[SSSD] [sssd PR#5284][closed] Remove leftover ccache from SSH credentials delegation

2020-08-21 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5284
Author: justin-stephenson
 Title: #5284: Remove leftover ccache from SSH credentials delegation
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5284/head:pr5284
git checkout pr5284
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#5284][comment] Remove leftover ccache from SSH credentials delegation

2020-08-21 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5284
Title: #5284: Remove leftover ccache from SSH credentials delegation

justin-stephenson commented:
"""
Sounds good to me, thanks again for the input - closing this one.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5284#issuecomment-678425572


[SSSD] [sssd PR#5284][comment] Remove leftover ccache from SSH credentials delegation

2020-08-21 Thread simo5
  URL: https://github.com/SSSD/sssd/pull/5284
Title: #5284: Remove leftover ccache from SSH credentials delegation

simo5 commented:
"""
@justin-stephenson first of all I'd like to thank you for this PR as it raised 
very interesting questions and aspects that evidently had not been thought 
through enough.
At this point I think the only way to move forward is to first write down what 
is the behavior we need to employ exactly, from the pov of KCM, regardless of 
what client process is calling in.
After that, as much as possible we should write tests that expect the agreed on 
behavior.
And finally change code accordingly making sure tests do not break.

I feel like proceeding w/o these steps would be stumbling in the dark and 
creating a semantic quagmire that will require endless course correction.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5284#issuecomment-678362457


[SSSD] [sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

2020-08-21 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level

alexey-tikhonov commented:
"""
> as I said I'd prefer to use a separate option for this because in more or 
> less all cases this debug output is not needed and -1 is very verbose. So I 
> think `"yet another one knob only few developers will be aware of"` is 
> completely fine here because it should be only used if there are strong 
> indications that something is wrong on the libldap level.

Ok.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5178#issuecomment-678344292


[SSSD] [sssd PR#5262][synchronized] DN with white spaces

2020-08-21 Thread thalman
   URL: https://github.com/SSSD/sssd/pull/5262
Author: elkoniu
 Title: #5262: DN with white spaces
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5262/head:pr5262
git checkout pr5262
From 882307cdc1b596ba0cc346a0001f4fc014818d82 Mon Sep 17 00:00:00 2001
From: Tomas Halman 
Date: Fri, 31 Jul 2020 11:12:02 +0200
Subject: [PATCH 1/5] UTIL: DN sanitization

Some of the ldap servers returns DN in attributes such as isMemberOf
with spaces like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.

Resolves:
https://github.com/SSSD/sssd/issues/5261
---
 src/tests/cmocka/test_utils.c |  70 +++
 src/util/util.h   |  20 ++
 src/util/util_ext.c   | 126 ++
 3 files changed, 216 insertions(+)

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index c5eda4dd26..92ca783d9f 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1955,6 +1955,73 @@ static void test_sss_get_domain_mappings_content(void **state)
  * capaths might not be as expected. */
 }
 
+
+static void test_sss_filter_sanitize_dn(void **state)
+{
+TALLOC_CTX *tmp_ctx;
+char *trimmed;
+int ret;
+const char *DN = "cn=user,ou=people,dc=example,dc=com";
+
+tmp_ctx = talloc_new(NULL);
+assert_non_null(tmp_ctx);
+
+/* test that we remove spaces around '=' and ','*/
+ret = sss_filter_sanitize_dn(tmp_ctx, DN, &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,ou=people,dc=example,dc=com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user,ou =people,dc = example,dc  =  com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user, ou=people ,dc=example , dc=com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,  ou=people  ,dc=example  ,   dc=com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user, ou =people ,dc = example  ,  dc  = com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, " cn=user,ou=people,dc=example,dc=com ", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "  cn=user, ou=people, dc=example, dc=com  ", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+/* test that we keep spaces inside a value */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=people  branch, dc=example, dc=com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=people\\20\\20branch,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+/* test that we keep escape special chars like () */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=p(e)ople, dc=example, dc=com", &trimmed);
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=p\\28e\\29ople,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+talloc_free(tmp_ctx);
+}
+
 int main(int argc, const char *argv[])
 {
 poptContext pc;
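
Review bot: the first two calls in test_sss_filter_sanitize_dn pass the same string (DN itself, then the identical literal "cn=user,ou=people,dc=example,dc=com"), so the second adds no coverage, and both sit under the comment about removing spaces although neither input contains one. Replace the duplicate with a case the suite lacks, such as a value containing an escaped comma or equals sign, or an empty or NULL input, so the line between "space around a separator" and "character inside a value" is pinned down by a test. The comment "test that we keep escape special chars like ()" also needs rewording.
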
@@ -2064,6 +2131,9 @@ int main(int argc, const char *argv[])
 cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
 setup_leak_tests,
 teardown_leak_tests),
+cmocka_unit_test_setup_teardown(test_sss_filter_sanitize_dn,
+setup_leak_tests,
+teardown_leak_tests),
 };
 
 /* Set debug level to invalid value so we can decide if -d 0 was used. */
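
Review bot: the new entry wraps test_sss_filter_sanitize_dn in setup_leak_tests/teardown_leak_tests, but the test allocates from its own talloc_new(NULL) context and frees it itself. Confirm the leak fixtures can see allocations made under that context; if they only track their own parent, allocate tmp_ctx from that parent so a leak inside sss_filter_sanitize_dn would actually fail the test.
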
diff --git a/src/util/util.h b/src/util/util.h
index d538e0674d..aa9bf97d4c 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -478,6 +478,26 @@ errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,
 char **sanitized,
 char **lc_sanitized);
 
+/* Sanitize an input string (e.g. a DN) for use in
+ * an LDAP/LDB filter
+ *
+ * It is basically the same as sss_filter_sanitize(_ex),
+ * just extra spaces inside DN around '=' and ',' are removed
+ * before sanitizing other characters . According the documentation
+ * spaces in DN are allowed and some ldap servers can return them
+ * in i
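
Review bot: the doc comment says "According the documentation" without saying which document; name the specification that permits spaces around '=' and ',' so a reader can check the rule. The sentence is also missing "to" and has a stray space before the full stop in "characters .". Since the result is meant for an LDAP/LDB filter, state in the comment that the returned string is filter-escaped, as the "\\20" and "\\28" expectations in the unit test show.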

[SSSD] [sssd PR#5288][comment] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5288
Title: #5288: KCM: Increase client idle timeout to 5 minutes

justin-stephenson commented:
"""
Updated. I wasn't sure how to use a sssd.conf format similar to `Default: 7 
(Kerberos), 0 (LDAP)` for this case so I used `Default: 60, KCM: 300`. I don't 
mind changing it if there is a better way however.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5288#issuecomment-678310975


[SSSD] [sssd PR#5288][synchronized] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5288
Author: justin-stephenson
 Title: #5288: KCM: Increase client idle timeout to 5 minutes
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5288/head:pr5288
git checkout pr5288
From b4ebfe10fc7e3f77f688c917017ebc4e44cdf1a9 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 20 Aug 2020 15:35:34 -0400
Subject: [PATCH] KCM: Increase client idle timeout to 5 minutes

Increase the default timeout to allow time for
user interaction on the command-line with kinit.

Resolves:
https://github.com/SSSD/sssd/issues/4829
---
 src/man/sssd-kcm.8.xml  | 4 
 src/man/sssd.conf.5.xml | 2 +-
 src/responder/kcm/kcm.c | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 2f66e56a4a..022a74ba09 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -68,6 +68,10 @@
 cache, yet share the credential cache between some or no
 containers by bind-mounting the socket.
 
+
+The KCM default client idle timeout is 5 minutes, this allows
+more time for user interaction with command line tools such as kinit.
+
 
 
 
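Review bot: the added paragraph states the 5-minute default but never names the option, so a reader cannot tell what to set to change it; mention client_idle_timeout and point to sssd.conf(5). "is 5 minutes, this allows" is also a comma splice; split it into two sentences or use "which allows".
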
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c494..a86d95a72d 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -756,7 +756,7 @@
 will be adjusted to 10 seconds.
 
 
-Default: 60
+Default: 60, KCM: 300
 
 
 
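Review bot: "Default: 60, KCM: 300" can be read as two unrelated settings rather than two defaults of the same option. Spell it out, for example "Default: 60 (300 for the KCM responder)", and say whether the 10-second minimum mentioned just above this line applies to KCM as well.
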
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 4371affef4..35c6091ada 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -31,6 +31,7 @@
 #include "util/sss_krb5.h"
 
 #define DEFAULT_KCM_FD_LIMIT 2048
+#define DEFAULT_KCM_CLI_IDLE_TIMEOUT 300
 
 #ifndef SSS_KCM_SOCKET_NAME
 #define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH
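
Review bot: DEFAULT_KCM_CLI_IDLE_TIMEOUT is defined without a unit or a reason. Add a short comment saying the value is in seconds and why KCM departs from the common responder default, so the number is not quietly changed back later.
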
@@ -101,7 +102,7 @@ static int kcm_get_config(struct kcm_ctx *kctx)
 ret = confdb_get_int(kctx->rctx->cdb,
  kctx->rctx->confdb_service_path,
  CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
- CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
+ DEFAULT_KCM_CLI_IDLE_TIMEOUT,
  &kctx->rctx->client_idle_timeout);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
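
Review bot: with the confdb_get_int() fallback switched to DEFAULT_KCM_CLI_IDLE_TIMEOUT, an idle client keeps its connection open five times longer than under the old default of 60, and each of those connections holds a descriptor against DEFAULT_KCM_FD_LIMIT (2048) defined at the top of this file. Say in the commit message that this was considered, or note in the man page that hosts with many concurrent users may want a lower client_idle_timeout.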


[SSSD] [sssd PR#5288][synchronized] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5288
Author: justin-stephenson
 Title: #5288: KCM: Increase client idle timeout to 5 minutes
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5288/head:pr5288
git checkout pr5288
From 68096f25c8c48e89198a825dfa3a9a57e7b5a1c7 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 20 Aug 2020 15:35:34 -0400
Subject: [PATCH] KCM: Increase client idle timeout to 5 minutes

Increase the default timeout to allow time for
user interaction on the command-line with kinit.
---
 src/man/sssd-kcm.8.xml  | 4 
 src/man/sssd.conf.5.xml | 2 +-
 src/responder/kcm/kcm.c | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 2f66e56a4a..022a74ba09 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -68,6 +68,10 @@
 cache, yet share the credential cache between some or no
 containers by bind-mounting the socket.
 
+
+The KCM default client idle timeout is 5 minutes, this allows
+more time for user interaction with command line tools such as kinit.
+
 
 
 
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c494..a86d95a72d 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -756,7 +756,7 @@
 will be adjusted to 10 seconds.
 
 
-Default: 60
+Default: 60, KCM: 300
 
 
 
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 4371affef4..35c6091ada 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -31,6 +31,7 @@
 #include "util/sss_krb5.h"
 
 #define DEFAULT_KCM_FD_LIMIT 2048
+#define DEFAULT_KCM_CLI_IDLE_TIMEOUT 300
 
 #ifndef SSS_KCM_SOCKET_NAME
 #define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH
@@ -101,7 +102,7 @@ static int kcm_get_config(struct kcm_ctx *kctx)
 ret = confdb_get_int(kctx->rctx->cdb,
  kctx->rctx->confdb_service_path,
  CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
- CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
+ DEFAULT_KCM_CLI_IDLE_TIMEOUT,
  &kctx->rctx->client_idle_timeout);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
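
Review bot: the changed confdb_get_int() fallback in kcm_get_config() has no test; the diffstat touches two man pages and kcm.c only. A test that starts KCM without client_idle_timeout set and checks that the effective value is DEFAULT_KCM_CLI_IDLE_TIMEOUT, plus one with an explicit setting, would keep the KCM-specific default from regressing.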


[SSSD] [sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules

2020-08-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules

sumit-bose commented:
"""
> I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I 
> allow access to the Administrator. Administrator is allowed to login as 
> expected, vagrant is not able to login either way regardless of the option 
> settings because an applicable gpo is found and the user is not explicitly 
> allowed.

Hi,

the issue happens when there is no allow rule, i.e. RemoteInteractiveLogonRight 
is empty.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5241#issuecomment-678307489


[SSSD] [sssd PR#5288][comment] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5288
Title: #5288: KCM: Increase client idle timeout to 5 minutes

pbrezina commented:
"""
Ok, can you add the url to the end of commit message:

```
Resolves:
https://github.com/SSSD/sssd/issues/4829
```

And can you also update the description of client_idle_timeout for the kcm 
default?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5288#issuecomment-678297794


[SSSD] [sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

2020-08-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level

sumit-bose commented:
"""
Hi,

as I said I'd prefer to use a separate option for this because in more or less 
all cases this debug output is not needed and -1 is very verbose. So I think 
`"yet another one knob only few developers will be aware of"` is completely 
fine here because it should be only used if there are strong indications that 
something is wrong on the libldap level.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5178#issuecomment-678295717


[SSSD] [sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules

pbrezina commented:
"""
I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow 
access to the Administrator. Administrator is allowed to login as expected, 
vagrant is not able to login either way regardless of the option settings 
because an applicable gpo is found and the user is not explicitly allowed.

```
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)]
(2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_granted = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_denied = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
```

The patch does not change the behavior.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162


[SSSD] [sssd PR#5288][comment] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5288
Title: #5288: KCM: Increase client idle timeout to 5 minutes

justin-stephenson commented:
"""
Thanks, updated.

This is for https://github.com/SSSD/sssd/issues/4829
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5288#issuecomment-678294183


[SSSD] [sssd PR#5288][synchronized] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5288
Author: justin-stephenson
 Title: #5288: KCM: Increase client idle timeout to 5 minutes
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5288/head:pr5288
git checkout pr5288
From d00c677072e76a48689800c4a0455f577275d100 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 20 Aug 2020 15:35:34 -0400
Subject: [PATCH] KCM: Increase client idle timeout to 5 minutes

Increase the default timeout to allow time for
user interaction on the command-line with kinit.
---
 src/man/sssd-kcm.8.xml  | 4 
 src/responder/kcm/kcm.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 2f66e56a4a..19d984ddc7 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -68,6 +68,10 @@
 cache, yet share the credential cache between some or no
 containers by bind-mounting the socket.
 
+
+The KCM default client idle timeout is 5 minutes, allowing more
+time for user interaction the command line.
+
 
 
 
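Review bot: the added sentence reads "time for user interaction the command line.", which is missing a preposition; "interaction on the command line" is probably what was meant. Naming a concrete tool such as kinit, which the commit message already gives as the motivating case, would make the paragraph more useful.
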
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 4371affef4..35c6091ada 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -31,6 +31,7 @@
 #include "util/sss_krb5.h"
 
 #define DEFAULT_KCM_FD_LIMIT 2048
+#define DEFAULT_KCM_CLI_IDLE_TIMEOUT 300
 
 #ifndef SSS_KCM_SOCKET_NAME
 #define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH
@@ -101,7 +102,7 @@ static int kcm_get_config(struct kcm_ctx *kctx)
 ret = confdb_get_int(kctx->rctx->cdb,
  kctx->rctx->confdb_service_path,
  CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
- CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
+ DEFAULT_KCM_CLI_IDLE_TIMEOUT,
  &kctx->rctx->client_idle_timeout);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
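
Review bot: the fallback passed to confdb_get_int() in kcm_get_config() changes to DEFAULT_KCM_CLI_IDLE_TIMEOUT, but the diffstat lists only sssd-kcm.8.xml and kcm.c, so the client_idle_timeout description in sssd.conf.5.xml is not updated to mention the KCM-specific default. Update that description in the same patch.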


[SSSD] [sssd PR#5289][opened] build: Don't use AC_CHECK_FILE when building manpages

2020-08-21 Thread jonte
   URL: https://github.com/SSSD/sssd/pull/5289
Author: jonte
 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages
Action: opened

PR body:
"""
AC_CHECK_FILE does not support cross-compilation, and will only check
the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead,
to allow building manpages when cross-compiling.

Signed-off-by: Jonatan Pålsson 
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5289/head:pr5289
git checkout pr5289
From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= 
Date: Fri, 21 Aug 2020 14:45:10 +0200
Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

AC_CHECK_FILE does not support cross-compilation, and will only check
the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead,
to allow building manpages when cross-compiling.

Signed-off-by: Jonatan Pålsson 
---
 src/external/docbook.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
index deb8632fad..acdc89a683 100644
--- a/src/external/docbook.m4
+++ b/src/external/docbook.m4
@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
 dnl if a particular URI appears in the XML catalog
 AC_DEFUN([CHECK_STYLESHEET],
 [
-  AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
+  AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
 
   AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
   if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
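
Review bot: the AC_MSG_ERROR text on the replaced line still says only "could not find XML catalog" and does not include the path that was tested. AC_CHECK_FILE printed a "checking for ..." line naming the file, while AS_IF([test -f "$1"]) prints nothing, so a failed configure no longer shows which catalog was looked for. Put $1 into the message, for example [could not find XML catalog $1].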


[SSSD] [sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level

pbrezina commented:
"""
I just used this patch to debug something and it works as expected.

The SSSD debug level is a bitmask and the idea behind it is that you can enable 
or disable specific messages. So we can certainly add SSSDDBG_EXTERNAL_LDAP or 
something and enable -1 ldap level if this is set. But I'm fine with the option 
as well, especially if you think that something else than -1 (enable all) is 
helpful.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5178#issuecomment-678257102


[SSSD] [sssd PR#5245][comment] RESOLV: Avoid DNS search to improve fail-over reaction

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5245
Title: #5245: RESOLV: Avoid DNS search to improve fail-over reaction

pbrezina commented:
"""
Does SSSD even work if the hostname or domain name is not qualified? If not 
then what change of behavior do you refer to?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5245#issuecomment-678255476


[SSSD] [sssd PR#5234][+Changes requested] pam: use requested_domains to restrict cache_req searches

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5234
Title: #5234: pam: use requested_domains to restrict cache_req searches

Label: +Changes requested


[SSSD] [sssd PR#5246][+Changes requested] Drop support of libnss as a crypto backend

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

Label: +Changes requested


[SSSD] [sssd PR#5246][-Waiting for review] Drop support of libnss as a crypto backend

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

Label: -Waiting for review


[SSSD] [sssd PR#5246][comment] Drop support of libnss as a crypto backend

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

pbrezina commented:
"""
Works as expected. There is just a leftover call to the `WITH_CRYPTO` macro in 
configure.ac. Since you removed the macro this should be removed as well.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5246#issuecomment-678251761


[SSSD] [sssd PR#5251][comment] [wip] subdomains: allow to inherit case_sensitive=Preserving

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5251
Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving

pbrezina commented:
"""
@sumit-bose bump
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5251#issuecomment-678202940


[SSSD] [sssd PR#5264][comment] Utils: White space replace with another character

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5264
Title: #5264: Utils: White space replace with another character

pbrezina commented:
"""
I think this is not a correct solution since having the override character in 
the name is in fact a real problem in the environment. It will either make the user 
unresolvable or, even worse, it will return a different user if you have both names 
"user_1" and "user 1" in LDAP.

I think the root cause is that this option is set globally for the whole SSSD 
and ssh_keys is a local user. If it is a local user then we should probably 
figure out if we can somehow avoid using this override for the files provider. If 
it is an LDAP user then they need to fix it on their side.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5264#issuecomment-678200050


[SSSD] [sssd PR#5270][comment] CONFDB: fixed compilation warning

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5270
Title: #5270: CONFDB: fixed compilation warning

pbrezina commented:
"""
Maybe also remove initialization of ret to EINVAL?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5270#issuecomment-678179875


[SSSD] [sssd PR#5287][comment] Got rid of ".tx" and "zanata.xml" due to migration to Weblate (1.16)

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5287
Title: #5287: Got rid of ".tx" and "zanata.xml" due to migration to Weblate 
(1.16)

pbrezina commented:
"""
Thank you. Ack.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5287#issuecomment-678156779


[SSSD] [sssd PR#5287][+Accepted] Got rid of ".tx" and "zanata.xml" due to migration to Weblate (1.16)

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5287
Title: #5287: Got rid of ".tx" and "zanata.xml" due to migration to Weblate 
(1.16)

Label: +Accepted


[SSSD] [sssd PR#5287][+Ready to push] Got rid of ".tx" and "zanata.xml" due to migration to Weblate (1.16)

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5287
Title: #5287: Got rid of ".tx" and "zanata.xml" due to migration to Weblate 
(1.16)

Label: +Ready to push


[SSSD] [sssd PR#5288][comment] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5288
Title: #5288: KCM: Increase client idle timeout to 5 minutes

pbrezina commented:
"""
Thank you. I think this makes sense. Can you also update man pages?

Is there any ticket for this or did you just stumble upon it?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5288#issuecomment-678155976


[SSSD] [sssd PR#5288][+Changes requested] KCM: Increase client idle timeout to 5 minutes

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5288
Title: #5288: KCM: Increase client idle timeout to 5 minutes

Label: +Changes requested


[SSSD] [sssd PR#5248][+Ready to push] Enable exclude functionality in sssd session recording configuration

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5248
Title: #5248: Enable exclude functionality in sssd session recording 
configuration

Label: +Ready to push


[SSSD] [sssd PR#5248][+Accepted] Enable exclude functionality in sssd session recording configuration

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5248
Title: #5248: Enable exclude functionality in sssd session recording 
configuration

Label: +Accepted


[SSSD] [sssd PR#5248][comment] Enable exclude functionality in sssd session recording configuration

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5248
Title: #5248: Enable exclude functionality in sssd session recording 
configuration

pbrezina commented:
"""
Ack. Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5248#issuecomment-678148956


[SSSD] [sssd PR#5280][comment] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5280

* `master`
* 10366b4ee8c01ea20d908102e92d52fdeda168c3 - p11_child: switch default 
ocsp_dgst to sha1

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5280#issuecomment-678123991


[SSSD] [sssd PR#5280][-Accepted] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: -Accepted


[SSSD] [sssd PR#5280][-Ready to push] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: -Ready to push


[SSSD] [sssd PR#5280][+Pushed] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: +Pushed


[SSSD] [sssd PR#5280][closed] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5280
Author: alexey-tikhonov
 Title: #5280: p11_child: switch default ocsp_dgst to sha1
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5280/head:pr5280
git checkout pr5280


[SSSD] [sssd PR#5280][+Ready to push] p11_child: switch default ocsp_dgst to sha1

2020-08-21 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: +Ready to push


[SSSD] [sssd PR#5284][comment] Remove leftover ccache from SSH credentials delegation

2020-08-21 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5284
Title: #5284: Remove leftover ccache from SSH credentials delegation

alexey-tikhonov commented:
"""
> A question also occurred to me, is there any concurrency issue with this 
> process?
> What happens if two ssh connections are initiated simultaneously by the same 
> user ?
> Could they end up trying to delete each other ccaches once both sshd workers 
> end up concurrently calling into sssd-kcm ?

Not KCM, but somewhat relevant case: 
https://bugzilla.redhat.com/show_bug.cgi?id=1828270
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5284#issuecomment-678102952