[SSSD] [sssd PR#793][synchronized] ci: improve Jenkinsfile and add Fedora 30
URL: https://github.com/SSSD/sssd/pull/793 Author: pbrezina Title: #793: ci: improve Jenkinsfile and add Fedora 30 Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/793/head:pr793 git checkout pr793 From a8296c027449828f6fb7b87dd867ff69164374c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Wed, 20 Mar 2019 12:52:52 +0100 Subject: [PATCH 1/6] ci: do not fail everything when one distro fails Currently if test on one distribution fails, it will trigger the failure branch in post block of all stages. This is a known issue and we must work around it. --- Jenkinsfile | 75 + 1 file changed, 58 insertions(+), 17 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 653c08cfec..a70674e189 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,3 +1,19 @@ +/** + * Workaround for https://issues.jenkins-ci.org/browse/JENKINS-39203 + * + * At this moment if one stage in parallel block fails, failure branch in + * post block is run in all stages even though they might have been successful. + * + * We remember result of test stages in this variable so we can correctly + * report a success or error even if one of the stages that are run in + * parallel failed. + */ +def ci_result = [:] + +/** + * Remember that the build failed because one of the untrusted files were + * modified. + */ def untrusted = false pipeline { @@ -13,6 +29,7 @@ pipeline { GH_SUCCESS = "Success." GH_PENDING = "Build is pending." GH_FAILURE = "Build failed." +GH_ABORTED = "Aborted." GH_URL = "https://pagure.io/SSSD/sssd"; AWS_BASE = "https://s3.eu-central-1.amazonaws.com/sssd-ci"; SUITE_DIR = "$BASE_DIR/sssd-test-suite" 
@@ -51,18 +68,26 @@ pipeline { steps { githubNotify status: 'PENDING', context: "$GH_CONTEXT", description: "$GH_PENDING", targetUrl: "$GH_URL" sh '$RUN "$WORKSPACE/sssd" "$SUITE_DIR" "$WORKSPACE/artifacts/$TEST_SYSTEM" "$CONFIG"' +script { + ci_result[env.TEST_SYSTEM] = "success" +} } post { always { archiveArtifacts artifacts: "artifacts/**", allowEmptyArchive: true sh '$ARCHIVE $TEST_SYSTEM $WORKSPACE/artifacts/$TEST_SYSTEM $NAME' sh 'rm -fr "$WORKSPACE/artifacts/$TEST_SYSTEM"' + + script { +if (ci_result[env.TEST_SYSTEM] == "success") { + githubNotify status: 'SUCCESS', context: "$GH_CONTEXT", description: "$GH_SUCCESS", targetUrl: "$GH_URL" +} else { + githubNotify status: 'FAILURE', context: "$GH_CONTEXT", description: "$GH_FAILURE", targetUrl: "$GH_URL" +} + } } -failure { - githubNotify status: 'FAILURE', context: "$GH_CONTEXT", description: "$GH_FAILURE", targetUrl: "$GH_URL" -} -success { - githubNotify status: 'SUCCESS', context: "$GH_CONTEXT", description: "$GH_SUCCESS", targetUrl: "$GH_URL" +aborted { + githubNotify status: 'ERROR', context: "$GH_CONTEXT", description: "$GH_ABORTED", targetUrl: "$GH_URL" } } } 
@@ -77,18 +102,26 @@ pipeline { steps { githubNotify status: 'PENDING', context: "$GH_CONTEXT", description: "$GH_PENDING", targetUrl: "$GH_URL" sh '$RUN "$WORKSPACE/sssd" "$SUITE_DIR" "$WORKSPACE/artifacts/$TEST_SYSTEM" "$CONFIG"' +script { + ci_result[env.TEST_SYSTEM] = "success" +} } post { always { archiveArtifacts artifacts: "artifacts/**", allowEmptyArchive: true sh '$ARCHIVE $TEST_SYSTEM $WORKSPACE/artifacts/$TEST_SYSTEM $NAME' sh 'rm -fr "$WORKSPACE/artifacts/$TEST_SYSTEM"' + + script { +if (ci_result[env.TEST_SYSTEM] == "success") { + githubNotify status: 'SUCCESS', context: "$GH_CONTEXT", description: "$GH_SUCCESS", targetUrl: "$GH_URL" +} else { + githubNotify status: 'FAILURE', context: "$GH_CONTEXT", description: "$GH_FAILURE", targetUrl: "$GH_URL" +} + } } -failure { - githubNotify status: 'FAILURE', context: "$GH_CONTEXT", description: "$GH_FAILURE", targetUrl: "$GH_URL" -} -success { - githubNotify status: 'SUCCESS', context: "$GH_CONTEXT", description: "$GH_SUCCESS", targetUrl: "$GH_URL" +aborted { + githubNotify status: 'ERROR', context: "$GH_CONTEXT", description: "$GH_ABORTED", targetUrl: "$GH_URL" } } } @@ -103,18 +136,26 @@ pipeline { steps { githubNotify status: 'PENDING', context: "$GH_CONTEXT",
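Review bot: the comment block above `def ci_result = [:]` in the first hunk explains JENKINS-39203 but not the contract the post blocks below depend on, namely that a key is written only after `$RUN` has succeeded and that an absent key is read as failure; state that explicitly in the comment, since a later stage that sets `ci_result[env.TEST_SYSTEM]` to anything before `sh '$RUN ...'` would silently break the reporting. In the same hunk, the `untrusted` comment should read "one of the untrusted files was modified".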
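Review bot: in the `@@ -51,18 +68,26` hunk (and its identical copies at `@@ -77` and `@@ -103`), an aborted stage now reports twice: Declarative runs `always` before `aborted`, and because `ci_result[env.TEST_SYSTEM]` was never set, the `always` block posts FAILURE ("Build failed.") before the `aborted` block posts ERROR ("Aborted."). Guard the notification in `always`, for example by skipping it when `currentBuild.currentResult == 'ABORTED'`, so GitHub sees a single final status per context. The three stages also carry the same `script { if (ci_result[env.TEST_SYSTEM] == "success") ... }` block verbatim; a shared helper called from each `post` would keep the copies from drifting.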
[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache
URL: https://github.com/SSSD/sssd/pull/820 Title: #820: ad: delete domains disabled through ad_enabled_domains from cache pbrezina commented: """ Pull request: https://github.com/SSSD/sssd/pull/820 """ See the full comment at https://github.com/SSSD/sssd/pull/820#issuecomment-497295105 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache
URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
I did not test the "root" domain case because I was not able to establish trust with a non-root domain so far. But the pull request is straightforward, so it does not necessarily block review.

```
[r...@master.client.vm /home/vagrant]# realm join child.ad.vm
Password for Administrator:
See: journalctl REALMD_OPERATION=r1521.5100
realm: Couldn't join realm: Insufficient permissions to join the domain
[r...@master.client.vm /home/vagrant]# journalctl REALMD_OPERATION=r1521.5100
-- Logs begin at Sun 2019-05-26 19:54:19 UTC, end at Thu 2019-05-30 09:40:15 UTC. --
May 30 09:40:13 master.client.vm realmd[5103]: * Resolving: _ldap._tcp.child.ad.vm
May 30 09:40:13 master.client.vm realmd[5103]: * Performing LDAP DSE lookup on: 192.168.100.120
May 30 09:40:13 master.client.vm realmd[5103]: * Performing LDAP DSE lookup on: 192.168.121.248
May 30 09:40:13 master.client.vm realmd[5103]: * Successfully discovered: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
May 30 09:40:15 master.client.vm realmd[5103]: * LANG=C /usr/sbin/adcli join --verbose --domain child.ad.vm --domain-realm CHILD.AD.VM --domain-controller 192.168.100.120 --login-type user --login-user Administrator --stdin-password
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Sending netlogon pings to domain controller: cldap://192.168.100.120
May 30 09:40:15 master.client.vm realmd[5103]: * Received NetLogon info from: child-dc.child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-uxaCvi/krb5.d/adcli-krb5-conf-iAtYIJ
May 30 09:40:15 master.client.vm realmd[5103]: * Authenticated as user: administra...@child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Looked up short domain name: ADCHILD
May 30 09:40:15 master.client.vm realmd[5103]: * Looked up domain SID: S-1-5-21-2624477844-534582034-2536808417
May 30 09:40:15 master.client.vm realmd[5103]: * Using fully qualified name: master.client.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Using computer account name: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Generated 120 character computer password
May 30 09:40:15 master.client.vm realmd[5103]: * Using keytab: FILE:/etc/krb5.keytab
May 30 09:40:15 master.client.vm realmd[5103]: * Computer account for MASTER$ does not exist
May 30 09:40:15 master.client.vm realmd[5103]: * Found well known computer container at: CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]: ! Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 21C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 21C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]: adcli: joining domain child.ad.vm failed: Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 21C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 21C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]: ! Insufficient permissions to join the domain
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/820#issuecomment-497294985
[SSSD] [sssd PR#820][opened] ad: delete domains disabled through ad_enabled_domains from cache
URL: https://github.com/SSSD/sssd/pull/820
Author: pbrezina
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache
Action: opened

PR body:
"""
Steps to reproduce:

1. Have at least one subdomain in ad domain (e.g. child.ad.vm is subdomain of ad.vm).
2. Enable all domains, set ad_enabled_domains =
       [ad.vm]
       ...
       ad_enabled_domains =
3. Look up 'administra...@child.ad.vm'
       $ id administra...@child.ad.vm
       uid=1678800500(administra...@child.ad.vm) ...
4. Disable the subdomain by setting 'ad_enabled_domains = ad.vm'
5. Restart sssd without clearing the cache
6. Request for *@child.ad.vm will go to the data provider and try to look up the user in child.ad.vm domain which will yield 'domain not found'. However if the user is cached it will return the user.
       $ id administra...@child.ad.vm
       uid=1678800500(administra...@child.ad.vm) ...

Subdomains that are not root domains are removed from cache. Root domains are disabled in sysdb with new `enabled` attribute.

Resolves: https://pagure.io/SSSD/sssd/issue/4009
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/820/head:pr820
git checkout pr820

From 5893608b6a2b85c3e0474ccc86c86434d67f03d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Thu, 30 May 2019 10:48:07 +0200
Subject: [PATCH 1/4] ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb

If previously enabled subdomain was disabled by removing it from ad_enabled_domains option in sssd.conf, its cached content (including the domain object itself) was kept in sysdb. Therefore even though the domain was effectively disabled in backend its cached data was still available in responders.

Subdomains that are disabled on server side are correctly removed from sysdb in `ad_subdomains_refresh()` so this issue is related only to the configuration option.

Resolves: https://pagure.io/SSSD/sssd/issue/4009

--- src/providers/ad/ad_subdomains.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index c4ac230653..5a96decbfc 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -825,6 +825,15 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx, if (is_domain_enabled(sd_name, enabled_domains_list) == false) { DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name); + +/* The subdomain is now disabled in configuraiton file, we + * need to delete its cached content so it is not returned + * by responders. The subdomain shares sysdb with its parent + * domain so it is OK to use domain->sysdb. */ +ret = sysdb_subdomain_delete(domain->sysdb, sd_name); +if (ret != EOK) { +goto fail; +} continue; } else { DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name); From 276a5612aaf4f7086a5569c46eca4d80a5830880 Mon Sep 17 00:00:00 2001
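Review bot: in the `is_domain_enabled(...) == false` branch of the `@@ -825` hunk, `goto fail` after a failed `sysdb_subdomain_delete()` aborts processing of every remaining subdomain without leaving a trace in the log, while the surrounding code logs each enable/disable decision; add a `DEBUG(SSSDBG_OP_FAILURE, ...)` with `sd_name` and `sss_strerror(ret)` before the `goto`. Since this call now runs on every refresh for every disabled subdomain, also confirm that `sysdb_subdomain_delete()` returns EOK for a domain that has no sysdb object (a domain disabled before it was ever cached); otherwise the first refresh after such a configuration change fails outright. Minor: "configuraiton" in the new comment.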
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 30 May 2019 12:14:58 +0200 Subject: [PATCH 2/4] sysdb: add sysdb_domain_set_enabled() This will be used in subsequent patches to disable subdomains. Resolves: https://pagure.io/SSSD/sssd/issue/4009 --- src/db/sysdb.c| 7 ++- src/db/sysdb.h| 6 ++ src/db/sysdb_subdomains.c | 31 +++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 51acb86056..6bbc6abb9b 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -1110,7 +1110,7 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb, errno_t ret; int lret; -if (dn == NULL || cn_value == NULL || attr_name == NULL) { +if (dn == NULL || attr_name == NULL) { return EINVAL; } @@ -1134,6 +1134,11 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb, msg->dn = dn; if (res->count == 0) { +if (cn_value == NULL) { +ret = ENOENT; +goto done; +} + lret = ldb_msg_add_string(msg, "cn", cn_value); if (lret != LDB_SUCCESS) { ret = sysdb_error_to_errno(lret); diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 89b0d95715..ab65067380 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -155,6 +155,7 @@ #define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection" #define SYSDB_UPN_SUFFIXES "upnSuffixes" #define SYSDB_SITE "site" +#define SYSDB_ENABLED "enabled" #define SYSDB_BASE_ID "baseID" #define SYSDB_ID_RANGE_SIZE "idRangeSize" @@ -520,6 +521,11 @@ errno_t sysdb_set_site(struct sss_domain_info *dom, const char *site); +errno_t +sysdb_domain_set_enabled(struct sysdb_ctx *sysdb, + const char *name, + bool enabled); + errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb, const char *name,
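Review bot: the two `src/db/sysdb.c` hunks (`@@ -1110` and `@@ -1134`) change the contract of `sysdb_set_bool()`: `cn_value` may now be NULL, and in that case a missing object yields ENOENT instead of being created. That new behaviour is not reflected at the function's declaration in `src/db/sysdb.h` (the header hunk only adds the `sysdb_domain_set_enabled()` prototype), so document it there, including that callers passing NULL must handle ENOENT. A `DEBUG(SSSDBG_TRACE_FUNC, ...)` in the new `if (cn_value == NULL) { ret = ENOENT; goto done; }` branch would also make a silent ENOENT from a disabled-domain update visible.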
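Review bot: the `src/db/sysdb.h` hunk introduces `#define SYSDB_ENABLED "enabled"` as a new attribute on existing domain objects, which means every object written before this change carries no `enabled` attribute at all; the prototype of `sysdb_domain_set_enabled()` (and the reader added in `sysdb_subdomains.c`, not visible here) should document that an absent attribute is treated as enabled, otherwise every domain cached before the upgrade disappears on first start. The prototype also lacks a doc comment describing what happens when `name` does not exist (ENOENT via `sysdb_set_bool()` with a NULL `cn_value`, by the sysdb.c hunks above); the neighbouring `sysdb_set_site()` and `sysdb_subdomain_store()` set the precedent.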
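The reproducer in the PR body and the two patches describe a policy: a domain missing from a non-empty ad_enabled_domains must not be answered from the cache after a restart, with non-root subdomains deleted from sysdb and root domains kept but flagged disabled. The following Python script is an added example, not code from the pull request or from SSSD; it models that decision over a constructed inventory of cached domain objects so an operator can check a sysdb dump for exactly the stale-cache condition the patch fixes. The sssd.conf fragments, the `CachedDomain` inventory (including its `is_root` classification and user counts) and the case-insensitive domain comparison are assumptions of this example; it does not touch a real cache.

```python
"""Model SSSD's ad_enabled_domains policy over a constructed cache inventory.

Added example, not SSSD code. The configuration layout, the inventory format
and the case-insensitive name comparison are assumptions of this example.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sssd.conf: only the forest root ad.vm stays enabled (step 4 of
# the reproducer). CONF_ALL is the same file with the option left empty.
CONF_ONLY_ROOT = """\
[sssd]
domains = ad.vm
services = nss, pam

[domain/ad.vm]
id_provider = ad
ad_domain = ad.vm
ad_enabled_domains = ad.vm
"""
CONF_ALL = CONF_ONLY_ROOT.replace("ad_enabled_domains = ad.vm",
                                  "ad_enabled_domains =")


@dataclass(frozen=True)
class CachedDomain:
    name: str          # DNS name of the domain object in the sysdb
    is_root: bool      # forest root vs. trusted child (assumed classification)
    cached_users: int  # user entries still present for that domain


# Constructed inventory standing in for the domain objects after step 3:
# the child domain was looked up once, so one user entry is cached.
CACHE_AFTER_STEP_3: List[CachedDomain] = [
    CachedDomain("ad.vm", is_root=True, cached_users=12),
    CachedDomain("child.ad.vm", is_root=False, cached_users=1),
    CachedDomain("other.forest.vm", is_root=True, cached_users=0),
]


def enabled_domains(conf_text: str, section: str) -> Optional[FrozenSet[str]]:
    """Parse ad_enabled_domains from one [domain/...] section.

    Returns None when the option is absent or empty, which SSSD treats as
    "every discovered domain is enabled"; otherwise the lower-cased names.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(section, "ad_enabled_domains", fallback="").strip()
    if not raw:
        return None
    return frozenset(p.strip().lower() for p in raw.split(",") if p.strip())


def is_domain_enabled(name: str, enabled: Optional[FrozenSet[str]]) -> bool:
    """Decision mirrored from the refresh loop: no list means all enabled."""
    return enabled is None or name.lower() in enabled


def plan_cache_actions(cache: List[CachedDomain],
                       enabled: Optional[FrozenSet[str]]) -> Dict[str, str]:
    """What a refresh must do per cached domain object, following the PR:
    enabled -> keep; disabled child -> delete the subtree; disabled root ->
    keep the object but mark it enabled=FALSE."""
    plan: Dict[str, str] = {}
    for dom in cache:
        if is_domain_enabled(dom.name, enabled):
            plan[dom.name] = "keep"
        elif dom.is_root:
            plan[dom.name] = "mark-disabled"
        else:
            plan[dom.name] = "delete"
    return plan


def stale_cached_users(cache: List[CachedDomain],
                       enabled: Optional[FrozenSet[str]]) -> Dict[str, int]:
    """Domains the responders would still answer for after a restart without
    cache cleanup: disabled by configuration but still holding user entries.
    This is the condition from step 6 of the reproducer."""
    return {d.name: d.cached_users for d in cache
            if not is_domain_enabled(d.name, enabled) and d.cached_users > 0}


if __name__ == "__main__":
    enabled = enabled_domains(CONF_ONLY_ROOT, "domain/ad.vm")
    for name, action in plan_cache_actions(CACHE_AFTER_STEP_3, enabled).items():
        print(f"{name:20s} {action}")
    print("stale cached users:", stale_cached_users(CACHE_AFTER_STEP_3, enabled))
```

Run it as-is to see the plan for the constructed inventory; to use it on a real host, replace `CACHE_AFTER_STEP_3` with the domain objects and user counts read from the cache ldb and point `enabled_domains()` at the real sssd.conf. The empty-option case is the important edge: an empty `ad_enabled_domains =` enables everything, so the check must distinguish "unset" from "set to nothing" rather than treating both as an empty set.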