[SSSD] Re: [sssd PR#5524][+Accepted] Fix setXYent(): rewind always

2021-03-15 Thread Heiko Schlittermann
elkoniu (Mon 15 Mar 2021 13:03:38 CET):
>   URL: https://github.com/SSSD/sssd/pull/5524
> Title: #5524: Fix setXYent(): rewind always
> Label: +Accepted

Thank you.
-- 
Heiko


___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[SSSD] [sssd PR#5537][opened] negcache: use right domain in nss_protocol_fill_initgr()

2021-03-15 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5537
Author: sumit-bose
 Title: #5537: negcache: use right domain in nss_protocol_fill_initgr()
Action: opened

PR body:
"""
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.

With this patch the domain the group belongs to is determined and used
while checking the negative cache.

Resolves: https://github.com/SSSD/sssd/issues/5534
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5537/head:pr5537
git checkout pr5537
From 45bd84bbbf8a2302bd1578039dc387477aec346a Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 12 Mar 2021 14:38:54 +0100
Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()

When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.

With this patch the domain the group belongs to is determined and used
while checking the negative cache.

Resolves: https://github.com/SSSD/sssd/issues/5534
---
 src/db/sysdb.c | 20 
 src/db/sysdb.h |  8 
 src/responder/nss/nss_protocol_grent.c |  8 +---
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index d78991e368..1390a070e3 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -2113,3 +2113,23 @@ bool sysdb_entry_attrs_diff(struct sysdb_ctx *sysdb,
 talloc_free(tmp_ctx);
 return differs;
 }
+
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+   struct ldb_message *msg)
+{
+const char *name;
+struct sss_domain_info *obj_dom = NULL;
+
+name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+if (name == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Object does not have a name attribute.\n");
+} else {
+obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
+if (obj_dom == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
+}
+}
+
+return obj_dom == NULL ? dom : obj_dom;
+}
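Review bot: the final `return obj_dom == NULL ? dom : obj_dom;` falls back to the caller's domain whenever the name attribute is missing or no domain matches, so the caller cannot tell a detected domain from a guess. For the negative-cache check this patch is fixing, that fallback silently restores the old behaviour (checking against the user's domain), with only an SSSDBG_OP_FAILURE message to show for it. Consider returning NULL here and letting nss_protocol_fill_initgr() decide what to do, or at least state at the call site that the result may be the input domain. A NULL check on `msg` before `ldb_msg_find_attr_as_string()` would also be cheap.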
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 880f3b7a09..3b821e3c8f 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1529,4 +1529,12 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx,
 /* define old name for backward compatibility */
 #define sysdb_error_to_errno(ldberr) sss_ldb_error_to_errno(ldberr)
 
+
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
+ * return the matching sss_domain_info. This should work reliable with user
+ * and group objects since fully-qualified names are used here. If the proper
+ * domain cannot be detected the given domain is returned. */
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+   struct ldb_message *msg);
+
 #endif /* __SYS_DB_H__ */
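Review bot: the doc comment on find_domain_by_msg() does not say what `dom` has to be. From the implementation it serves both as the entry point into the domain list (via get_domains_head()) and as the fallback return value; state that, and that the returned pointer may be `dom` itself, so callers know they can pass any domain of the list. Also "should work reliable" should read "reliably", and the extra added blank line leaves two consecutive empty lines before the comment.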
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 135b392f74..f6e00eb10e 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
  struct cache_req_result *result)
 {
 struct sss_domain_info *domain;
+struct sss_domain_info *grp_dom;
 struct ldb_message *user;
 struct ldb_message *msg;
 struct ldb_message *primary_group_msg;
@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
 num_results = 0;
 for (i = 1; i < result->count; i++) {
 msg = result->msgs[i];
-gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
+grp_dom = find_domain_by_msg(domain, msg);
+gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
0);
 posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
-grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
 NULL);
 
 if (gid == 0) {
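Review bot: the commit message only talks about the negative-cache check, but in this loop `grp_dom` also replaces `domain` in both sss_view_ldb_msg_find_attr_as_uint64() and sss_view_ldb_msg_find_attr_as_string(), so the GID and name are now read through the group's domain as well. If that is intended, say so in the commit message; if not, keep `domain` for these two calls and use `grp_dom` only for is_group_filtered(). find_domain_by_msg() is also called once per group inside the loop, which is worth a thought for users with many memberships.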
@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
 }
 }
 
-if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
 continue;
 }
 
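Review bot: no test accompanies the switch to `grp_dom` in is_group_filtered(); the diffstat lists only sysdb.c, sysdb.h and nss_protocol_grent.c. A test with a user in one domain and a negatively cached group from another domain would pin down the case described in the commit message and cover the fallback path of find_domain_by_msg().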

[SSSD] [sssd PR#5517][synchronized] Translations update from Weblate

2021-03-15 Thread weblate
   URL: https://github.com/SSSD/sssd/pull/5517
Author: weblate
 Title: #5517: Translations update from Weblate
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5517/head:pr5517
git checkout pr5517
From 7b7660e7b64da0450c029ceb01eff10476b20fdd Mon Sep 17 00:00:00 2001
From: Weblate 
Date: Mon, 15 Mar 2021 17:06:14 +0100
Subject: [PATCH] Translated using Weblate (Polish)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
---
 po/pl.po | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/po/pl.po b/po/pl.po
index 909c54e440..019dfb36e4 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -3,20 +3,20 @@
 # This file is distributed under the same license as the PACKAGE package.
 #
 # Translators:
-# Piotr Drąg , 2011-2014, 2020.
+# Piotr Drąg , 2011-2014, 2020, 2021.
 # sgallagh , 2011
-# Piotr Drąg , 2015. #zanata, 2020.
-# Piotr Drąg , 2016. #zanata, 2020.
-# Piotr Drąg , 2017. #zanata, 2020.
-# Piotr Drąg , 2018. #zanata, 2020.
-# Piotr Drąg , 2019. #zanata, 2020.
-# Piotr Drąg , 2020. #zanata
+# Piotr Drąg , 2015. #zanata, 2020, 2021.
+# Piotr Drąg , 2016. #zanata, 2020, 2021.
+# Piotr Drąg , 2017. #zanata, 2020, 2021.
+# Piotr Drąg , 2018. #zanata, 2020, 2021.
+# Piotr Drąg , 2019. #zanata, 2020, 2021.
+# Piotr Drąg , 2020. #zanata, 2021.
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
 "POT-Creation-Date: 2021-02-05 11:58+0100\n"
-"PO-Revision-Date: 2020-10-07 20:40+\n"
+"PO-Revision-Date: 2021-03-15 16:06+\n"
 "Last-Translator: Piotr Drąg \n"
 "Language-Team: Polish \n"
@@ -26,7 +26,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
 "|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 4.2.2\n"
+"X-Generator: Weblate 4.5.1\n"
 
 #: src/config/SSSDConfig/sssdoptions.py:20
 #: src/config/SSSDConfig/sssdoptions.py:21
@@ -387,11 +387,11 @@ msgstr "Kiedy program odpowiadający PAM ma wymuszać żądanie grup inicjacji"
 
 #: src/config/SSSDConfig/sssdoptions.py:107
 msgid "List of PAM services that are allowed to authenticate with GSSAPI."
-msgstr ""
+msgstr "Lista usług PAM, które mogą się uwierzytelniać za pomocą GSSAPI."
 
 #: src/config/SSSDConfig/sssdoptions.py:108
 msgid "Whether to match authenticated UPN with target user"
-msgstr ""
+msgstr "Czy dopasowywać uwierzytelnione UPN z użytkownikiem docelowym"
 
 #: src/config/SSSDConfig/sssdoptions.py:111
 msgid "Whether to evaluate the time-based attributes in sudo rules"
@@ -1250,7 +1250,7 @@ msgstr "Włącza naczelników enterprise"
 
 #: src/config/SSSDConfig/sssdoptions.py:351
 msgid "Enables using of subdomains realms for authentication"
-msgstr ""
+msgstr "Umożliwia korzystanie z obszarów poddomen do uwierzytelniania"
 
 #: src/config/SSSDConfig/sssdoptions.py:352
 msgid "A mapping from user names to Kerberos principal names"


[SSSD] [sssd PR#5434][+Tests] Adding multihost tests for ad_allow_remote_domain_local_groups, bz1883488 bz1756240

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5434
Title: #5434: Adding multihost tests for ad_allow_remote_domain_local_groups, 
bz1883488 bz1756240

Label: +Tests


[SSSD] [sssd PR#5442][+Tests] Adding multihost test for supporting asymmetric nsupdate auth

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5442
Title: #5442: Adding multihost test for supporting asymmetric nsupdate auth

Label: +Tests


[SSSD] [sssd PR#5419][+Tests] tests: Adding tests to cover ad discovery improvements using cldap

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5419
Title: #5419: tests: Adding tests to cover ad discovery improvements using cldap

Label: +Tests


[SSSD] [sssd PR#5478][+Tests] Tests: alltests: fetch autofs maps after coming online

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5478
Title: #5478: Tests: alltests: fetch autofs maps after coming online

Label: +Tests


[SSSD] [sssd PR#5481][+Tests] Tests: 'getent group ldapgroupname' doesn't show

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5481
Title: #5481: Tests: 'getent group ldapgroupname' doesn't show

Label: +Tests


[SSSD] [sssd PR#5511][+Tests] TEST: Update test docstrings to enable auto polarion updates

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5511
Title: #5511: TEST: Update test docstrings to enable auto polarion updates

Label: +Tests


[SSSD] [sssd PR#5527][+Tests] TEST: missing multihost in service_ctrl

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5527
Title: #5527: TEST: missing multihost in service_ctrl

Label: +Tests


[SSSD] [sssd PR#5473][+Tests] Tests: alltests: Check default debug level of sssd and corresponding logs

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5473
Title: #5473: Tests: alltests: Check default debug level of sssd and 
corresponding logs

Label: +Tests


[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
> Ah, I missed the last patch: `KCM: Disable responder idle timeout with 
> renewals`. So it will work correctly. But I wonder if it would be better to 
> keep the idle timeout enabled. What we could do is to make systemd timer send 
> a SSSD-specific KCM op code periodically and renew the tickets per-request. 
> This would also simplify the logic by a lot since you would not have to keep 
> the hash table and timers.

I'm fine with this approach, but if the systemd timer file is installed 
conditionally at build time (if KCM renewals are built), then what interval 
value, i.e. amount of time that KCM wakes up to attempt renewals, should we set 
in the systemd timer file? Currently the renew interval is defined with the 
`krb5_renew_interval` option in sssd.conf. This is an important consideration 
because if the renewal interval is too high then we could miss renewing tickets 
that have already expired, too low and it may add unnecessary KCM load.


I suppose the other side effect is that fallback to `auth_provider=krb5` renew 
config options would no longer work.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171


[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
> Ah, I missed the last patch: `KCM: Disable responder idle timeout with 
> renewals`. So it will work correctly. But I wonder if it would be better to 
> keep the idle timeout enabled. What we could do is to make systemd timer send 
> a SSSD-specific KCM op code periodically and renew the tickets per-request. 
> This would also simplify the logic by a lot since you would not have to keep 
> the hash table and timers.

I'm fine with this approach, but if the systemd timer file is installed 
conditionally at build time (if KCM renewals are built), then what interval 
value, i.e. amount of time that KCM wakes up to attempt renewals, should we set 
in the systemd timer file? Currently the renew interval is defined with the 
`krb5_renew_interval` option in sssd.conf. I suppose the other side effect is 
that fallback to `auth_provider=krb5` renew config options would no longer 
work.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171


[SSSD] [sssd PR#5245][comment] WIP: RESOLV: Avoid DNS search to improve fail-over reaction

2021-03-15 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5245
Title: #5245: WIP: RESOLV: Avoid DNS search to improve fail-over reaction

alexey-tikhonov commented:
"""
This PR was discussed on a team meeting and Tomas said he plans to finish it.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5245#issuecomment-799420619


[SSSD] [sssd PR#5245][comment] WIP: RESOLV: Avoid DNS search to improve fail-over reaction

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5245
Title: #5245: WIP: RESOLV: Avoid DNS search to improve fail-over reaction

elkoniu commented:
"""
@thalman Is this PR still alive and ongoing? If not, maybe close it and 
reopen when there are new changes? @alexey-tikhonov If I remember correctly, 
last time you ran some upstream PR list cleaning to close long-standing WIP PRs?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5245#issuecomment-799415378


[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

alexey-tikhonov commented:
"""
> It's not sleeping, it still spins in tevent loop doing stuff which may have a 
> negative impact on battery. 

That's exactly my question: what is it doing? IIUC, it should be sleeping on 
`epoll()` (say 99.999% of the time)

If it actually does something useful, it means process would have to be socket 
activated otherwise which is much more expensive than awaking from epoll().
If it doesn't do anything useful, then what is it doing?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799394082


[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
> > But I wonder if it would be better to keep the idle timeout enabled.
> 
> What's wrong with keeping an idle process "running"? Sleeping process with 
> small memory footprint shouldn't have any resource implications, right?

It's not sleeping, it still spins in tevent loop doing stuff which may have a 
negative impact on battery. The impact from a single process may not be 
significant, but there are lots of such processes so if it can be avoided it is 
certainly welcomed. However, there's nothing wrong about it per se. It just 
makes sense to me to keep KCM a short lived service, especially since it will 
also reduce the amount of code that is required to provide the functionality.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799376424


[SSSD] [sssd PR#5524][+Accepted] Fix setXYent(): rewind always

2021-03-15 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5524
Title: #5524: Fix setXYent(): rewind always

Label: +Accepted


[SSSD] [sssd PR#5535][+Waiting for review] A set of patches to sanitize logger code a little bit.

2021-03-15 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

Label: +Waiting for review


[SSSD] [sssd PR#5535][edited] A set of patches to sanitize logger code a little bit.

2021-03-15 Thread alexey-tikhonov
   URL: https://github.com/SSSD/sssd/pull/5535
Author: alexey-tikhonov
 Title: #5535: A set of patches to sanitize logger code a little bit.
Action: edited

 Changed field: body
Original value:
"""

"""



[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

alexey-tikhonov commented:
"""
> But I wonder if it would be better to keep the idle timeout enabled. 

What's wrong with keeping an idle process "running"? Sleeping process with 
small memory footprint shouldn't have any resource implications, right?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799351188


[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-03-15 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
> There are few minor comments... but:
> 
> If I understand it correctly, this functionality requires KCM to be running. 
> KCM is currently socket activated so I see two problems:
> 
> 1. Unless somebody uses Kerberos regularly, keeping the KCM busy, the 
> renewal will not work. So this makes the feature unfortunately useless, since 
> you want to renew the ticket mostly when you don't use the computer for 
> longer periods of time, e.g. when you have session locked during a weekend.
>
>    * the timer will be always scheduled in a destined future time when 
> KCM is started, but KCM will likely terminate before we get even close to 
> this time (idle timeout is five minutes).
> 
> 2. You add creds to renew table on two places:
>    a) when KCM process starts `kcm_process_init`
>    b) when renew timer triggers `kcm_renew_tgt_timer_handler`
>    However, since it is socket activated, b) is very unlikely to happen. 
> And we already have performance issues so it's probably not a very good idea 
> to do it in a).
> 
> 
> The code itself is fine, but unless I am missing something, it is currently 
> unusable. We have to either avoid socket activation, which is not desirable. 
> Or find a way how to execute the process periodically in certain intervals 
> (systemd timer might help here) and change the renew table logic.

Ah, I missed the last patch: `KCM: Disable responder idle timeout with 
renewals`. So it will work correctly. But I wonder if it would be better to 
keep the idle timeout enabled. What we could do is to make systemd timer send a 
SSSD-specific KCM op code periodically and renew the tickets per-request. This 
would also simplify the logic by a lot since you would not have to keep the 
hash table and timers.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-799333755


[SSSD] [sssd PR#5532][comment] Handle ldap_install_tls() configuration and retrial

2021-03-15 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5532
Title: #5532: Handle ldap_install_tls() configuration and retrial

alexey-tikhonov commented:
"""
**Wrt 1st patch**
I don't understand its description, specifically `Configure socket options 
when calling ldap_install_tls() to avoid hitting EINTR during connect.` part.
IIUC as a result of this patch blocking `read()` is replaced with timed 
`poll()` under the hood of openldap:openssl (`LDAP_OPT_CONNECT_ASYNC`). 
As for `LDAP_OPT_NETWORK_TIMEOUT` - it is set in 
[`sdap_sys_connect_done()`](https://github.com/SSSD/sssd/blob/master/src/providers/ldap/sdap_async_connection.c#L199).
 Does this happen too late? Do we need to set it in both places?
Also take a note of `LDAP_OPT_RESTART` set a little bit above and a 
corresponding comment. This comment looks interesting.

In general, this clearly doesn't "avoid" the issue (both read() with our socket 
options and poll() return EINTR being interrupted with a signal) and, taking 
into account our default timeout 6 seconds, I think it won't even make 
probability lower.

So... does it make sense to make openldap switch to timed poll() instead of 
blocking read()? Probably "yes" as a general improvement for a 2-x branch, but 
at least I wouldn't propose this change for 1-16 branch without a better 
reason. And anyway this requires a better explanation.


**Wrt 2nd patch**
I think we shouldn't rely on undocumented usage of `errno`, i.e. it's better to 
check watchdog's context.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5532#issuecomment-799332143
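
The point made in the comment above, that a timed `poll()` is interrupted by a signal just as a blocking read is, as an added example (not SSSD or OpenLDAP code; `wait_with_signal()` and `poll_until_deadline()` are hypothetical helpers, and an idle pipe stands in for the LDAP socket). On Linux `poll()` fails with `EINTR` even when the handler is installed with `SA_RESTART`, so the caller has to retry with the remaining time itself:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* expose sigaction(), setitimer(), clock_gettime() */
#endif
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* The handler does nothing; its only job is to interrupt the wait. */
static void on_alarm(int signo) { (void)signo; }

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Install the SIGALRM handler with the given sa_flags (0 or SA_RESTART)
 * and arm a one-shot timer that fires after delay_ms. */
static int arm_alarm(int sa_flags, int delay_ms)
{
    struct sigaction sa;
    struct itimerval it;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;
    sa.sa_flags = sa_flags;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    memset(&it, 0, sizeof(it));
    it.it_value.tv_sec = delay_ms / 1000;
    it.it_value.tv_usec = (delay_ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* poll() that treats EINTR as "keep waiting": retry with whatever time is
 * left until the original deadline. *interrupts counts the EINTR wake-ups. */
static int poll_until_deadline(struct pollfd *pfd, nfds_t n, int timeout_ms,
                               int *interrupts)
{
    long deadline = now_ms() + timeout_ms;

    *interrupts = 0;
    for (;;) {
        long left = deadline - now_ms();
        int rc = poll(pfd, n, left > 0 ? (int)left : 0);
        if (rc >= 0 || errno != EINTR) return rc;
        (*interrupts)++;
    }
}

/* Wait for input on an idle pipe (constructed stand-in for a peer that never
 * answers) while SIGALRM arrives mid-wait. With retry == 0 a single bare
 * poll() is made and its errno (0 if it did not fail) is returned; with
 * retry != 0 the wrapper is used and its return value is passed through. */
static int wait_with_signal(int retry, int sa_flags, int timeout_ms,
                            int signal_after_ms, int *interrupts, long *elapsed_ms)
{
    int fds[2], rc;
    struct pollfd pfd;
    long start;

    if (pipe(fds) != 0) return -1;
    pfd.fd = fds[0];
    pfd.events = POLLIN;
    pfd.revents = 0;
    *interrupts = 0;
    start = now_ms();
    if (arm_alarm(sa_flags, signal_after_ms) != 0) rc = -1;
    else if (retry) rc = poll_until_deadline(&pfd, 1, timeout_ms, interrupts);
    else rc = (poll(&pfd, 1, timeout_ms) < 0) ? errno : 0;
    *elapsed_ms = now_ms() - start;
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int n;
    long ms;
    int e = wait_with_signal(0, SA_RESTART, 1000, 100, &n, &ms);

    printf("bare poll, SA_RESTART set: %s after %ld ms\n",
           e == EINTR ? "EINTR" : "no EINTR", ms);
    e = wait_with_signal(1, 0, 300, 100, &n, &ms);
    printf("retrying poll: rc=%d, %d interrupt(s), %ld ms\n", e, n, ms);
    return 0;
}
```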