[SSSD] PRs priorities for this release

2017-09-21 Thread Fabiano Fidêncio
People,

We have 27 PRs open at the moment I'm writing this email and I'd
like to have a clear idea which ones are the *must* have for our next
release.

- Fix group renaming issue when "id_provider = ldap" is set
(https://github.com/SSSD/sssd/pull/128)
  We have a bugzilla for this one. Code has been reviewed and last
comments addressed.

- Add "Wants=" to sssd unit (https://github.com/SSSD/sssd/pull/132)
  We don't have a bugzilla for this one. IMO, this can be postponed
for the next release.

- Initial revision of sssd pytest framework
(https://github.com/SSSD/sssd/pull/139)
  This PR will be reviewed on a phone session. IMO, this can be
postponed for the next release.

- Add module for starting services (https://github.com/SSSD/sssd/pull/175)
  This PR has been stalled for quite a long time. Although the
idea/work seems quite nice, I don't see this one as something that we
should prioritize. So, IMO, this can be postponed for the next
release.

- TEST: Adding krb5-libs to dependencies (https://github.com/SSSD/sssd/pull/218)
  This PR has been stalled since celestian left the project. It's
something good to have but far from having high priority. IMO, this
can be postponed to the next release.

- changing all talloc_get_type() with talloc_get_type_abort()
(https://github.com/SSSD/sssd/pull/231)
  This PR has been stalled for quite a long time. Can easily be
postponed to the next release.

- provider: Move hostid from ipa to sdap (https://github.com/SSSD/sssd/pull/237)
  This PR comes from an external contributor and as far as I
understood they changed whatever has been requested. IMO this should
be part of this release.

- Subdomain inherit (https://github.com/SSSD/sssd/pull/247):
  This PR has been stalled for a long time and according to the
discussion in our phone meeting today, it can be postponed to the next
release.

- Update sss_override.c (https://github.com/SSSD/sssd/pull/260)
  This PR has been stalled for some time and, IMO, can be postponed to
the next release.

- Add support for ActiveDirectory's logonHorous restrictions
(https://github.com/SSSD/sssd/pull/269)
  This PR comes from an external contributor and as far as I
understood there's still some work to be done. So, it should be postponed
to the next release.

- Merge sss_cache and sss_debuglevel into sssctl
(https://github.com/SSSD/sssd/pull/274)
  This PR seems to be in a good shape and justin addressed the last
comments. IMO, should be part of this release.

- Implement access verification by rhost using ldap_access_order rhost
option (https://github.com/SSSD/sssd/pull/275)
   By the comments I'm not sure whether or not we should have
it in the next release. In any case, we must provide feedback to the
external contributor.

- Print a warning when enumeration is requested but disabled
(https://github.com/SSSD/sssd/pull/334)
  Already acked.

- Fix for few el6 gcc warnings (https://github.com/SSSD/sssd/pull/371)
- This patch set fixes a bunch warnings (https://github.com/SSSD/sssd/pull/377)
  PR 377 has all the patches contained in PR 371. None of those has
high priority IMO and both could just be postponed to the next
release.

- ldap: Change ldap_user_certificate to userCertificate;binary
(https://github.com/SSSD/sssd/pull/372)
   Already reviewed. Whoever pushes the patches could squash the
patches instead of waiting for the contributor. In any case, it
should be part of this release.

- intg: Add sanity tests for pysss_nss_idmap
(https://github.com/SSSD/sssd/pull/373)
  Already acked.

- IPA: Add threshold for sudo command and command group searches
(https://github.com/SSSD/sssd/pull/374)
   Does it have some bugzilla linked? I guess it would be nice to be
reviewed and pushed for this release.

- sssd-1.13 Backported patches for ticket 3505
(https://github.com/SSSD/sssd/pull/375)
  Doesn't affect our release at all

- [RFC] Use GNULIB's compiler warning code
(https://github.com/SSSD/sssd/pull/378)
   IMO this one can be postponed to the next release

- CI: Enable pep8 check (https://github.com/SSSD/sssd/pull/379)
   IMO this one can be postponed to the next release

- intg: prevent "TypeError: mustbe type, not classobj"
(https://github.com/SSSD/sssd/pull/386)
   There's a small change requested that can be done by whoever pushes
the patches instead of waiting for the contributor.

- Setting ldap_sudo_include_regexp to false
(https://github.com/SSSD/sssd/pull/387)
  Should be part of the 2.0 release in the future

- sssd_client: add mutex protected call to the PAC responder
(https://github.com/SSSD/sssd/pull/389)
   Should be part of this release

- NSS: Add option to disabled memcache (https://github.com/SSSD/sssd/pull/390)
  IMO this one can be postponed to the next release

- Use dbus-daemon in cwrap environment for test
(https://github.com/SSSD/sssd/pull/391)
  IMO this one can be postponed to the next release

- GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found
  IMO this one should be part of this release

[SSSD] [sssd PR#374][comment] IPA: Add threshold for sudo command and command group searches

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/374
Title: #374: IPA: Add threshold for sudo command and command group searches

jhrozek commented:
"""
ping @pbrezina do you have time to review this PR?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/374#issuecomment-331259509
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#218][+Accepted] TEST: Adding krb5-libs to dependencies

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/218
Title: #218: TEST: Adding krb5-libs to dependencies

Label: +Accepted


[SSSD] [sssd PR#218][comment] TEST: Adding krb5-libs to dependencies

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/218
Title: #218: TEST: Adding krb5-libs to dependencies

jhrozek commented:
"""
LGTM
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/218#issuecomment-331258743


[SSSD] [sssd PR#372][comment] ldap: Change ldap_user_certificate to userCertificate; binary

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/372
Title: #372: ldap: Change ldap_user_certificate to userCertificate;binary

jhrozek commented:
"""
Thank you, this is what I wanted, but please squash the two patches together so 
we can push them as one (I think all the changes constitute one logical change, 
so it should be OK to push them both as one patch)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/372#issuecomment-331258415


[SSSD] [sssd PR#334][+Accepted] Print a warning when enumeration is requested but disabled

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/334
Title: #334: Print a warning when enumeration is requested but disabled

Label: +Accepted


[SSSD] [sssd PR#334][comment] Print a warning when enumeration is requested but disabled

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/334
Title: #334: Print a warning when enumeration is requested but disabled

jhrozek commented:
"""
This works fine. I just noticed a missing space after opening `(` but I don't 
think it's worth requesting another patch version:
```
if(cr->rctx->enumeration_warn_logged
```

So please whoever is pushing this patch, fix the whitespace.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/334#issuecomment-331257915


[SSSD] [sssd PR#334][-Changes requested] Print a warning when enumeration is requested but disabled

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/334
Title: #334: Print a warning when enumeration is requested but disabled

Label: -Changes requested


[SSSD] [sssd PR#274][-Changes requested] Merge sss_cache and sss_debuglevel into sssctl

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/274
Title: #274: Merge sss_cache and sss_debuglevel into sssctl

Label: -Changes requested


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Simo Sorce
On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > Here you are.
> > > local master: kvm-02-guest11.testrelm.test
> > > replica: bkr-hv01-guest19.testrelm.test
> > > 
> > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > includedir /etc/krb5.conf.d/
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > 
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > > 
> > > [libdefaults]
> > >  default_realm = TESTRELM.TEST
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = true
> > 
> > This sounds wrong on a master
> 
> no, you need this to find any AD DC in a trusted forest.

Shouldn't SSSD do that for us via proper site discovery ?

Simo.

> bye,
> Sumit
> 
> > 
> > Simo.
> > 
> > -- 
> > Simo Sorce
> > Sr. Principal Software Engineer
> > Red Hat, Inc
> > 

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[SSSD] [sssd PR#274][comment] Merge sss_cache and sss_debuglevel into sssctl

2017-09-21 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/274
Title: #274: Merge sss_cache and sss_debuglevel into sssctl

justin-stephenson commented:
"""
@lslebodn comments addressed, I was primarily following similar sssctl 
functions as an example.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/274#issuecomment-331213596


[SSSD] [sssd PR#274][synchronized] Merge sss_cache and sss_debuglevel into sssctl

2017-09-21 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/274
Author: justin-stephenson
 Title: #274: Merge sss_cache and sss_debuglevel into sssctl
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/274/head:pr274
git checkout pr274
From a2c36d90b23f7089f32b56fc8579cce18265ec0d Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 12 May 2017 23:10:18 -0400
Subject: [PATCH 1/3] SSSCTL: Move sss_debuglevel to sssctl debug-level

Move code from sss_debuglevel to sssctl_logs.c and add new debug-logs
sssctl command to perform the same task of changing debug level
dynamically.

POPT_CONTEXT_KEEP_FIRST Flag added to poptGetContext call in
sssctl_debug_level() to fix argument parsing.

Resolves:
https://pagure.io/SSSD/sssd/issue/3057
---
 src/tools/common/sss_tools.c   |   7 -
 src/tools/common/sss_tools.h   |   7 +-
 src/tools/sss_debuglevel.c | 323 -
 src/tools/sssctl/sssctl.c  |   1 +
 src/tools/sssctl/sssctl.h  |   4 +
 src/tools/sssctl/sssctl_logs.c | 294 +
 6 files changed, 305 insertions(+), 331 deletions(-)
 delete mode 100644 src/tools/sss_debuglevel.c

diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 97a3caab3..0b676341f 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -30,13 +30,6 @@
 #include "db/sysdb.h"
 #include "tools/common/sss_tools.h"
 
-struct sss_cmdline {
-const char *exec; /* argv[0] */
-const char *command; /* command name */
-int argc; /* rest of arguments */
-const char **argv;
-};
-
 static void sss_tool_print_common_opts(int min_len)
 {
 fprintf(stderr, _("Common options:\n"));
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
index 49da7d634..848009365 100644
--- a/src/tools/common/sss_tools.h
+++ b/src/tools/common/sss_tools.h
@@ -38,7 +38,12 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
   int *argc, const char **argv,
   struct sss_tool_ctx **_tool_ctx);
 
-struct sss_cmdline;
+struct sss_cmdline {
+const char *exec; /* argv[0] */
+const char *command; /* command name */
+int argc; /* rest of arguments */
+const char **argv;
+};
 
 typedef errno_t
 (*sss_route_fn)(struct sss_cmdline *cmdline,
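Review bot: `struct sss_cmdline` stops being opaque here, which is what lets the new sssctl_logs.c reach `cmdline->argc`/`cmdline->argv`, but the header gains the definition without a word about ownership; add a comment that the struct is filled in by the tool router before the `sss_route_fn` callback runs and that callbacks must treat `argv` as read-only, otherwise the first command that pops arguments in place will confuse every later route.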
diff --git a/src/tools/sss_debuglevel.c b/src/tools/sss_debuglevel.c
deleted file mode 100644
index e8b156ea1..0
--- a/src/tools/sss_debuglevel.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/*
-Authors:
-Pavel Březina 
-
-Copyright (C) 2011 Red Hat
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see .
-*/
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "util/util.h"
-#include "tools/tools_util.h"
-#include "tools/common/sss_process.h"
-#include "confdb/confdb.h"
-
-#define CHECK(expr, done, msg) do { \
-if (expr) { \
-ERROR(msg "\n"); \
-goto done; \
-} \
-} while(0)
-
-struct debuglevel_tool_ctx {
-struct confdb_ctx *confdb;
-char **sections;
-};
-
-static errno_t set_debug_level(struct debuglevel_tool_ctx *tool_ctx,
-   int debug_to_set, const char *config_file);
-static errno_t connect_to_confdb(TALLOC_CTX *ctx, struct confdb_ctx **cdb_ctx);
-static errno_t get_confdb_sections(TALLOC_CTX *ctx, struct confdb_ctx *confdb,
-   char ***output_sections);
-static int parse_debug_level(const char *strlevel);
-
-int main(int argc, const char **argv)
-{
-int ret;
-int pc_debug = SSSDBG_DEFAULT;
-int debug_to_set = SSSDBG_INVALID;
-const char *debug_as_string = NULL;
-const char *config_file = NULL;
-const char *pc_config_file = NULL;
-struct debuglevel_tool_ctx *ctx = NULL;
-struct poptOption long_options[] = {
-POPT_AUTOHELP
-{"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
-0, _("The debug level to run with"), NULL },
-{"config", 'c', POPT_ARG_STRING, &pc_config_file,
-0, _("Specify a non-default config file"), NULL},
-POPT_TABLEEND
-};
-poptContext pc = NULL;
-
-debug_prg_name = argv[0];
-
-/* parse parameters */
-pc = poptGetContext(argv[0], argc, argv, l
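Review bot: the diffstat for this patch lists six files and no Makefile.am or man page, yet src/tools/sss_debuglevel.c is deleted outright; unless the build rule for the sss_debuglevel binary is removed in one of the other touched files, this commit by itself no longer builds and bisecting the series breaks. Fold the Makefile.am and sss_debuglevel(8) removal into this patch, or keep the old binary as a thin wrapper around the new subcommand until the end of the series. The deleted `main()` also accepted `-c/--config` for a non-default config file; make sure the replacement keeps that option. Finally, the commit message names the new subcommand inconsistently, `sssctl debug-level` in the subject and `debug-logs` in the body; pick one.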

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Sumit Bose
On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > Here you are.
> > local master: kvm-02-guest11.testrelm.test
> > replica: bkr-hv01-guest19.testrelm.test
> > 
> > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> > 
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> >  default_realm = TESTRELM.TEST
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> 
> This sounds wrong on a master

no, you need this to find any AD DC in a trusted forest.

bye,
Sumit

> 
> Simo.
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> 


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Sumit Bose
On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 18:44), Sumit Bose wrote:
> >On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >> ehlo,
> >> 
> >> I realized that it might be better to discuss it here rather than in
> >> pull requests because it seems to be related to two different commits.
> >> 
> >> I will describe a test case on master with already created replica on 
> >> another
> >> host.
> >> * kinit as admin
> >> // create user with dummy password
> >> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>     --password
> >> 
> >> // adding sleep; I think that the first kinit sometimes hits the slave and the
> >> // user is not replicated yet.
> >> * sleep 2
> >> * FirstKinitAs $login $dummypw $password
> >> 
> >> FirstKinitAs is a bash function which changes the initial password,
> >> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >> 
> >> Such test works reliably with 1.15.3 and kinit always talk to local master
> >> (I didn't try to remove sleep 2)
> >> 
> >> 
> >> But situation changed a little bit with git master due to following commits
> >> IPA: Only generate kdcinfo files on clients
> >> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >
> >Do you have the /etc/krb5.conf available from the host where the test
> >failed. The above patch was written with the assumption that
> >/etc/krb5.conf on the IPA server points to the server itself as
> >ipa-server-install creates it:
> >
> >[realms]
> > IPA.DEVEL = {
> >  kdc = ipa-devel.ipa.devel:88
> >  master_kdc = ipa-devel.ipa.devel:88
> >  admin_server = ipa-devel.ipa.devel:749
> >  default_domain = ipa.devel
> >  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >}
> >
> >Currently I would assume that at least admin_server is missing.
> >
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
> 
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  TESTRELM.TEST = {
>   kdc = kvm-02-guest11.testrelm.test:88
>   master_kdc = kvm-02-guest11.testrelm.test:88
>   admin_server = kvm-02-guest11.testrelm.test:749
>   default_domain = testrelm.test
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }

Thank you, so the krb5.conf has the expected entries. I did some testing
and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
although the man page says:

"""
   kpasswd_server
  Points to the server where all the password changes are
performed.  If there is no such entry, the port 464 on the admin_server
host will be tried.
"""

To me it looks like the advertised fallback to admin_server if there is
no kpasswd_server defined does not work.

Robbie, is this expected or is it possible that there is an issue in
libkrb5?

bye,
Sumit

> 
> [domain_realm]
>  .testrelm.test = TESTRELM.TEST
>  testrelm.test = TESTRELM.TEST
>  kvm-02-guest11.testrelm.test = TESTRELM.TEST
> 
> [dbmodules]
>   TESTRELM.TEST = {
> db_library = ipadb.so
>   }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
> ipa-certauth
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
> domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
> [domain_realm]
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
> [libdefaults]
>  canonicalize = true
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>  }
> 
> 
> 
> 
> 
> 
> -
> Added user "delegatuser2"
> -
>   User login: delegatuser2
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/delegatuser2
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: delegatus...@testrelm.test
>   Principal alias: delegatus...@testrelm.test
>   Email address: delegatus...@testrelm.test
>   UID: 1622800023
>   GID: 1622800023
>   Password: True
>   Member of groups: ipaus
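
A check for the situation Sumit describes above, added here as an example; it is not code from SSSD, MIT krb5 or IPA. It parses the [libdefaults] and [realms] sections of a krb5.conf (the sample is constructed from the /etc/krb5.conf posted in the thread) and reports, per realm, how libkrb5 may locate the kpasswd service: an explicit kpasswd_server if set, otherwise the admin_server host on port 464 (the fallback the quoted man page advertises) and, while dns_lookup_kdc is true, the _kpasswd._udp.<REALM> SRV record it is allowed to query. Whichever of the two paths libkrb5 really takes, pinning kpasswd_server takes DNS out of the decision, which is what the test needs on a master. The parser handles only the subset of syntax in the sample and does not follow includedir.

```python
"""Report where libkrb5 may send a password change for each realm in a krb5.conf.
Added example, not SSSD/MIT krb5 code; the sample is constructed from the thread."""
import re
from dataclasses import dataclass, field

KPASSWD_PORT = 464  # used on the admin_server host when no kpasswd_server is set

SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
 }
"""


@dataclass
class RealmConf:
    kdc: list = field(default_factory=list)
    admin_server: str = None
    kpasswd_server: str = None


def parse_krb5_conf(text):
    """Minimal reader: flat 'key = value' sections plus 'REALM = { ... }' blocks in [realms]."""
    sections, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                realms[realm] = RealmConf()
                continue
            if line == "}":
                realm = None
                continue
            if realm is not None:
                key, _, value = (s.strip() for s in line.partition("="))
                if key == "kdc":
                    realms[realm].kdc.append(value)
                elif key in ("admin_server", "kpasswd_server"):
                    setattr(realms[realm], key, value)
                continue
        if section is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            sections[section][key] = value
    return sections, realms


def kpasswd_targets(sections, realms):
    """Per realm: whether kpasswd is pinned, the host:port used when DNS does not
    intervene, and the SRV name libkrb5 may query while dns_lookup_kdc is on."""
    # MIT krb5 treats an absent dns_lookup_kdc as true.
    dns = sections.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    report = {}
    for name, rc in realms.items():
        if rc.kpasswd_server:
            hp = rc.kpasswd_server if ":" in rc.kpasswd_server else f"{rc.kpasswd_server}:{KPASSWD_PORT}"
            report[name] = {"pinned": True, "target": hp, "srv": None}
            continue
        host = rc.admin_server.split(":")[0] if rc.admin_server else None
        report[name] = {
            "pinned": False,
            "target": f"{host}:{KPASSWD_PORT}" if host else None,
            "srv": f"_kpasswd._udp.{name}" if dns else None,
        }
    return report


def suggest_pin(name, rc):
    """krb5.conf line pinning password changes to the admin_server host (the local master above)."""
    if not rc.admin_server:
        raise ValueError(f"{name}: no admin_server to pin kpasswd to")
    return f"kpasswd_server = {rc.admin_server.split(':')[0]}:{KPASSWD_PORT}"


if __name__ == "__main__":
    secs, rlms = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm_name, info in kpasswd_targets(secs, rlms).items():
        print(realm_name, info, "" if info["pinned"] else suggest_pin(realm_name, rlms[realm_name]))
```

Run against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; a realm reported with `pinned: False` and a non-empty `srv` is one where a password change may leave the local master even though `kdc`/`master_kdc` point at it.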

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Simo Sorce
On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
> 
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true

This sounds wrong on a master

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[SSSD] [sssd PR#389][comment] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

sumit-bose commented:
"""
new version pushed
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/389#issuecomment-331189434


[SSSD] [sssd PR#389][-Changes requested] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

Label: -Changes requested


[SSSD] [sssd PR#389][synchronized] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/389
Author: sumit-bose
 Title: #389: sssd_client: add mutex protected call to the PAC responder
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/389/head:pr389
git checkout pr389
From 98ec1d09a378aabb7d08fb60a3493d480558639e Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 18 Sep 2017 15:00:53 +0200
Subject: [PATCH] sssd_client: add mutex protected call to the PAC responder

SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients.

If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s is passed.

This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.

Resolves https://pagure.io/SSSD/sssd/issue/3518
---
 Makefile.am   |  20 +
 src/sss_client/common.c   |  30 +++
 src/sss_client/sss_cli.h  |   7 ++
 src/sss_client/sss_pac_responder_client.c | 137 ++
 src/sss_client/sssd_pac.c |   4 +-
 src/tests/intg/Makefile.am|   1 +
 src/tests/intg/test_pac_responder.py  | 120 ++
 7 files changed, 317 insertions(+), 2 deletions(-)
 create mode 100644 src/sss_client/sss_pac_responder_client.c
 create mode 100644 src/tests/intg/test_pac_responder.py

diff --git a/Makefile.am b/Makefile.am
index f1f467100..ed50c4219 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3523,6 +3523,9 @@ endif
 if BUILD_WITH_LIBCURL
 noinst_PROGRAMS += tcurl-test-tool
 endif
+if BUILD_PAC_RESPONDER
+noinst_PROGRAMS += sssd_pac_test_client
+endif
 
 if BUILD_AUTOFS
 autofs_test_client_SOURCES = \
@@ -4257,6 +4260,23 @@ sssd_pac_plugin_la_LDFLAGS = \
 -avoid-version \
 -module
 
+sssd_pac_test_client_SOURCES = \
+src/sss_client/sss_pac_responder_client.c \
+src/sss_client/common.c \
+src/util/strtonum.c \
+src/sss_client/sss_cli.h \
+src/sss_client/krb5_authdata_int.h \
+$(NULL)
+sssd_pac_test_client_CFLAGS = \
+$(AM_CFLAGS) \
+$(KRB5_CFLAGS) \
+$(NULL)
+sssd_pac_test_client_LDADD = \
+$(CLIENT_LIBS) \
+$(KRB5_LIBS) \
+-lpthread \
+$(NULL)
+
 # python[23] bindings
 pysss_la_SOURCES = \
 $(SSSD_TOOLS_OBJ) \
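Review bot: `sssd_pac_test_client_LDADD` hard-codes `-lpthread` while the client code it links (common.c, further down in this patch) compiles the mutex wrappers out when pthreads are unavailable; use the same pthread flags and conditional the existing client libraries use so the two stay consistent. Since the binary is only a `noinst_PROGRAMS` entry, add a comment at the target saying it exists to be driven by src/tests/intg/test_pac_responder.py, so nobody wonders why it is never run by `make check` directly.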
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index b7a5ed760..b527c046e 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -821,6 +821,22 @@ int sss_pac_make_request(enum sss_cli_command cmd,
 }
 }
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop)
+{
+int ret;
+
+sss_pac_lock();
+
+ret = sss_pac_make_request(cmd, rd, repbuf, replen, errnop);
+
+sss_pac_unlock();
+
+return ret;
+}
+
 errno_t check_server_cred(int sockfd)
 {
 #ifdef HAVE_UCRED
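Review bot: `sss_pac_make_request()` stays exported and unlocked beside the new `sss_pac_make_request_with_lock()`, so the race described in the commit message is closed only if every caller moves to the locked variant (the diffstat shows a 4-line change to sssd_pac.c, presumably that switch); consider making the unlocked function static so no future caller picks it by accident. The tradeoff is also worth a sentence in a function comment: while one thread's request sits out the 300s client timeout, every other thread now blocks in `sss_pac_lock()` rather than mis-reading a reply, which is intended but not obvious from a three-line wrapper.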
@@ -1079,6 +1095,8 @@ static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
 static struct sss_mutex sss_nss_mc_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
+static struct sss_mutex sss_pac_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
+
 static void sss_mt_lock(struct sss_mutex *m)
 {
 pthread_mutex_lock(&m->mtx);
@@ -1121,6 +1139,16 @@ void sss_nss_mc_unlock(void)
 sss_mt_unlock(&sss_nss_mc_mtx);
 }
 
+/* PAC mutex wrappers */
+void sss_pac_lock(void)
+{
+sss_mt_lock(&sss_pac_mtx);
+}
+void sss_pac_unlock(void)
+{
+sss_mt_unlock(&sss_pac_mtx);
+}
+
 #else
 
 /* sorry no mutexes available */
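Review bot: `sss_pac_lock()`/`sss_pac_unlock()` are new global symbols, but the sss_cli.h hunk in this mail only shows a prototype for `sss_pac_make_request_with_lock()`; if the lock wrappers are not declared anywhere, either add their prototypes alongside the existing NSS/PAM lock wrapper declarations or make them static, since the only user in this patch is the wrapper in the same file.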
@@ -1130,6 +1158,8 @@ void sss_pam_lock(void) { return; }
 void sss_pam_unlock(void) { return; }
 void sss_nss_mc_lock(void) { return; }
 void sss_nss_mc_unlock(void) { return; }
+void sss_pac_lock(void) { return; }
+void sss_pac_unlock(void) { return; }
 #endif
 
 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 038406dec..0b97d492e 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -585,6 +585,11 @@ int sss_pac_make_request(enum sss_cli_command cmd,
  uint8_t **repbuf, size_t *replen,
  int *errnop);
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop);
+
 int sss_sudo_make_request(enum sss_cli_command cmd,
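Review bot: the new prototype sits directly under `sss_pac_make_request()` with nothing to tell a reader which one to use; add a short comment that this variant serialises the exchange with the responder behind a process-wide mutex and is the one to call from the libkrb5 PAC plugin, with the unlocked one kept for single-threaded callers only.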
  

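The failure mode the commit message describes, modelled as an added Python example; this is not SSSD's code or the PR's. One responder thread answers requests in arrival order over a socketpair, and two client threads share the single client socket, as SSSD's client code shares one per-process connection to a responder. The 4-byte request-id wire format is constructed for the example, and in the unlocked case the bad interleaving is forced with events so the mix-up reproduces every time instead of depending on timing (in the real client the losing thread waits for a reply another thread already consumed, up to the 300s timeout named above). With the lock, send and receive become one critical section and every thread gets its own reply, which is what `sss_pac_make_request_with_lock()` provides.

```python
"""Model of the shared-socket reply mix-up that a per-responder mutex prevents.
Added example, not SSSD or PR code; wire format (4-byte id) is constructed."""
import socket
import struct
import threading

HDR = struct.Struct("!I")  # request id, echoed back as the reply id


def responder(sock, n_requests):
    """Read one id at a time and echo it back; stands in for the PAC responder."""
    for _ in range(n_requests):
        req = sock.recv(HDR.size, socket.MSG_WAITALL)
        sock.sendall(HDR.pack(HDR.unpack(req)[0]))


def make_request(sock, req_id, lock=None, between=None):
    """Send req_id on the shared socket and return the id carried by the reply.

    lock=None is the unlocked path; a threading.Lock makes send+recv a single
    critical section. `between` is a hook run between send and recv, used below
    only to force one interleaving so the mix-up is reproducible.
    """
    def exchange():
        sock.sendall(HDR.pack(req_id))
        if between is not None:
            between()
        return HDR.unpack(sock.recv(HDR.size, socket.MSG_WAITALL))[0]

    if lock is None:
        return exchange()
    with lock:
        return exchange()


def run_pair(use_lock):
    """Two clients send ids 1 and 2 on one shared socket; return {sent_id: reply_id}.

    Unlocked, the forced order is send(1), send(2), recv by thread 2, recv by
    thread 1: the responder answers in arrival order, so thread 2 consumes reply 1
    and thread 1 is left with reply 2. Locked, each thread gets its own reply.
    """
    client, server = socket.socketpair()
    srv = threading.Thread(target=responder, args=(server, 2))
    srv.start()
    lock = threading.Lock() if use_lock else None
    first_sent, second_done = threading.Event(), threading.Event()
    results = {}

    def first():
        def let_second_go_first():
            first_sent.set()      # request 1 is on the wire ...
            second_done.wait()    # ... let the other thread send and read before we read
        results[1] = make_request(client, 1, lock, None if use_lock else let_second_go_first)

    def second():
        if not use_lock:
            first_sent.wait()     # send only once request 1 is already queued
        results[2] = make_request(client, 2, lock)
        second_done.set()

    threads = [threading.Thread(target=first), threading.Thread(target=second)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    srv.join()
    client.close()
    server.close()
    return results


if __name__ == "__main__":
    print("unlocked:", run_pair(use_lock=False))  # {1: 2, 2: 1}: each thread got the other's reply
    print("locked:  ", run_pair(use_lock=True))   # {1: 1, 2: 2}
```

The lock has to cover the whole exchange, not just the send: a lock released between `sendall` and `recv` would still let another thread's request slip in ahead of the read and reproduce the unlocked result.
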
[SSSD] [sssd PR#274][+Changes requested] Merge sss_cache and sss_debuglevel into sssctl

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/274
Title: #274: Merge sss_cache and sss_debuglevel into sssctl

Label: +Changes requested


[SSSD] [sssd PR#389][synchronized] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/389
Author: sumit-bose
 Title: #389: sssd_client: add mutex protected call to the PAC responder
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/389/head:pr389
git checkout pr389
From 8f27be08378768ed52176d383bf804e82bcd4b74 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 18 Sep 2017 15:00:53 +0200
Subject: [PATCH] sssd_client: add mutex protected call to the PAC responder

SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients.

If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s is passed.

This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.

Resolves https://pagure.io/SSSD/sssd/issue/3518
---
 Makefile.am   |  20 +
 src/sss_client/common.c   |  30 +++
 src/sss_client/sss_cli.h  |   7 ++
 src/sss_client/sss_pac_responder_client.c | 137 ++
 src/sss_client/sssd_pac.c |   4 +-
 src/tests/intg/Makefile.am|   1 +
 src/tests/intg/test_pac_responder.py  | 120 ++
 7 files changed, 317 insertions(+), 2 deletions(-)
 create mode 100644 src/sss_client/sss_pac_responder_client.c
 create mode 100644 src/tests/intg/test_pac_responder.py

diff --git a/Makefile.am b/Makefile.am
index f1f467100..ed50c4219 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3523,6 +3523,9 @@ endif
 if BUILD_WITH_LIBCURL
 noinst_PROGRAMS += tcurl-test-tool
 endif
+if BUILD_PAC_RESPONDER
+noinst_PROGRAMS += sssd_pac_test_client
+endif
 
 if BUILD_AUTOFS
 autofs_test_client_SOURCES = \
@@ -4257,6 +4260,23 @@ sssd_pac_plugin_la_LDFLAGS = \
 -avoid-version \
 -module
 
+sssd_pac_test_client_SOURCES = \
+src/sss_client/sss_pac_responder_client.c \
+src/sss_client/common.c \
+src/util/strtonum.c \
+src/sss_client/sss_cli.h \
+src/sss_client/krb5_authdata_int.h \
+$(NULL)
+sssd_pac_test_client_CFLAGS = \
+$(AM_CFLAGS) \
+$(KRB5_CFLAGS) \
+$(NULL)
+sssd_pac_test_client_LDADD = \
+$(CLIENT_LIBS) \
+$(KRB5_LIBS) \
+-lpthread \
+$(NULL)
+
 # python[23] bindings
 pysss_la_SOURCES = \
 $(SSSD_TOOLS_OBJ) \
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index b7a5ed760..b527c046e 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -821,6 +821,22 @@ int sss_pac_make_request(enum sss_cli_command cmd,
 }
 }
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop)
+{
+int ret;
+
+sss_pac_lock();
+
+ret = sss_pac_make_request(cmd, rd, repbuf, replen, errnop);
+
+sss_pac_unlock();
+
+return ret;
+}
+
 errno_t check_server_cred(int sockfd)
 {
 #ifdef HAVE_UCRED
@@ -1079,6 +1095,8 @@ static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
 static struct sss_mutex sss_nss_mc_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
+static struct sss_mutex sss_pac_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
+
 static void sss_mt_lock(struct sss_mutex *m)
 {
 pthread_mutex_lock(&m->mtx);
@@ -1121,6 +1139,16 @@ void sss_nss_mc_unlock(void)
 sss_mt_unlock(&sss_nss_mc_mtx);
 }
 
+/* PAC mutex wrappers */
+void sss_pac_lock(void)
+{
+sss_mt_lock(&sss_pac_mtx);
+}
+void sss_pac_unlock(void)
+{
+sss_mt_unlock(&sss_pac_mtx);
+}
+
 #else
 
 /* sorry no mutexes available */
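Review bot: missing blank line between the closing brace of `sss_pac_lock()` and the definition of `sss_pac_unlock()`, unlike the surrounding wrapper pairs. Also, the `sss_cli.h` hunk in this patch only declares `sss_pac_make_request_with_lock()`; if `sss_pac_lock()`/`sss_pac_unlock()` are meant to be used outside `common.c` they need prototypes too, otherwise they could stay file-local and the `_with_lock` wrapper would be the single entry point.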
@@ -1130,6 +1158,8 @@ void sss_pam_lock(void) { return; }
 void sss_pam_unlock(void) { return; }
 void sss_nss_mc_lock(void) { return; }
 void sss_nss_mc_unlock(void) { return; }
+void sss_pac_lock(void) { return; }
+void sss_pac_unlock(void) { return; }
 #endif
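Review bot: in the no-mutex branch the new stubs make `sss_pac_make_request_with_lock()` behave exactly like `sss_pac_make_request()`, so the `_with_lock` name promises serialization that such a build does not provide; this follows the existing `sss_pam_lock()`/`sss_nss_mc_lock()` stubs, but the header comment for the new function should state the limitation.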
 
 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 038406dec..0b97d492e 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -585,6 +585,11 @@ int sss_pac_make_request(enum sss_cli_command cmd,
  uint8_t **repbuf, size_t *replen,
  int *errnop);
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop);
+
 int sss_sudo_make_request(enum sss_cli_command cmd,
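Review bot: the new prototype lands in the public client header without a doc comment; since this is where callers look, state that the function wraps `sss_pac_make_request()` in the client-side PAC mutex and is the variant to use from multithreaded callers.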
  

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (21/09/17 13:33), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
>> On (21/09/17 13:22), Jakub Hrozek wrote:
>> >clients. But I thought krb5.conf should also contain only the local
>> >master..does the config file in the issue you saw contain something
>> >else?
>> >
>> >I mean, if we revert the patch and krb5.conf contains no records or multiple
>> >records, then I think the libkrb5 configuration is broken and we are relying
>> >on sssd injecting a valid value into an otherwise invalid krb5 configuration.
>> >
>> 
>> I'm waiting for the machine to see the content of krb5.conf and then I'll check
>> Sumit's assumption.
>
>I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
>libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
>the kdcinfo file would contain a v4 address.
>
>But then I guess reverting the patch and injecting the kdcinfo file
>would help..
If it's a bug in krb5-libs then we should fix it (because it can cause
intermittent failures in other tests);
* reverting the patch might be a temporary workaround.

LS
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>> 
>> I will describe a test case on master with an already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>--password
>> 
>> // adding sleep; I think that the first kinit sometimes hits the slave and the user is
>> // not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>> 
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> 
>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> (I didn't try to remove sleep 2)
>> 
>> 
>> But the situation changed a little bit with git master due to the following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>Currently I would assume that at least admin_server is missing.
>
Here you are.
local master: kvm-02-guest11.testrelm.test
replica: bkr-hv01-guest19.testrelm.test

[root@kvm-02-guest11 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 kvm-02-guest11.testrelm.test = TESTRELM.TEST

[dbmodules]
  TESTRELM.TEST = {
db_library = ipadb.so
  }

[root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
ipa-certauth
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

[root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
[domain_realm]
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
[libdefaults]
 canonicalize = true
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

-
Added user "delegatuser2"
-
  User login: delegatuser2
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/delegatuser2
  GECOS: first last
  Login shell: /bin/sh
  Principal name: delegatus...@testrelm.test
  Principal alias: delegatus...@testrelm.test
  Email address: delegatus...@testrelm.test
  UID: 1622800023
  GID: 1622800023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1'
[3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: delegatus...@testrelm.test
[3192] 1505997473.161781: Getting initial credentials for delegatus...@testrelm.test
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request t

[SSSD] [sssd PR#389][comment] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

lslebodn commented:
"""
On (21/09/17 06:25), sumit-bose wrote:
>@lslebodn, what changes are you requesting?
>

I had a few inline comments/questions.
Sorry for the confusion and missing context.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/389#issuecomment-331166108


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

lslebodn commented:
"""
On (21/09/17 12:13), Jakub Hrozek wrote:
>Since this is use-after-free and the only affected place is a DEBUG message 
>and even for the affected customer, the issue didn't cause a crash, the test 
>would be sanity only, but otherwise I guess not too complex.
>

If you are 100% sure that it is an issue only in a debug message then
we needn't have a ticket for it. It was not clear from the commit message
and I didn't try to dive into the details.

Based on the commit message, I had an assumption that the consequences of the
use-after-free are a little bit worse. Feel free to update the commit message and
push. Use-after-free errors usually deserve a test, but it is not worth checking
for garbage in a debug message.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331165778


[SSSD] [sssd PR#389][comment] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

sumit-bose commented:
"""
@lslebodn, what changes are you requesting?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/389#issuecomment-331155346


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

jhrozek commented:
"""
Since this is use-after-free and the only affected place is a DEBUG message and 
even for the affected customer, the issue didn't cause a crash, the test would 
be sanity only, but otherwise I guess not too complex.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331138141


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

lslebodn commented:
"""
I do not suggest rejecting this PR. Therefore an upstream ticket + a real
integration (downstream) test will be enough. But for this we need details in the
ticket. Or will it be complicated to write a real integration test as well?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331136553


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

jhrozek commented:
"""
This is a minor fix for a use-after-free during a failure in a static function. 
Writing a test would mean mocking quite a few interfaces (I guess, haven't 
tried). And currently I don't have any time for that.

If you think we can't accept this fix without a test, please just close this PR 
as rejected.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331134478


[SSSD] [sssd PR#389][+Changes requested] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

Label: +Changes requested


[SSSD] [sssd PR#389][-Accepted] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

Label: -Accepted


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

lslebodn commented:
"""
>I noticed this while looking at logs in a downstream bugzilla. Do you want a 
>ticket to be filed?

We needn't have a ticket if the patchset also contains a test/unittest :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331132631



[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

jhrozek commented:
"""
I noticed this while looking at logs in a downstream bugzilla. Do you want a 
ticket to be filed?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331130921


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
> On (21/09/17 13:22), Jakub Hrozek wrote:
> >clients. But I thought krb5.conf should also contain only the local
> >master..does the config file in the issue you saw contain something
> >else?
> >
> >I mean, if we revert the patch and krb5.conf contains no records or multiple
> >records, then I think the libkrb5 configuration is broken and we are relying
> >on sssd injecting a valid value into an otherwise invalid krb5 configuration.
> >
> 
> I'm waiting for the machine to see the content of krb5.conf and then I'll check
> Sumit's assumption.

I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
the kdcinfo file would contain a v4 address.

But then I guess reverting the patch and injecting the kdcinfo file
would help..


[SSSD] [sssd PR#392][-Accepted] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

Label: -Accepted


[SSSD] [sssd PR#392][+Changes requested] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

Label: +Changes requested


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

lslebodn commented:
"""
This is something which we should test but it does not have any upstream ticket.
Or details on how the issue was noticed; how to reproduce ...
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331130099


[SSSD] Re: 1.13.5 release?

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 02:20:46PM +0300, Timo Aaltonen wrote:
> On 21.09.2017 14:16, Jakub Hrozek wrote:
> > On Thu, Sep 21, 2017 at 01:04:04PM +0200, Lukas Slebodnik wrote:
> >> On (19/09/17 20:50), Jakub Hrozek wrote:
> >>> Hi,
> >>>
> >>> Timo mentioned last week on IRC that he would appreciate if we released
> >>> 1.13.5.
> >>>
> >>> Does anyone have some patches to merge in sssd-1-13 or can we release
> >>> the tarball?
> >>>
> >>> I know there are some pending PRs with backports and some patches for RHEL-6
> >>> bugs were proposed in bugzilla.redhat.com, but there are already quite a
> >>> few patches on top of 1.13.4 so I would prefer to release the tarball now
> >>> and then, around the time of RHEL-6.10 development freeze, release 1.13.6.
> >>>
> >> There are patches for UPN on review.
> >>
> >> But sssd-1-13 master has more failures in the ad_forest test than the default
> >> sssd in el6. I noticed even crashes
> > 
> > Can you report those issues or send me links to test runs with those
> > failures? We can't fix bugs that are not reported..
> > 
> >>
> >> So we should not release 1.13.5 which is worse than the previous release
> > 
> > Yes, regressions are blocking the release.
> > 
> > Timo, how much time do you have to upload the new tarball? Which patches
> > were you most interested in?
> 
> It's this https://pagure.io/SSSD/sssd/issue/2751

Ah, in that case, I would suggest cherry-picking the patches into Debian
in the meantime, sorry..

Note that the sssd patch itself was just using additional capability
enabled by several ding-libs patches, so updating sssd on its own won't
fix the bug.

> 
> I'm in no rush, take your time fixing the issues or revert the offending
> commits from the branch.

OK, I still think it would be a good idea to release the tarball, but
not with regressions..


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (21/09/17 13:22), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 15:45), Lukas Slebodnik wrote:
>> >ehlo,
>> >
>> >I realized that it might be better to discuss it here rather than in
>> >pull requests because it seems to be related to two different commits.
>> >
>> >I will describe a test case on master with an already created replica on another
>> >host.
>> >* kinit as admin
>> >// create user with dummy password
>> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>> >   --password
>> >
>> >// adding sleep; I think that the first kinit sometimes hits the slave and the user is
>> >// not replicated yet.
>> >* sleep 2
>> >* FirstKinitAs $login $dummypw $password
>> >
>> >FirstKinitAs is a bash function which changes the initial password,
>> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> >
>> >Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> >(I didn't try to remove sleep 2)
>> >
>> >
>> >But the situation changed a little bit with git master due to the following commits
>> >IPA: Only generate kdcinfo files on clients
>> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>> 
>> Jakub,
>> Could you explain what was the purpose of the patch?
>
>Protect against generating kdcinfo files that contain a different
>address than the IPA master we are running at. The bug itself is just
>additional protection from sssd messing up a valid krb5.conf
>configuration.
>
>> Because I do not think that patch fixes anything.
>> 
>> If there were some issues with generated kdcinfo files on ipa replicas
>> then I assume it is a bug in replica promotion which left _srv_ in
>> ipa_server
>
>Yes, but even if that bug is fixed, it is pointless to generate the
>files, because the only address that will ever make sense is the IPA
>server. And it should be already defined in krb5.conf.
>
>> 
>> https://pagure.io/freeipa/issue/7127
>> https://github.com/freeipa/freeipa/pull/1005
>> 
>> Because my experience is that after reverting patch
>> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
>> just for the local kdc server and sssd_krb5_locator_plugin.so will
>> use it and not allow krb5 libs to try srv discovery.
>
>Yes, but you don't want to allow SRV discovery on the masters. Only on
>clients. But I thought krb5.conf should also contain only the local
>master..does the config file in the issue you saw contain something
>else?
>
>I mean, if we revert the patch and krb5.conf contains no records or multiple
>records, then I think the libkrb5 configuration is broken and we are relying
>on sssd injecting a valid value into an otherwise invalid krb5 configuration.
>

I'm waiting for the machine to see the content of krb5.conf and then I'll check
Sumit's assumption.

LS


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 15:45), Lukas Slebodnik wrote:
> >ehlo,
> >
> >I realized that it might be better to discuss it here rather than in
> >pull requests because it seems to be related to two different commits.
> >
> >I will describe a test case on master with an already created replica on another
> >host.
> >* kinit as admin
> >// create user with dummy password
> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >   --password
> >
> >// adding sleep; I think that the first kinit sometimes hits the slave and the user is
> >// not replicated yet.
> >* sleep 2
> >* FirstKinitAs $login $dummypw $password
> >
> >FirstKinitAs is a bash function which changes the initial password,
> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >
> >Such a test works reliably with 1.15.3 and kinit always talks to the local master
> >(I didn't try to remove sleep 2)
> >
> >
> >But the situation changed a little bit with git master due to the following commits
> >IPA: Only generate kdcinfo files on clients
> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> 
> Jakub,
> Could you explain what was the purpose of the patch?

Protect against generating kdcinfo files that contain a different
address than the IPA master we are running at. The bug itself is just
additional protection from sssd messing up a valid krb5.conf
configuration.

> Because I do not think that patch fixes anything.
> 
> If there were some issues with generated kdcinfo files on ipa replicas
> then I assume it is a bug in replica promotion which left _srv_ in
> ipa_server

Yes, but even if that bug is fixed, it is pointless to generate the
files, because the only address that will ever make sense is the IPA
server. And it should be already defined in krb5.conf.

> 
> https://pagure.io/freeipa/issue/7127
> https://github.com/freeipa/freeipa/pull/1005
> 
> Because my experience is that after reverting patch
> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
> just for the local kdc server and sssd_krb5_locator_plugin.so will
> use it and not allow krb5 libs to try srv discovery.

Yes, but you don't want to allow SRV discovery on the masters. Only on
clients. But I thought krb5.conf should also contain only the local
master..does the config file in the issue you saw contain something
else?

I mean, if we revert the patch and krb5.conf contains no records or multiple
records, then I think the libkrb5 configuration is broken and we are relying
on sssd injecting a valid value into an otherwise invalid krb5 configuration.

> 
> I might be wrong or I could miss something and there might be
> something else fishy in ipa*-install.
> 
> LS


[SSSD] Re: 1.13.5 release?

2017-09-21 Thread Timo Aaltonen
On 21.09.2017 14:16, Jakub Hrozek wrote:
> On Thu, Sep 21, 2017 at 01:04:04PM +0200, Lukas Slebodnik wrote:
>> On (19/09/17 20:50), Jakub Hrozek wrote:
>>> Hi,
>>>
>>> Timo mentioned last week on IRC that he would appreciate if we released
>>> 1.13.5.
>>>
>>> Does anyone have some patches to merge in sssd-1-13 or can we release
>>> the tarball?
>>>
>>> I know there are some pending PRs with backports and some patches for RHEL-6
>>> bugs were proposed in bugzilla.redhat.com, but there are already quite a
>>> few patches on top of 1.13.4 so I would prefer to release the tarball now
>>> and then, around the time of RHEL-6.10 development freeze, release 1.13.6.
>>>
>> There are patches for UPN on review.
>>
>> But sssd-1-13 master has more failures in the ad_forest test than the default
>> sssd in el6. I noticed even crashes
> 
> Can you report those issues or send me links to test runs with those
> failures? We can't fix bugs that are not reported..
> 
>>
>> So we should not release 1.13.5 which is worse than the previous release
> 
> Yes, regressions are blocking the release.
> 
> Timo, how much time do you have to upload the new tarball? Which patches
> were you most interested in?

It's this https://pagure.io/SSSD/sssd/issue/2751

I'm in no rush, take your time fixing the issues or revert the offending
commits from the branch.

-- 
t


[SSSD] Re: 1.13.5 release?

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 01:04:04PM +0200, Lukas Slebodnik wrote:
> On (19/09/17 20:50), Jakub Hrozek wrote:
> >Hi,
> >
> >Timo mentioned last week on IRC that he would appreciate if we released
> >1.13.5.
> >
> >Does anyone have some patches to merge in sssd-1-13 or can we release
> >the tarball?
> >
> >I know there are some pending PRs with backports and some patches for RHEL-6
> >bugs were proposed in bugzilla.redhat.com, but there are already quite a
> >few patches on top of 1.13.4 so I would prefer to release the tarball now
> >and then, around the time of RHEL-6.10 development freeze, release 1.13.6.
> >
> There are patches for UPN on review.
> 
> But sssd-1-13 master has more failures in the ad_forest test than the default
> sssd in el6. I noticed even crashes

Can you report those issues or send me links to test runs with those
failures? We can't fix bugs that are not reported..

> 
> So we should not release 1.13.5 which is worse than the previous release

Yes, regressions are blocking the release.

Timo, how much time do you have to upload the new tarball? Which patches
were you most interested in?


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 15:45), Lukas Slebodnik wrote:
>ehlo,
>
>I realized that it might be better to discuss it here rather than in
>pull requests because it seems to be related to two different commits.
>
>I will describe a test case on master with an already created replica on another
>host.
>* kinit as admin
>// create user with dummy password
>* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>   --password
>
>// adding sleep; I think that the first kinit sometimes hits the slave and the user is
>// not replicated yet.
>* sleep 2
>* FirstKinitAs $login $dummypw $password
>
>FirstKinitAs is a bash function which changes the initial password,
>something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>
>Such a test works reliably with 1.15.3 and kinit always talks to the local master
>(I didn't try to remove sleep 2)
>
>
>But the situation changed a little bit with git master due to the following commits
>IPA: Only generate kdcinfo files on clients
>https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6

Jakub,
Could you explain what was the purpose of the patch?
Because I do not think that patch fixes anything.

If there were some issues with generated kdcinfo files on ipa replicas
then I assume it is a bug in replica promotion which left _srv_ in
ipa_server

https://pagure.io/freeipa/issue/7127
https://github.com/freeipa/freeipa/pull/1005

Because my experience is that after reverting patch
a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
just for the local kdc server and sssd_krb5_locator_plugin.so will
use it and not allow krb5 libs to try srv discovery.

I might be wrong or I could miss something and there might be
something else fishy in ipa*-install.

LS


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

fidencio commented:
"""
CI: http://vm-058-233.${abc}/logs/job/78/05/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331126072


[SSSD] [sssd PR#392][+Accepted] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

Label: +Accepted


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>> 
>> I will describe a test case on master with an already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last 
>> "$lastname" \
>>--password
>> 
>> // adding sleep think that first kinit hits slave sometimes and the user 
>> is
>> // not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>> 
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V 
>> $username
>> 
>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> (I didn't try to remove sleep 2)
>> 
>> 
>> But the situation changed a little bit with git master due to the following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>Currently I would assume that at least admin_server is missing.
>
>> localauth plugin: change return code of sss_an2ln
>> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e
>
>I'm a bit surprised here because it is not clear to me where during the
>test an2ln is used. But if it is the case it might point to an issue at
>a different place because the old return code was wrong according to the
>documentation of the plugin.
>
I probably mixed versions of packages when I ran the test, because reverting the
patch for the krb5_localauth plugin did not help and it still fails

--
Added user "selfservuser1"
--
  User login: selfservuser1
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/selfservuser1
  GECOS: first last
  Login shell: /bin/sh
  Principal name: selfservus...@testrelm.test
  Principal alias: selfservus...@testrelm.test
  Email address: selfservus...@testrelm.test
  UID: 71621
  GID: 71621
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com 
passw0rd1'
[1836] 1505231102.633534: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[1838] 1505231102.639333: Getting initial credentials for 
selfservus...@testrelm.test
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.642170: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.644813: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.644822: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644878: Response was from master KDC
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has 
expired
[1838] 1505231102.644915: Principal expired; getting changepw ticket
[1838] 1505231102.644921: Getting initial credentials for 
selfservus...@testrelm.test
[1838] 1505231102.644936: Setting initial creds service to kadmin/changepw
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644973: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
[1838] 15052

[SSSD] Re: 1.13.5 release?

2017-09-21 Thread Lukas Slebodnik
On (19/09/17 20:50), Jakub Hrozek wrote:
>Hi,
>
>Timo mentioned last week on IRC that he would appreciate if we released
>1.13.5.
>
>Does anyone have some patches to merge in sssd-1-13 or can we release
>the tarball?
>
>I know there are some pending PRs with backports and some patches for RHEL-6
>bugs were proposed in bugzilla.redhat.com, but there are already quite a
>few patches on top of 1.13.4 so I would prefer to release the tarball now
>and then, around the time of RHEL-6.10 development freeze, release 1.13.6.
>
There are patches for UPN on review.

But sssd-1-13 master has more failures in the ad_forest test than the default
sssd in el6. I noticed even crashes.

So we should not release 1.13.5, which is worse than the previous release.

LS


[SSSD] [sssd PR#392][comment] GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found

2017-09-21 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/392
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be 
found

fidencio commented:
"""
Code-wise it looks good. I've left a comment that may or may not be addressed 
depending on the contributor's opinion.

I'm firing a CI build soon for this patch.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/392#issuecomment-331081220


[SSSD] [sssd PR#389][+Accepted] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

Label: +Accepted


[SSSD] [sssd PR#389][comment] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

sumit-bose commented:
"""
@fidencio, fixed, thank you for the review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/389#issuecomment-331075683


[SSSD] [sssd PR#389][synchronized] sssd_client: add mutex protected call to the PAC responder

2017-09-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/389
Author: sumit-bose
 Title: #389: sssd_client: add mutex protected call to the PAC responder
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/389/head:pr389
git checkout pr389
From aff7a5dc3c595027646f36547dea63ea696432a5 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 18 Sep 2017 15:00:53 +0200
Subject: [PATCH] sssd_client: add mutex protected call to the PAC responder

SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request(), which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients do.

If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs,
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s has passed.

This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.

Resolves https://pagure.io/SSSD/sssd/issue/3518
---
 Makefile.am   |  20 +
 src/sss_client/common.c   |  30 +++
 src/sss_client/sss_cli.h  |   7 ++
 src/sss_client/sss_pac_responder_client.c | 138 ++
 src/sss_client/sssd_pac.c |   4 +-
 src/tests/intg/Makefile.am|   1 +
 src/tests/intg/test_pac_responder.py  | 119 ++
 7 files changed, 317 insertions(+), 2 deletions(-)
 create mode 100644 src/sss_client/sss_pac_responder_client.c
 create mode 100644 src/tests/intg/test_pac_responder.py

diff --git a/Makefile.am b/Makefile.am
index f1f467100..ed50c4219 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3523,6 +3523,9 @@ endif
 if BUILD_WITH_LIBCURL
 noinst_PROGRAMS += tcurl-test-tool
 endif
+if BUILD_PAC_RESPONDER
+noinst_PROGRAMS += sssd_pac_test_client
+endif
 
 if BUILD_AUTOFS
 autofs_test_client_SOURCES = \
@@ -4257,6 +4260,23 @@ sssd_pac_plugin_la_LDFLAGS = \
 -avoid-version \
 -module
 
+sssd_pac_test_client_SOURCES = \
+src/sss_client/sss_pac_responder_client.c \
+src/sss_client/common.c \
+src/util/strtonum.c \
+src/sss_client/sss_cli.h \
+src/sss_client/krb5_authdata_int.h \
+$(NULL)
+sssd_pac_test_client_CFLAGS = \
+$(AM_CFLAGS) \
+$(KRB5_CFLAGS) \
+$(NULL)
+sssd_pac_test_client_LDADD = \
+$(CLIENT_LIBS) \
+$(KRB5_LIBS) \
+-lpthread \
+$(NULL)
+
 # python[23] bindings
 pysss_la_SOURCES = \
 $(SSSD_TOOLS_OBJ) \
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index b7a5ed760..b527c046e 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -821,6 +821,22 @@ int sss_pac_make_request(enum sss_cli_command cmd,
 }
 }
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop)
+{
+int ret;
+
+sss_pac_lock();
+
+ret = sss_pac_make_request(cmd, rd, repbuf, replen, errnop);
+
+sss_pac_unlock();
+
+return ret;
+}
+
 errno_t check_server_cred(int sockfd)
 {
 #ifdef HAVE_UCRED
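Review bot: sss_pac_make_request_with_lock() calls sss_pac_lock() and sss_pac_unlock() here (around line 830 of common.c), well before the two functions are defined further down in the same file (the hunk at line ~1139), so this compiles only if prototypes are visible at this point; the visible sss_cli.h hunk adds only the sss_pac_make_request_with_lock() declaration, so please confirm that sss_pac_lock()/sss_pac_unlock() are declared in sss_cli.h next to sss_nss_mc_lock()/sss_nss_mc_unlock(). A one-line comment above the wrapper stating that code which may run in several threads must use this variant rather than the unlocked sss_pac_make_request() would also help the next reader, since nothing at the call site enforces that.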
@@ -1079,6 +1095,8 @@ static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
 static struct sss_mutex sss_nss_mc_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
 
+static struct sss_mutex sss_pac_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
+
 static void sss_mt_lock(struct sss_mutex *m)
 {
 pthread_mutex_lock(&m->mtx);
@@ -1121,6 +1139,16 @@ void sss_nss_mc_unlock(void)
 sss_mt_unlock(&sss_nss_mc_mtx);
 }
 
+/* PAC mutex wrappers */
+void sss_pac_lock(void)
+{
+sss_mt_lock(&sss_pac_mtx);
+}
+void sss_pac_unlock(void)
+{
+sss_mt_unlock(&sss_pac_mtx);
+}
+
 #else
 
 /* sorry no mutexes available */
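Review bot: style: in the new PAC mutex wrappers there is no blank line between the closing brace of sss_pac_lock() and the definition of sss_pac_unlock(), while the existing wrappers in this block (e.g. sss_nss_mc_unlock() just above) are separated by a blank line; add one for consistency.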
@@ -1130,6 +1158,8 @@ void sss_pam_lock(void) { return; }
 void sss_pam_unlock(void) { return; }
 void sss_nss_mc_lock(void) { return; }
 void sss_nss_mc_unlock(void) { return; }
+void sss_pac_lock(void) { return; }
+void sss_pac_unlock(void) { return; }
 #endif
 
 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 038406dec..0b97d492e 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -585,6 +585,11 @@ int sss_pac_make_request(enum sss_cli_command cmd,
  uint8_t **repbuf, size_t *replen,
  int *errnop);
 
+int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
+   struct sss_cli_req_data *rd,
+   uint8_t **repbuf, size_t *replen,
+   int *errnop);
+
 int sss_sudo_make_request(enum sss_cli_command cmd,
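Review bot: the new prototype for sss_pac_make_request_with_lock() carries no comment explaining how it differs from sss_pac_make_request() declared directly above it (the request is serialized with a process-wide mutex, so it is the variant to call from code that may run in several threads); since sss_cli.h is the interface client code reads, a brief comment here would make the intended choice between the two explicit.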