[SSSD] [sssd PR#522][synchronized] Prepare SSSD to support IPA in trust to Samba AD

2018-03-02 Thread abbra
   URL: https://github.com/SSSD/sssd/pull/522
Author: abbra
 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/522/head:pr522
git checkout pr522
From 150f410045944bfbb23830a912f0548e1b1bf6f2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Feb 2018 14:38:51 +0200
Subject: [PATCH 1/2] ipa provider: expand search base to cover trusted domain
 objects

In the case of a two-way trust between FreeIPA and Active Directory, a
domain controller would use a TDO object in the trusting domain to
authenticate. Due to how trusted domain objects are used in Active
Directory, a domain controller from the trusted domain will synthesize
a Kerberos ticket for the TDO in the trusting domain. This ticket
will lack MS-PAC information because a trusted DC has no idea what
to put there. On the IPA master, the smbd process will attempt to validate
the successfully authenticated TDO principal by looking at its MS-PAC
structure, only to find it is missing. As a result, smbd will revert
to a direct getpwnam().

Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA,
they couldn't be found by SSSD, which uses cn=accounts,$SUFFIX by
default. Add a second search base to look up cn=trusts,$SUFFIX to
allow TDO objects to be queried.

On the FreeIPA side, access controls are put in place so that only
AD trust agents are able to see the content of the cn=trusts,$SUFFIX
subtree.

Signed-off-by: Alexander Bokovoy 
---
 src/providers/ipa/ipa_common.c | 36 +++-
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2b81d7f3f..d91ba1c8e 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -176,9 +176,10 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 TALLOC_CTX *tmpctx;
 char *basedn;
 char *realm;
-char *value;
+char *value, *user_base;
 int ret;
 int i;
+bool server_mode;
 
 tmpctx = talloc_new(ipa_opts);
 if (!tmpctx) {
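Review bot: the new `char *value, *user_base;` declaration leaves `value` uninitialised, while the server-mode branch added later in this patch only assigns it when `user_base` is NULL or lacks `?cn=trusts,`; as it stands the later `if (!value)` is never reached on the unassigned path, but the guard is fragile, so write `char *value = NULL, *user_base;` to keep the check safe and to avoid maybe-uninitialised warnings.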
@@ -272,11 +273,36 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1;
 
 /* set user/group search bases if they are not specified */
-if (NULL == dp_opt_get_string(ipa_opts->id->basic,
-  SDAP_USER_SEARCH_BASE)) {
+user_base = dp_opt_get_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE);
+
+/* In server mode we need to search both cn=accounts,$SUFFIX and
+ * cn=trusts,$SUFFIX to allow trusted domain object accounts to be found.
+ * Update user base if it wasn't set explicitly to multiple base DNs
+ */
+server_mode = dp_opt_get_bool(ipa_opts->basic, IPA_SERVER_MODE);
+if (server_mode != false) {
+if ((NULL == user_base) || (NULL == strstr(user_base, "?cn=trusts,"))) {
+/* Search both cn=accounts,$SUFFIX and cn=trusts,$SUFFIX.  This allows
+ * to catch trusted domain objects used by trusted AD DCs to talk to
+ * Samba on IPA master */
+value = talloc_asprintf(tmpctx,
+"%s?cn=trusts,%s??(objectclass=ipaIDObject)",
+user_base ? user_base :
+dp_opt_get_string(ipa_opts->id->basic,
+  SDAP_SEARCH_BASE),
+basedn);
+}
+} else {
+value = dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE);
+}
+
+if (NULL == user_base) {
+if (!value) {
+ret = ENOMEM;
+goto done;
+}
 ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE,
-dp_opt_get_string(ipa_opts->id->basic,
-  SDAP_SEARCH_BASE));
+value);
 if (ret != EOK) {
 goto done;
 }
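Review bot: the multi-base string built for an explicitly configured `user_base` that lacks `?cn=trusts,` is never applied, because the `dp_opt_set_string(... SDAP_USER_SEARCH_BASE, value)` call sits under `if (NULL == user_base)`; either set the option in server mode whenever `value` was rebuilt, or drop the `strstr` branch together with the comment's promise to update an explicitly set user base. Two smaller points: the constructed string `"%s?cn=trusts,%s??(objectclass=ipaIDObject)"` mixes a bare first base with a `base?scope?filter` triple, so confirm the search-base parser accepts that mixed form or write both entries as full triples; and in the non-server branch a NULL `SDAP_SEARCH_BASE` is reported as ENOMEM although nothing was allocated there, so EINVAL with a DEBUG message would describe the failure better.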

From d311450a1e45f5123db6ccd3083391f607b540f6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Feb 2018 14:45:16 +0200
Subject: [PATCH 2/2] ipa provider: always use a special keytab to talk to a
 trusted DC

When FreeIPA is set up to trust an Active Directory forest, we should be
using trusted domain object credentials regardless of the trust
direction. Previously, SSSD relied on the FreeIPA KDC issuing a cross-realm
referral towards a trusted domain. However, this does not work
currently with Samba AD, and in general we want to move to using the
TDO in all cases as it is guaranteed to have correct permissions on the AD
side.

Signed-off-by: Alexander Bokovoy 
---
 src/providers/ipa/ipa_subdomains_server.c | 24 ++-
 src/tests/cmocka/test_ipa_subdomains_server.c | 44 +--
 

[SSSD] [sssd PR#527][comment] PEP8 Fixes and enable PEP8 check in CI

2018-03-02 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/527
Title: #527: PEP8 Fixes and enable PEP8 check in CI

lslebodn commented:
"""
I would like to also ask whether it makes sense to fix pep8 issues in the file 
src/tests/python-test.py.
The file/test will be removed as part of PR #430.
Fortunately, there is already a way to skip checking of pep8 errors in the CI 
script.

BTW I tried really hard but I was not able to get "green" results from the 
test.
(I manually created sssd.conf for the local provider and installed the required 
dependencies python2-sss, python3-sss, sssd-tools, nscd, ldb-tools)

@mzidek-rh, could you give me some tips on how you ensured that it still works?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/527#issuecomment-370041624
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#527][comment] PEP8 Fixes and enable PEP8 check in CI

2018-03-02 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/527
Title: #527: PEP8 Fixes and enable PEP8 check in CI

lslebodn commented:
"""
@mzidek-rh,
Could you help me find a way to enable catching the warning in commit 
"TESTS: Fix E501 pep8 issues on utils.py"?

```
sh-4.4$ git rev-parse --verify HEAD
47362caf4c30c3ff5a143f4f4a7fd5599db03b48
sh-4.4$ pep8 --version
1.6.2
sh-4.4$ pep8  src/tests/python/sssd/testlib/common/utils.py
sh-4.4$ pep8 --max-line-length=79 src/tests/python/sssd/testlib/common/utils.py
sh-4.4$ pep8 --max-line-length=79 --select=E501 
src/tests/python/sssd/testlib/common/utils.py
sh-4.4$ pep8 --ignore=E121,E123,E126,E226,E24,E704,W503,E722 
src/tests/python/sssd/testlib/common/utils.py
```

It is also not reproducible with older and newer versions (also tested with 
1.5.7, 1.7.1 and 2.3.1).
Maybe it is reproducible with an older version of pep8. But it would be good to 
see that working on recent systems. BTW the patch is correct and it is obvious 
after checking the file with an editor.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/527#issuecomment-370039380


[SSSD] [sssd PR#527][opened] PEP8 Fixes and enable PEP8 check in CI

2018-03-02 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/527
Author: mzidek-rh
 Title: #527: PEP8 Fixes and enable PEP8 check in CI
Action: opened

PR body:
"""
Hi,

because @fidencio is on PTO I allowed myself to rebase and update his branch: 
https://github.com/fidencio/sssd/tree/wip/ci_enable_pep8_check

and present it here as a new PR.

Here is a link to the ticket: https://pagure.io/SSSD/sssd/issue/3605

What I did:
- reviewed all the patches that were not reviewed yet (some were already 
reviewed)
- rebased them on top of current master (there were only minor conflicts)
- if some patches are missing, that is because the issue they fixed was no 
longer present in the current master, so I deleted them
- added "Resolves" and "Reviewed" tags (so the person that pushes it does not 
need to add them)
- pushed the patchset to CI (passed)
- added a pep8 issue and tried the CI (the issue was detected on all platforms)

The patchset is now fully ACKed.

Note: because of the way I rebased the patches, some are not in the original 
order.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/527/head:pr527
git checkout pr527
From 4a5b20eb86ceae6fabc74b792a5f9fabf12709dd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 19 Sep 2017 17:53:42 +0200
Subject: [PATCH 01/35] TESTS: Fix E266 pep8 issues on test_ldap.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

E266: too many leading '#' for block comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio 
---
 src/tests/intg/test_ldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index a6659b1b7..391e46392 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -998,7 +998,7 @@ def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
 assert res == sssd_id.NssReturnCode.SUCCESS, \
 "Could not find groups for user1, %d" % errno
 
-## test nestedgroup is not returned in group list
+# test nestedgroup is not returned in group list
 assert sorted(grp_list) == sorted(["primarygroup", "parentgroup"])
 
 

From 43c57c56c6058d66e02b644d164faf70f3e86bc4 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio 
Date: Thu, 14 Dec 2017 09:39:54 +0100
Subject: [PATCH 02/35] TESTS: Fix E501 pep8 issues on test_ldap.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek 

Signed-off-by: Fabiano Fidêncio 
---
 src/tests/intg/test_ldap.py | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 391e46392..df5633097 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -1219,8 +1219,9 @@ def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
 ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
 
 # The user's secondary groups list must be correct as well
-# Note that the original GID is listed as well -- this is correct and expected
-# because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
+# Note that the original GID is listed as well -- this is correct and
+# expected because we save the original GID in the
+# SYSDB_PRIMARY_GROUP_GIDNUM attribute
 user1_expected_gids = [1001, 2001, 2012, 2015]
 (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
 assert res == sssd_id.NssReturnCode.SUCCESS
@@ -1232,8 +1233,8 @@ def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
 )
 
 # Request user2's private group by GID without resolving the user first.
-# This must trigger user resolution through by-GID resolution, since the GID
-# doesn't exist on its own in LDAP
+# This must trigger user resolution through by-GID resolution, since the
+# GID doesn't exist on its own in LDAP
 ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
 
 # Test supplementary groups for user2 as well

From a31f5a45b4c4b02a19da1850492d7c1daec4658e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 19 Sep 2017 18:02:39 +0200
Subject: [PATCH 03/35] TESTS: Fix E231 pep8 issues on
 test_session_recording.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

E231: missing whitespace after ':'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio 
Reviewed-by: Lukáš Slebodník 
---
 src/tests/intg/test_session_recording.py | 100 +++
 1 file changed, 50 

[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured

2018-03-02 Thread amitkumar50
  URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

amitkumar50 commented:
"""
@pbrezina Done, thanks.
But passed the "help" value back through 3 functions.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/515#issuecomment-369913626


[SSSD] [sssd PR#515][synchronized] sssctl: Showing help even when sssd not configured

2018-03-02 Thread amitkumar50
   URL: https://github.com/SSSD/sssd/pull/515
Author: amitkumar50
 Title: #515: sssctl: Showing help even when sssd not configured
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/515/head:pr515
git checkout pr515
From 97e1ee34f47203a024e1461cc6d423ceb2c71fc7 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Thu, 15 Feb 2018 18:21:10 +0530
Subject: [PATCH] sssctl: Showing help even when sssd not configured

On a clean and unconfigured system, it's not possible
to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when the 3rd
command line argument passed to sssctl is '--help'.

Please note that when we run 'sssctl --help' on an unconfigured system
the confdb check is not done and proper output is seen.

Resolves: https://pagure.io/SSSD/sssd/issue/3634
---
 src/tools/common/sss_tools.c | 36 ++--
 src/tools/common/sss_tools.h |  5 +++--
 2 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index e491a1286..05179b378 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -53,16 +53,20 @@ static struct poptOption *sss_tool_common_opts_table(void)
 }
 
 static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
- int *argc, const char **argv)
+ int *argc, const char **argv,
+ bool *_help)
 {
 poptContext pc;
 int debug = SSSDBG_DEFAULT;
 int orig_argc = *argc;
+int help = 0;
 int opt;
 
 struct poptOption options[] = {
 {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, ,
 0, _("The debug level to run with"), NULL },
+{"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, ,
+1, NULL, NULL },
 POPT_TABLEEND
 };
 
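Review bot: the new `{"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, ...}` entry omits POPT_ARGFLAG_STRIP, unlike the `debug` entry directly above it, so `--help` stays in argv for the subcommand's own option table to print its usage; add a one-line comment saying that this is deliberate, because the asymmetry with the neighbouring line reads like an oversight.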
@@ -74,6 +78,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
 /* Strip common options from arguments. We will discard_const here,
  * since it is not worth the trouble to convert it back and forth. */
 *argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv));
+*_help = help;
 
 DEBUG_CLI_INIT(debug);
 
@@ -168,7 +173,8 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
 
 errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
   int *argc, const char **argv,
-  struct sss_tool_ctx **_tool_ctx)
+  struct sss_tool_ctx **_tool_ctx,
+  bool *_help)
 {
 struct sss_tool_ctx *tool_ctx;
 
@@ -178,8 +184,7 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
-sss_tool_common_opts(tool_ctx, argc, argv);
-
+sss_tool_common_opts(tool_ctx, argc, argv, _help);
 *_tool_ctx = tool_ctx;
 
 return EOK;
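Review bot: the blank line between the `sss_tool_common_opts(tool_ctx, argc, argv, _help);` call and `*_tool_ctx = tool_ctx;` is dropped as a side effect of changing the call; keep it, since an unrelated whitespace change only adds noise to the diff.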
@@ -296,7 +301,7 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
 errno_t sss_tool_route(int argc, const char **argv,
struct sss_tool_ctx *tool_ctx,
struct sss_route_cmd *commands,
-   void *pvt)
+   void *pvt, bool _help)
 {
 struct sss_cmdline cmdline;
 const char *cmd;
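Review bot: `void *pvt, bool _help` in the `sss_tool_route` signature is a by-value input, but the leading underscore is the convention this file uses for output parameters (`_tool_ctx` and `_help` in `sss_tool_init`); name it `bool help` so it does not suggest the callee writes to it, and put it on its own line like the other parameters.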
@@ -333,13 +338,15 @@ errno_t sss_tool_route(int argc, const char **argv,
 return tool_ctx->init_err;
 }
 
-ret = tool_cmd_init(tool_ctx, [i]);
-if (ret != EOK) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-  "Command initialization failed [%d] %s\n",
-  ret, sss_strerror(ret));
-return ret;
-}
+	if (!_help) {
+ret = tool_cmd_init(tool_ctx, [i]);
+if (ret != EOK) {
+DEBUG(SSSDBG_FATAL_FAILURE,
+  "Command initialization failed [%d] %s\n",
+  ret, sss_strerror(ret));
+return ret;
+}
+	}
 
 return commands[i].fn(, tool_ctx, pvt);
 }
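Review bot: the `if (!_help)` guard is placed after the `return tool_ctx->init_err;` check still visible at the top of this hunk, so `sssctl <cmd> --help` on a system where `sss_tool_init` recorded an init error (for example the ERR_SYSDB_VERSION_TOO_OLD case handled in a later hunk) still fails instead of printing usage; move the help test before the `init_err` check. Skipping `tool_cmd_init` also means `commands[i].fn(...)` runs with a context whose command-level setup never happened, so this relies on every command handling `--help` in its own option parsing before touching the context; state that assumption in a comment. Finally, the two new lines `if (!_help) {` and `}` are indented with tabs while the rest of the function uses spaces.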
@@ -494,6 +501,7 @@ int sss_tool_main(int argc, const char **argv,
 struct sss_tool_ctx *tool_ctx;
 uid_t uid;
 errno_t ret;
+bool _help=0;
 
 uid = getuid();
 if (uid != 0) {
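Review bot: `bool _help=0;` should read `bool help = false;`: spaces around `=` match the surrounding declarations, `false` is the idiomatic initialiser for a bool, and the leading underscore is used elsewhere in this file for output parameters rather than locals.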
@@ -502,7 +510,7 @@ int sss_tool_main(int argc, const char **argv,
 return EXIT_FAILURE;
 }
 
-ret = sss_tool_init(NULL, , argv, _ctx);
+ret = sss_tool_init(NULL, , argv, _ctx, &_help);
 if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
 tool_ctx->init_err = ret;
 } else if (ret != EOK) {
@@ -510,7 +518,7 @@ int sss_tool_main(int argc, const char **argv,
 return EXIT_FAILURE;
 }
 
-ret = sss_tool_route(argc, argv, tool_ctx, commands, pvt);
+ret = sss_tool_route(argc, argv, tool_ctx, commands, pvt, _help);
 

[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured

2018-03-02 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

pbrezina commented:
"""
You have to let popt parse the options first, i.e.:
```c
poptContext pc;
int debug = SSSDBG_DEFAULT;
int orig_argc = *argc;
int help = 0;
int opt;

/* popt stores each parsed value through the pointer in the arg field */
struct poptOption options[] = {
    {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug,
     0, _("The debug level to run with"), NULL },
    {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help,
     1, NULL, NULL },
    POPT_TABLEEND
};

pc = poptGetContext(argv[0], orig_argc, argv, options, 0);
while ((opt = poptGetNextOpt(pc)) != -1) {
    /* do nothing */
}

/* help is only set to 1 after popt has consumed the arguments above */
DEBUG(SSSDBG_CRIT_FAILURE,"\n[Amit] help_value=%d\n", help);
...
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/515#issuecomment-369870631