[SSSD] Re: SSSD Internals Document published

2019-08-08 Thread Jakub Hrozek
This is quite embarrassing, but we still haven't converted that document
from the old wiki to pagure. I've been working on that on and off when I
had some free time, the current state can be viewed at:

https://pagure.io/fork/jhrozek/SSSD/docs/blob/42227852ef7059966fcac09c544b4cfeee47c011/f/developers/internals.rst

On Tue, Jul 30, 2019 at 09:44:01PM +, Ratnayake, Lalitha wrote:
> Hello,
> 
> Does anyone know where I could find the "SSSD Internals Document"?  The 
> following link redirects to 
> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement !!
> 
> 
> https://fedorahosted.org/sssd/wiki/InternalsDocs
> 
> Thanks,
> Lali.
> 
> Lali Ratnayake
> GENView R&D - C20 Security
> 500 Palladium Dr. Suite 2100 | Ottawa, Ontario, Canada, K2V 1C2
> office: +1.343.883.2579
> [ribboncommunications.com]
> 
> 
> 
> ---
> Notice: This e-mail together with any attachments may contain information of 
> Ribbon Communications Inc. that
> is confidential and/or proprietary for the sole use of the intended 
> recipient.  Any review, disclosure, reliance or
> distribution by others or forwarding without express permission is strictly 
> prohibited.  If you are not the intended
> recipient, please notify the sender immediately and then delete all copies, 
> including any attachments.
> ---

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] Re: Removing nscd from Fedora

2019-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2019 at 09:09:12PM +0200, Florian Weimer wrote:
> We'd like to propose removing nscd from Fedora, for Fedora 32.
> (The goal is to make this change downstream, too.)
> 
> Carlos told me that in the past, sssd couldn't do full caching for
> nss_files, and that was still a concern at the time.  Has this changed?

This has not changed. SSSD does not have support for some nss_files-type
maps at all, like networks or hosts, meaning that even if you had those
objects stored in LDAP, SSSD wouldn't even be able to resolve them
(although some friendly Suse developers are adding support for more
maps).

But even when this is implemented, then the request still has to go from
the client application over a socket to the daemon and back. We'd still
be missing the fast in-memory cache support like we do have for
passwd, group and initgroups. (The memory cache design is described
at
https://docs.pagure.org/SSSD.sssd/developers/mmap_cache_1.15.html#how-does-the-memory-mapped-cache-work)

> 
> What about WINS/winbind?

Sorry, what about it? Are you asking if winbind has support for some
sort of nss_files caching or the other way around if sssd can wrap
winbind using its cache?

btw I've seen people using nscd mostly with maps that sssd does not
support at all, together with nslcd (nss-pam-ldap)
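The practical question behind the nscd-removal thread above is which NSS databases on a given host still have any client-side cache once nscd is gone. The following is an added example, not SSSD or glibc code: it parses an nsswitch.conf (a constructed sample is embedded so it runs offline) and, per database, reports which modules serve it and what cache remains. It assumes, beyond what the mail states, that nscd's own caches are the passwd, group, hosts, services and netgroup sections of nscd.conf, and it follows Jakub's description that SSSD's memory-mapped cache covers only passwd, group and initgroups (initgroups is derived from the group database, so the check keys on "group").

```python
"""Report which NSS databases lose all client-side caching without nscd.

Added example for the sssd-devel nscd-removal thread; not SSSD/glibc code.
Assumptions (not from the mail): nscd caches exactly the databases listed in
NSCD_CACHED; SSSD's mmap cache serves only passwd/group (initgroups is
answered from the group database), as Jakub's reply states.
"""

# Databases nscd keeps an in-process cache for (assumption: nscd.conf sections).
NSCD_CACHED = {"passwd", "group", "hosts", "services", "netgroup"}

# Databases SSSD answers from its memory-mapped cache when served by "sss".
SSS_MEMCACHE = {"passwd", "group"}

# Constructed sample nsswitch.conf, not taken from any real host.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     sss files systemd
group:      sss files systemd
shadow:     files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:   files ldap
services:   files sss
netgroup:   sss files
automount:  files sss
"""


def parse_nsswitch(text):
    """Return {database: [module, ...]}.

    Comments and blank lines are skipped; [STATUS=action] tokens are dropped
    because they are lookup-control directives, not modules.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        modules = [tok for tok in rest.split() if not tok.startswith("[")]
        result[db.strip()] = modules
    return result


def cache_after_nscd_removal(nsswitch):
    """Map each database to what client-side cache is left once nscd is removed."""
    report = {}
    for db, modules in nsswitch.items():
        if db in SSS_MEMCACHE and "sss" in modules:
            remaining = "sss memcache"   # answered from SSSD's mmap cache
        else:
            remaining = "none"           # every lookup hits the backend/socket
        report[db] = {
            "modules": modules,
            "lost_nscd_cache": db in NSCD_CACHED,
            "remaining": remaining,
        }
    return report


def databases_losing_all_caching(nsswitch):
    """Databases that nscd used to cache and that keep no cache without it."""
    report = cache_after_nscd_removal(nsswitch)
    return sorted(db for db, info in report.items()
                  if info["lost_nscd_cache"] and info["remaining"] == "none")


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, info in cache_after_nscd_removal(parsed).items():
        print(f"{db:10} modules={' '.join(info['modules']):40} "
              f"nscd={'yes' if info['lost_nscd_cache'] else 'no':3} "
              f"after removal: {info['remaining']}")
    print("losing all caching:", databases_losing_all_caching(parsed))
```

On the sample, passwd and group stay cached by SSSD, while hosts, services and netgroup are exactly the databases the mail singles out: served by files/dns or by sss without a memory cache, they go back to uncached lookups on every call once nscd is gone.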


[SSSD] [sssd PR#857][comment] Don't qualify users from files domain when default_domain_suffix is set

2019-08-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/857
Title: #857: Don't qualify users from files domain when default_domain_suffix 
is set

jhrozek commented:
"""
Thanks @mzidek-rh for the review. How about now?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/857#issuecomment-519664632


[SSSD] [sssd PR#857][-Changes requested] Don't qualify users from files domain when default_domain_suffix is set

2019-08-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/857
Title: #857: Don't qualify users from files domain when default_domain_suffix 
is set

Label: -Changes requested


[SSSD] [sssd PR#857][synchronized] Don't qualify users from files domain when default_domain_suffix is set

2019-08-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/857
Author: jhrozek
 Title: #857: Don't qualify users from files domain when default_domain_suffix 
is set
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/857/head:pr857
git checkout pr857
From e6f976bf3654d7936e0b5e591857cede758c0c95 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 2 Aug 2019 12:07:51 +0200
Subject: [PATCH] Don't qualify users from files domain when
 default_domain_suffix is set

Resolves:
https://pagure.io/SSSD/sssd/issue/4052

The files domain should always be non-qualified. The usual rules like
qualification of all domains except the one set with
default_domain_suffix should not apply.
---
 src/confdb/confdb.c   |  7 --
 src/man/sssd.conf.5.xml   |  8 ++-
 src/tests/intg/test_files_provider.py | 31 +++
 3 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index f6fdbc3aa8..be65310dcc 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1049,7 +1049,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 
 /* Determine if user/group names will be Fully Qualified
  * in NSS interfaces */
-if (default_domain != NULL) {
+if (default_domain != NULL
+ && is_files_provider(domain) == false) {
 DEBUG(SSSDBG_CONF_SETTINGS,
   "Default domain suffix set. Changing default for "
   "use_fully_qualified_names to True.\n");
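Review bot: the new `is_files_provider(domain) == false` guard changes the outcome silently for a files domain; a matching DEBUG(SSSDBG_CONF_SETTINGS, ...) in the skipped case ("default_domain_suffix set but domain uses the files provider, leaving use_fully_qualified_names unchanged") would let an admin see in the confdb log why a files user stays unqualified while every other domain is qualified.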
@@ -1064,7 +1065,9 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 goto done;
 }
 
-if (default_domain != NULL && domain->fqnames == false) {
+if (default_domain != NULL
+&& domain->fqnames == false
+&& is_files_provider(domain) == false) {
 DEBUG(SSSDBG_FATAL_FAILURE,
   "Invalid configuration detected (default_domain_suffix is used "
   "while use_fully_qualified_names was set to false).\n");
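Review bot: `is_files_provider(domain)` is now evaluated in two separate conditions in this function; computing it once into a local `bool is_files` near the top and using it in both the default-flipping branch and this fatal-failure check would keep the two exceptions from drifting apart if the rule is widened later. The fatal message itself is still accurate, since files domains no longer reach it.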
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 304a6a170c..c810123572 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -412,7 +412,13 @@
 to log in. Setting this option changes default
 of use_fully_qualified_names to True. It is not
 allowed to use this option together with
-use_fully_qualified_names set to False.
+use_fully_qualified_names set to False. One
+exception from this rule are domains with
+id_provider=files that always try
+to match the behaviour of nss_files
+and therefore their output is not
+qualified even when the default_domain_suffix
+option is used.
 
 
 Default: not set
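Review bot: "domains with id_provider=files that always try to match the behaviour of nss_files and therefore their output is not qualified" promises more than the confdb hunk delivers: as far as the code change shows, only the *default* of use_fully_qualified_names stops being flipped to True for a files domain, so an explicit `use_fully_qualified_names = True` in `[domain/files]` would still qualify its output. Suggest wording it as "the default of use_fully_qualified_names is not changed for domains with id_provider=files, so that they keep matching nss_files". Also "One exception from this rule are domains" should read "One exception to this rule is domains".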
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 784bfa91f7..9f3aad9949 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -310,6 +310,22 @@ def domain_resolution_order(request):
 return None
 
 
+@pytest.fixture
+def default_domain_suffix(request):
+conf = unindent("""\
+[sssd]
+domains = files
+services= nss
+default_domain_suffix = foo
+
+[domain/files]
+id_provider = files
+""").format(**locals())
+create_conf_fixture(request, conf)
+create_sssd_fixture(request)
+return None
+
+
 @pytest.fixture
 def override_homedir_and_shell(request):
 conf = unindent("""\
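Review bot: `services= nss` is inconsistently spaced compared with the other keys in the fixture (`services = nss`); and `.format(**locals())` is a no-op here because the template contains no `{}` placeholders, so it can be dropped unless it is kept for symmetry with the neighbouring fixtures.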
@@ -1206,6 +1222,21 @@ def test_files_with_domain_resolution_order(add_user_with_canary,
 check_user(USER1)
 
 
+def test_files_with_default_domain_suffix(add_user_with_canary,
+  default_domain_suffix):
+"""
+Test that when using domain_resolution_order the user won't be using
+its fully-qualified name.
+"""
+ret = poll_canary(call_sssd_getpwuid, CANARY["uid"])
+if ret is False:
+return NssReturnCode.NOTFOUND, None
+
+res, found_user = call_sssd_getpwuid(USER1["uid"])
+assert res == NssReturnCode.SUCCESS
+assert found_user == USER1
+
+
 def test_files_with_override_homedir(add_user_with_canary,
  override_homedir_and_shell):
 res, user = sssd_getpwnam_sync(USER1["name"])
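Review bot: the docstring says "when using domain_resolution_order" but this test exercises default_domain_suffix; fix the copy-paste. More importantly, `if ret is False: return NssReturnCode.NOTFOUND, None` makes the test pass silently when the canary user never appears, because pytest ignores the return value and the assertions below are never reached; use `assert ret is True` (or `pytest.fail(...)`) instead. The test also only calls getpwuid; a `sssd_getpwnam_sync(USER1["name"])` on the unqualified name is the lookup that would actually regress if the files domain were qualified, so it is worth adding alongside the uid lookup.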

[SSSD] Re: SSSD Internals Document published

2019-08-08 Thread Ratnayake, Lalitha
Hello,

Does anyone know where I could find the "SSSD Internals Document"?  The 
following link redirects to 
https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement !!


https://fedorahosted.org/sssd/wiki/InternalsDocs

Thanks,
Lali.

Lali Ratnayake
GENView R&D - C20 Security
500 Palladium Dr. Suite 2100 | Ottawa, Ontario, Canada, K2V 1C2
office: +1.343.883.2579
[ribboncommunications.com]



---
Notice: This e-mail together with any attachments may contain information of 
Ribbon Communications Inc. that
is confidential and/or proprietary for the sole use of the intended recipient.  
Any review, disclosure, reliance or
distribution by others or forwarding without express permission is strictly 
prohibited.  If you are not the intended
recipient, please notify the sender immediately and then delete all copies, 
including any attachments.
---


[SSSD] Removing nscd from Fedora

2019-08-08 Thread Florian Weimer
We'd like to propose removing nscd from Fedora, for Fedora 32.
(The goal is to make this change downstream, too.)

Carlos told me that in the past, sssd couldn't do full caching for
nss_files, and that was still a concern at the time.  Has this changed?

What about WINS/winbind?

Thanks,
Florian


[SSSD] [sssd PR#862][opened] pam: fix loop in Smartcard authentication

2019-08-08 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/862
Author: sumit-bose
 Title: #862: pam: fix loop in Smartcard authentication
Action: opened

PR body:
"""
If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.

Related to https://pagure.io/SSSD/sssd/issue/4051
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/862/head:pr862
git checkout pr862
From c966b41c6d7f8c63d94d0bbab658d01a8c604a13 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 2 Aug 2019 13:43:49 +0200
Subject: [PATCH] pam: fix loop in Smartcard authentication

If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.

Related to https://pagure.io/SSSD/sssd/issue/4051
---
 src/responder/pam/pamsrv_cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 89bdb78a1f..72412204b4 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -814,6 +814,7 @@ static void pam_reply(struct pam_auth_req *preq)
   pd->pam_status, pam_strerror(NULL, pd->pam_status));
 
 if (pd->cmd == SSS_PAM_AUTHENTICATE
+&& !preq->cert_auth_local
 && (pd->pam_status == PAM_AUTHINFO_UNAVAIL
 || pd->pam_status == PAM_NO_MODULE_DATA
 || pd->pam_status == PAM_BAD_ITEM)
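Review bot: this condition now hinges on `preq->cert_auth_local`, but nothing in the patch (one file, three insertions) sets or resets that field, so "uses a flag" in the commit message refers to an already existing member; naming in the commit message where the flag is set on the local Smartcard path, and adding a one-line comment here on why a local certificate authentication must be excluded from the PAM_AUTHINFO_UNAVAIL / PAM_NO_MODULE_DATA / PAM_BAD_ITEM handling, would make the loop fix reviewable without reading issue 4051.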
@@ -1475,7 +1476,8 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
   "No certificate found and no logon name given, " \
   "authentication not possible.\n");
 ret = ENOENT;
-} else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
+} else if (pd->cmd == SSS_PAM_PREAUTH
+&& (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH)) {
 DEBUG(SSSDBG_TRACE_ALL,
   "try_cert_auth flag set but no certificate available, "
   "request finished.\n");
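Review bot: limiting the `try_cert_auth` short-circuit to SSS_PAM_PREAUTH means an SSS_PAM_AUTHENTICATE request with the flag set and no certificate now falls through to the branch that follows (not shown in the hunk), which is the behaviour change that breaks the loop after a wrong PIN; a short comment on why the preauth and authenticate paths must differ would save the next reader from re-deriving it. The DEBUG text "request finished" remains correct since it is only reached in the preauth case.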
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#857][+Changes requested] Don't qualify users from files domain when default_domain_suffix is set

2019-08-08 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/857
Title: #857: Don't qualify users from files domain when default_domain_suffix 
is set

Label: +Changes requested


[SSSD] [sssd PR#857][comment] Don't qualify users from files domain when default_domain_suffix is set

2019-08-08 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/857
Title: #857: Don't qualify users from files domain when default_domain_suffix 
is set

mzidek-rh commented:
"""
I have not tested the patch yet (LGTM so far), but IMO the 
default_domain_suffix man page should mention the exception in behavior for 
files domain.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/857#issuecomment-519513153


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-08 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
Hi Pavel,

sorry for not being clear but your 3 points are exactly what I meant.

My tests went well. I had one issue where I'm not sure if it should be fixed or 
not and if this is an issue in your patches or with 'ad_enabled_domains' in 
general. I have an AD domain with a mixed case name 'ChIlD.ad.devel' and if I 
add

ad_enabled_domains = child.ad.devel

(lower case is recommended by the man page), it does not work after the first 
restart, only after the second, I guess because the subdomains were re-discovered 
during the first restart and the domain was disabled here.

But if I add

ad_enabled_domains = ChIlD.ad.devel

it already works after the first restart. Do you have an idea where a strcmp() 
should be replaced with a strcasecmp()?

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-519468024


[SSSD] [sssd PR#824][comment] CONFDB: Files domain if activated without .conf

2019-08-08 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/824
Title: #824: CONFDB: Files domain if activated without .conf

thalman commented:
"""
@jhrozek rebased/pushed. Still some CI tests fail. IMO the errors are not connected 
with the PR.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/824#issuecomment-519394752