[SSSD] [sssd PR#713][opened] krb5_child: fix permissions during SC auth
URL: https://github.com/SSSD/sssd/pull/713 Author: sumit-bose Title: #713: krb5_child: fix permissions during SC auth Action: opened PR body: """ For PKINIT we might need access to the pcscd socket which by default is only allowed for authenticated users. Since PKINIT is part of the authentication and the user is not authenticated yet, we have to use different privileges and can only drop it only after the TGT is received. The fast_uid and fast_gid are the IDs the backend is running with. This can be either root or the 'sssd' user. Root is allowed by default and the 'sssd' user is allowed with the help of the sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We can only call switch_creds() because after the TGT is returned we have to switch to the IDs of the user to store the TGT. The final change to the IDs of the user is not only important for KCM type credential caches but for file based ccache types like FILE or DIR as well. Related to https://pagure.io/SSSD/sssd/issue/3376 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/713/head:pr713 git checkout pr713 From b799df745312935497ca4cd13395404343ea32e9 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Mon, 10 Dec 2018 17:44:13 +0100 Subject: [PATCH] krb5_child: fix permissions during SC auth For PKINIT we might need access to the pcscd socket which by default is only allowed for authenticated users. Since PKINIT is part of the authentication and the user is not authenticated yet, we have to use different privileges and can only drop it only after the TGT is received. The fast_uid and fast_gid are the IDs the backend is running with. This can be either root or the 'sssd' user. Root is allowed by default and the 'sssd' user is allowed with the help of the sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We can only call switch_creds() because after the TGT is returned we have to switch to the IDs of the user to store the TGT. The final change to the IDs of the user is not only important for KCM type credential caches but for file based ccache types like FILE or DIR as well. Related to https://pagure.io/SSSD/sssd/issue/3376 --- src/providers/krb5/krb5_child.c | 65 - 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index a578930a9..95a824ddf 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -108,6 +108,7 @@ struct krb5_req { uid_t fast_uid; gid_t fast_gid; +struct sss_creds *pcsc_saved_creds; struct cli_opts *cli_opts; }; 
@@ -1746,6 +1747,23 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, goto done; } +kerr = restore_creds(kr->pcsc_saved_creds); +if (kerr != 0) { +DEBUG(SSSDBG_OP_FAILURE, "restore_creds failed.\n"); +} +/* Make sure ccache is created and written as the user */ +if (geteuid() != kr->uid || getegid() != kr->gid) { +kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain); +if (kerr != 0) { +DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n"); +ret = EFAULT; +goto done; +} +} + +DEBUG(SSSDBG_TRACE_INTERNAL, + "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); + /* If kr->ccname is cache collection (DIR:/...), we want to work * directly with file ccache (DIR::/...), but cache collection * should be returned back to back end. @@ -2998,20 +3016,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) krb5_error_code kerr; int parse_flags; -if (offline || (kr->fast_val == K5C_FAST_NEVER && kr->validate == false)) { -/* If krb5_child was started as setuid, but we don't need to - * perform either validation or FAST, just drop privileges to - * the user who is logging in. The same applies to the offline case. - */ -kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain); -if (kerr != 0) { -DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n"); -return kerr; -} -} -DEBUG(SSSDBG_TRACE_INTERNAL, - "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); - /* Set the global error context */ krb5_error_ctx = kr->ctx; @@ -3205,8 +3209,8 @@ int main(int argc, const char *argv[]) const char *opt_logger = NULL; errno_t ret; krb5_error_code kerr; -uid_t fast_uid; -gid_t fast_gid; +uid_t fast_uid = 0; +gid_t fast_gid = 0; struct cli_opts cli_opts = { 0 }; int sss_creds_password = 0; @@ -3320,20 +3324,31 @@ int main(int argc, const char *argv[]) goto done; } -/* pkinit needs access to pcscd */ -if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN -&&
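Review bot: in the get_and_save_tgt() hunk a failing restore_creds() is only logged and execution falls through to the geteuid()/getegid() comparison, while the k5c_become_user() failure two lines further down is fatal (ret = EFAULT; goto done). If the restore fails the child is still running with whatever IDs switch_creds() set for the pcscd access, so whether the ccache is then written as the intended user depends entirely on the second call succeeding; either treat the restore failure the same way, or add a comment explaining why continuing is safe.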
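Review bot: the k5c_setup() hunk removes the early drop to the user's IDs for the `offline || (fast_val == K5C_FAST_NEVER && validate == false)` case for every caller, not only the smartcard path, and leaves the become_user call added to get_and_save_tgt() as the only remaining drop. The commit message talks only about PKINIT; it should state that the drop point moved for all code paths, and please confirm that the offline path also reaches get_and_save_tgt(), otherwise that path would now never drop privileges.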
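Review bot: in the main() hunk fast_uid and fast_gid are now initialised to 0, which are root's IDs; if the values are never filled in from the command line, later code that switches to fast_uid/fast_gid for the pcscd access would silently switch to root instead of reporting the missing value. A sentinel that cannot be a valid ID, or an explicit check that the IDs were provided before they are used, would make that failure visible.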
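The PR body describes a three-step identity dance: switch the effective IDs to the backend's so the pcscd socket can be reached, switch back once the TGT is in hand, then drop permanently to the user who owns the ccache. The following is an added example written for this digest, not krb5_child's code: the names switch_creds()/restore_creds() mirror the PR's wording but their bodies, the saved_creds struct and become_user() are this example's own, built on plain POSIX setegid()/seteuid()/setgid()/setuid(). It adds the check a reviewer would want after the final drop: that the previous effective uid can no longer be regained.

```c
/* Added example (not SSSD's code): temporary effective-ID switch around a
 * privileged step, followed by a verified, irreversible drop to the user. */
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>

struct saved_creds {
    uid_t euid;   /* effective IDs in force before switch_creds() (assumed layout) */
    gid_t egid;
};

/* Temporarily adopt uid/gid (in the PR: the backend's IDs, which are allowed
 * to talk to pcscd) while leaving the real and saved IDs untouched, so the
 * switch can be undone. Returns 0 or an errno value. */
int switch_creds(uid_t uid, gid_t gid, struct saved_creds *saved)
{
    saved->euid = geteuid();
    saved->egid = getegid();

    /* Group first: once the effective uid is unprivileged, a later
     * setegid() would be refused. */
    if (setegid(gid) != 0) {
        return errno;
    }
    if (seteuid(uid) != 0) {
        int ret = errno;
        (void) setegid(saved->egid);   /* best-effort rollback */
        return ret;
    }
    return 0;
}

/* Undo switch_creds(): uid first this time, because only the original
 * effective uid is allowed to move the gid back. */
int restore_creds(const struct saved_creds *saved)
{
    if (seteuid(saved->euid) != 0) {
        return errno;
    }
    if (setegid(saved->egid) != 0) {
        return errno;
    }
    return 0;
}

/* Final, permanent drop to the user whose ccache is about to be written.
 * setgid()/setuid() called as root replace real, effective and saved IDs;
 * that is verified, because a drop that silently leaves the saved uid in
 * place is the classic mistake. Supplementary groups (setgroups) are not
 * touched here; a real drop resets those as well. */
int become_user(uid_t uid, gid_t gid, const struct saved_creds *saved)
{
    if (setgid(gid) != 0) {
        return errno;
    }
    if (setuid(uid) != 0) {
        return errno;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        return EPERM;
    }
    /* Probe: regaining the previous effective uid must now fail. */
    if (saved->euid != uid && seteuid(saved->euid) == 0) {
        (void) seteuid(uid);
        return EPERM;
    }
    return 0;
}

/* The check the PR's "Running as [uid][gid]" debug line lets a human make. */
bool running_as(uid_t uid, gid_t gid)
{
    return geteuid() == uid && getegid() == gid;
}

int main(void)
{
    struct saved_creds saved;
    /* Demonstration on the caller's own IDs, which works unprivileged; in
     * the real child uid/gid would be the backend's and then the user's. */
    int ret = switch_creds(geteuid(), getegid(), &saved);
    if (ret == 0) ret = restore_creds(&saved);
    if (ret == 0) ret = become_user(getuid(), getgid(), &saved);
    return (ret == 0 && running_as(getuid(), getgid())) ? 0 : 1;
}
```

Run as root with a real target uid, the probe in become_user() is what distinguishes a true drop from a seteuid()-only one: after setuid() the saved uid is gone and seteuid(0) is refused, whereas a process that only changed its effective uid would pass the geteuid() comparison and still be able to climb back.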
[SSSD] [sssd PR#703][closed] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Author: thalman Title: #703: nss: sssd returns '/' for emtpy home directories Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/703/head:pr703 git checkout pr703 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories jhrozek commented: """ * sssd-1-16: 28792523a01a7d21bcc8931794164f253e691a68 """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446378330
[SSSD] [sssd PR#703][+Pushed] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories Label: +Pushed
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories jhrozek commented: """ * master: 90f32399b4100ce39cf665649fde82d215e5eb49 """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446378006
[SSSD] [sssd PR#711][comment] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Title: #711: ipa: use only the global catalog service of the forest root jhrozek commented: """ * sssd-1-16: * 74568bdde833f752187cb1a38b39715556c91279 * d33ec64423087261fcc14acb5922793fadb83342 """ See the full comment at https://github.com/SSSD/sssd/pull/711#issuecomment-446371448
[SSSD] [sssd PR#711][+Pushed] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Title: #711: ipa: use only the global catalog service of the forest root Label: +Pushed
[SSSD] [sssd PR#711][closed] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Author: sumit-bose Title: #711: ipa: use only the global catalog service of the forest root Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/711/head:pr711 git checkout pr711
[SSSD] [sssd PR#711][comment] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Title: #711: ipa: use only the global catalog service of the forest root jhrozek commented: """ * master: * 62d671b874a66101c0f4bff39fc6d7f49cb8fca6 * 9096fc01cca8fcaeb19c36a27f3a9fa09d60772a """ See the full comment at https://github.com/SSSD/sssd/pull/711#issuecomment-446370333
[SSSD] [sssd PR#677][comment] pcre: port to pcre2
URL: https://github.com/SSSD/sssd/pull/677 Title: #677: pcre: port to pcre2 jhrozek commented: """ I'm sorry to keep beating the error code from *sss_regexp_new...but why not just return int from that function, which would be EOK on success, in which case a **self pointer would also be returned and if there is an error, just return an error code. The extended error message from pcre can be just printed with a debug message and then thrown away. Currently it seems like the code tries too hard to emulate pcre exactly while also having the embedded self.. btw what strikes me as odd in particular is this:
```
ctx->illegal_path_re = sss_regexp_new(ctx, ILLEGAL_PATH_PATTERN, 0,
                                      , , );
if (errval != 0) {
```
...returning a pointer but not checking its value, but checking errval instead.. """ See the full comment at https://github.com/SSSD/sssd/pull/677#issuecomment-446365550
[SSSD] [sssd PR#705][-Changes requested] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas Label: -Changes requested
[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Author: jhrozek Title: #705: KCM: Add configurable quotas Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/705/head:pr705 git checkout pr705 From aeaa27423ee1b5a70f556a937bc45068e2ef48e0 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Oct 2018 13:17:14 +0200 Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference Related: https://pagure.io/SSSD/sssd/issue/3685 There were some stray references to the secrets responder in the sssd-kcm manual page. --- src/man/sssd-kcm.8.xml | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index fff8b0a16..90b9ad09c 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -58,11 +58,9 @@ -the SSSD implementation stores the ccaches in the SSSD - -sssd-secrets5 - -secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. +the SSSD implementation stores the ccaches in a database, +typically located at /var/lib/sss/secrets +allowing the ccaches to survive KCM server restarts or machine reboots. From fd731ed430cd406a5419b059c97f34c5b63c637a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 30 Nov 2018 13:15:58 +0100 Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart sssd-kcm.service lately Related: https://pagure.io/SSSD/sssd/issue/3862 We forgot to amend the man page after implementing the sssd-kcm service reload. --- src/man/sssd-kcm.8.xml | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index 90b9ad09c..4e4aaa38e 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml 
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service CONFIGURATION OPTIONS The KCM service is configured in the kcm -section of the sssd.conf file. Please note that currently, -is it not sufficient to restart the sssd-kcm service, because -the sssd configuration is only parsed and read to an internal -configuration database by the sssd service. Therefore you -must restart the sssd service if you change anything in the -kcm section of sssd.conf. +section of the sssd.conf file. Please note that because +the KCM service is typically socket-activated, it is +enough to just restart the sssd-kcm service +after changing options in the kcm section +of sssd.conf: + +systemctl restart sssd-kcm.service + + + +The KCM service is configured in the kcm For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf From bf41cfe654d0f7c1421d05759d71b04c872c8567 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 26 Nov 2018 13:44:08 +0100 Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM for quota options Related: https://pagure.io/SSSD/sssd/issue/3386 With the separate secrets responder, the quotas for the /secrets and /kcm hives were configurable in a sub-section of the [secrets] sssd.conf section using the same option -- the /secrets vs. /kcm distinction was made using the subsection name. With the standalone KCM responder writing directly to the database, it makes sense to have options with more descriptive names better suitable for the KCM usage. For that we need the options for secrets quotas and kcm quotas to be named differently. For now, the patch only passes the option name to sss_sec_get_quota() and sss_sec_get_hive_config() together with the default value in an instance of a new structure sss_sec_quota_opt. The secrets responder still uses the same option names for backwards compatibility. --- src/responder/secrets/secsrv.c | 70 ++ src/util/secrets/config.c | 40 +-- src/util/secrets/secrets.h | 21 ++ 3 files changed, 88 insertions(+), 43 deletions(-) diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index 2de93dedc..e783e231d 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx, static int sec_get_config(struct sec_ctx *sctx) { int ret; +struct sss_sec_quota_opt dfl_sec_nest_level = { +.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL, +.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, +}; +struct
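Review bot: the sssd-kcm.8.xml hunk of PATCH 2/8 ends with an added line `+The KCM service is configured in the kcm` immediately before the unchanged `For a detailed syntax reference` paragraph. It repeats the first sentence of the same hunk and stops mid-sentence, so it reads as an editing leftover and should be dropped before merging.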
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ OK, I'll squash this diff: ``` diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index b18bbfd19..e783e231d 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -98,9 +98,6 @@ static int sec_get_config(struct sec_ctx *sctx) sctx->max_payload_size = 1; /* Read the global quota first -- this should be removed in a future release */ -/* Note that this sets the defaults for the sec_config quota to be used - * in sec_get_hive_config() - */ ret = sss_sec_get_quota(sctx->rctx->cdb, sctx->rctx->confdb_service_path, _sec_nest_level, @@ -114,6 +111,16 @@ static int sec_get_config(struct sec_ctx *sctx) goto fail; } +/* Use the global quota values as defaults for the secrets/secrets section */ +dfl_sec_nest_level.default_value = \ +sctx->sec_config.quota.containers_nest_level; +dfl_sec_max_secrets.default_value = \ +sctx->sec_config.quota.max_secrets; +dfl_sec_max_uid_secrets.default_value = \ +sctx->sec_config.quota.max_uid_secrets; +dfl_sec_max_payload_size.default_value = \ +sctx->sec_config.quota.max_payload_size; + /* Read the per-hive configuration */ ret = sss_sec_get_hive_config(sctx->rctx->cdb, "secrets", ``` Into "SECRETS: Use different option names from secrets and KCM for quota options". The previous code never used the (deprecated) quotas from the global [secrets] question. (The removed comment also gives a nice hint at what the previous code did) """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446359085 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
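Review bot: the squashed hunk turns the global [secrets] quota values into the defaults for the secrets/secrets hive (the four `dfl_*.default_value = sctx->sec_config.quota.*` assignments), and the comment above says the previous code never used those deprecated global values; that is a behaviour change for any configuration that sets the global quotas but not the per-hive ones, so the commit message of "SECRETS: Use different option names from secrets and KCM for quota options" should say so. Minor style point: the backslash continuations after `default_value =` are only needed inside macros; plain line breaks match the surrounding code.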
[SSSD] [sssd PR#711][+Accepted] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Title: #711: ipa: use only the global catalog service of the forest root Label: +Accepted
[SSSD] [sssd PR#705][+Changes requested] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas Label: +Changes requested
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ I'm adding changes requested, but since the issue is 'only' in tests, I would still appreciate a review """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446216805
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ I still need to amend the tests: ``` === short test summary info FAIL test_kcm.py::test_kcm_secrets_quota FAIL test_secrets.py::test_global_quota === FAILURES === test_kcm_secrets_quota Traceback (most recent call last): File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_kcm.py", line 555, in test_kcm_secrets_quota cli.set_secret(str(MAX_SECRETS), sec_value) File "/usr/lib/python2.7/site-packages/_pytest/python_api.py", line 627, in __exit__ fail(self.message) File "/usr/lib/python2.7/site-packages/_pytest/outcomes.py", line 92, in fail raise Failed(msg=msg, pytrace=pytrace) Failed: DID NOT RAISE __ test_global_quota ___ Traceback (most recent call last): File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_secrets.py", line 480, in test_global_quota run_quota_test(cli, 10, 2) File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_secrets.py", line 429, in run_quota_test cli.set_secret(str(max_secrets), sec_value) File "/usr/lib/python2.7/site-packages/_pytest/python_api.py", line 627, in __exit__ fail(self.message) File "/usr/lib/python2.7/site-packages/_pytest/outcomes.py", line 92, in fail raise Failed(msg=msg, pytrace=pytrace) Failed: DID NOT RAISE ``` I have no idea why the sssd-ci tests didn't catch this...maybe something for @pbrezina to look at? """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446215481
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories simo5 commented: """ Thanks @jhrozek, this clears it! """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446204376
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories jhrozek commented: """ The patch does change the behaviour, but it's also just a fallback, so whatever you had defined in AD LDAP is still used. Let me give an example:

- before the patch:
  - user with no homedir: "/"
  - user with homedir: the homedir is used
- after the patch:
  - user with no homedir: /home/domain/username
  - user with homedir: the homedir is used

""" See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446200551
[SSSD] [sssd PR#710][synchronized] data_provider_fo: fix error in hostname retrieval
URL: https://github.com/SSSD/sssd/pull/710 Author: alexey-tikhonov Title: #710: data_provider_fo: fix error in hostname retrieval Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/710/head:pr710 git checkout pr710 From 0e922caf960e4fe19b4a6e3e2f44c907756b5c6a Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Fri, 7 Dec 2018 17:38:30 +0100 Subject: [PATCH] Fix error in hostname retrieval Fix off-by-one error in gethostname() param Resolves: https://pagure.io/SSSD/sssd/issue/3865 --- src/providers/ad/ad_common.c | 2 +- src/providers/data_provider_fo.c | 2 +- src/providers/ipa/ipa_common.c| 2 +- src/providers/ldap/ldap_child.c | 2 +- src/providers/ldap/sdap_access.c | 2 +- src/providers/ldap/sdap_async_sudo_hostinfo.c | 2 +- src/resolv/async_resolv_utils.c | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 6d395cfb1..0d154ca57 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -458,7 +458,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, */ ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME); if (ad_hostname == NULL) { -gret = gethostname(hostname, HOST_NAME_MAX); +gret = gethostname(hostname, sizeof(hostname)); if (gret != 0) { ret = errno; DEBUG(SSSDBG_FATAL_FAILURE, diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c index 332174e34..4d561dcc6 100644 --- a/src/providers/data_provider_fo.c +++ b/src/providers/data_provider_fo.c @@ -239,7 +239,7 @@ errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx *be_ctx, errno_t ret; if (hostname == NULL) { -ret = gethostname(resolved_hostname, HOST_NAME_MAX); +ret = gethostname(resolved_hostname, sizeof(resolved_hostname)); if (ret != EOK) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index c71eca8cd..17d14e6b0 100644 
--- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -79,7 +79,7 @@ int ipa_get_options(TALLOC_CTX *memctx, ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME); if (ipa_hostname == NULL) { -ret = gethostname(hostname, HOST_NAME_MAX); +ret = gethostname(hostname, sizeof(hostname)); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "gethostname failed [%d][%s].\n", errno, strerror(errno)); diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index 8c11d7896..368bb91e1 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -326,7 +326,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } else { char hostname[HOST_NAME_MAX + 1]; -ret = gethostname(hostname, HOST_NAME_MAX); +ret = gethostname(hostname, sizeof(hostname)); if (ret == -1) { krberr = KRB5KRB_ERR_GENERIC; goto done; diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c index 1ee4dcd2b..dd04ec512 100644 --- a/src/providers/ldap/sdap_access.c +++ b/src/providers/ldap/sdap_access.c @@ -1255,7 +1255,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry) return ERR_ACCESS_DENIED; } -if (gethostname(hostname, HOST_NAME_MAX) == -1) { +if (gethostname(hostname, sizeof(hostname)) == -1) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get system hostname. Access denied\n"); return ERR_ACCESS_DENIED; diff --git a/src/providers/ldap/sdap_async_sudo_hostinfo.c b/src/providers/ldap/sdap_async_sudo_hostinfo.c index 42f95df85..a3c3e1068 100644 --- a/src/providers/ldap/sdap_async_sudo_hostinfo.c +++ b/src/providers/ldap/sdap_async_sudo_hostinfo.c @@ -380,7 +380,7 @@ static struct tevent_req *sdap_sudo_get_hostnames_send(TALLOC_CTX *mem_ctx, /* get hostname */ errno = 0; -ret = gethostname(hostname, HOST_NAME_MAX); +ret = gethostname(hostname, sizeof(hostname)); if (ret != EOK) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve machine hostname " 
diff --git a/src/resolv/async_resolv_utils.c b/src/resolv/async_resolv_utils.c index 8d077d060..f86181b91 100644 --- a/src/resolv/async_resolv_utils.c +++ b/src/resolv/async_resolv_utils.c @@ -57,7 +57,7 @@ resolv_get_domain_send(TALLOC_CTX *mem_ctx, if (hostname == NULL) { /* use system hostname */ -ret = gethostname(system_hostname, HOST_NAME_MAX); +ret = gethostname(system_hostname, sizeof(system_hostname)); if (ret) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, "gethostname() failed: [%d]: %s\n",
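Review bot: sizeof(hostname) is only the buffer size when hostname is a local array; in the ad_common.c, data_provider_fo.c, ipa_common.c, sdap_access.c, sdap_async_sudo_hostinfo.c and async_resolv_utils.c hunks the declaration lies outside the shown context, so please confirm that none of those is a pointer or a function parameter, where sizeof would yield the pointer size and the name would be silently cut to a handful of characters.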
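Review bot: the ldap_child.c hunk is the one that shows the declaration, `char hostname[HOST_NAME_MAX + 1]`, and it explains the fix: passing HOST_NAME_MAX left no room for the terminator when the name is exactly HOST_NAME_MAX characters long, while sizeof(hostname) passes the full buffer. gethostname() still does not guarantee a NUL terminator when the name is longer than the buffer (POSIX leaves that unspecified), so either a defensive `hostname[sizeof(hostname) - 1] = '\0';` after each successful call or treating a too-long name as an error would close the remaining case.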
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories simo5 commented: """ Wait, does this mean it changes current behavior for AD domains? """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446198589
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for emtpy home directories simo5 commented: """ Or would it previously return "/" unconditionally? """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446198697
[SSSD] [sssd PR#711][synchronized] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711 Author: sumit-bose Title: #711: ipa: use only the global catalog service of the forest root Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/711/head:pr711 git checkout pr711 From 64aa84c3e9f85e7a4f6d7b9491058f10fd804dac Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 4 Dec 2018 13:08:11 +0100 Subject: [PATCH 1/2] Revert "IPA: use forest name when looking up the Global Catalog" This reverts commit 149174acae677d1e72a0da431bf0850d55f2ccb4. --- src/providers/ipa/ipa_subdomains_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index e5ea4bd02..43a3053cb 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -266,7 +266,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n"); } -gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->forest); +gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->name); if (gc_service_name == NULL) { talloc_free(ad_options); return ENOMEM; From 84a1387ca99e79c006c1bede1bc6f028b4b8cba3 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Tue, 4 Dec 2018 13:06:23 +0100 Subject: [PATCH 2/2] ipa: use only the global catalog service of the forest root While creating the domains and sub-domains each domain gets a global catalog services assigned but only one should be used because the global catalog is by definition responsible for the whole forest so it does not make sense to use a global catalog service for each domain and in the worst case connect to the same GC multiple times. In the AD provider this is simple because the GC service of the configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA case all domains from the trusted forest are on the level of sub-domains so we have to pick one. Since the forest root is linked from all domain of the same forest it will be the most straight forward choice. Related to https://pagure.io/SSSD/sssd/issue/3902 --- src/providers/ipa/ipa_subdomains_id.c | 50 +-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index a16eed284..48cf74460 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c 
@@ -713,6 +713,52 @@ int ipa_get_subdom_acct_recv(struct tevent_req *req, int *dp_error_out) return EOK; } +static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx, + struct sss_domain_info *dom); + +static struct sdap_id_conn_ctx ** +ipa_ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ipa_id_ctx *ipa_ctx, +struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom) +{ +struct ad_id_ctx *forest_root_ad_id_ctx; +struct sdap_id_conn_ctx **clist; +int cindex = 0; + +/* While creating the domains and sub-domains each domain gets a global + * catalog services assigned but only one should be used because the + * global catalog is by definition responsible for the whole forest so it + * does not make sense to use a global catalog service for each domain and + * in the worst case connect to the same GC multiple times. + * + * In the AD provider this is simple because the GC service of the + * configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA + * case all domains from the trusted forest are on the level of + * sub-domains so we have to pick one. Since the forest root is linked + * from all domain of the same forest it will be the most straight forward + * choice. */ +forest_root_ad_id_ctx = ipa_get_ad_id_ctx(ipa_ctx, dom->forest_root); +if (forest_root_ad_id_ctx == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Missing ad_id_ctx for forest root.\n"); +return NULL; +} + +clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3); +if (clist == NULL) return NULL; + +/* Always try GC first */ +if (dp_opt_get_bool(forest_root_ad_id_ctx->ad_options->basic, +AD_ENABLE_GC)) { +clist[cindex] = forest_root_ad_id_ctx->gc_ctx; +clist[cindex]->ignore_mark_offline = true; +clist[cindex]->no_mpg_user_fallback = true; +cindex++; +} + +clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom); + +return clist; +} + /* IPA lookup for server mode. Directly to AD. */ struct ipa_get_ad_acct_state { int dp_error; 
@@ -731,8 +777,6 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req); static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req); static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq); static void
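Review bot: In the @@ -713 hunk, ipa_ad_gc_conn_list() dereferences `forest_root_ad_id_ctx->gc_ctx` right after storing it (`clist[cindex]->ignore_mark_offline = true;`) without checking that gc_ctx is non-NULL, and because gc_ctx belongs to the forest root's ad_id_ctx, the two flags (`ignore_mark_offline`, `no_mpg_user_fallback`) are written onto a shared object every time a connection list is built and stay set for every other user of that context; please guard the dereference and confirm that mutating the shared gc_ctx is intended rather than a per-request setting. `ad_get_dom_ldap_conn(ad_ctx, dom)` is also stored unchecked, so a NULL return silently yields a list with only the GC entry, or an empty list when AD_ENABLE_GC is off, with no DEBUG message. Minor: `if (clist == NULL) return NULL;` should use the braced multi-line form used in the rest of the file, and the block comment repeats the commit message verbatim where a short reference would do.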
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446184702 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#712][opened] SSSCTL: user-checks does not show custom attributes
URL: https://github.com/SSSD/sssd/pull/712 Author: thalman Title: #712: SSSCTL: user-checks does not show custom attributes Action: opened PR body: """ "sssctl user-checks" also queries the IFP interface of sssd. The problem is that this command only displays POSIX user attrs, no matter if we configured the InfoPipe for additional user attributes. With this patch additional attributes are also printed out. Resolves: https://pagure.io/SSSD/sssd/issue/3866 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/712/head:pr712 git checkout pr712 From 29f303c7197edf08e8f1496da2f41acdf4e3c446 Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Tue, 11 Dec 2018 12:46:02 +0100 Subject: [PATCH] SSSCTL: user-checks does not show custom attributes "sssctl user-checks" also queries the IFP interface of sssd. The problem is that this command only displays POSIX user attrs, no matter if we configured the InfoPipe for additional user attributes. With this patch additional attributes are also printed out. Resolves: https://pagure.io/SSSD/sssd/issue/3866 --- src/tools/sssctl/sssctl_user_checks.c | 22 ++ 1 file changed, 22 insertions(+) diff --git a/src/tools/sssctl/sssctl_user_checks.c b/src/tools/sssctl/sssctl_user_checks.c index 49ef200f8..5fb207e2d 100644 --- a/src/tools/sssctl/sssctl_user_checks.c +++ b/src/tools/sssctl/sssctl_user_checks.c @@ -78,6 +78,10 @@ static errno_t get_ifp_user(const char *username) struct sbus_sync_connection *conn; struct sbus_all_ifp_user *user; const char *path; +struct hash_iter_context_t *extra_iter; +char **extra_values; +hash_entry_t *extra_entry; +int extra_idx; errno_t ret; tmp_ctx = talloc_new(NULL); 
@@ -117,6 +121,24 @@ static errno_t get_ifp_user(const char *username) PRINT_IFP_PROPERTY(user, gecos, "s"); PRINT_IFP_PROPERTY(user, homeDirectory, "s"); PRINT_IFP_PROPERTY(user, loginShell, "s"); + +/* print extra attributes */ +if (user->extraAttributes.is_set) { +extra_iter = new_hash_iter_context(user->extraAttributes.value); +if (extra_iter == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n"); +ret = EINVAL; +goto done; +} + +while ((extra_entry = extra_iter->next(extra_iter)) != NULL) { +extra_values = extra_entry->value.ptr; +for(extra_idx = 0; extra_values[extra_idx] != NULL; ++extra_idx) { +fprintf(stdout, " - %s: %s\n", extra_entry->key.str, extra_values[extra_idx]); +} +} +} + fprintf(stdout, "\n"); ret = EOK;
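Review bot: In the @@ -117 hunk the iterator context obtained from `new_hash_iter_context(user->extraAttributes.value)` is never released after the `while` loop, so it lives on past the point where it is needed on every call of get_ifp_user(); free it after the loop with the deallocator that matches how the table was created. The failure path sets `ret = EINVAL;` for what is an allocation failure of the iterator, where ENOMEM describes the condition better. The loop also assumes that every entry's `value.ptr` is a NULL-terminated `char **` array; a one-line comment stating that contract would help the next reader. Style nits: `for(extra_idx = 0;` is missing the space after `for`, and the `fprintf(stdout, " - %s: %s\n", ...)` line runs past 80 columns.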
[SSSD] [sssd PR#703][+Accepted] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for empty home directories Label: +Accepted
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for empty home directories jhrozek commented: """ Seems to work fine. By default I get /home/domain/username for all admins; when I set fallback_homedir=%o then the unixHomeDirectory attribute is used instead. """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446140500