL=9
+
 function acct_req_desc(entry_type)
 {
 if (entry_type == 0x0001) {
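
Review bot: the `TARGET_*` and `METHOD_*` globals hard-code the values 0 through 9 with only `// constants` above them, so nothing ties them to the definitions they mirror on the C side. Add a comment naming the source of each list; otherwise a reordered or inserted entry there silently shifts the meaning of every value here, including both `*_SENTINEL` entries.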
@@ -64,3 +74,61 @@ function sssd_acct_req_probestr(fc_name, entr

[SSSD] [sssd PR#268][closed] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/268
Author: sumit-bose
 Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/268/head:pr268
git checkout pr268


[SSSD] [sssd PR#268][+Pushed] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

Label: +Pushed


[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

lslebodn commented:
"""
master:
* b130adaa3934d0531aca0f32961ab8b4cc720820
* ee7e72a65d323636600ffda271d5b5c4ddbc78b1
* 32474fa2f0a6dc09386bab405fc3461cb3dd12ac
* 6073cfc40747cd6d3142f0f98b880fc390dd7aad
* a192a1d72e92dae3e71e062b333e51a5095a0395
* 89ff140d7ab92fce52d6730a7d27c8d73c7d9e4a
* 749963195393efa3a4f9b168dd02fbcc68976ba3
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/268#issuecomment-305518786


[SSSD] [sssd PR#277][comment] CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/277
Title: #277: CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()

fidencio commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/70/89/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/277#issuecomment-305516201


[SSSD] [sssd PR#277][synchronized] CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()

2017-06-01 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/277
Author: fidencio
 Title: #277: CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/277/head:pr277
git checkout pr277
From 1b8fc05c3162a2faa11c1c2f0aee4ff49d5db7c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 29 May 2017 14:58:33 +0200
Subject: [PATCH 1/2] CACHE_REQ: Simplify _search_ncache_filter()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make the result an input/output argument for
_search_ncache_filter() and free it inside the function whenever it's
needed instead of leaving this responsibility for the caller.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio 
---
 src/responder/common/cache_req/cache_req_search.c | 27 ++-
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 70448a763..d3aaa7542 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -86,7 +86,6 @@ static void cache_req_search_ncache_add(struct cache_req *cr)
 
 static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
   struct cache_req *cr,
-  struct ldb_result *result,
   struct ldb_result **_result)
 {
 TALLOC_CTX *tmp_ctx;
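
Review bot: once the `result` parameter is dropped from `cache_req_search_ncache_filter()`, `_result` is both the input and the output and the function may free what the caller passed in, but the signature carries no comment saying so. A short comment above the function stating that `*_result` must hold a valid result on entry and is replaced on success would make the contract explicit, since the leading underscore reads as an output-only parameter.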
@@ -106,8 +105,6 @@ static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
 "This request type does not support filtering "
 "result by negative cache\n");
 
-*_result = talloc_steal(mem_ctx, result);
-
 ret = EOK;
 goto done;
 }
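
Review bot: with `*_result = talloc_steal(mem_ctx, result);` removed from the branch for request types that do not support filtering, `*_result` keeps whatever talloc parent it had on entry, while the success path later in the function still moves the new result under `mem_ctx`. The `mem_ctx` argument is therefore honoured on one path only. Either document that the caller must already own `*_result` under the intended context, or keep a `talloc_steal(mem_ctx, *_result)` here.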
@@ -115,11 +112,11 @@ static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
 CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
 "Filtering out results by negative cache\n");
 
-msgs = talloc_zero_array(tmp_ctx, struct ldb_message *, result->count);
+msgs = talloc_zero_array(tmp_ctx, struct ldb_message *, (*_result)->count);
 msg_count = 0;
 
-for (size_t i = 0; i < result->count; i++) {
-name = sss_get_name_from_msg(cr->domain, result->msgs[i]);
+for (size_t i = 0; i < (*_result)->count; i++) {
+name = sss_get_name_from_msg(cr->domain, (*_result)->msgs[i]);
 if (name == NULL) {
 CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
   "sss_get_name_from_msg() returned NULL, which should never "
@@ -141,7 +138,7 @@ static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
-msgs[msg_count] = talloc_steal(msgs, result->msgs[i]);
+msgs[msg_count] = talloc_steal(msgs, (*_result)->msgs[i]);
 msg_count++;
 }
 
@@ -157,6 +154,7 @@ static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+talloc_zfree(*_result);
 *_result = talloc_steal(mem_ctx, filtered_result);
 ret = EOK;
 
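
Review bot: `talloc_zfree(*_result)` runs only just before the successful assignment, yet earlier in the loop `(*_result)->msgs[i]` has already been stolen into `msgs`, which is allocated on `tmp_ctx`. On any `goto done` taken between those points the caller keeps `*_result`, now `state->result` in `cache_req_search_done()`, with `msgs` entries that belong to `tmp_ctx` and disappear if that context is freed at `done`. Before this patch the input was a local that the caller freed through its own `tmp_ctx`; now the error paths should clear `*_result` as well.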
@@ -419,10 +417,8 @@ static void cache_req_search_oob_done(struct tevent_req *subreq)
 
 static void cache_req_search_done(struct tevent_req *subreq)
 {
-TALLOC_CTX *tmp_ctx;
 struct cache_req_search_state *state;
 struct tevent_req *req;
-struct ldb_result *result = NULL;
 errno_t ret;
 
 req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -431,14 +427,8 @@ static void cache_req_search_done(struct tevent_req *subreq)
 state->dp_success = state->cr->plugin->dp_recv_fn(subreq, state->cr);
 talloc_zfree(subreq);
 
-tmp_ctx = talloc_new(NULL);
-if (tmp_ctx == NULL) {
-ret = ENOMEM;
-goto done;
-}
-
 /* Get result from cache again. */
-ret = cache_req_search_cache(tmp_ctx, state->cr, &result);
+ret = cache_req_search_cache(state, state->cr, &state->result);
 if (ret != EOK) {
 if (ret == ENOENT) {
 /* Only store entry in negative cache if DP request succeeded
@@ -451,8 +441,7 @@ static void cache_req_search_done(struct tevent_req *subreq)
 }
 
 /* ret == EOK */
-ret = cache_req_search_ncache_filter(state, state->cr, result,
- &state->result);
+ret = cache_req_search_ncache_filter(state, state->cr, &state->result);
 if (ret != EOK) {
 goto done;
 }
@@ -461,8 +450,6 @@ static void cache_req_search_done(struct tevent_req *subreq)
 "Returning updated object [%s]\n", state->cr->debugobj);
 
 done:
-talloc_free(tmp_ctx);
-
 if (ret != EOK) {
 tevent_req_error(req, ret);
 return;

From c9fb00db72baf6b9831c8fe07a4fc19f7c1f91d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fab

[SSSD] [sssd PR#296][comment] TESTS: Add one config-check test case

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/296
Title: #296: TESTS: Add one config-check test case

fidencio commented:
"""
@lslebodn, ah did you already fire a CI build? :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/296#issuecomment-305479053


[SSSD] [sssd PR#296][comment] TESTS: Add one config-check test case

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/296
Title: #296: TESTS: Add one config-check test case

fidencio commented:
"""
I do like it. I'll fire a CI build and ack as soon as I get the results. Thanks!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/296#issuecomment-305478967


[SSSD] [sssd PR#296][comment] TESTS: Add one config-check test case

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/296
Title: #296: TESTS: Add one config-check test case

lslebodn commented:
"""
LGTM. @fidencio do you like it :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/296#issuecomment-305478189


[SSSD] [sssd PR#294][comment] KRB5: Fix access_provider=krb5

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/294
Title: #294: KRB5: Fix access_provider=krb5

lslebodn commented:
"""
master:
* f772649cb8b624f4b4dfa5521f487ef38e3f8931
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/294#issuecomment-305475950
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#294][closed] KRB5: Fix access_provider=krb5

2017-06-01 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/294
Author: jhrozek
 Title: #294: KRB5: Fix access_provider=krb5
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/294/head:pr294
git checkout pr294
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#294][+Pushed] KRB5: Fix access_provider=krb5

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/294
Title: #294: KRB5: Fix access_provider=krb5

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#294][comment] KRB5: Fix access_provider=krb5

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/294
Title: #294: KRB5: Fix access_provider=krb5

lslebodn commented:
"""
I am able to see issue in valgrind log. Issue was on my side :-) I tried to 
find(grep) ERROR summary in valgrind log but it is done only after finishing 
process. And I didn't stop sssd
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/294#issuecomment-305473615
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#296][synchronized] TESTS: Add one config-check test case

2017-06-01 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/296
Author: mzidek-rh
 Title: #296: TESTS: Add one config-check test case
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/296/head:pr296
git checkout pr296
From a563687011ebc260854efea7105c1b341c02182e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Thu, 1 Jun 2017 13:47:07 +0200
Subject: [PATCH] TESTS: Add one config-check test case

Add test case with wrong subdomain section format, where too many
domains are used to identify the trusted domain instead of just the
connected domain and the one trusted domain that is being configured.
---
 src/tests/cmocka/test_config_check.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
index 0066ebe77..a2958de63 100644
--- a/src/tests/cmocka/test_config_check.c
+++ b/src/tests/cmocka/test_config_check.c
@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state)
 config_check_test_common(cfg_str, 1, expected_errors);
 }
 
+void config_check_test_too_many_subdomains(void **state)
+{
+char cfg_str[] = "[domain/ad.test/b.test/c.test]";
+const char *expected_errors[] = {
+"[rule/allowed_sections]: Section [domain/ad.test/b.test/c.test] is not allowed. "
+"Check for typos.",
+};
+
+config_check_test_common(cfg_str, 1, expected_errors);
+}
+
 void config_check_test_bad_sssd_option_name(void **state)
 {
 char cfg_str[] = "[sssd]\n"
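
Review bot: `config_check_test_too_many_subdomains()` only checks that the three-component section `[domain/ad.test/b.test/c.test]` is rejected. The commit message describes the accepted form as the connected domain plus the one trusted domain, so a companion case asserting that a two-component section produces no `allowed_sections` error would pin the boundary from both sides and catch a rule that rejects every subdomain section.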
@@ -253,6 +264,7 @@ int main(int argc, const char *argv[])
 
 const struct CMUnitTest tests[] = {
 cmocka_unit_test(config_check_test_bad_section_name),
+cmocka_unit_test(config_check_test_too_many_subdomains),
 cmocka_unit_test(config_check_test_bad_sssd_option_name),
 cmocka_unit_test(config_check_test_bad_pam_option_name),
 cmocka_unit_test(config_check_test_bad_nss_option_name),


[SSSD] [sssd PR#296][opened] TESTS: Add one config-check test case

2017-06-01 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/296
Author: mzidek-rh
 Title: #296: TESTS: Add one config-check test case
Action: opened

PR body:
"""
Add test case with wrong subdomain section format, where too many
domains are used to identify the trusted domain instead of just the
connected domain and the one trusted domain that is being configured.

This test case came out of discussion I had a while ago with Fabiano when we 
came to conclusion that some people may try to falsely set the subdomain 
configuration by putting all domains in the forest between the connected domain 
and the trusted domain. Fabiano suggested it would be good to have explicit 
tests for this in the config-check tests and I agreed :)
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/296/head:pr296
git checkout pr296
From cc349fe2d0c2c2dd696b32803e476c27f6404516 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Thu, 1 Jun 2017 13:47:07 +0200
Subject: [PATCH] TESTS: Add one config-check test case

Add test case with wrong subdomain section format, where too many
domains are used to identify the trusted domain instead of just the
connected domain and the one trusted domain that is being configured.
---
 src/tests/cmocka/test_config_check.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
index 0066ebe77..cf03e0538 100644
--- a/src/tests/cmocka/test_config_check.c
+++ b/src/tests/cmocka/test_config_check.c
@@ -106,6 +106,18 @@ void config_check_test_bad_section_name(void **state)
 config_check_test_common(cfg_str, 1, expected_errors);
 }
 
+void config_check_test_too_many_subdomains(void **state)
+{
+char cfg_str[] = "[domain/ad.test/b.test/c.test]";
+const char *expected_errors[] = {
+"[rule/allowed_sections]: Section [domain/ad.test/b.test/c.test] is not allowed. "
+"Check for typos.",
+};
+
+config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+
 void config_check_test_bad_sssd_option_name(void **state)
 {
 char cfg_str[] = "[sssd]\n"
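
Review bot: the new test function is followed by two added blank lines before `config_check_test_bad_sssd_option_name()`, while the neighbouring functions in this hunk are separated by one; drop the extra line.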
@@ -253,6 +265,7 @@ int main(int argc, const char *argv[])
 
 const struct CMUnitTest tests[] = {
 cmocka_unit_test(config_check_test_bad_section_name),
+cmocka_unit_test(config_check_test_too_many_subdomains),
 cmocka_unit_test(config_check_test_bad_sssd_option_name),
 cmocka_unit_test(config_check_test_bad_pam_option_name),
 cmocka_unit_test(config_check_test_bad_nss_option_name),


[SSSD] [sssd PR#294][comment] KRB5: Fix access_provider=krb5

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/294
Title: #294: KRB5: Fix access_provider=krb5

lslebodn commented:
"""
I tested with:
```
[domain/sssdad.com]
debug_level = 0xFFF0
id_provider = ad
access_provider = krb5
krb5_realm = SSSDAD
```

and I could not see any valgrind errors.
But I could see errors in debug log files
```
[write_pipe_handler] (0x0400): All data has been sent!
[read_pipe_handler] (0x0400): EOF received, client finished
[krb5_access_done] (0x0020): message has the wrong size.
[krb5_pam_handler_access_done] (0x1000): Access denied for user [testuser01-12...@sssdad.com].
[dp_req_done] (0x0400): DP Request [PAM Account #3]: Request handler finished [0]: Success
[_dp_req_recv] (0x0400): DP Request [PAM Account #3]: Receiving request data.
[dp_req_destructor] (0x0400): DP Request [PAM Account #3]: Request removed.
[dp_req_destructor] (0x0400): Number of active DP request: 0
[dp_method_enabled] (0x0400): Target selinux is not configured
[dp_pam_reply] (0x1000): DP Request [PAM Account #3]: Sending result [6][sssdad.com]
```
and
```
[[sssd[krb5_child[7203 [main] (0x0400): krb5_child started.
[[sssd[krb5_child[7203 [unpack_buffer] (0x1000): total buffer size: [79]
[[sssd[krb5_child[7203 [unpack_buffer] (0x0100): cmd [243] uid [406918239] gid [1239000513] validate [false] enterprise principal [false] offline [false] UPN [testuser01-12...@sssdad.com]
[[sssd[krb5_child[7203 [k5c_recv_data] (0x0020): unpack_buffer failed.
[[sssd[krb5_child[7203 [main] (0x0020): krb5_child failed!
```

errors are gone with patch but I haven't tested with `id_provider = ldap` and 
`access_provider = krb5`

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/294#issuecomment-305468782


[SSSD] [sssd PR#292][closed] Test config check

2017-06-01 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/292
Author: lslebodn
 Title: #292: Test config check
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/292/head:pr292
git checkout pr292


[SSSD] [sssd PR#292][comment] Test config check

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/292
Title: #292: Test config check

lslebodn commented:
"""
master:
* 291b6bfd499fd64416b75c05c8846a5102600f3c
* 5919e884d3f71456f50b92236e002d98747be017
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/292#issuecomment-305455852
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#292][+Pushed] Test config check

2017-06-01 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/292
Title: #292: Test config check

Label: +Pushed
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

sumit-bose commented:
"""
jfyi, I opened https://pagure.io/SSSD/sssd/issue/3419 to track the issue with 
the expired password.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/268#issuecomment-305454746
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#225][comment] SECRETS: Apply separate quotas for cn=secrets and cn=kcm

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/225
Title: #225: SECRETS: Apply separate quotas for cn=secrets and cn=kcm

fidencio commented:
"""
On Thu, Jun 1, 2017 at 11:30 AM, Simo Sorce wrote:

> 1. I do not think we need to add explicitly a quota subsection, but if I
>    do not want to set a quota, what values should I use ? 0 ? Why the default
>    is to have a quota ?
> 2. what is max_secrets? Given you suggest adding max_user_secrets I
>    assume these are not the same thing ? I am confused.

Let me try to reply to the second question (as I've implemented this one). The
original idea was to have it per user but I've noticed that (probably) the
name and the documentation are misleading. /o\.

It was introduced in 65a38b8.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/225#issuecomment-305445005


[SSSD] [sssd PR#292][+Accepted] Test config check

2017-06-01 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/292
Title: #292: Test config check

Label: +Accepted


[SSSD] [sssd PR#292][comment] Test config check

2017-06-01 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/292
Title: #292: Test config check

mzidek-rh commented:
"""
ACK.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/292#issuecomment-305444789


[SSSD] [sssd PR#225][comment] SECRETS: Apply separate quotas for cn=secrets and cn=kcm

2017-06-01 Thread simo5
  URL: https://github.com/SSSD/sssd/pull/225
Title: #225: SECRETS: Apply separate quotas for cn=secrets and cn=kcm

simo5 commented:
"""
1) I do not think we need to add explicitly a quota subsection, but if I do not 
want to set a quota, what values should I use ? 0 ? Why the default is to have 
a quota ?

2) what is max_secrets? Given you suggest adding max_user_secrets I assume 
these are not the same thing ? I am confused.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/225#issuecomment-305440884


[SSSD] [sssd PR#268][+Accepted] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

Label: +Accepted


[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

fidencio commented:
"""
As I have not noticed any new warning on coverity and as CI passed successfully 
(although I will not share the link due to issues with our internal CI) and 
according to the tests done above, I am ACKing this patch set.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/268#issuecomment-305434511


[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

fidencio commented:
"""
@sumit-bose, you nailed it. That's exactly the issue you described.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/268#issuecomment-305433730


[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

2017-06-01 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/268
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT

sumit-bose commented:
"""
Yes, I think this is unrelated. I assume you just set the password as admin but 
did not use it as the user. In this case the password is expired and must be 
reset by the user. It looks like although PKINIT was used for authentication 
the KDC reply still contains information about the expired password and SSSD 
sends a reply to the PAM client to request a new password.

Can you try to call 'kinit al...@sc.ff' to set a new password and then check 
Smartcard authentication again. If it then works it is the issue I assumed 
above and I can try to fix it in a different ticket.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/268#issuecomment-305430782


[SSSD] [sssd PR#136][comment] Tlog integration

2017-06-01 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Ack. Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305426853


[SSSD] [sssd PR#295][opened] MAN: Document that the secrets provider can only be specified in a per-client section

2017-06-01 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/295
Author: jhrozek
 Title: #295: MAN: Document that the secrets provider can only be specified in a per-client section
Action: opened

PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3417
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/295/head:pr295
git checkout pr295
From a75fc206d9d064f68b6773a3cb5bf5f04aa1e32f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 1 Jun 2017 09:51:31 +0200
Subject: [PATCH 1/2] KRB5: Fix access_provider=krb5

Resolves:
https://pagure.io/SSSD/sssd/issue/3418

The domain type (posix or not) was being sent to the krb5_child always,
but the buffer only had enough space in case of authentication, not
authorization.

This patch makes the buffer one uint32_t unit larger.

To reproduce, just set up sssd.conf with:
access_provider = krb5

Without the patch, you would see messages like:
==14111== Invalid write of size 2
==14111==at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==14111==by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
==14111==by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111==by 0x418868: file_dp_request (dp_request.c:254)
==14111==by 0x418976: dp_req_send (dp_request.c:300)
==14111==by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111==by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111==by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111==by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
==14111==at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==14111==by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
==14111==by 0x944D7F4: __talloc (talloc.c:739)
==14111==by 0x944D7F4: _talloc_named_const (talloc.c:896)
==14111==by 0x944D7F4: talloc_named_const (talloc.c:1675)
==14111==by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111==by 0x418868: file_dp_request (dp_request.c:254)
==14111==by 0x418976: dp_req_send (dp_request.c:300)
==14111==by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111==by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111==by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111==by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
---
 src/providers/krb5/krb5_child_handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 87e79a06e..11ac867e6 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -156,14 +156,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
 return ENOMEM;
 }
 
-buf->size = 8*sizeof(uint32_t) + strlen(kr->upn);
+buf->size = 9*sizeof(uint32_t) + strlen(kr->upn);
 
 if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
 kr->pd->cmd == SSS_PAM_PREAUTH ||
 kr->pd->cmd == SSS_CMD_RENEW ||
 kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
 kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
-buf->size += 5*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
+buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
  sss_authtok_get_size(kr->pd->authtok);
 
 buf->size += sizeof(uint32_t);
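
Review bot: the two multipliers on buf->size (8 to 9 in the unconditional term, 5 to 4 in the auth branch) are hand-counted, and nothing in this hunk ties them to the fields written later in create_send_buffer, which is how the non-auth path ended up one uint32_t short according to the commit message. The net effect here is that the auth-type commands keep the same total while every other command gains sizeof(uint32_t); please add a comment next to each term listing the fields it accounts for, or derive the size from the same list the writes use, so the next field added to the message cannot drift from the allocation again.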

From ca4b5e2ca23090799514578d1c729f04bf997422 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 1 Jun 2017 10:04:21 +0200
Subject: [PATCH 2/2] MAN: Document that the secrets provider can only be
 specified in a per-client section

Resolves:
https://pagure.io/SSSD/sssd/issue/3417
---
 src/man/sssd-secrets.5.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 44a86c3fb..d833174b5 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -112,9 +112,9 @@ systemctl enable sssd-secrets.service
 per-user subsections that define which provider store
 the secrets for this particular user. The per-user
 subsections should contain all options for that user's
-provider. If a per-user section does not exist, the
-   

[SSSD] [sssd PR#294][opened] KRB5: Fix access_provider=krb5

2017-06-01 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/294
Author: jhrozek
 Title: #294: KRB5: Fix access_provider=krb5
Action: opened

PR body:
"""
Resolves:
   https://pagure.io/SSSD/sssd/issue/3418

The domain type (posix or not) was being sent to the krb5_child always, but
the buffer only had enough space in case of authentication, not
authorization.

This patch makes the buffer one uint32_t unit larger.

To reproduce, just set up sssd.conf with:
```
   access_provider = krb5
```

Without the patch, you would see messages like:
```
   ==14111== Invalid write of size 2
   ==14111==at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
   ==14111==by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
   ==14111==by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
   ==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
   ==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
   ==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
   ==14111==by 0x418868: file_dp_request (dp_request.c:254)
   ==14111==by 0x418976: dp_req_send (dp_request.c:300)
   ==14111==by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
   ==14111==by 0x52B3456: sbus_request_invoke_or_finish
(sssd_dbus_request.c:71)
   ==14111==by 0x52B0F37: sbus_message_handler_got_caller_id
(sssd_dbus_interface.c:1048)
   ==14111==by 0x923C923: tevent_common_loop_immediate
(tevent_immediate.c:135)
   ==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151
alloc'd
   ==14111==at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
   ==14111==by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
   ==14111==by 0x944D7F4: __talloc (talloc.c:739)
   ==14111==by 0x944D7F4: _talloc_named_const (talloc.c:896)
   ==14111==by 0x944D7F4: talloc_named_const (talloc.c:1675)
   ==14111==by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
   ==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
   ==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
   ==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
   ==14111==by 0x418868: file_dp_request (dp_request.c:254)
   ==14111==by 0x418976: dp_req_send (dp_request.c:300)
   ==14111==by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
   ==14111==by 0x52B3456: sbus_request_invoke_or_finish
(sssd_dbus_request.c:71)
   ==14111==by 0x52B0F37: sbus_message_handler_got_caller_id
(sssd_dbus_interface.c:1048)
   ==14111==by 0x923C923: tevent_common_loop_immediate
(tevent_immediate.c:135)
```
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/294/head:pr294
git checkout pr294
From a75fc206d9d064f68b6773a3cb5bf5f04aa1e32f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 1 Jun 2017 09:51:31 +0200
Subject: [PATCH] KRB5: Fix access_provider=krb5

Resolves:
https://pagure.io/SSSD/sssd/issue/3418

The domain type (posix or not) was being sent to the krb5_child always,
but the buffer only had enough space in case of authentication, not
authorization.

This patch makes the buffer one uint32_t unit larger.

To reproduce, just set up sssd.conf with:
access_provider = krb5

Without the patch, you would see messages like:
==14111== Invalid write of size 2
==14111==at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==14111==by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
==14111==by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111==by 0x418868: file_dp_request (dp_request.c:254)
==14111==by 0x418976: dp_req_send (dp_request.c:300)
==14111==by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111==by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111==by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111==by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
==14111==at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==14111==by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
==14111==by 0x944D7F4: __talloc (talloc.c:739)
==14111==by 0x944D7F4: _talloc_named_const (talloc.c:896)
==14111==by 0x944D7F4: talloc_named_const (talloc.c:1675)
==14111==by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
==14111==by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111==by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111==by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111==by 0x418868: file_dp_request (dp_request.c:254)
==
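
The size/write mismatch described in the PR body above, reduced to a sketch with a bounds-checked writer that turns the overrun into an error instead of a heap write. This is an added example, not SSSD code: `struct req`, `struct wbuf`, `put*`, `msg_size` and `pack` are hypothetical names, and the field layout is simplified to three fields.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request: upn is always sent, ccname only for auth-type
 * commands, domain_type for every command (as the commit message describes). */
struct req { int is_auth; const char *upn; const char *ccname; uint32_t domain_type; };
struct wbuf { uint8_t *data; size_t size; size_t pos; };

/* Bounds-checked append: refuses to write past the allocated size. */
static int put(struct wbuf *b, const void *src, size_t len)
{
    if (len > b->size - b->pos) return ERANGE;
    memcpy(b->data + b->pos, src, len);
    b->pos += len;
    return 0;
}

static int put_u32(struct wbuf *b, uint32_t v) { return put(b, &v, sizeof(v)); }

static int put_str(struct wbuf *b, const char *s)   /* length prefix + bytes */
{
    int ret = put_u32(b, (uint32_t)strlen(s));
    return ret != 0 ? ret : put(b, s, strlen(s));
}

/* fixed == 0 reproduces the mismatch: domain_type is counted only in the
 * auth branch. fixed == 1 counts it unconditionally, matching the writes. */
static size_t msg_size(const struct req *r, int fixed)
{
    size_t size = sizeof(uint32_t) + strlen(r->upn);
    if (fixed) size += sizeof(uint32_t);                 /* domain_type */
    if (r->is_auth) {
        size += sizeof(uint32_t) + strlen(r->ccname);
        if (!fixed) size += sizeof(uint32_t);            /* domain_type */
    }
    return size;
}

/* Returns 0, ENOMEM, ERANGE (writes exceed the computed size) or EINVAL
 * (buffer under-filled); *used receives the bytes actually written. */
int pack(const struct req *r, int fixed, size_t *used)
{
    struct wbuf b = { NULL, msg_size(r, fixed), 0 };
    int ret;

    b.data = malloc(b.size);
    if (b.data == NULL) return ENOMEM;
    ret = put_str(&b, r->upn);
    if (ret == 0 && r->is_auth) ret = put_str(&b, r->ccname);
    if (ret == 0) ret = put_u32(&b, r->domain_type);     /* every command */
    if (ret == 0 && b.pos != b.size) ret = EINVAL;
    *used = b.pos;
    free(b.data);
    return ret;
}

int main(void)
{
    struct req authz = { 0, "alice@EXAMPLE.TEST", "", 1 };  /* constructed */
    size_t used;
    printf("unfixed: %d\n", pack(&authz, 0, &used));
    printf("fixed:   %d\n", pack(&authz, 1, &used));
    return 0;
}
```

The final `b.pos != b.size` check catches the opposite drift, where the size term counts a field that is never written.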

[SSSD] [sssd PR#293][opened] certmap: Remove unnecessary included files

2017-06-01 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/293
Author: lslebodn
 Title: #293: certmap: Remove unnecessary included files
Action: opened

PR body:
"""
Patch also replaces util.h in places where it was not needed directly
and directly includes the required header files.

+ some patches to reduce util/util.h
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/293/head:pr293
git checkout pr293
From b571075f53e0e9356e489f19607adc0f9c35aa6b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Sat, 27 May 2017 16:21:21 +0200
Subject: [PATCH 01/10] codegen: Remove util.h from generated files

---
 src/monitor/monitor_iface_generated.c  | 5 -
 src/monitor/monitor_iface_generated.h  | 1 +
 src/providers/data_provider/dp_iface_generated.c   | 5 -
 src/providers/data_provider/dp_iface_generated.h   | 1 +
 src/providers/proxy/proxy_iface_generated.c| 5 -
 src/providers/proxy/proxy_iface_generated.h| 1 +
 src/responder/common/iface/responder_iface_generated.c | 5 -
 src/responder/common/iface/responder_iface_generated.h | 1 +
 src/responder/ifp/ifp_iface_generated.c| 5 -
 src/responder/ifp/ifp_iface_generated.h| 1 +
 src/responder/nss/nss_iface_generated.c| 5 -
 src/responder/nss/nss_iface_generated.h| 1 +
 src/sbus/sbus_codegen  | 6 +-
 src/tests/sbus_codegen_tests_generated.c   | 5 -
 src/tests/sbus_codegen_tests_generated.h   | 1 +
 15 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/src/monitor/monitor_iface_generated.c b/src/monitor/monitor_iface_generated.c
index 1ff1d4bb6..066612cc0 100644
--- a/src/monitor/monitor_iface_generated.c
+++ b/src/monitor/monitor_iface_generated.c
@@ -1,6 +1,9 @@
 /* The following definitions are auto-generated from monitor_iface.xml */
 
-#include "util/util.h"
+#include 
+
+#include "dbus/dbus-protocol.h"
+#include "util/util_errors.h"
 #include "sbus/sssd_dbus.h"
 #include "sbus/sssd_dbus_meta.h"
 #include "sbus/sssd_dbus_invokers.h"
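
Review bot: this file is marked as auto-generated from monitor_iface.xml in its first line, so the include change should appear here only as the result of regenerating with the updated src/sbus/sbus_codegen listed in the diffstat, not as a hand edit of the output. The commit message has no body; a sentence saying which declarations from the removed "util/util.h" the generated code still needs (hence "dbus/dbus-protocol.h" and "util/util_errors.h") would let a reader check that the replacement set is complete for every generated file.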
diff --git a/src/monitor/monitor_iface_generated.h b/src/monitor/monitor_iface_generated.h
index a4647fcb9..58cc6f518 100644
--- a/src/monitor/monitor_iface_generated.h
+++ b/src/monitor/monitor_iface_generated.h
@@ -4,6 +4,7 @@
 #define __MONITOR_IFACE_XML__
 
 #include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_meta.h"
 
 /* 
  * DBus Constants
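
Review bot: the added include of "sbus/sssd_dbus_meta.h" in this generated header is not explained, and the context lines of the matching .c hunk show that file already including "sbus/sssd_dbus_meta.h" directly. If the header needs it to be self-contained once "util/util.h" is gone, please say so in the commit message; otherwise it looks redundant.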
diff --git a/src/providers/data_provider/dp_iface_generated.c b/src/providers/data_provider/dp_iface_generated.c
index 25ec0e29b..e2e0216bd 100644
--- a/src/providers/data_provider/dp_iface_generated.c
+++ b/src/providers/data_provider/dp_iface_generated.c
@@ -1,6 +1,9 @@
 /* The following definitions are auto-generated from dp_iface.xml */
 
-#include "util/util.h"
+#include 
+
+#include "dbus/dbus-protocol.h"
+#include "util/util_errors.h"
 #include "sbus/sssd_dbus.h"
 #include "sbus/sssd_dbus_meta.h"
 #include "sbus/sssd_dbus_invokers.h"
diff --git a/src/providers/data_provider/dp_iface_generated.h b/src/providers/data_provider/dp_iface_generated.h
index c14b810cf..b7f63fb43 100644
--- a/src/providers/data_provider/dp_iface_generated.h
+++ b/src/providers/data_provider/dp_iface_generated.h
@@ -4,6 +4,7 @@
 #define __DP_IFACE_XML__
 
 #include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_meta.h"
 
 /* 
  * DBus Constants
diff --git a/src/providers/proxy/proxy_iface_generated.c b/src/providers/proxy/proxy_iface_generated.c
index 425727d14..9fb5b2c32 100644
--- a/src/providers/proxy/proxy_iface_generated.c
+++ b/src/providers/proxy/proxy_iface_generated.c
@@ -1,6 +1,9 @@
 /* The following definitions are auto-generated from proxy_iface.xml */
 
-#include "util/util.h"
+#include 
+
+#include "dbus/dbus-protocol.h"
+#include "util/util_errors.h"
 #include "sbus/sssd_dbus.h"
 #include "sbus/sssd_dbus_meta.h"
 #include "sbus/sssd_dbus_invokers.h"
diff --git a/src/providers/proxy/proxy_iface_generated.h b/src/providers/proxy/proxy_iface_generated.h
index 7af074fa3..6471eafae 100644
--- a/src/providers/proxy/proxy_iface_generated.h
+++ b/src/providers/proxy/proxy_iface_generated.h
@@ -4,6 +4,7 @@
 #define __PROXY_IFACE_XML__
 
 #include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_meta.h"
 
 /* 
  * DBus Constants
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
index 837e67cfd..21cc14a78 100644
--- a/src/responder/common/iface/responder_iface_generated.c
+++ b/src/responder/common/iface/responder_iface_generated.c
@@ -1,6 +1,9 @@
 /* The following definitions are auto-generated from responder_iface.xml */
 
-#include "util/util.h"
+#include 
+
+#include