[SSSD] Re: sssd-1.14.3 milestone cleanup

2017-01-12 Thread Petr Cech

On 01/12/2017 02:02 PM, Pavel Březina wrote:


* https://fedorahosted.org/sssd/ticket/3113 - Please move
sudo_timed option to sssd-sudo man page
 - 5 minutes patch and George is unlikely to send a patch, any
takers?


I looked at this ticket and I saw that we have no configuration options
in sssd-sudo.

We just say in sssd-sudo:
"There are many configuration options that can be used to adjust the
behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in
sssd.conf(5)."

I am not sure if it is a good idea to move exactly one option to this man
page. Any other opinions?


All or nothing.


Then I vote for nothing. It is better if all options are in the same place.

Regards

--
Petr^4 Čech
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] Re: sssd-1.14.3 milestone cleanup

2017-01-12 Thread Petr Cech

On 01/11/2017 04:31 PM, Jakub Hrozek wrote:

Hi,

despite new development happening in the sssd-1-15 branch (aka master),
there are still too many tickets in the 1.14.3 milestone. The tickets
should be moved out to current milestones unless someone is really
working on them.

These are:
* https://fedorahosted.org/sssd/ticket/3063 - add an integration test for
the configuration include directories
- would it be enough to have two users in two search bases and drop
a snippet with the second base, then try to resolve a user? If yes,
this is a one-hour effort, any takers? If not, move to CI milestone
- Lukas said the issue with an integration test would be
how to detect whether libini_config supports it (rhel6 does not
support it). Therefore I suggest we move the ticket to CI milestone.

* https://fedorahosted.org/sssd/ticket/3085 - looks fixed in
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=11540d9efb85b9ed0341e8a1fc97fc078c6ce418
OK to close?
- Lukas already added a +1 last week on our meeting, so I'll
probably close the ticket.

* https://fedorahosted.org/sssd/ticket/3197 - add a line to sssd-ad
  man page on how the POSIX attrs in GC work
  - Someone suggested reverting the logic for POSIX-attrs-in-GC lately,
  but I forgot the details, does anyone remember? Otherwise this is
  a 5-minute patch, so I suggest just closing it.

* https://fedorahosted.org/sssd/ticket/3208 - Need detailed information
about config-check option
 - what is this ticket about? Do we need it? I suggest we just close it

* https://fedorahosted.org/sssd/ticket/3222 - sssd still showing ipa
user after removed from last group
 - unless anyone is actively working on the ticket, just move to
   patches welcome

* https://fedorahosted.org/sssd/ticket/2554 - Update spec file according
to updated guidelines
 - Unless anyone would like to clean up our reference upstream specfile,
   I suggest we close the ticket

* https://fedorahosted.org/sssd/ticket/3113 - Please move sudo_timed option 
to sssd-sudo man page
 - 5 minutes patch and George is unlikely to send a patch, any takers?


I looked at this ticket and I saw that we have no configuration options 
in sssd-sudo.


We just say in sssd-sudo:
"There are many configuration options that can be used to adjust the 
behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in 
sssd.conf(5)."


I am not sure if it is a good idea to move exactly one option to this man
page. Any other opinions?




* https://fedorahosted.org/sssd/ticket/3074 - Move timestamp cache to tmpfs
* https://fedorahosted.org/sssd/ticket/3097 - Measure the difference 
between tmpfs database and NOSYNC database
 - tmpfs provides very little benefit, close with an explanation

After this milestone is cleaned up, I'll finally populate the 1.15 Beta
milestone..



Regards

--
Petr^4 Čech


[SSSD] [Q] t3222 sssd still showing ipa user after removed from last group

2016-11-09 Thread Petr Cech

Hi all,

I came back to ticket #3222 "sssd still showing ipa user after removed 
from last group" [1]. And I have new knowledge. But I still do not see 
the light at the end of the tunnel.


[1] https://fedorahosted.org/sssd/ticket/3222

I attached a patch which enables some basic debug output on the use of
memcache, and two reproducers (with and without memcache) which are based
on the reproducer written in the ticket.


If we use memcache, the issue occurs only sometimes.

The difference between the two cases is the mixed state of the switch after
the sss_nss_mc_getgrnam() call in the _nss_sss_getgrnam_r() function.


Note: code says (for default case):
/* if using the mmaped cache failed,
 * fall back to socket based comms */


Could anyone help, please?


The report is:

#--- WRONG

[root@mirach sssd]# date && getent group testgroup
Wed Nov  9 16:01:05 CET 2016
>>> [A] record not found (time[1478703665])
>>> [B] record not found (time[1478703665])
testgroup:*:1703800674:

Number of members added 1

[root@mirach sssd]# sss_cache -UG && date && getent group testgroup
Wed Nov  9 16:01:07 CET 2016
>>> [A] record not found (time[1478703667])
>>> [B] default (time[1478703667])
testgroup:*:1703800674:testuser

Number of members removed 1

[root@mirach sssd]# sss_cache -UG && date && getent group testgroup
Wed Nov  9 16:01:09 CET 2016
>>> mc record expires at [1478703967] | now [1478703669]
>>> [A] MC used (time[1478703669])
testgroup:*:1703800674:testuser

[root@mirach sssd]# grep '>>>' *.log
sssd_nss.log:(Wed Nov  9 16:01:06 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703966] 
| now [1478703666] | delta [300]
sssd_nss.log:(Wed Nov  9 16:01:06 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [0]
sssd_nss.log:(Wed Nov  9 16:01:07 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703967] 
| now [1478703667] | delta [300]
sssd_nss.log:(Wed Nov  9 16:01:07 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [1]




#--- RIGHT

[root@mirach sssd]# date && getent group testgroup
Wed Nov  9 15:56:54 CET 2016
>>> [A] record not found (time[1478703414])
>>> [B] record not found (time[1478703414])
testgroup:*:1703800674:

Number of members added 1

[root@mirach sssd]# sss_cache -UG && date && getent group testgroup
Wed Nov  9 15:56:56 CET 2016
>>> [A] default (time[1478703416])
>>> [B] default (time[1478703416])
testgroup:*:1703800674:testuser

Number of members removed 1

[root@mirach sssd]# sss_cache -UG && date && getent group testgroup
Wed Nov  9 15:56:58 CET 2016
>>> [A] record not found (time[1478703418])
>>> [B] record not found (time[1478703418])
testgroup:*:1703800674:

[root@mirach sssd]# grep '>>>' *.log
sssd_nss.log:(Wed Nov  9 15:56:54 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703714] 
| now [1478703414] | delta [300]
sssd_nss.log:(Wed Nov  9 15:56:54 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [0]
sssd_nss.log:(Wed Nov  9 15:56:56 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703716] 
| now [1478703416] | delta [300]
sssd_nss.log:(Wed Nov  9 15:56:56 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [1]
sssd_nss.log:(Wed Nov  9 15:56:58 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703718] 
| now [1478703418] | delta [300]
sssd_nss.log:(Wed Nov  9 15:56:58 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [0]



Regards

--
Petr^4 Čech

From 08ec8bbaaab760396747420e46f8190c3a2dfead Mon Sep 17 00:00:00 2001
From: Petr Čech
Date: Mon, 24 Oct 2016 15:16:34 +0200
Subject: [PATCH] WIP: debug for t3222

This patch enables debug messages needed for investigation of memory
cache.
---
 src/responder/nss/nsssrv_mmap_cache.c |  8 
 src/sss_client/nss_group.c| 10 ++
 src/sss_client/nss_mc_group.c |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index f7f62733941cd3ae3b071d6d54c801f9be1ce800..f25357712bf06da49e3a96f0ff7a4812c4f63dca 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -643,6 +643,8 @@ static inline void sss_mmap_set_rec_header(struct sss_mc_ctx *mcc,
 rec->expire = time(NULL) + ttl;
 rec->hash1 = sss_mc_hash(mcc, key1, key1_len);
 rec->hash2 = sss_mc_hash(mcc, key2, key2_len);
+
+DEBUG(SSSDBG_FATAL_FAILURE, ">>> MC STORE expiration [%lu] | now [%lu] | delta [%li]\n", rec->expire, time(NULL), rec->expire - time(NULL));
 }
 
 static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc,
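Review bot: the DEBUG added at the end of sss_mmap_set_rec_header() calls time(NULL) two more times after rec->expire was already computed from its own time(NULL) call, so the logged "now" and "delta" can disagree with the value the expiry was really built from when a second boundary is crossed between the calls. Read the time once into a local variable, use it for rec->expire, and print that variable together with ttl, so the log line shows exactly what was stored.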
@@ -846,11 +848,13 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
 
 if (mcc == NULL) {
 /* cache not initialized
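
The correlation done by eye in the report above (matching the client's "mc record expires at" value against the responder's "MC STORE expiration" lines to see which stored record was served), as an added example that is not part of the original message or of SSSD. The function names are hypothetical, the sample lines are the WRONG-case lines from the report with the mail wrapping undone, and the code assumes an expiration value identifies a single store.

```python
import re

# Line formats produced by the WIP debug patch discussed in this thread.
STORE_HDR = re.compile(r"MC STORE expiration \[(\d+)\] \| now \[(\d+)\]")
STORE_GRP = re.compile(r"MC STORE \[([^\]]+)\] \[(\d+)\] members \[(\d+)\]")
CLIENT_REC = re.compile(r">>> mc record expires at \[(\d+)\] \| now \[(\d+)\]")
CLIENT_HIT = re.compile(r">>> \[A\] MC used")

# WRONG-case responder lines from the report, unwrapped.
RESPONDER_LOG_WRONG = """\
sssd_nss.log:(Wed Nov  9 16:01:06 2016) [sssd[nss]] [sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703966] | now [1478703666] | delta [300]
sssd_nss.log:(Wed Nov  9 16:01:06 2016) [sssd[nss]] [sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] members [0]
sssd_nss.log:(Wed Nov  9 16:01:07 2016) [sssd[nss]] [sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1478703967] | now [1478703667] | delta [300]
sssd_nss.log:(Wed Nov  9 16:01:07 2016) [sssd[nss]] [sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] members [1]
"""

# WRONG-case client output (getent with the patched NSS client), from the report.
CLIENT_TRACE_WRONG = """\
>>> [A] record not found (time[1478703665])
>>> [B] record not found (time[1478703665])
testgroup:*:1703800674:
>>> [A] record not found (time[1478703667])
>>> [B] default (time[1478703667])
testgroup:*:1703800674:testuser
>>> mc record expires at [1478703967] | now [1478703669]
>>> [A] MC used (time[1478703669])
testgroup:*:1703800674:testuser
"""


def parse_stores(log_text):
    """Pair each rec-header line with the group-store line that follows it."""
    stores, pending = [], None
    for line in log_text.splitlines():
        m = STORE_HDR.search(line)
        if m:
            pending = {"expire": int(m.group(1)), "stored_at": int(m.group(2))}
            continue
        m = STORE_GRP.search(line)
        if m and pending is not None:
            pending.update(group=m.group(1), ttl=int(m.group(2)),
                           members=int(m.group(3)))
            stores.append(pending)
            pending = None
    return stores


def parse_hits(trace_text):
    """Return the lookups the client answered from the memory cache."""
    hits, pending = [], None
    for line in trace_text.splitlines():
        m = CLIENT_REC.search(line)
        if m:
            pending = {"expire": int(m.group(1)), "lookup_at": int(m.group(2))}
        elif CLIENT_HIT.search(line) and pending is not None:
            hits.append(pending)
            pending = None
    return hits


def memcache_hits(log_text, trace_text):
    """For every memcache hit, report which responder store it was served from."""
    stores = parse_stores(log_text)
    by_expire = {}
    for s in stores:
        by_expire.setdefault(s["expire"], []).append(s)

    report = []
    for hit in parse_hits(trace_text):
        entry = dict(hit, group=None, members=None, age=None,
                     remaining=hit["expire"] - hit["lookup_at"],
                     # True if the responder stored anything at or after the lookup
                     reached_responder=any(s["stored_at"] >= hit["lookup_at"]
                                           for s in stores))
        candidates = by_expire.get(hit["expire"], [])
        if len(candidates) == 1:  # unmatched or ambiguous hits stay unresolved
            s = candidates[0]
            entry.update(group=s["group"], members=s["members"],
                         age=hit["lookup_at"] - s["stored_at"])
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in memcache_hits(RESPONDER_LOG_WRONG, CLIENT_TRACE_WRONG):
        print("lookup at {lookup_at}: served [{group}] with members [{members}], "
              "record age {age}s, {remaining}s until expiry, "
              "responder contacted: {reached_responder}".format(**e))
```

On the WRONG-case lines this resolves the third lookup to the record stored at 16:01:07 with members [1], two seconds old and with no responder store after the lookup.
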

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-11-07 Thread Petr Cech

Hi all,

after a chat with Lukas I attached only the first two patches. The author of
the third one is Lukas and I am not sure if he is finished. (There was a
question of LD_PRELOAD.)


Regards

--
Petr^4 Čech

From c67ccc872eb5dacc98f626c10740424cef205334 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 29f4b1d1597bd98541a152dd6462caa864fbf2fd..8b194e3db48870aecd54b21bd3d0b77dc342f9e5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,11 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1181,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "unknown";
+
+if (state_mask == (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
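Review bot: get_attr_storage() compares state_mask by equality and falls back to "unknown" for every value it does not list, so a further SSS_SYSDB_* flag added later would silently turn each combination containing it into "unknown". Test the bits individually, or add a comment that the function has to be extended together with the flag definitions; an unsigned type would also suit a bit mask better than int.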
@@ -1184,6 +1204,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1213,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
 }
 }
 
@@ -1201,9 +1224,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
 }
 }
 
+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
 return ret;
 }
 
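Review bot: the wording of the new message at the end of sysdb_set_entry_attr(), "Entry [%s] has set [%s] attrs.", is hard to read in a log; something like "Attrs of entry [%s] written to [%s]" says more directly which store was touched. With this hunk the function calls ldb_dn_get_linearized(entry_dn) in three DEBUG statements, so a local variable holding the linearized DN would tidy that up as well.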
-- 
2.7.4

From 1f4e5b03442ea87a117c54a30550fbc357ff10a7 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..b67769ed11fc0796d1987f09aa568c2db4a0ffab 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
  struct ldb_message *mod_msg)
 {
 struct ldb_message_element *mod_msg_el;
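Review bot: sysdb_ldb_msg_difference() gains an entry_dn parameter that the visible hunks use only for the new DEBUG output. Please say so in a comment above the function, or check whether a DN already reachable through db_msg or mod_msg could be logged instead, which would leave the signature and its callers unchanged.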
@@ -1848,6 +1849,9 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (mod_msg_el->num_values > 0) {
 /* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_INTERNAL,
+  "Added attr [%s] to entry [%s]\n",
+  mod_msg_el->name, ldb_dn_get_linearized(entry_dn));
 return true;
 }
 break;
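Review bot: the new DEBUG is placed between the comment "We can ignore additions of timestamp attributes" and the return true that follows it, so the comment now reads as if it described the log call. Move the DEBUG above the comment or reword the comment, so it stays clear what is ignored and what is reported as a difference.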
@@ -1855,12 +1859,15 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
 
 el_differs = ldb_msg_element_compare(db_msg_el, mod_msg_el);
 if (el_differs) {
-/* We are replacing or extending element, there is a difference. If
- * some values already exist and ldb_add is not permissive,
+/* We are replacing or extending element, there is a difference.
+ * If some values already exist and ldb_add is not permissive,
  * ldb will thr

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-11-04 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-10-25 Thread Petr Cech

On 10/20/2016 01:14 PM, Petr Cech wrote:

On 09/22/2016 01:04 PM, Lukas Slebodnik wrote:

Attached is an alternative solution for debugging ldb functions
How to test:
LD_PRELOAD=.libs/sss_ldb_debug.so ./sysdb-tests -d 10

The only thing would be to find out why LD_PRELOAD in
/etc/sysconfig/sssd is not passed to child processes.
MY_LD_PRELOAD is passed without issue.

LS


Hello all,

I just replaced wrappers with Lukas patch. Thanks.

I tested LD_PRELOAD manually, it worked fine if you use
export LD_PRELOAD... as it has been described above in Lukas's answer.
I wasn't successful with /etc/sysconfig/sssd either. And uncle google is
silent :-(

I propose to change the commit message of the third patch to `export
LD_PRELOAD=...` instead of `/etc/sysconfig/sssd`. So it should work.

Any other idea?


So,

I changed the commit message in the last commit to
`export LD_PRELOAD=...`
New patch set is attached.

Regards

--
Petr^4 Čech

From c67ccc872eb5dacc98f626c10740424cef205334 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 29f4b1d1597bd98541a152dd6462caa864fbf2fd..8b194e3db48870aecd54b21bd3d0b77dc342f9e5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,11 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1181,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "unknown";
+
+if (state_mask == (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
@@ -1184,6 +1204,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1213,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
 }
 }
 
@@ -1201,9 +1224,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
 }
 }
 
+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
 return ret;
 }
 
-- 
2.7.4

From 1f4e5b03442ea87a117c54a30550fbc357ff10a7 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..b67769ed11fc0796d1987f09aa568c2db4a0ffab 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
  struct ldb_message *mod_msg)
 {
 struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,9 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (mod_msg_el->num_values > 0) {
 /* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_INTERNAL,
+  "Added a

[SSSD] WIP: sssd still showing ipa user after removed from last group

2016-10-24 Thread Petr Cech

Hello list,

I have worked on ticket #3222 [1]. The reproducer mentioned in this
ticket doesn't work 100%. After some investigation and discussion
with the SSSD team I recognized that the issue is caused by the memory
cache (fast cache).


This memcache saves users and groups. The default timeout is 300 seconds.
I prepared a simple patch which shows the debug messages important for
investigation of the mem cache (in this case), and two reproducers, one
with memcache and one without.



If we compile SSSD with the 'debug' patch and run
'group_member_with_memcache.sh', we can see e.g.:


[root@mirach sssd]# group_member_with_memcache.sh && grep '>>>' *.log
-
Added user "testuser"
-
[...]
---
Added group "testgroup"
---
  Group name: testgroup
  GID: 1703800630
Mon Oct 24 15:20:05 CEST 2016
>>> [A] record not found
>>> [B] record not found
testgroup:*:1703800630:
  Group name: testgroup
  GID: 1703800630
  Member users: testuser
-
Number of members added 1
-
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : 
/usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header

Mon Oct 24 15:20:09 CEST 2016
>>> [A] record not found
>>> [B] record not found
testgroup:*:1703800630:testuser
  Group name: testgroup
  GID: 1703800630
---
Number of members removed 1
---
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : 
/usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header

Mon Oct 24 15:20:13 CEST 2016
>>> mc record expires at [1477315509] | now [1477315213]
>>> [A] MC used
testgroup:*:1703800630:testuser
-
Deleted group "testgroup"
-
---
Deleted user "testuser"
---
sssd_nss.log:(Mon Oct 24 15:20:05 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1477315505] 
| now [1477315205]
sssd_nss.log:(Mon Oct 24 15:20:05 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [0]
sssd_nss.log:(Mon Oct 24 15:20:09 2016) [sssd[nss]] 
[sss_mmap_set_rec_header] (0x0010): >>> MC STORE expiration [1477315509] 
| now [1477315209]
sssd_nss.log:(Mon Oct 24 15:20:09 2016) [sssd[nss]] 
[sss_mmap_cache_gr_store] (0x0010): >>> MC STORE [testgroup] [300] 
members [1]


As we can see, the wrong result is just taken from the memory cache. If you
run 'group_member_without_memcache' it works right. So I suppose that
the solution for the ticket is simply adjusting the memcache_timeout option
on problematic deployments.



If everybody agrees I will close the ticket as not a bug and write a comment
about the memcache_timeout option.



Regards

[1] https://fedorahosted.org/sssd/ticket/3222


--
Petr^4 Čech

From cd7fd91e0a20740541e0fc10e795e3259e1bc975 Mon Sep 17 00:00:00 2001
From: Petr Čech
Date: Mon, 24 Oct 2016 15:16:34 +0200
Subject: [PATCH] WIP: debug for t3222

This patch enables debug messages needed for investigation of memory
cache.
---
 src/responder/nss/nsssrv_mmap_cache.c | 4 
 src/sss_client/nss_group.c| 9 +
 src/sss_client/nss_mc_group.c | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index f7f62733941cd3ae3b071d6d54c801f9be1ce800..08f689d5be0020046a62d7118564574a87f405c5 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -643,6 +643,8 @@ static inline void sss_mmap_set_rec_header(struct sss_mc_ctx *mcc,
 rec->expire = time(NULL) + ttl;
 rec->hash1 = sss_mc_hash(mcc, key1, key1_len);
 rec->hash2 = sss_mc_hash(mcc, key2, key2_len);
+
+DEBUG(SSSDBG_FATAL_FAILURE, ">>> MC STORE expiration [%lu] | now [%lu]\n", rec->expire, time(NULL));
 }
 
 static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc,
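Review bot: the DEBUG added to sss_mmap_set_rec_header() logs a routine store at SSSDBG_FATAL_FAILURE and passes the result of time(NULL) to a %lu conversion without a cast. The level is tolerable only while the patch stays WIP, because it puts one line per stored record into the log even at the lowest debug level; anything meant for merging needs a trace level and an explicit cast to the type the format string expects.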
@@ -889,6 +891,8 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
 memcpy(&data->strs[pos], membuf, memsize);
 pos += memsize;
 
+DEBUG(SSSDBG_FATAL_FAILURE, ">>> MC STORE [%s] [%li] members [%i]\n", name->str, mcc->valid_time_slot, data->members);
+
 MC_LOWER_BARRIER(rec);
 
 /* finally chain the rec in the hash table */
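Review bot: the new DEBUG in sss_mmap_cache_gr_store() sits between the memcpy() of the member data and MC_LOWER_BARRIER(rec), that is, inside the span in which the record is still being written. A log call there does I/O before the barrier closes the record; moving it after the "finally chain the rec in the hash table" step keeps the update window as short as it was. The %li and %i conversions for mcc->valid_time_slot and data->members also have to match the field types, which the hunk does not show.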
diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
index 0e686af43aeb84a5938315e3922e9fcf2fef4e83..39c25ad81e78f7b10a4b3699b4cd1260645bd4c5 100644
--- a/src/sss_client/nss_group.c
+++ b/src/sss_client/nss_group.c
@@ -24,6 +24,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -421,17 +422,21 @@ enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result,
 switch (ret) {
 case 0:
 *errnop = 0;
+printf(">>> [A] MC used\n");
 return NSS_STATUS_SUCCESS;
 case ERANGE:
 *errnop = ERANGE;
+printf(">>> [A] MC expired\n");
 return NSS_STATUS_TRYAGAIN;
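Review bot: the printf() calls added to the switch in _nss_sss_getgrnam_r() write to the standard output of whatever process performs the group lookup, since this code runs in the NSS client; the reproducer relies on that, but it also changes the output of every other program that resolves a group. For a debugging aid, write to stderr and guard it with an environment variable or a build-time switch. The label on the ERANGE branch is also questionable: the branch sets *errnop = ERANGE and returns NSS_STATUS_TRYAGAIN, which is how a too-small caller buffer is reported, so "MC expired" can mislead whoever reads the trace.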

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-10-20 Thread Petr Cech

On 09/22/2016 01:04 PM, Lukas Slebodnik wrote:

Attached is an alternative solution for debugging ldb functions
How to test:
LD_PRELOAD=.libs/sss_ldb_debug.so ./sysdb-tests -d 10

The only thing would be to find out why LD_PRELOAD in
/etc/sysconfig/sssd is not passed to child processes.
MY_LD_PRELOAD is passed without issue.

LS


Hello all,

I just replaced wrappers with Lukas patch. Thanks.

I tested LD_PRELOAD manually, it worked fine if you use
export LD_PRELOAD... as it has been described above in Lukas's answer.
I wasn't successful with /etc/sysconfig/sssd either. And uncle google is
silent :-(


I propose to change the commit message of the third patch to `export
LD_PRELOAD=...` instead of `/etc/sysconfig/sssd`. So it should work.


Any other idea?

Regards

--
Petr^4 Čech

From 15b113dcea02e445dc297f336c543d71cb4ea338 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 29f4b1d1597bd98541a152dd6462caa864fbf2fd..8b194e3db48870aecd54b21bd3d0b77dc342f9e5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,11 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1181,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "unknown";
+
+if (state_mask == (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
@@ -1184,6 +1204,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1213,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
 }
 }
 
@@ -1201,9 +1224,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
 }
 }
 
+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
 return ret;
 }
 
-- 
2.7.4

From 6b3eea9fbdc0775bce530a1567e51bafcfee3163 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..b67769ed11fc0796d1987f09aa568c2db4a0ffab 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
  struct ldb_message *mod_msg)
 {
 struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,9 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (mod_msg_el->num_values > 0) {
 /* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_INTERNAL,
+  "Added attr [%s] to entry [%s]\n",
+  mod_msg_el->name, ldb_dn_get_linearized(entry_dn));
 return true;
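Review bot: The added DEBUG in sysdb_ldb_msg_difference says "Added attr [%s] to entry [%s]", but this function only reports whether the two messages differ and does not write anything. A message such as "Attr [%s] is new for entry [%s]" avoids suggesting that the modification has already happened, which matters when the log is read to find out why the cache changed.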

[SSSD] Re: [sssd PR#13][comment] MEMBEROF: Don't resolve members if they are removed

2016-10-19 Thread Petr Cech

On 10/19/2016 07:45 AM, Lukas Slebodnik wrote:

On (18/10/16 09:35), Petr Cech wrote:

On 10/17/2016 07:06 PM, Lukas Slebodnik wrote:

On (14/10/16 13:54), lslebodn wrote:

 URL: https://github.com/SSSD/sssd/pull/13
Title: #13: MEMBEROF: Don't resolve members if they are removed

lslebodn commented:
"""
On (14/10/16 04:48), celestian wrote:

I did manual testing with reproducer above. And I ran chmake (it is without 
intg., isn't it).
Now I check ldap patch with intg.


Then the question is why manual testing is different than newly added
integration tests.

BTW It is possible that patch in memberof plugin can save some unnecessary
ldb operations and can be considered as performance enhancement.
But it's impossible to say that without proper integration test.


Bump,

I am still expecting answer to the comment even though that some
patches were pushed.

LS


Hi Lukas,

the intg. tests in points:
* Adding one user to the group
* let have group with two users -- removing users one by one
* let have user_1 in group_1; user_2 in group_2; group_1 and group_2 in
group_3 -- removing groups (a and 2) one by one from group_3


Manual testing:

# prepare
ipa user-add --first=Adam --last=Adam --email=a...@persei.cz adam
ipa group-add group_1
ipa group-add-member --users=adam group_1
ipa group-add group_2

# reproducer

systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

ipa group-add-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

ipa group-remove-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

# clean

ipa group-del group_2
ipa group_del group_1
ipa user-del adam


In my opinion intg. tests and manual testing cover the same case.

I wrote 'memberof' patch when I have been working on similar group tickets.
I assume I confused ticket for `memberof` patch.


Do I understand it correctly that you will write a new integration test
for member of patch?

LS


Yes, I am writing test for memberof plugin right now :-)
The memberof patch is fix for ticket [1].

(So memberof patch has slightly different reproducer. I will add it to 
comment of the new ticket.)


[1] https://fedorahosted.org/sssd/ticket/3222

Regards

--
Petr^4 Čech


[SSSD] Re: [sssd PR#13][comment] MEMBEROF: Don't resolve members if they are removed

2016-10-18 Thread Petr Cech

On 10/17/2016 07:06 PM, Lukas Slebodnik wrote:

On (14/10/16 13:54), lslebodn wrote:

 URL: https://github.com/SSSD/sssd/pull/13
Title: #13: MEMBEROF: Don't resolve members if they are removed

lslebodn commented:
"""
On (14/10/16 04:48), celestian wrote:

I did manual testing with reproducer above. And I ran chmake (it is without 
intg., isn't it).
Now I check ldap patch with intg.


Then the question is why manual testing is different than newly added
integration tests.

BTW It is possible that patch in memberof plugin can save some unnecessary
ldb operations and can be considered as performance enhancement.
But it's impossible to say that without proper integration test.


Bump,

I am still expecting answer to the comment even though that some
patches were pushed.

LS


Hi Lukas,

the intg. tests in points:
* Adding one user to the group
* let have group with two users -- removing users one by one
* let have user_1 in group_1; user_2 in group_2; group_1 and group_2 in 
group_3 -- removing groups (a and 2) one by one from group_3



Manual testing:

# prepare
ipa user-add --first=Adam --last=Adam --email=a...@persei.cz adam
ipa group-add group_1
ipa group-add-member --users=adam group_1
ipa group-add group_2

# reproducer

systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

ipa group-add-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

ipa group-remove-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

# clean

ipa group-del group_2
ipa group_del group_1
ipa user-del adam


In my opinion intg. tests and manual testing cover the same case.

I wrote 'memberof' patch when I have been working on similar group 
tickets. I assume I confused ticket for `memberof` patch.


Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-10-13 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: [PATCH ding-libs] Extend API to const key for clients that don't need to modify their keys

2016-10-05 Thread Petr Cech



On 10/05/2016 04:39 PM, Michal Židek wrote:

On 10/05/2016 04:30 PM, Petr Cech wrote:

On 10/05/2016 04:18 PM, Michal Židek wrote:

On 10/05/2016 03:47 PM, Philip Prindeville wrote:



On Oct 5, 2016, at 7:18 AM, Michal Židek  wrote:



Hello Michal,

I comment two things online.


I agree with the comments. New test attached.



0002-DHASH-Add-check-based-unit-test.patch


From 83b18c3ca4d70086bbdc645e0d09e7e027e5e9b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Wed, 5 Oct 2016 13:10:35 +0200
Subject: [PATCH 2/2] DHASH: Add check based unit test

---


LGTM.
ACK.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH ding-libs] Extend API to const key for clients that don't need to modify their keys

2016-10-05 Thread Petr Cech

On 10/05/2016 04:18 PM, Michal Židek wrote:

On 10/05/2016 03:47 PM, Philip Prindeville wrote:



On Oct 5, 2016, at 7:18 AM, Michal Židek  wrote:

I forgot to attach the patches.

Again the first one is acked by me, the second
needs a review.

Michal



Thanks for writing those tests.

Minor comment, dhash_ut_check.c and the existing checks don’t have any
negative tests, such as attempting to delete a non-existent key, or
deleting an already deleted key…  or entering a key which is already
present.

-Philip



Good point. I added some delete operations to these tests.
However these are just some sanity tests to cover the code that
was changed. My intention was not to test everything here.

New tests are attached.

Michal


Hello Michal,

I comment two things online.




0002-DHASH-Add-check-based-unit-test.patch


From 83b18c3ca4d70086bbdc645e0d09e7e027e5e9b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Wed, 5 Oct 2016 13:10:35 +0200
Subject: [PATCH 2/2] DHASH: Add check based unit test

---
 Makefile.am|  14 
 dhash/dhash_ut_check.c | 210 +
 2 files changed, 224 insertions(+)
 create mode 100644 dhash/dhash_ut_check.c

diff --git a/Makefile.am b/Makefile.am
index 65528a8..ca9710e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -114,12 +114,26 @@ libdhash_la_LDFLAGS = \
 check_PROGRAMS += dhash_test dhash_example
 TESTS += dhash_test dhash_example

+if HAVE_CHECK
+check_PROGRAMS += dhash_ut_check
+TESTS += dhash_ut_check
+endif
+
+
 dhash_test_SOURCES = dhash/examples/dhash_test.c
 dhash_test_LDADD = libdhash.la

 dhash_example_SOURCES = dhash/examples/dhash_example.c
 dhash_example_LDADD = libdhash.la

+dhash_ut_check_SOURCES = dhash/dhash_ut_check.c
+dhash_ut_chech_CFLAGS = $(AM_CFLAGS) \
+$(CHECK_CFLAGS) \
+$(NULL)
+dhash_ut_check_LDADD = libdhash.la \
+   $(CHECK_LIBS) \
+   $(NULL)
+
 dist_examples_DATA += \
 dhash/examples/dhash_test.c \
 dhash/examples/dhash_example.c
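Review bot: dhash_ut_chech_CFLAGS in the Makefile.am hunk is misspelled (chech instead of check), so $(CHECK_CFLAGS) is never applied to the dhash_ut_check build; rename it to dhash_ut_check_CFLAGS. The SOURCES, CFLAGS and LDADD definitions also sit outside the "if HAVE_CHECK" block that adds the program, and would be tidier inside it.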
diff --git a/dhash/dhash_ut_check.c b/dhash/dhash_ut_check.c
new file mode 100644
index 000..b4b36fa
--- /dev/null
+++ b/dhash/dhash_ut_check.c
@@ -0,0 +1,210 @@
+/*
+Authors:
+Michal Zidek 
+
+Copyright (C) 2016 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with this program.  If not, see .
+*/
+
+#include "config.h"
+
+#include 
+#include 
+#include 

IMO, this is unnecessary.



+#include 
+#include 
+
+/* #define TRACE_LEVEL 7 */
+#define TRACE_HOME
+#include "dhash.h"
+#include "path_utils.h"

IMO, this is unnecessary.


+
+#define HTABLE_SIZE 128
+
+int verbose = 0;
+
+/* There must be no warnings generated during this test
+ * without having to cast the key value. */
+START_TEST(test_key_const_string)
+{
+hash_table_t *htable;
+int ret;
+hash_value_t ret_val;
+hash_value_t enter_val1 = {.type = HASH_VALUE_INT, .i = 1};
+hash_value_t enter_val2 = {.type = HASH_VALUE_INT, .i = 2};
+hash_key_t key = {.type = HASH_KEY_CONST_STRING, .c_str = "constant"};
+
+ret = hash_create(HTABLE_SIZE, &htable, NULL, NULL);
+fail_unless(ret == 0);
+
+/* The table is empty, lookup should return error */
+ret = hash_lookup(htable, &key, &ret_val);
+fail_unless(ret == HASH_ERROR_KEY_NOT_FOUND);
+
+/* Deleting with non-existing key should return error */
+ret = hash_delete(htable, &key);
+fail_unless(ret == HASH_ERROR_KEY_NOT_FOUND);
+
+ret = hash_enter(htable, &key, &enter_val1);
+fail_unless(ret == 0);
+
+hash_lookup(htable, &key, &ret_val);
+fail_unless(ret == 0);
+fail_unless(ret_val.i == 1);
+
+/* Overwrite the entry */
+ret = hash_enter(htable, &key, &enter_val2);
+fail_unless(ret == 0);
+
+hash_lookup(htable, &key, &ret_val);
+fail_unless(ret == 0);
+fail_unless(ret_val.i == 2);
+
+ret = hash_delete(htable, &key);
+fail_unless(ret == 0);
+
+/* Delete again with the same key */
+ret = hash_delete(htable, &key);
+fail_unless(ret == HASH_ERROR_KEY_NOT_FOUND);
+
+ret = hash_destroy(htable);
+fail_unless(ret == 0);
+}
+END_TEST
+
+START_TEST(test_key_string)
+{
+hash_table_t *htable;
+int ret;
+hash_value_t ret_val;
+hash_value_t enter_val1 = {.type = HASH_VALUE_INT, .i = 1};
+hash_value_t ent
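Review bot: In test_key_const_string both hash_lookup() calls discard their return value, so the fail_unless(ret == 0) after each of them re-checks the result of the preceding hash_enter() and the lookup itself is never verified. Assign the result before checking it: ret = hash_lookup(htable, &key, &ret_val);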

[SSSD] Re: [PATCH] SYSDB: Fix error handling in sysdb_get_user_members_recursively

2016-10-03 Thread Petr Cech

bump

--
Petr^4 Čech


[SSSD] Re: Question: LDAP provider doesn't show group member

2016-09-22 Thread Petr Cech

On 09/22/2016 12:40 PM, Jakub Hrozek wrote:

Yes, because your ldapsearch authenticates as a user DN, but sssd
doesn't authenticate by default.

Try adding:
ldap_sasl_mech = gssapi
krb5_server = algol.beta
krb5_realm = BETA

to your sssd.conf.

I wonder if this is visible in server logs for future..


Thanks Jakub, it works now.

So, ticket #3186 isn't bug.

Would you like to have similar messages about filter
and attributes in ldap answer in our logs?

Regards

--
Petr^4 Čech


[SSSD] Re: Question: LDAP provider doesn't show group member

2016-09-22 Thread Petr Cech

On 09/22/2016 12:48 PM, Sumit Bose wrote:

Yes, you use an authenticated bind in the ldapsearch (-D
uid=admin,cn=users,cn=accounts,dc=beta) while you anonymously bind with
your ldap.beta configuration.

IPA does not show group member for anonymous binds, please add

ldap_default_bind_dn = uid=admin,cn=users,cn=accounts,dc=beta
ldap_default_authtok = myspulin

to [domain/ldap.beta] and you should see the members, but please _never_
use the admin account for this in production. As an alternative you can
add the SASL bind related option to your configuration.

HTH

bye,
Sumit


Thanks, Sumit, it works now.

Regards

--
Petr^4 Čech


[SSSD] Question: LDAP provider doesn't show group member

2016-09-22 Thread Petr Cech
EBUG(SSSDBG_CRIT_FAILURE, ">>> LDAP Library error: %d(%s)\n",
   lerrno, sss_ldap_err2string(lerrno));
 ret = EIO;
 goto done;
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index f374112935a7befa1d059df97f3119c14d8f5da5..7a4237e97c261baa9cec618b5cef3b348717f401 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1329,7 +1329,7 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
 talloc_zfree(state->op);
 
 DEBUG(SSSDBG_TRACE_FUNC,
- "calling ldap_search_ext with [%s][%s].\n",
+ ">>> calling ldap_search_ext with [%s][%s].\n",
   state->filter ? state->filter : "no filter",
   state->search_base);
 if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
@@ -1338,7 +1338,7 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
 if (state->attrs) {
 for (i = 0; state->attrs[i]; i++) {
 DEBUG(SSSDBG_TRACE_LIBS,
-  "Requesting attrs: [%s]\n", state->attrs[i]);
+  ">>> Requesting attrs: [%s]\n", state->attrs[i]);
 }
 }
 }
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 08dfa01b1bc0cbde94928a2b577fd55667fbd48a..75fd814efe9694439013fe31823ac4b9d248da41 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1995,6 +1995,12 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
 DEBUG(SSSDBG_TRACE_FUNC,
   "Search for groups, returned %zu results.\n", count);
 
+DEBUG(SSSDBG_TRACE_FUNC, ">>> Group contains:\n");
+for (int j = 0; j < groups[0]->num; j++) {
+DEBUG(SSSDBG_TRACE_FUNC, ">>>   %d: [%s]\n", j, groups[0]->a[j].name);
+}
+
+
 if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \
 state->lookup_type == SDAP_LOOKUP_ENUMERATE || \
 count == 0) {
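Review bot: The added loop in sdap_get_groups_process dereferences groups[0] before the count == 0 case is handled in the condition just below it, so a search that returns no results reads an entry that is not there. Guard the loop with count > 0, and iterate over all count entries if the intent is to dump every returned group rather than only the first.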
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 3e3329c0e8fba1915e2e065abb0cb3f21be36e6f..440d9d355dad6e4a1e599ed27045414c20e71036 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -1055,7 +1055,7 @@ sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
 goto immediately;
 }
 
-DEBUG(SSSDBG_TRACE_INTERNAL, "About to process group [%s]\n", orig_dn);
+DEBUG(SSSDBG_TRACE_INTERNAL, ">>> About to process group [%s]\n", orig_dn);
 PROBE(SDAP_NESTED_GROUP_PROCESS_SEND, state->group_dn);
 
 /* get member list, both direct and external */
@@ -1117,7 +1117,7 @@ sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
  */
 
 DEBUG(SSSDBG_TRACE_INTERNAL,
-  "Looking up %d/%d members of group [%s]\n",
+  ">>> Looking up %d/%d members of group [%s]\n",
   state->num_missing_total,
   state->members ? state->members->num_values : 0,
   orig_dn);
@@ -1132,7 +1132,7 @@ sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
   state->members, orig_dn,
   state->nesting_level);
 } else {
-DEBUG(SSSDBG_TRACE_INTERNAL, "Members of group [%s] will be "
+DEBUG(SSSDBG_TRACE_INTERNAL, ">>> Members of group [%s] will be "
   "processed individually\n", orig_dn);
 state->deref = false;
 subreq = sdap_nested_group_single_send(state, ev, group_ctx,
-- 
2.7.4

From f21c467a11f82d75f31d68e9d918746ff5a6cc2d Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/7] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 81 ++
 1 file changed, 81 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..32666f5d67621ec1f7f8122a27a087eacf4ca08a 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,11 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,14 +1181,66 @@ done:
 return ret;
 }
 
+static errno_t get_attr_storage(TALLOC_CTX *mem_ctx,
+int state_mask,
+char **_storage)
+{
+TALLOC_CTX *tmp_ctx;
+char 

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-22 Thread Petr Cech

On 09/22/2016 10:31 AM, Lukas Slebodnik wrote:

On (22/09/16 10:00), Lukas Slebodnik wrote:

On (16/09/16 16:19), Petr Cech wrote:

On 09/14/2016 04:00 PM, Lukas Slebodnik wrote:

Let's assume that we will add new type of cache in future
(e.g. SSS_SYSDB_SECRET_CACHE)

If the value of "state_mask" was CACHE | TS_CACHE SECRET_CACHE
then this condition would be true but return incorrect string.


So, I did it more dynamic way now. See attached patch please.


The more dynamic way does not work performance degradation
caused by many useless memory allocations.

Your patch calls get_attr_storage every time
even though the result would not be used
due to low debug_level

I prefer one of your previous versions
e.g.
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";

or maybe default can be "unknown"


+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+

Overhead is minimal and the wrong result will not be printed
in case of addition new type of cache.



Hi Lukas,

new version is attached.

Regards

--
Petr^4 Čech
From d480cfce5c4e3de6d33ff0d860d8f1edda2385b1 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 29f4b1d1597bd98541a152dd6462caa864fbf2fd..8b194e3db48870aecd54b21bd3d0b77dc342f9e5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,11 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1181,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "unknown";
+
+if (state_mask == (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
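Review bot: get_attr_storage carries no comment saying that the exact-match comparisons are deliberate, so that a mask with a bit this function does not know falls through to "unknown" instead of being reported as one of the known caches. A one-line comment to that effect would stop a later cleanup from turning them into bitwise tests; it could also say that SSS_SYSDB_NO_CACHE maps to "unknown" and that the caller is expected to filter it out first.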
@@ -1184,6 +1204,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1213,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
 }
 }
 
@@ -1201,9 +1224,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
 }
 }
 
+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
 return ret;
 }
 
-- 
2.7.4

From eab9f5259af8fc2ce9d88313d3ce95fe2a3ee08f Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..b67769ed11fc0796d1987f09aa568c2db4a0ffab 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
 

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-22 Thread Petr Cech

bump

--
Petr^4 Čech
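
The flag-to-string question debated in the "[PATCH SET] SYSDB: Adding message to inform about cache" thread, as an added example that is not part of any message or of the SSSD patches: it contrasts an any-bit test, the exact-match comparison, and a table-driven variant that goes beyond the thread by naming each known bit and reporting unknown bits without heap allocation. The three SSS_SYSDB_* values are taken from the patch; EX_SYSDB_SECRET_CACHE, EX_BOTH, the function names and the strings "none" and "unknown(0x..)" are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as defined in the patch discussed in the thread. */
#define SSS_SYSDB_NO_CACHE 0x0
#define SSS_SYSDB_CACHE    0x1
#define SSS_SYSDB_TS_CACHE 0x2
/* Hypothetical future flag (the review's "SECRET_CACHE"); not in SSSD. */
#define EX_SYSDB_SECRET_CACHE 0x4
/* Illustrative helper name for the two known bits together. */
#define EX_BOTH (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)

/* Any-bit test: true as soon as one of the two bits is set, so a write
 * to a single cache, or a mask with an extra bit, is reported as both. */
static const char *storage_any_bit(int mask)
{
    if ((mask & EX_BOTH) != 0) {
        return "cache, ts_cache";
    }
    return "unknown";
}

/* Exact-match test: never mislabels a mask, but every combination needs
 * its own branch and anything unlisted becomes "unknown". */
static const char *storage_exact(int mask)
{
    if (mask == EX_BOTH) return "cache, ts_cache";
    if (mask == SSS_SYSDB_TS_CACHE) return "ts_cache";
    if (mask == SSS_SYSDB_CACHE) return "cache";
    return "unknown";
}

struct flag_name {
    int bit;
    const char *name;
};

static const struct flag_name known_flags[] = {
    { SSS_SYSDB_CACHE,    "cache" },
    { SSS_SYSDB_TS_CACHE, "ts_cache" },
};

/* Table-driven variant: writes the names of all known bits into the
 * caller's buffer and appends any leftover bits as "unknown(0x..)".
 * Output is truncated, never overflowed, if the buffer is too small. */
static const char *storage_table(int mask, char *buf, size_t len)
{
    size_t used = 0;
    size_t i;
    int rest = mask;
    int n;

    if (len == 0) {
        return buf;
    }
    buf[0] = '\0';

    for (i = 0; i < sizeof(known_flags) / sizeof(known_flags[0]); i++) {
        if ((mask & known_flags[i].bit) == 0) {
            continue;
        }
        rest &= ~known_flags[i].bit;
        n = snprintf(buf + used, len - used, "%s%s",
                     used ? ", " : "", known_flags[i].name);
        if (n < 0 || (size_t)n >= len - used) {
            return buf;             /* truncated: stop appending */
        }
        used += (size_t)n;
    }

    if (rest != 0) {
        snprintf(buf + used, len - used, "%sunknown(0x%x)",
                 used ? ", " : "", (unsigned int)rest);
    } else if (used == 0) {
        snprintf(buf, len, "none");
    }
    return buf;
}

int main(void)
{
    /* Constructed sample masks, including one with the hypothetical bit. */
    int masks[] = { SSS_SYSDB_NO_CACHE, SSS_SYSDB_CACHE, SSS_SYSDB_TS_CACHE,
                    EX_BOTH, EX_BOTH | EX_SYSDB_SECRET_CACHE };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(masks) / sizeof(masks[0]); i++) {
        printf("0x%x any_bit=[%s] exact=[%s] table=[%s]\n",
               (unsigned int)masks[i], storage_any_bit(masks[i]),
               storage_exact(masks[i]),
               storage_table(masks[i], buf, sizeof(buf)));
    }
    return 0;
}
```

Because storage_table writes into a buffer on the caller's stack, it can be called only inside the branch that actually logs, which keeps the cost at zero when the debug level is too low for the message.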


[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-09-19 Thread Petr Cech

On 09/19/2016 10:16 AM, Jakub Hrozek wrote:

On Mon, Sep 19, 2016 at 09:52:57AM +0200, Lukas Slebodnik wrote:

On (19/09/16 09:46), Jakub Hrozek wrote:

On Wed, Aug 17, 2016 at 04:13:02PM +0200, Jakub Hrozek wrote:

On Wed, Aug 17, 2016 at 04:04:51PM +0200, Jakub Hrozek wrote:

On Wed, Aug 17, 2016 at 12:23:37PM +0200, Petr Cech wrote:

Thanks Jakub, Lukas.

CI tests almost passed, failure is not connected:
http://sssd-ci.duckdns.org/logs/job/51/82/summary.html

Fixed patch set attached.

Regards


ACK

CI: http://sssd-ci.duckdns.org/logs/job/51/86/summary.html


* master:
* e4d18b748fd8298b5cc6b6687ca05a20c574
* ba26252f43409a2e4c3d2396e4e7a21584bd725a
* 49f38702e62bbd1728757063ba407444e6270952
* a82baf596bac1fdac6addca6419d8992111a8aa2
* d6342c92c226becbdd254f90a0005b8c00c300dc


I would like to backport this feature to sssd-1-13, everyone OK with
that?

I assume there will be some conflicts; at least in Makefile.
Might be better if Peter prepare backported patches.


Indeed...

Petr, can you prepare backports of this feature?
Thank you.


Jakub, of course, I can :-)

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-16 Thread Petr Cech

On 09/14/2016 04:00 PM, Lukas Slebodnik wrote:

On (06/09/16 13:15), Petr Cech wrote:

On 09/05/2016 02:31 PM, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio  wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldiff as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone's else opinion on this series.



Please, below you can see a few comments. Feel completely free to
ignore the first one if you feel like doing it, it's just a minor :-)
For the other comments, I'd like to understand a few changes you have done.


Patch 0001: SYSDB: Adding message to inform which cache is used

About the following part of the patch:
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}

I personally don't like this kind of comparison done with flags. I'd
go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
...
But this is a really minor and feel free to ignore it.


Patch 0002: SYSDB: Adding message about reason why cache changed

LGTM


Patch 0003: SYSDB: Adding wrappers for ldb_* operations

About the following parts of the patch:

On src/db/sysdb_ldb_wrapper.c

+#define ERR_FN_ENOMEM (-1 * ENOMEM)
+#define ERR_FN_ENOENT (-1 * ENOENT)

Why? I failed to understand why you're doing this here.

+if (print_ctx == NULL) {
+return -1;
+return ERR_FN_ENOMEM;
+}

I guess the return -1 is a leftover :-)

+if (print_ctx->ldif == NULL) {
+return -2;
+return ERR_FN_ENOENT;
+}

I guess the return -2 is also a leftover :-)

+if (ret < 0) {
+DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with [%d][%s].\n",
+-1 * ret, sss_strerror(-1 * ret));
+goto done;
+}

And here again this dance multiplying by -1 that I don't understand
the reason :-\

+done:
+if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
+talloc_free(ldb_print_ctx->ldif);
+}
+talloc_free(ldb_print_ctx);

AFAIU talloc_free can gracefully handle NULL. Considering that's the
case I'd just check for (if ldb_print_ctx != NULL)
talloc_free(ldb_print_ctx->ldif);
Considering it doesn't, we may have some issues on trying to free
(ldb_print_ctx)

On src/db/sysdb_ldb_wrapper.h:

+int sss_ldb_rename(struct ldb_context *ldb,
+   struct ldb_dn * olddn,
+   struct ldb_dn *newdn);

Just a really minor coding style change here, remove the extra space
between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,


Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb

LGTM


Best Regards,
--
Fabiano Fidêncio


Hello,


there is new patch set attached.
I replaced all ldb_* to new wrapper in whole code.

Regards

--
Petr^4 Čech



From 529b0d3009f8310b8257d5a69639a0fafa30140c Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/7] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb_ops.c | 32 
1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 
5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..847b663bdb2ec31de3eb3b4c33e2b942145a4c42
 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
#include "util/cert.h"
#include 

+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
{
const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
return ret;
}

+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0) {
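Review bot: (state_mask & SSS_SYSDB_BOTH_CACHE) != 0 in get_attr_storage is true when either bit is set, not only when both are, so this first branch is also taken for a write to a single cache. To test for both caches, compare against the full mask: (state_mask & SSS_SYSDB_BOTH_CACHE) == SSS_SYSDB_BOTH_CACHE.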

Let's assume that we will add new type of cache in future

[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-13 Thread Petr Cech



On 09/13/2016 04:27 PM, Lukas Slebodnik wrote:

On (13/09/16 16:24), Lukas Slebodnik wrote:

On (13/09/16 14:11), Fabiano Fidêncio wrote:

On Mon, Sep 12, 2016 at 9:40 AM, Petr Cech  wrote:

Bump.


--
Petr^4 Čech


Patch looks good and all the requested changed were done.
I haven't done any tests with the patch, but the changes themselves
look good to me.


master:
* aef0171e0bdc9a683958d69c7ee984fb10cd5de7

http://sssd-ci.duckdns.org/logs/job/53/30/summary.html


Could you also prepare patch for 1.13 branch?


Yes, see attachment, please.

Regards

--
Petr^4 Čech
From 476ec80536205bb538c329252a6a162009210253 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 17 +
 src/providers/proxy/proxy_init.c  | 21 +++--
 5 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 6d8601b31cf4ce1a42f824a8400cef8c4ffadf9a..3161fc2181f9af641c3019adbdb67bcb417efdd8 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -215,6 +215,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 struct confdb_ctx;
 struct config_file_ctx;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index a400c831eb0e44f562c010f2a3649def21913287..56ede34c4b4bf8002f0fe4ac8212ed8523726092 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -419,6 +419,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
 [provider/proxy]
+proxy_max_children = int, None, false
 
 [provider/proxy/id]
 proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4f138e21940b1f13d864dd7c461dd981093ed2db..a76b19f447d4e1a441b64f2a4b3b99941b8bf9cd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2325,6 +2325,23 @@ pam_account_locked_message = Account locked, please contact help desk.
 
 
 
+
+
+proxy_max_children (integer)
+
+
+This option specifies the number of pre-forked
+proxy children. It is useful for high-load SSSD
+environments where sssd may run out of available
+child slots, which would cause some issues due to
+the requests being queued.
+
+
+Default: 10
+
+
+
+
 
 
 
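Review bot: The proxy_max_children entry added to sssd.conf.5.xml gives the default but not the accepted range. Since sssd-proxy.conf declares the option as a plain int, the text should say what happens for 0 or a negative value, so an administrator tuning it on a loaded system knows which settings are rejected.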
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 0a6b11d4a3f102782322c913d280b26fe47aecab..275a92c47e1009f36b2db51323a7d06858e31692 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -27,6 +27,8 @@
 #include "util/sss_format.h"
 #include "providers/proxy/proxy.h"
 
+#define OPT_MAX_CHILDREN_DEFAULT 10
+
 static int client_registration(struct sbus_request *dbus_req, void *data);
 
 static struct data_provider_iface proxy_methods = {
@@ -478,6 +480,7 @@ int sssm_proxy_auth_init(struct be_ctx *bectx,
 int ret;
 int hret;
 char *sbus_address;
+int max_children;
 
 /* If we're already set up, just return that */
 if(bectx

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-13 Thread Petr Cech

On 09/12/2016 10:01 AM, Lukas Slebodnik wrote:

On (11/09/16 23:49), Jakub Hrozek wrote:

On Thu, Sep 08, 2016 at 12:56:08PM +0200, Lukas Slebodnik wrote:

Let me explain why wrappers are not a good idea in production.
There was a new wrapper (#1991) introduced for ldb_search,
SSS_LDB_SEARCH. It should guarantee that ENONET will be
returned and not EOK + res->count == 0.

I found just a single usage of this wrapper since its introduction
but many usages of ldb_search (I stopped counting after 10).
And there will be the same problem with newly introduced wrappers.
It's crystal clear that review does not help. Otherwise we would use
SSS_LDB_SEARCH everywhere.

That is the reason why I am fine with using wrappers just for development
but not for production. Or try to propose some automatic way
to simply log ldifs for *ALL* required ldb functions.
IMHO, it would be best to implement it in libldb itself.


You have a point here (and I regret adding the ENOENT retval in general),
but the difference is that ldb_search wrapper changes /functionality/, this
just adds logging. So the only thing we would miss if we forget to use
the wrapper is the extra debugging. And in that case we would have to
build a new package and commit the messages to master, but that's no
different from missing debug messages in general.


Inconsistencies are bad. It does not matter whether it's about ENOENT
or logging.


There's been quite a few cases where I wanted to see what exactly is
being added for example with duplicate member: attributes or a member
attribute that points nowhere or 'binary' attributes. These patches
would solve it nicely.

And for such few cases you can prepare a custom build of sssd.

I am fine with the first 3 patches but the rest of the patches (replacement
of ldb_* with wrappers) have a NACK or
a) you can find another way to consistently log messages from ldb_ functions

BTW you will still be able to prepare test builds for debugging because
wrappers will be part of upstream (but will be unused by default.)


Hello Lukas,

I will be glad if we push the first 3 patches now.

I am not happy we have no consensus for the other 4.
We could discuss whether there is another way to consistently
log messages from ldb_ functions at the SSSD meeting.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-12 Thread Petr Cech

On 09/12/2016 10:01 AM, Lukas Slebodnik wrote:

You have a point here (and I regret adding the ENOENT retval in general),
but the difference is that ldb_search wrapper changes /functionality/, this
just adds logging. So the only thing we would miss if we forget to use
the wrapper is the extra debugging. And in that case we would have to
build a new package and commit the messages to master, but that's no
different from missing debug messages in general.

Inconsistencies are bad. It does not matter whether it's about ENOENT
or logging.


Hi Lukas,

if you are afraid of inconsistency in using wrappers at all places in
code I think I could prepare a test which tells you that you should write
sss_ldb_* instead of ldb_*.


Regards

--
Petr^4 Čech
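One way to implement the check proposed in this message (added example, not code from the thread or from SSSD): a Python scan that reports direct calls to ldb_add, ldb_delete, ldb_modify and ldb_rename outside src/db/sysdb_ldb_wrapper.c, ignoring comments and string literals. The sample sources and the path src/example/hypothetical.c are constructed for illustration.

```python
import re

# libldb write operations that patches 4-7 of the series replace with wrappers.
WRAPPED = ("ldb_add", "ldb_delete", "ldb_modify", "ldb_rename")

# The wrapper implementation is the one place allowed to call libldb directly.
ALLOWED_FILES = {"src/db/sysdb_ldb_wrapper.c"}

# A wrapped name followed by "(" and not preceded by an identifier character,
# so sss_ldb_add( is not reported.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(WRAPPED) + r")\s*\(")

# Comments and string/char literals, matched in one pass so that "//" inside
# a string literal is not mistaken for the start of a comment.
SKIP_RE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)


def _blank(match):
    # Replace everything except newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_direct_calls(path, source):
    """Return [(path, line_number, function)] for unwrapped ldb_* calls."""
    if path in ALLOWED_FILES:
        return []
    code = SKIP_RE.sub(_blank, source)
    hits = []
    for m in CALL_RE.finditer(code):
        line_number = code.count("\n", 0, m.start()) + 1
        hits.append((path, line_number, m.group(1)))
    return hits


def check_tree(files):
    """files maps path -> C source text; returns all findings, sorted."""
    hits = []
    for path in sorted(files):
        hits.extend(find_direct_calls(path, files[path]))
    return hits


# Constructed sample sources (not taken from the SSSD tree).
SAMPLE_FILES = {
    "src/db/sysdb_ops.c": (
        'int store(struct ldb_context *ldb, struct ldb_message *msg)\n'
        '{\n'
        '    /* ldb_add(ldb, msg) was replaced by the wrapper */\n'
        '    int ret = sss_ldb_add(ldb, msg);\n'
        '    if (ret != LDB_SUCCESS) {\n'
        '        DEBUG(SSSDBG_MINOR_FAILURE, "ldb_add() failed\\n");\n'
        '        return ret;\n'
        '    }\n'
        '    return ldb_modify (ldb, msg);  // direct call\n'
        '}\n'
    ),
    "src/example/hypothetical.c": (
        "/*\n"
        " * ldb_delete(ldb, dn) is mentioned only in this comment\n"
        " */\n"
        "int mv(struct ldb_context *ldb, struct ldb_dn *a, struct ldb_dn *b)\n"
        "{\n"
        "    return ldb_rename(ldb, a, b);\n"
        "}\n"
    ),
    "src/db/sysdb_ldb_wrapper.c": (
        "int sss_ldb_rename(struct ldb_context *ldb,\n"
        "                   struct ldb_dn *olddn,\n"
        "                   struct ldb_dn *newdn)\n"
        "{\n"
        "    return ldb_rename(ldb, olddn, newdn);\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    findings = check_tree(SAMPLE_FILES)
    for path, line_number, name in findings:
        print(f"{path}:{line_number}: use sss_{name}() instead of {name}()")
    raise SystemExit(1 if findings else 0)
```

Run over the real tree, the same functions would take each .c file's text in place of SAMPLE_FILES; a non-zero exit makes the check usable as a CI gate.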


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-12 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-07 Thread Petr Cech

On 09/07/2016 09:53 AM, Jakub Hrozek wrote:

On Wed, Sep 07, 2016 at 08:45:18AM +0200, Lukas Slebodnik wrote:

On (05/09/16 16:07), Jakub Hrozek wrote:

On Mon, Sep 05, 2016 at 03:32:48PM +0200, Lukas Slebodnik wrote:

On (05/09/16 15:24), Jakub Hrozek wrote:

On Mon, Sep 05, 2016 at 02:31:31PM +0200, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio  wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.


I quickly scrolled through the patches and the primary thing I don't
understand is why are the wrappers used only in sysdb? I think we should
just use them everywhere..

I do not like wrappers.
We should not log ldif by default.


That's why there is a separate log level, you need to turn these on
separately (yes, logging LDIFs by default would be too much..)


Even though it is a separate debug level users still might
enable them by chance.


How, except reading the code? This new debug level is not documented
anywhere and even starts off at a different base so neither debug_level=10
nor debug_level=0xFFF0 will trigger this.


IMHO it will be confusing for them.
There are many users who are confused when they try to analyze
sudo logs. They can see some "LDAP like" filters which
are used for internal searching. Users think we use wrong attribute
due to sudoRule -> sudoRole.


Really? Someone who will discover a magic constant on SSSD will then be
confused by more logging?

btw what if this extra debugging was controlled by an environment
variable, do you think then it would be safer?

Or if we prepend the LDIF with something like "SSSD cache modification
message" ?



These wrappers should not be used in sssd upstream.
They can be prepared for debugging purposes in development process.


...which means we will have to rebase the patches, build the correct
version, pass it on to the person and care about correct versioning...

Sorry, I just don't agree with any of the arguments, but I'm curious
to hear more.


Thanks, Jakub.

Lukas, I am afraid I am not able to imagine that we have some
wrappers which are not used in code but software engineers use them
for their daily job. It sounds like an obstacle to me.

I understand that we have to be careful with logs... but this high debug
level isn't mentioned in the man page. So if a user uses it, it will be
an accident anyway.


Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-06 Thread Petr Cech

On 09/06/2016 01:18 PM, Petr Cech wrote:



On 09/06/2016 01:15 PM, Petr Cech wrote:

On 09/05/2016 02:31 PM, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio
 wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.



Please, below you can see a few comments. Feel completely free to
ignore the first one if you feel like doing it, it's just a minor :-)
For the other comments, I'd like to understand a few changes you have
done.


Patch 0001: SYSDB: Adding message to inform which cache is used

About the following part of the patch:
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}

I personally don't like this kind of comparison done with flags. I'd
go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
...
But this is a really minor and feel free to ignore it.


Patch 0002: SYSDB: Adding message about reason why cache changed

LGTM


Patch 0003: SYSDB: Adding wrappers for ldb_* operations

About the following parts of the patch:

On src/db/sysdb_ldb_wrapper.c

+#define ERR_FN_ENOMEM (-1 * ENOMEM)
+#define ERR_FN_ENOENT (-1 * ENOENT)

Why? I failed to understand why you're doing this here.

+if (print_ctx == NULL) {
+return -1;
+return ERR_FN_ENOMEM;
+}

I guess the return -1 is a leftover :-)

+if (print_ctx->ldif == NULL) {
+return -2;
+return ERR_FN_ENOENT;
+}

I guess the return -2 is also a leftover :-)

+if (ret < 0) {
+DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with
[%d][%s].\n",
+-1 * ret, sss_strerror(-1 * ret));
+goto done;
+}

And here again this dance multiplying by -1 that I don't understand
the reason :-\

+done:
+if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
+talloc_free(ldb_print_ctx->ldif);
+}
+talloc_free(ldb_print_ctx);

AFAIU talloc_free can gracefully handle NULL. Considering that's the
case I'd just check for (if ldb_print_ctx != NULL)
talloc_free(ldb_print_ctx->ldif);
Considering it doesn't, we may have some issues on trying to free
(ldb_print_ctx)

On src/db/sysdb_ldb_wrapper.h:

+int sss_ldb_rename(struct ldb_context *ldb,
+   struct ldb_dn * olddn,
+   struct ldb_dn *newdn);

Just a really minor coding style change here, remove the extra space
between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,


Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb

LGTM


Best Regards,
--
Fabiano Fidêncio


Hello,


there is a new patch set attached.
I replaced all ldb_* with the new wrapper in the whole code.


I wondered if my VM could push patches to our CI.
I will link the CI results after they finish.


OK, my VM is able to push to CI tests (I was afraid I had an issue).
But the result is not good:
http://sssd-ci.duckdns.org/logs/job/53/00/summary.html

--
Petr^4 Čech


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-06 Thread Petr Cech

On 09/06/2016 05:11 PM, Justin Stephenson wrote:

On 09/06/2016 10:57 AM, Petr Cech wrote:

On 09/06/2016 04:17 PM, Justin Stephenson wrote:



On 09/05/2016 10:20 AM, Petr Cech wrote:

On 09/05/2016 04:05 PM, Fabiano Fidêncio wrote:

Petr,

On Mon, Sep 5, 2016 at 3:43 PM, Petr Cech  wrote:

On 09/05/2016 09:57 AM, Fabiano Fidêncio wrote:


Petr,

I see you have updated the OPT_MAX_CHILDREN_DEFAULT to 10 instead of
50. However, you haven't updated the value on sssd.conf.5.xml:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd




100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 

+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 50
   here: ^^^

+
+
+
+
 
 

Apart from this minor the patch seems to be following everything that
was requested during the review process. However, I'm not comfortable
with the text used to describe the new option, so adding there a bit
more information would be super. Like, I don't know what's the
influence of the preforked proxy children to the rest of the code
(probably because I'm a newbie here ;-)), but would be nice to have it
clear in the documentation (for newbies like myself ;-)).

Best Regards,
--
Fabiano Fidêncio



Hi Fabiano,

thanks for code review. I fixed the default value in man page and I
reformulated description. Is it better?

Regards

--
Petr^4 Čech








Looking at the changes in the manual ...

+In busy environments it is possible sssd
runs out of
+available child slots and starts queuing
requests
+in proxy mode. This option introduces the
number of
+preforked proxy children.

I personally go for something like:

"This option introduces the number of pre-forked proxy children. It's
useful for busy environments* where sssd may run out of available
child slots, which would cause some issues due to the requests being
queued".

*: Not sure whether busy environments is something clear for everyone
...

IMO the patch is good to go as soon as we have this part done/reviewed
by a native speaker.
Maybe Justin can help us here?

Best Regards,
--
Fabiano Fidêncio


Fabiano,

I took your suggestion, thanks. I don't know the right term for 'busy
environments'. I will be glad if a native speaker helps me with the right
formulation of the description.


Something like "it is useful for high-load SSSD environments" or "it is
useful for larger environments" may work - whichever you prefer.

Kind regards,
Justin Stephenson


Hello,

new version attached. Description is:

This option specifies the number of pre-forked
proxy children. It is useful for high-load SSSD
environments where sssd may run out of available
child slots, which would cause some issues due to
the requests being queued.

After a hint from Michal I replaced introduces by specifies.

Is this version linguistically right?


This description looks good to me.

-Justin


Thanks, Justin.

--
Petr^4 Čech


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-06 Thread Petr Cech

On 09/06/2016 04:17 PM, Justin Stephenson wrote:



On 09/05/2016 10:20 AM, Petr Cech wrote:

On 09/05/2016 04:05 PM, Fabiano Fidêncio wrote:

Petr,

On Mon, Sep 5, 2016 at 3:43 PM, Petr Cech  wrote:

On 09/05/2016 09:57 AM, Fabiano Fidêncio wrote:


Petr,

I see you have updated the OPT_MAX_CHILDREN_DEFAULT to 10 instead of
50. However, you haven't updated the value on sssd.conf.5.xml:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd


100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 

+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 50
   here: ^^^

+
+
+
+
 
 

Apart from this minor the patch seems to be following everything that
was requested during the review process. However, I'm not comfortable
with the text used to describe the new option, so adding there a bit
more information would be super. Like, I don't know what's the
influence of the preforked proxy children to the rest of the code
(probably because I'm a newbie here ;-)), but would be nice to have it
clear in the documentation (for newbies like myself ;-)).

Best Regards,
--
Fabiano Fidêncio



Hi Fabiano,

thanks for code review. I fixed the default value in man page and I
reformulated description. Is it better?

Regards

--
Petr^4 Čech






Looking at the changes in the manual ...

+In busy environments it is possible sssd
runs out of
+available child slots and starts queuing
requests
+in proxy mode. This option introduces the
number of
+preforked proxy children.

I personally go for something like:

"This option introduces the number of pre-forked proxy children. It's
useful for busy environments* where sssd may run out of available
child slots, which would cause some issues due to the requests being
queued".

*: Not sure whether busy environments is something clear for everyone
...

IMO the patch is good to go as soon as we have this part done/reviewed
by a native speaker.
Maybe Justin can help us here?

Best Regards,
--
Fabiano Fidêncio


Fabiano,

I took your suggestion, thanks. I don't know the right term for 'busy
environments'. I will be glad if a native speaker helps me with the right
formulation of the description.


Something like "it is useful for high-load SSSD environments" or "it is
useful for larger environments" may work - whichever you prefer.

Kind regards,
Justin Stephenson


Hello,

new version attached. Description is:

This option specifies the number of pre-forked
proxy children. It is useful for high-load SSSD
environments where sssd may run out of available
child slots, which would cause some issues due to
the requests being queued.

After a hint from Michal I replaced introduces by specifies.

Is this version linguistically right?

Regards

--
Petr^4 Čech
From b8f5abd85cacde1aebea5cbd54e7914dcb975748 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 16 
 src/providers/proxy/proxy_init.c  | 21 +++--
 6 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-06 Thread Petr Cech



On 09/06/2016 01:15 PM, Petr Cech wrote:

On 09/05/2016 02:31 PM, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio
 wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.



Please, below you can see a few comments. Feel completely free to
ignore the first one if you feel like doing it, it's just a minor :-)
For the other comments, I'd like to understand a few changes you have
done.


Patch 0001: SYSDB: Adding message to inform which cache is used

About the following part of the patch:
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}

I personally don't like this kind of comparison done with flags. I'd
go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
...
But this is a really minor and feel free to ignore it.


Patch 0002: SYSDB: Adding message about reason why cache changed

LGTM


Patch 0003: SYSDB: Adding wrappers for ldb_* operations

About the following parts of the patch:

On src/db/sysdb_ldb_wrapper.c

+#define ERR_FN_ENOMEM (-1 * ENOMEM)
+#define ERR_FN_ENOENT (-1 * ENOENT)

Why? I failed to understand why you're doing this here.

+if (print_ctx == NULL) {
+return -1;
+return ERR_FN_ENOMEM;
+}

I guess the return -1 is a leftover :-)

+if (print_ctx->ldif == NULL) {
+return -2;
+return ERR_FN_ENOENT;
+}

I guess the return -2 is also a leftover :-)

+if (ret < 0) {
+DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with
[%d][%s].\n",
+-1 * ret, sss_strerror(-1 * ret));
+goto done;
+}

And here again this dance multiplying by -1 that I don't understand
the reason :-\

+done:
+if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
+talloc_free(ldb_print_ctx->ldif);
+}
+talloc_free(ldb_print_ctx);

AFAIU talloc_free can gracefully handle NULL. Considering that's the
case I'd just check for (if ldb_print_ctx != NULL)
talloc_free(ldb_print_ctx->ldif);
Considering it doesn't, we may have some issues on trying to free
(ldb_print_ctx)

On src/db/sysdb_ldb_wrapper.h:

+int sss_ldb_rename(struct ldb_context *ldb,
+   struct ldb_dn * olddn,
+   struct ldb_dn *newdn);

Just a really minor coding style change here, remove the extra space
between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,


Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb

LGTM


Best Regards,
--
Fabiano Fidêncio


Hello,


there is a new patch set attached.
I replaced all ldb_* with the new wrapper in the whole code.


I wondered if my VM could push patches to our CI.
I will link the CI results after they finish.

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-06 Thread Petr Cech

On 09/05/2016 02:31 PM, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio  wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.



Please, below you can see a few comments. Feel completely free to
ignore the first one if you feel like doing it, it's just a minor :-)
For the other comments, I'd like to understand a few changes you have done.


Patch 0001: SYSDB: Adding message to inform which cache is used

About the following part of the patch:
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}

I personally don't like this kind of comparison done with flags. I'd
go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
...
But this is a really minor and feel free to ignore it.


Patch 0002: SYSDB: Adding message about reason why cache changed

LGTM


Patch 0003: SYSDB: Adding wrappers for ldb_* operations

About the following parts of the patch:

On src/db/sysdb_ldb_wrapper.c

+#define ERR_FN_ENOMEM (-1 * ENOMEM)
+#define ERR_FN_ENOENT (-1 * ENOENT)

Why? I failed to understand why you're doing this here.

+if (print_ctx == NULL) {
+return -1;
+return ERR_FN_ENOMEM;
+}

I guess the return -1 is a leftover :-)

+if (print_ctx->ldif == NULL) {
+return -2;
+return ERR_FN_ENOENT;
+}

I guess the return -2 is also a leftover :-)

+if (ret < 0) {
+DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with [%d][%s].\n",
+-1 * ret, sss_strerror(-1 * ret));
+goto done;
+}

And here again this dance multiplying by -1 that I don't understand
the reason :-\

+done:
+if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
+talloc_free(ldb_print_ctx->ldif);
+}
+talloc_free(ldb_print_ctx);

AFAIU talloc_free can gracefully handle NULL. Considering that's the
case I'd just check for (if ldb_print_ctx != NULL)
talloc_free(ldb_print_ctx->ldif);
Considering it doesn't, we may have some issues on trying to free
(ldb_print_ctx)

On src/db/sysdb_ldb_wrapper.h:

+int sss_ldb_rename(struct ldb_context *ldb,
+   struct ldb_dn * olddn,
+   struct ldb_dn *newdn);

Just a really minor coding style change here, remove the extra space
between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,


Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb

LGTM


Best Regards,
--
Fabiano Fidêncio


Hello,


there is a new patch set attached.
I replaced all ldb_* with the new wrapper in the whole code.

Regards

--
Petr^4 Čech
From 529b0d3009f8310b8257d5a69639a0fafa30140c Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/7] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 32 
 1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..847b663bdb2ec31de3eb3b4c33e2b942145a4c42 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0) {
+storage = "cache, ts_cache";
+} else if ((state_mask != SSS_SYSDB_TS_CACHE) != 0) {
+storage = "t
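Review bot: in get_attr_storage() the first branch, (state_mask & SSS_SYSDB_BOTH_CACHE) != 0, is true when either bit is set, so a mask of SSS_SYSDB_CACHE alone or SSS_SYSDB_TS_CACHE alone is reported as "cache, ts_cache" and the later branches are never reached for those values. Test for the full mask instead, (state_mask & SSS_SYSDB_BOTH_CACHE) == SSS_SYSDB_BOTH_CACHE, and correct the second condition, (state_mask != SSS_SYSDB_TS_CACHE) != 0, which uses != where & was intended and is therefore true for every value except SSS_SYSDB_TS_CACHE.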

[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-05 Thread Petr Cech

On 09/05/2016 04:05 PM, Fabiano Fidêncio wrote:

Petr,

On Mon, Sep 5, 2016 at 3:43 PM, Petr Cech  wrote:

On 09/05/2016 09:57 AM, Fabiano Fidêncio wrote:


Petr,

I see you have updated the OPT_MAX_CHILDREN_DEFAULT to 10 instead of
50. However, you haven't updated the value on sssd.conf.5.xml:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd
100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 

+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 50
   here: ^^^

+
+
+
+
 
 

Apart from this minor the patch seems to be following everything that
was requested during the review process. However, I'm not comfortable
with the text used to describe the new option, so adding there a bit
more information would be super. Like, I don't know what's the
influence of the preforked proxy children to the rest of the code
(probably because I'm a newbie here ;-)), but would be nice to have it
clear in the documentation (for newbies like myself ;-)).

Best Regards,
--
Fabiano Fidêncio



Hi Fabiano,

thanks for code review. I fixed the default value in man page and I
reformulated description. Is it better?

Regards

--
Petr^4 Čech




Looking at the changes in the manual ...

+In busy environments it is possible sssd
runs out of
+available child slots and starts queuing requests
+in proxy mode. This option introduces the number of
+preforked proxy children.

I personally go for something like:

"This option introduces the number of pre-forked proxy children. It's
useful for busy environments* where sssd may run out of available
child slots, which would cause some issues due to the requests being
queued".

*: Not sure whether busy environments is something clear for everyone ...

IMO the patch is good to go as soon as we have this part done/reviewed
by a native speaker.
Maybe Justin can help us here?

Best Regards,
--
Fabiano Fidêncio


Fabiano,

I took your suggestion, thanks. I don't know the right term for 'busy
environments'. I will be glad if a native speaker helps me with the right
formulation of the description.


Regards

--
Petr^4 Čech
From 0f700afa2a18c6afae876fce12dc7e83ba22f605 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 16 
 src/providers/proxy/proxy_init.c  | 21 +++--
 6 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0191920f93ab9016508e08785c25dd043c180c0b..8ba006fdfe710fbfba82b40fe9b20461813ef3c7 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -428,6 +428,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whethe
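Review bot: the new option_strings entry 'The number of preforked proxy children.' ends with a full stop, while the neighbouring entries in this hunk ('Base for home directories', 'The name of the NSS library to use') do not. Drop the trailing period so the strings stay consistent for translators.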

[SSSD] Re: MONITOR: Add disable_netlink sssd.conf option

2016-09-05 Thread Petr Cech



On 09/05/2016 09:45 AM, Lukas Slebodnik wrote:

On (02/09/16 15:34), Petr Cech wrote:



On 09/02/2016 03:31 PM, Justin Stephenson wrote:

On 09/02/2016 05:23 AM, Petr Cech wrote:

On 09/01/2016 03:36 PM, Justin Stephenson wrote:

On 08/30/2016 03:54 AM, Jakub Hrozek wrote:

On Sat, Aug 27, 2016 at 12:54:53PM -0400, Justin Stephenson wrote:

Hello,

The attached patches resolve https://fedorahosted.org/sssd/ticket/3142

However, I am having difficulty with the man page addition to
'src/man/sssd.conf.5.xml' for this new option. I have stared at the
open and close xml tags (for far too long) and it looks correct but when I
build sssd I never see the sssd.conf man page inclusion. Could anyone tell me
what I am missing here?

If you feel there is better wording for the description please let me
know.

Kind regards,
Justin Stephenson



From 0552c199dd37c7e280304b9bc92ff44a8a1a6d57 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 1/2] MONITOR: Remove --disable-netlink
command-line option


I'm not sure I like removing the netlink option w/o letting admins who
use it at least know what happened. Could we keep the option in the popt
option list, but use the HIDDEN argument so that it doesn't show up in
--help output and print a loud warning that the option was removed in
favor of a sssd.conf option?

I already know of two people from sssd-users list who might be using
this feature. On the other hand, it was just introduced in the last
version and not in any enterprise distro, so just printing a warning and
removing even that warning in the next version would be fine for me..


Agreed, please see updated patches also with Petr's corrections. Once
this fix is pushed I can respond to the email and at least let these
users know.

I am still having trouble with the man page addition to sssd.conf not
showing, any ideas why?

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..6f231b8ab8fc078d83331bb7ef5b980528a30bd6


100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
 
 
 
+
+disable_netlink (boolean)
+
+
+SSSD hooks into the netlink
interface to
+monitor changes to routes, addresses,
links
+and trigger certain actions.
+
+
+The SSSD state changes caused by
netlink
+events may be undesirable and can be
disabled
+by setting this option to 'true'
+
+
+Default: false (netlink changes are
detected)
+
+
+
 
 
 
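Review bot: In the disable_netlink entry, the second paragraph ends at "by setting this option to 'true'" without a full stop, and the first paragraph's "trigger certain actions" does not tell an administrator which SSSD state changes they would be switching off. Suggest naming the actions that netlink events trigger and closing the sentence, so the effect of setting the option to true is clear from the man page alone.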

Kind regards,
Justin Stephenson




From c52c0c1a520cdf8509bac00fa3c7bec0dd73 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 2/2] MONITOR: Add disable_netlink option


LGTM, untested, though.


Hello Justin and Jakub,

I tested it:
sssd --help ... option is gone

/sbin/sssd --disable-netlink
Option --disable-netlink has been removed and replaced as a Monitor
option in sssd.conf

I see disable-netlink in man sssd.conf.
Justin, I ran 'make rpms' and reinstalled everything,
so the man pages were reinstalled too.


Thanks Petr, I was using the steps in the Contribute wiki 'reconfig &&
chmake' then 'sssinstall' but I guess that did not update the man pages
from my commit as expected.


So far as I know, 'sssinstall' isn't good for man pages. But 'make rpms'
builds all the necessary things.


Could you elaborate?
Why is 'sssinstall' not good for man pages?

LS


Hi Lukas,

if I understand correctly, the command 'reconfig'
prepares the build environment not to produce man pages.
See contrib/fedora/bashrc_sssd:53:
${SSSD_NO_MANPAGES-} \
So if someone runs reconfig before sssinstall, it will
not install recent man pages.

Or did I understand it the wrong way?

Regards

--
Petr^4 Čech
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-05 Thread Petr Cech

On 09/05/2016 09:57 AM, Fabiano Fidêncio wrote:

Petr,

I see you have updated the OPT_MAX_CHILDREN_DEFAULT to 10 instead of
50. However, you haven't updated the value in sssd.conf.5.xml:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 
ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd
100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 

+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 50
   here: ^^^

+
+
+
+
 
 

Apart from this minor the patch seems to be following everything that
was requested during the review process. However, I'm not comfortable
with the text used to describe the new option, so adding there a bit
more information would be super. Like, I don't know what's the
influence of the preforked proxy children to the rest of the code
(probably because I'm a newbie here ;-)), but would be nice to have it
clear in the documentation (for newbies like myself ;-)).

Best Regards,
--
Fabiano Fidêncio


Hi Fabiano,

thanks for the code review. I fixed the default value in the man page and I
reformulated the description. Is it better?


Regards

--
Petr^4 Čech
From 4645b8a9f2c3b98fe92343135aa09e70b8a019d3 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 15 +++
 src/providers/proxy/proxy_init.c  | 21 +++--
 6 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0191920f93ab9016508e08785c25dd043c180c0b..8ba006fdfe710fbfba82b40fe9b20461813ef3c7 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -428,6 +428,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
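Review bot: The string added under '# [provider/proxy]' reads 'The number of preforked proxy children.', while the option is named proxy_max_children, so a reader cannot tell whether the value is a fixed count or an upper limit. Suggest wording that states the limit semantics and keeping it identical to the sssd.conf(5) entry, which uses the same sentence.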
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5e248066bd554d2a654a764f406f6b33c4d66733..5213ce4c7e623899edd305c43137a1dbdd7aac7e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -304,6 +304,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
 [provider/proxy]
+proxy_max_children = int, None, false
 
 [provider/proxy/id]
 proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ae291e0fc8f2f9afabcdf32f18a5ec12252f..9ea331e721f8f1d35b1f891303c519033749bc8e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,21 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 
 
+
+proxy_max_children (integer)
+   

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-05 Thread Petr Cech

On 09/05/2016 03:32 PM, Lukas Slebodnik wrote:

On (05/09/16 15:24), Jakub Hrozek wrote:

On Mon, Sep 05, 2016 at 02:31:31PM +0200, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio  wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.


I quickly scrolled through the patches and the primary thing I don't
understand is why are the wrappers used only in sysdb? I think we should
just use them everywhere..

I do not like wrappers.
We should not log ldif by default.
I thought they would be used just for development purposes.
Therefore they should not be used anywhere and not everywhere.

LS


Hello Lukas,

please, are you satisfied with those wrappers at a really high debug level?

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-05 Thread Petr Cech

On 09/05/2016 03:24 PM, Jakub Hrozek wrote:

On Mon, Sep 05, 2016 at 02:31:31PM +0200, Fabiano Fidêncio wrote:

On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio  wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).


I've done some tests and I've been able to see the ldif changes in the
domain log. So, I assume it's working.
For sure it's a good improvement! Would be worth to link some
documentation about ldif as it may be confusing for someone who is
not used to it.

I'll wait for a new version of the patches and go through them again.

I really would like to have someone else's opinion on this series.


I quickly scrolled through the patches and the primary thing I don't
understand is why are the wrappers used only in sysdb? I think we should
just use them everywhere..


Hi Jakub,

it was one of my questions earlier in this thread. I did it only for the
[ts]_cache, but I can quickly expand this solution into the whole code.


Thanks for the opinion.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-05 Thread Petr Cech

On 09/05/2016 11:59 AM, Fabiano Fidêncio wrote:

Petr,

I went through your patches and in general they look good to me.
However, I haven't done any tests yet with your patches (and I'll do
it after lunch).

Please, below you can see a few comments. Feel completely free to
ignore the first one if you feel like doing it, it's just a minor :-)
For the other comments, I'd like to understand a few changes you have done.


Hi Fabiano,

thanks for the code review. Please, see my inline comments below:


Patch 0001: SYSDB: Adding message to inform which cache is used

About the following part of the patch:
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
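Review bot: get_attr_storage() compares state_mask with == against each constant, so any value other than the three named ones, including SSS_SYSDB_NO_CACHE, falls through to the empty string and the debug message loses the storage name without saying so. If the comparisons are changed to bit tests, the both-caches case needs (state_mask & SSS_SYSDB_BOTH_CACHE) == SSS_SYSDB_BOTH_CACHE and has to stay first, because a plain != 0 test against a two-bit mask is also true when only one cache bit is set.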

I personally don't like this kind of comparison done with flags. I'd
go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
...
But this is a really minor and feel free to ignore it.


I agree, it is better to use it this way. Addressed.


Patch 0002: SYSDB: Adding message about reason why cache changed

LGTM


Patch 0003: SYSDB: Adding wrappers for ldb_* operations

About the following parts of the patch:

On src/db/sysdb_ldb_wrapper.c

+#define ERR_FN_ENOMEM (-1 * ENOMEM)
+#define ERR_FN_ENOENT (-1 * ENOENT)

Why? I failed to understand why you're doing this here.


I removed these definitions, they were useless.

But the reason is: the second argument of the function ldb_ldif_write() is
a pointer to the function ldif_vprintf_fn. The condition on this is that
errors are < 0, because ret >= 0 is the length of the written debug message.

I wrote a comment on it in the code. I am sorry, it wasn't obvious.



+if (print_ctx == NULL) {
+return -1;
+return ERR_FN_ENOMEM;
+}

I guess the return -1 is a leftover :-)


Right, it was leftover.


+if (print_ctx->ldif == NULL) {
+return -2;
+return ERR_FN_ENOENT;
+}

I guess the return -2 is also a leftover :-)


The same.


+if (ret < 0) {
+DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with [%d][%s].\n",
+-1 * ret, sss_strerror(-1 * ret));
+goto done;
+}

And here again this dance multiplying by -1 that I don't understand
the reason :-\





+done:
+if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
+talloc_free(ldb_print_ctx->ldif);
+}
+talloc_free(ldb_print_ctx);

AFAIU talloc_free can gracefully handle NULL. Considering that's the
case I'd just check for (if ldb_print_ctx != NULL)
talloc_free(ldb_print_ctx->ldif);
Considering it doesn't, we may have some issues on trying to free
(ldb_print_ctx)


Addressed.


On src/db/sysdb_ldb_wrapper.h:

+int sss_ldb_rename(struct ldb_context *ldb,
+   struct ldb_dn * olddn,
+   struct ldb_dn *newdn);

Just a really minor coding style change here, remove the extra space
between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,


Thanks :-), addressed.


Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb

LGTM


Best Regards,
--
Fabiano Fidêncio


There was the question about testing... every time SSSD writes to the
cache or ts_cache and debug_level in the domain section is appropriately high,
an ldif debug message appears.


debug_level = 0x0 in the domain section

sudo su -c "truncate -s0 /var/log/sssd/*.log"
systemctl restart sssd
sss_cache -E
getent passwd remote_user

You can try to modify the user or delete him afterwards. It will change the ldif
message.


PS: New patch set is attached.


Regards

--
Petr^4 Čech
From 0b6ec52d3d43b8f0706272b5642d86da8b2381c9 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/7] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 32 
 1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..847b663bdb2ec31de3eb3b4c33e2b942145a4c42 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const 
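The return convention Petr describes in this message for the print callback handed to ldb_ldif_write() (a result >= 0 is the length written, so errors have to be negative) is shown here as an added, self-contained example; it is not code from the patch set. struct print_ctx, ctx_printf(), write_record() and dump_record() are hypothetical names, and write_record() is a constructed stand-in for the library writer so that the block builds without libldb.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical accumulator for text emitted through a printf-style callback. */
struct print_ctx {
    char *buf;    /* NUL-terminated text collected so far, NULL when empty */
    size_t len;   /* bytes in buf, terminator not counted */
};

/* Callback following the convention from the thread: a result >= 0 is the
 * number of bytes written, so every failure is a negated errno value. */
static int ctx_printf(void *private_data, const char *fmt, ...)
{
    struct print_ctx *ctx = private_data;
    va_list ap;
    char *grown;
    int need;

    if (ctx == NULL || fmt == NULL) {
        return -EINVAL;
    }

    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);    /* first pass only measures */
    va_end(ap);
    if (need < 0) {
        return -EIO;
    }

    grown = realloc(ctx->buf, ctx->len + (size_t)need + 1);
    if (grown == NULL) {
        return -ENOMEM;                    /* ctx->buf is left untouched */
    }
    ctx->buf = grown;

    va_start(ap, fmt);
    vsnprintf(ctx->buf + ctx->len, (size_t)need + 1, fmt, ap);
    va_end(ap);
    ctx->len += (size_t)need;

    return need;
}

/* Constructed stand-in for a writer that drives the callback. It stops at the
 * first negative result and hands it back unchanged. */
static int write_record(int (*fn)(void *, const char *, ...), void *priv,
                        const char *dn, const char *attr, const char *val)
{
    int total = 0;
    int ret;

    ret = fn(priv, "dn: %s\n", dn);
    if (ret < 0) {
        return ret;
    }
    total += ret;

    ret = fn(priv, "%s: %s\n", attr, val);
    if (ret < 0) {
        return ret;
    }
    total += ret;

    return total;
}

/* Caller side: map the negative result back to a positive errno once, at the
 * boundary, so the rest of the code sees ordinary error codes. */
static int dump_record(struct print_ctx *ctx, const char *dn,
                       const char *attr, const char *val)
{
    int ret = write_record(ctx_printf, ctx, dn, attr, val);

    if (ret < 0) {
        fprintf(stderr, "write failed with [%d][%s]\n", -ret, strerror(-ret));
        return -ret;
    }
    return 0;
}

int main(void)
{
    struct print_ctx ctx = { NULL, 0 };
    /* Constructed sample record. */
    int ret = dump_record(&ctx, "name=alice,cn=users", "uidNumber", "1000");

    if (ret == 0) {
        fputs(ctx.buf, stdout);
    }
    free(ctx.buf);
    return ret;
}
```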

[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-05 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-05 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: MONITOR: Add disable_netlink sssd.conf option

2016-09-02 Thread Petr Cech



On 09/02/2016 03:31 PM, Justin Stephenson wrote:

On 09/02/2016 05:23 AM, Petr Cech wrote:

On 09/01/2016 03:36 PM, Justin Stephenson wrote:

On 08/30/2016 03:54 AM, Jakub Hrozek wrote:

On Sat, Aug 27, 2016 at 12:54:53PM -0400, Justin Stephenson wrote:

Hello,

The attached patches resolve https://fedorahosted.org/sssd/ticket/3142

However, I am having difficulty with the man page addition to
'src/man/sssd.conf.5.xml' for this new option. I have stared at the
open and close xml tags (for far too long) and it looks correct but when I
build sssd I never see the sssd.conf man page inclusion. Could anyone tell me
what I am missing here?

If you feel there is better wording for the description please let me
know.

Kind regards,
Justin Stephenson



From 0552c199dd37c7e280304b9bc92ff44a8a1a6d57 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 1/2] MONITOR: Remove --disable-netlink
command-line option


I'm not sure I like removing the netlink option w/o letting admins who
use it at least know what happened. Could we keep the option in the
popt
option list, but use the HIDDEN argument so that it doesn't show up in
--help output and print a loud warning that the option was removed in
favor of a sssd.conf option?

I already know of two people from sssd-users list who might be using
this feature. On the other hand, it was just introduced in the last
version and not in any enterprise distro, so just printing a warning
and
removing even that warning in the next version would be fine for me..


Agreed, please see updated patches also with Petr's corrections. Once
this fix is pushed I can respond to the email and at least let these
users know.

I am still having trouble with the man page addition to sssd.conf not
showing, any ideas why?

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..6f231b8ab8fc078d83331bb7ef5b980528a30bd6


100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
 
 
 
+
+disable_netlink (boolean)
+
+
+SSSD hooks into the netlink
interface to
+monitor changes to routes, addresses,
links
+and trigger certain actions.
+
+
+The SSSD state changes caused by
netlink
+events may be undesirable and can be
disabled
+by setting this option to 'true'
+
+
+Default: false (netlink changes are
detected)
+
+
+
 
 
 

Kind regards,
Justin Stephenson




From c52c0c1a520cdf8509bac00fa3c7bec0dd73 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 2/2] MONITOR: Add disable_netlink option


LGTM, untested, though.


Hello Justin and Jakub,

I tested it:
sssd --help ... option is gone

/sbin/sssd --disable-netlink
Option --disable-netlink has been removed and replaced as a Monitor
option in sssd.conf

I see disable-netlink in man sssd.conf.
Justin, I ran 'make rpms' and reinstalled everything,
so the man pages were reinstalled too.


Thanks Petr, I was using the steps in the Contribute wiki 'reconfig &&
chmake' then 'sssinstall' but I guess that did not update the man pages
from my commit as expected.


So far as I know, 'sssinstall' isn't good for man pages. But 'make rpms'
builds all the necessary things.


'sssinstall' is good for the common development process.




-Justin



LGTM

I just wait for CI :-)

Regards





--
Petr^4 Čech


[SSSD] Re: MONITOR: Add disable_netlink sssd.conf option

2016-09-02 Thread Petr Cech

On 09/02/2016 11:23 AM, Petr Cech wrote:

On 09/01/2016 03:36 PM, Justin Stephenson wrote:

On 08/30/2016 03:54 AM, Jakub Hrozek wrote:

On Sat, Aug 27, 2016 at 12:54:53PM -0400, Justin Stephenson wrote:

Hello,

The attached patches resolve https://fedorahosted.org/sssd/ticket/3142

However, I am having difficulty with the man page addition to
'src/man/sssd.conf.5.xml' for this new option. I have stared at the
open and close xml tags (for far too long) and it looks correct but when I
build sssd I never see the sssd.conf man page inclusion. Could anyone tell me
what I am missing here?

If you feel there is better wording for the description please let me
know.

Kind regards,
Justin Stephenson



From 0552c199dd37c7e280304b9bc92ff44a8a1a6d57 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 1/2] MONITOR: Remove --disable-netlink
command-line option


I'm not sure I like removing the netlink option w/o letting admins who
use it at least know what happened. Could we keep the option in the popt
option list, but use the HIDDEN argument so that it doesn't show up in
--help output and print a loud warning that the option was removed in
favor of a sssd.conf option?

I already know of two people from sssd-users list who might be using
this feature. On the other hand, it was just introduced in the last
version and not in any enterprise distro, so just printing a warning and
removing even that warning in the next version would be fine for me..


Agreed, please see updated patches also with Petr's corrections. Once
this fix is pushed I can respond to the email and at least let these
users know.

I am still having trouble with the man page addition to sssd.conf not
showing, any ideas why?

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..6f231b8ab8fc078d83331bb7ef5b980528a30bd6

100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
 
 
 
+
+disable_netlink (boolean)
+
+
+SSSD hooks into the netlink interface to
+monitor changes to routes, addresses,
links
+and trigger certain actions.
+
+
+The SSSD state changes caused by netlink
+events may be undesirable and can be
disabled
+by setting this option to 'true'
+
+
+Default: false (netlink changes are
detected)
+
+
+
 
 
 

Kind regards,
Justin Stephenson




From c52c0c1a520cdf8509bac00fa3c7bec0dd73 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 2/2] MONITOR: Add disable_netlink option


LGTM, untested, though.


Hello Justin and Jakub,

I tested it:
sssd --help ... option is gone

/sbin/sssd --disable-netlink
Option --disable-netlink has been removed and replaced as a Monitor
option in sssd.conf

I see disable-netlink in man sssd.conf.
Justin, I ran 'make rpms' and reinstalled everything,
so the man pages were reinstalled too.

LGTM

I just wait for CI :-)


CI passed:
http://sssd-ci.duckdns.org/logs/job/52/96/summary.html

=> ACK

Regards
--
Petr^4 Čech


[SSSD] Re: MONITOR: Add disable_netlink sssd.conf option

2016-09-02 Thread Petr Cech

On 09/01/2016 03:36 PM, Justin Stephenson wrote:

On 08/30/2016 03:54 AM, Jakub Hrozek wrote:

On Sat, Aug 27, 2016 at 12:54:53PM -0400, Justin Stephenson wrote:

Hello,

The attached patches resolve https://fedorahosted.org/sssd/ticket/3142

However, I am having difficulty with the man page addition to
'src/man/sssd.conf.5.xml' for this new option. I have stared at the
open and close xml tags (for far too long) and it looks correct but when I
build sssd I never see the sssd.conf man page inclusion. Could anyone tell me
what I am missing here?

If you feel there is better wording for the description please let me
know.

Kind regards,
Justin Stephenson



From 0552c199dd37c7e280304b9bc92ff44a8a1a6d57 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 1/2] MONITOR: Remove --disable-netlink
command-line option


I'm not sure I like removing the netlink option w/o letting admins who
use it at least know what happened. Could we keep the option in the popt
option list, but use the HIDDEN argument so that it doesn't show up in
--help output and print a loud warning that the option was removed in
favor of a sssd.conf option?

I already know of two people from sssd-users list who might be using
this feature. On the other hand, it was just introduced in the last
version and not in any enterprise distro, so just printing a warning and
removing even that warning in the next version would be fine for me..


Agreed, please see updated patches also with Petr's corrections. Once
this fix is pushed I can respond to the email and at least let these
users know.

I am still having trouble with the man page addition to sssd.conf not
showing, any ideas why?

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
ae291e0fc8f2f9afabcdf32f18a5ec12252f..6f231b8ab8fc078d83331bb7ef5b980528a30bd6
100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
 
 
 
+
+disable_netlink (boolean)
+
+
+SSSD hooks into the netlink interface to
+monitor changes to routes, addresses,
links
+and trigger certain actions.
+
+
+The SSSD state changes caused by netlink
+events may be undesirable and can be
disabled
+by setting this option to 'true'
+
+
+Default: false (netlink changes are
detected)
+
+
+
 
 
 

Kind regards,
Justin Stephenson




From c52c0c1a520cdf8509bac00fa3c7bec0dd73 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 2/2] MONITOR: Add disable_netlink option


LGTM, untested, though.


Hello Justin and Jakub,

I tested it:
sssd --help ... option is gone

/sbin/sssd --disable-netlink
Option --disable-netlink has been removed and replaced as a Monitor 
option in sssd.conf


I see disable-netlink in man sssd.conf.
Justin, I ran 'make rpms' and reinstalled everything,
so the man pages were reinstalled too.

LGTM

I just wait for CI :-)

Regards

--
Petr^4 Čech


[SSSD] Re: RFC: github PR workflow

2016-09-01 Thread Petr Cech

On 08/31/2016 10:28 AM, Jakub Hrozek wrote:

Hi,

I documented workflow that we could use for submitting PRs:
https://fedorahosted.org/sssd/wiki/GithubWorkflow

It's quite similar to what the FreeIPA team uses (although I don't think
they publicly document it yet).

Comments or edits welcome. If there are none, I'll link the page from
the Contribute page later.


Hello,

I have a note on 'Submitting a pull-request'.
Now we advise to:
* use github repo,
* fork it,
* add it like remote.

If I understand correctly there is no reason
for contributors to clone original
fedorahosted repo. Is it right?

We should rewrite the Contribute wiki page in this manner.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH] LDAP: Improving debug message

2016-08-31 Thread Petr Cech

On 08/31/2016 09:36 AM, Lukas Slebodnik wrote:

On (31/08/16 08:28), Petr Cech wrote:

From b3ae463a7544bb9561126c5e05475d5b98928edc Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 15 Jul 2016 14:54:35 +0200
Subject: [PATCH] LDAP: Improving debug message

There were debug messages referring to user by for loop variable.
We might obtain user name and refer to user by this.
---
src/providers/ldap/sdap_async_users.c | 21 +++--
1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_users.c 
b/src/providers/ldap/sdap_async_users.c
index 
87d91d8247c37a4c6a1d83b7189399056528fc90..17d8680d82b25946e975034b852e24fcb731b535
 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -540,6 +540,7 @@ int sdap_save_users(TALLOC_CTX *memctx,
char **_usn_value)
{
TALLOC_CTX *tmpctx;
+const char *user_name = NULL;
char *higher_usn = NULL;
char *usn_value;
int ret;
@@ -569,14 +570,30 @@ int sdap_save_users(TALLOC_CTX *memctx,
for (i = 0; i < num_users; i++) {
usn_value = NULL;

+ret = sdap_get_user_primary_name(memctx, opts, users[i],
+ dom, &user_name);
+if (ret != EOK) {
+user_name = NULL;
+}
+
ret = sdap_save_user(tmpctx, opts, dom, users[i], &usn_value, now);

/* Do not fail completely on errors.
 * Just report the failure to save and go on */
if (ret) {
-DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %d. Ignoring.\n", 
i);
+if (user_name != NULL) {
+   DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %s. Ignoring.\n",
+user_name);
+} else {
+DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %d. 
Ignoring.\n",
+  i);
+}
} else {
-DEBUG(SSSDBG_TRACE_ALL, "User %d processed!\n", i);
+if (user_name != NULL) {
+DEBUG(SSSDBG_TRACE_ALL, "User %s processed!\n", user_name);
+} else {
+DEBUG(SSSDBG_TRACE_ALL, "User %d processed!\n", i);
+}
}
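Review bot: In the loop of sdap_save_users(), the new sdap_get_user_primary_name() call passes memctx while the sdap_save_user() call right below it uses tmpctx. If the name is allocated on the context passed in, each user's name stays on the caller's context for as long as that context lives; passing tmpctx would release the names with the rest of the loop's temporaries. user_name is also only reset inside the failure branch, which works, but assigning NULL at the top of each iteration next to `usn_value = NULL;` would rule out a stale name from the previous user by construction.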

I do not think that this patch improves anything.
Could you describe a use-case?

BTW we already log a message in sdap_save_user(<-singular)
e.g.
(Wed Aug 31 09:30:02 2016) [sssd[be[example.com]]] [sdap_get_primary_name] 
(0x0400): Processing object pcech
(Wed Aug 31 09:30:02 2016) [sssd[be[example.com]]] [sdap_save_user] (0x0400): 
Processing user pc...@example.com
(Wed Aug 31 09:30:02 2016) [sssd[be[example.com]]] [is_email_from_domain] 
(0x4000): Email [pc...@example.com] is from domain [example.com]
(Wed Aug 31 09:30:02 2016) [sssd[be[example.com]]] [sdap_save_user] (0x0400): 
Storing info for user pc...@example.com

And we log message there as soon as possible.
We cannot get a name earlier in the function.

LS


Hi Lukas, I acknowledge.

NACK

--
Petr^4 Čech


[SSSD] Re: [PATCHES] Remove leftovers from diag_cmd and force_timeout

2016-08-30 Thread Petr Cech

On 08/31/2016 07:44 AM, Petr Cech wrote:

On 08/30/2016 06:35 PM, Fabiano Fidêncio wrote:

Seems that when I sent the v2 of 7579cf99 and ac35fe74 I attached the
wrong patches that ended up being pushed.
Those patches were incomplete as there are still some leftovers.

My bad, sorry :-\

See these 2 attached patches

Best Regards,
--
Fabiano Fidêncio


Hi Fabiano,

LGTM, make distcheck passed.
I am waiting for CI.


CI passed:
http://sssd-ci.duckdns.org/logs/job/52/83/summary.html

=> ACK

Regards
--
Petr^4 Čech


[SSSD] Re: [PATCH] LDAP: Improving debug message

2016-08-30 Thread Petr Cech

On 08/30/2016 01:31 PM, Pavel Březina wrote:

On 08/30/2016 01:29 PM, Pavel Březina wrote:

On 08/04/2016 08:28 AM, Fabiano Fidêncio wrote:

On Thu, Aug 4, 2016 at 8:08 AM, Petr Cech  wrote:

On 08/03/2016 09:54 AM, Fabiano Fidêncio wrote:


Hey!

I'd do it a bit differently.



Hello Fabiano,

I am glad for another point of view.



diff --git a/src/providers/ldap/sdap_async_users.c
b/src/providers/ldap/sdap_async_users.c
index
e44c045b3f8ff6aed33a42cf2919bc01aa41a243..3a8efa4caacbad74f493de334a387104d0e7cec4


100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -519,6 +519,7 @@ int sdap_save_users(TALLOC_CTX *memctx,
  char **_usn_value)
  {
  TALLOC_CTX *tmpctx;
+const char* user_name = NULL;


  ^-
I know this should be 'const char *'. I will fix it.


  char *higher_usn = NULL;
  char *usn_value;
  int ret;
@@ -548,14 +549,22 @@ int sdap_save_users(TALLOC_CTX *memctx,
  for (i = 0; i < num_users; i++) {
  usn_value = NULL;

+ret = sdap_get_user_primary_name(memctx, opts, users[i],
+ dom, &user_name);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Failed to get user name\n");
+goto done;
+}
+

IMO, if it fails, that's okay, then let's just go for using the loop
index.
IOW, please, remove the "goto done;" line.



Right, I will fix it.


  ret = sdap_save_user(tmpctx, opts, dom, users[i],
&usn_value,
now);

  /* Do not fail completely on errors.
   * Just report the failure to save and go on */
  if (ret) {
-DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %d.
Ignoring.\n", i);
+DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %s.
Ignoring.\n",
+ user_name);
  } else {
-DEBUG(SSSDBG_TRACE_ALL, "User %d processed!\n", i);
+DEBUG(SSSDBG_TRACE_ALL, "User %s processed!\n",
user_name);
  }


I didn't check in detail what sdap_get_user_primary_name() is doing,
but I have the feeling that when it fails, user_name is NULL.
So, when printing the debug message, you can check whether the
username is not NULL and print it, otherwise you could print the
array's index as it was done before your patch.



I did some investigation.

If error occurs in function sdap_get_user_primary_name(), the function
doesn't touch return argument (here it is &user_name), so there
needn't be a
NULL value in user_name.

I discussed this topic with Lukas offline. Our practice is:
   int function(input_arg, ..., _output_arg)
if (ret != 0) then there is no guarantee that _output_arg makes sense.

In our case, _output_arg isn't NULL. It's a pity.


Why not? :-)
You set user_name to NULL in the beginning of the function and it is
just set again when sdap_get_primary_fqdn() is successful.
Checking whether _output_arg is NULL or not seems sane in this case.


There are some comments about using functions such as
sdap_get_user_primary_name() in thread 'LDAP: Do not print "null" in
the DEBUG message' (I need to read this, thanks Lukas for the info).


I'll check it out as well :-)


If this function fails, we may as well quit processing this user and
continue with the next one, since if it doesn't have a name, it is an
invalid record and we can't store it (it fails in subsequent call of
sdap_save_user).


BTW This is what we usually do when we can't get a name for debug
message in a cycle.


Hello,

Pavel, thanks for the reminder, I solve a similar case for groups now.
Please, see attached patch.

I removed DEBUG if sdap_get_user_primary_name() fails because it
is not important from global point of view. And there is no goto :-)

I hope this little improvement will be helpful for all admins.

Regards
--
Petr^4 Čech
>From b3ae463a7544bb9561126c5e05475d5b98928edc Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 15 Jul 2016 14:54:35 +0200
Subject: [PATCH] LDAP: Improving debug message

There were debug messages referring to user by for loop variable.
We might obtain user name and refer to user by this.
---
 src/providers/ldap/sdap_async_users.c | 21 +++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 87d91d8247c37a4c6a1d83b7189399056528fc90..17d8680d82b25946e975034b852e24fcb731b535 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -540,6 +540,7 @@ int sdap_save_users(TALLOC_CTX *memctx,
 char **_usn_value)
 {
 TALLOC_CTX *tmpctx;
+const char *user_name = NULL;
 char *higher_usn = NULL;
 char *usn_value;
 int ret;
@@ -569,14 +570,30 @
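
The output-argument convention discussed in this thread, as an added example that is not part of the original messages or of SSSD: `struct entry` and `get_primary_name()` are hypothetical stand-ins for the LDAP user records and sdap_get_user_primary_name(), and the sample users are constructed. It shows what a name pointer initialised once before the loop prints after a failed lookup, next to a version that trusts the pointer only when the call succeeded.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32

/* Hypothetical stand-in for an LDAP user record; name == NULL models a
 * record without a usable name attribute. */
struct entry {
    const char *name;
};

/* Constructed sample data: the second record has no name. */
static const struct entry SAMPLE_USERS[3] = {
    { "alice" }, { NULL }, { "carol" }
};

/* Hypothetical stand-in for sdap_get_user_primary_name(). It follows the
 * convention described in the thread: on failure *_name is not touched. */
static int get_primary_name(const struct entry *e, const char **_name)
{
    if (e->name == NULL) {
        return ENOENT;
    }
    *_name = e->name;
    return 0;
}

/* Pointer initialised once before the loop and trusted after a failure:
 * a failed lookup inherits the name stored by the previous iteration. */
static void label_users_stale(const struct entry *users, size_t num,
                              char labels[][LABEL_LEN])
{
    const char *user_name = NULL;
    size_t i;

    for (i = 0; i < num; i++) {
        (void)get_primary_name(&users[i], &user_name);
        if (user_name != NULL) {
            snprintf(labels[i], LABEL_LEN, "%s", user_name);
        } else {
            snprintf(labels[i], LABEL_LEN, "#%zu", i);
        }
    }
}

/* Pointer reset on every pass and used only when the call succeeded;
 * otherwise the loop index is printed, as before the patch. */
static void label_users_checked(const struct entry *users, size_t num,
                                char labels[][LABEL_LEN])
{
    size_t i;

    for (i = 0; i < num; i++) {
        const char *user_name = NULL;
        int ret = get_primary_name(&users[i], &user_name);

        if (ret == 0 && user_name != NULL) {
            snprintf(labels[i], LABEL_LEN, "%s", user_name);
        } else {
            snprintf(labels[i], LABEL_LEN, "#%zu", i);
        }
    }
}

int main(void)
{
    char stale[3][LABEL_LEN];
    char checked[3][LABEL_LEN];
    size_t i;

    label_users_stale(SAMPLE_USERS, 3, stale);
    label_users_checked(SAMPLE_USERS, 3, checked);
    for (i = 0; i < 3; i++) {
        printf("user %zu: stale=%s checked=%s\n", i, stale[i], checked[i]);
    }
    return 0;
}
```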

[SSSD] Re: [PATCH] SYSDB: Fix error handling in sysdb_get_user_members_recursively

2016-08-30 Thread Petr Cech

On 08/31/2016 07:26 AM, Petr Cech wrote:

On 08/30/2016 05:24 PM, Lukas Slebodnik wrote:

ehlo,

We should not ignore return values of functions.

LS


Hi Lukas,

thanks for patch.
LGTM, I am waiting for CI.


CI passed:
http://sssd-ci.duckdns.org/logs/job/52/82/summary.html

=> ACK

Regards
--
Petr^4 Čech


[SSSD] Re: [PATCHES] Remove leftovers from diag_cmd and force_timeout

2016-08-30 Thread Petr Cech

On 08/30/2016 06:35 PM, Fabiano Fidêncio wrote:

Seems that when I sent the v2 of 7579cf99 and ac35fe74 I attached the
wrong patches that ended up being pushed.
Those patches were incomplete as there are still some leftovers.

My bad, sorry :-\

See these 2 attached patches

Best Regards,
--
Fabiano Fidêncio


Hi Fabiano,

LGTM, make distcheck passed.
I am waiting for CI.

Regards.

--
Petr^4 Čech


[SSSD] Re: [PATCH] SYSDB: Fix error handling in sysdb_get_user_members_recursively

2016-08-30 Thread Petr Cech

On 08/30/2016 05:24 PM, Lukas Slebodnik wrote:

ehlo,

We should not ignore return values of functions.

LS


Hi Lukas,

thanks for patch.
LGTM, I am waiting for CI.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-30 Thread Petr Cech

Bump.

--
Petr^4 Čech


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-08-30 Thread Petr Cech

On 08/30/2016 01:21 PM, Pavel Březina wrote:

On 08/30/2016 01:06 PM, Lukas Slebodnik wrote:

On (30/08/16 13:03), Petr Cech wrote:

On 08/30/2016 12:42 PM, Pavel Březina wrote:

On 08/25/2016 01:43 PM, Petr Cech wrote:

-/* FIXME: get max_children from configuration file */
-auth_ctx->max_children = 10;
+ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN, 10,
+ &max_children);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]:
%s\n",
+   ret, sss_strerror(ret));
+goto done;
+}
+if (max_children < 1) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Option %s must be bigger then
1\n",
+   CONFDB_PROXY_MAX_CHILDREN);
+goto done;
+}
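Review bot: In the max_children < 1 branch the log text says the option "must be bigger then 1", but the test accepts 1, so the message and the check disagree. Word it as "must be at least 1" (or change the comparison if 1 is really meant to be rejected), and fix "then" to "than" if the comparison wording stays.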


You need to either set ret here, or set max_children to some reasonable
value (10?).


Hello Pavel,

max_children is set on the next line as:
auth_ctx->max_children = max_children;


No it is not.


+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+   ret, sss_strerror(ret));
+goto done;
+}
+if (max_children < 1) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Option %s must be bigger then 1\n",
+   CONFDB_PROXY_MAX_CHILDREN);
+goto done;
+}
+auth_ctx->max_children = max_children;
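Review bot: Only the lower bound is validated before auth_ctx->max_children = max_children; any positive int read from the configuration is accepted as the number of children. Consider rejecting or capping values above a documented maximum, and state the accepted range in the man page entry for the option.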


if max_children < 1, you report an error and goto done, keeping ret =
EOK from previous successful call. Either we consider it as an error,
and set ret to e.g. EINVAL, or we set default value and continue.


I see, good point. Thank you.

I chose to go to done. It prevents our users from having a wrong configuration.



I use temporary variable max_children,
because there is issue with signed/unsigned
integer value.

10 was original value. I increase it to 50.
And I use constant OPT_MAX_CHILDREN_DEFAULT now.


10 is a reasonable default and works for most of users.
I do not think we need to increase default value.
This is a purpose of the new option


Agree.


--
Petr^4 Čech
>From 3783aed0c7127358e1708d5657773af50fd136a0 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 12 
 src/providers/proxy/proxy_init.c  | 21 +++--
 6 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..9076dd2c4bf630626d6d8eaef0e7ab67c0ac93f5 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -430,6 +430,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..1b3c840199d64fe1a9088147c9c5c836216b25eb 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -323,6 +323,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-prox
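
The error path Pavel describes in this thread, modelled as an added example that is not part of the original messages or of SSSD: `fake_confdb`, `fake_get_int()` and both init functions are hypothetical stand-ins for confdb_get_int() and the proxy initialisation code. It shows that a validation failure which jumps to `done` without setting `ret` is reported to the caller as success.

```c
#include <errno.h>
#include <stdio.h>

#define EOK 0
#define DEFAULT_MAX_CHILDREN 10   /* default value named in the thread */

/* Hypothetical one-option configuration store standing in for confdb. */
struct fake_confdb {
    int has_value;   /* 0: option absent, the default is returned */
    int value;
};

/* Hypothetical stand-in for the proxy auth context. */
struct fake_auth_ctx {
    unsigned int max_children;
};

/* Hypothetical stand-in for confdb_get_int(): stored value or default. */
static int fake_get_int(const struct fake_confdb *cdb, int defval, int *_out)
{
    if (cdb == NULL) {
        return EINVAL;
    }
    *_out = cdb->has_value ? cdb->value : defval;
    return EOK;
}

/* Shape of the reviewed code: the range check jumps to done while ret
 * still holds EOK from the successful read. */
static int init_stale_ret(const struct fake_confdb *cdb,
                          struct fake_auth_ctx *ctx)
{
    int max_children = 0;
    int ret;

    ret = fake_get_int(cdb, DEFAULT_MAX_CHILDREN, &max_children);
    if (ret != EOK) {
        goto done;
    }
    if (max_children < 1) {
        goto done;              /* ret == EOK here */
    }
    ctx->max_children = (unsigned int)max_children;

done:
    return ret;
}

/* One of the two options from the review: treat it as an error and set
 * ret before leaving. */
static int init_checked(const struct fake_confdb *cdb,
                        struct fake_auth_ctx *ctx)
{
    int max_children = 0;
    int ret;

    ret = fake_get_int(cdb, DEFAULT_MAX_CHILDREN, &max_children);
    if (ret != EOK) {
        goto done;
    }
    if (max_children < 1) {
        ret = EINVAL;
        goto done;
    }
    ctx->max_children = (unsigned int)max_children;

done:
    return ret;
}

int main(void)
{
    struct fake_confdb zero = { 1, 0 };   /* constructed: option set to 0 */
    struct fake_auth_ctx a = { 0 };
    struct fake_auth_ctx b = { 0 };

    printf("stale ret:   ret=%d max_children=%u\n",
           init_stale_ret(&zero, &a), a.max_children);
    printf("checked ret: ret=%d max_children=%u\n",
           init_checked(&zero, &b), b.max_children);
    return 0;
}
```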

[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-08-30 Thread Petr Cech

On 08/30/2016 01:06 PM, Lukas Slebodnik wrote:

On (30/08/16 13:03), Petr Cech wrote:

On 08/30/2016 12:42 PM, Pavel Březina wrote:

On 08/25/2016 01:43 PM, Petr Cech wrote:

-/* FIXME: get max_children from configuration file */
-auth_ctx->max_children = 10;
+ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN, 10,
+ &max_children);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+   ret, sss_strerror(ret));
+goto done;
+}
+if (max_children < 1) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Option %s must be bigger then 1\n",
+   CONFDB_PROXY_MAX_CHILDREN);
+goto done;
+}


You need to either set ret here, or set max_children to some reasonable
value (10?).



Hello Pavel,

max_children is set on the next line as:
auth_ctx->max_children = max_children;

I use temporary variable max_children,
because there is issue with signed/unsigned
integer value.

10 was original value. I increase it to 50.
And I use constant OPT_MAX_CHILDREN_DEFAULT now.


10 is a reasonable default and works for most of users.
I do not think we need to increase default value.
This is a purpose of the new option


I agree. I am sorry, I misunderstood Pavel.

10 is back!

Regards

--
Petr^4 Čech
>From b24f2d546dd7045843de380aee22c654d23ad95b Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 12 
 src/providers/proxy/proxy_init.c  | 20 ++--
 6 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..9076dd2c4bf630626d6d8eaef0e7ab67c0ac93f5 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -430,6 +430,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..1b3c840199d64fe1a9088147c9c5c836216b25eb 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -323,6 +323,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
 [provider/proxy]
+proxy_max_children = int, None, false
 
 [provider/proxy/id]
 proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 
 
+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+  

[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-08-30 Thread Petr Cech

On 08/30/2016 12:42 PM, Pavel Březina wrote:

On 08/25/2016 01:43 PM, Petr Cech wrote:

-/* FIXME: get max_children from configuration file */
-auth_ctx->max_children = 10;
+ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN, 10,
+ &max_children);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+   ret, sss_strerror(ret));
+goto done;
+}
+if (max_children < 1) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Option %s must be bigger then 1\n",
+   CONFDB_PROXY_MAX_CHILDREN);
+goto done;
+}


You need to either set ret here, or set max_children to some reasonable
value (10?).


Hello Pavel,

max_children is set on the next line as:
auth_ctx->max_children = max_children;

I use temporary variable max_children,
because there is issue with signed/unsigned
integer value.

10 was original value. I increase it to 50.
And I use constant OPT_MAX_CHILDREN_DEFAULT now.

Fixed patch is attached.

Regards

--
Petr^4 Čech
>From fb5818026adf0bb8dde45ccae5d94a6cb6331bec Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 12 
 src/providers/proxy/proxy_init.c  | 20 ++--
 6 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..9b5c7bc04bb8297842aa9a0ef50f239c50302757 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -218,6 +218,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..9076dd2c4bf630626d6d8eaef0e7ab67c0ac93f5 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -430,6 +430,9 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),
 
+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..1b3c840199d64fe1a9088147c9c5c836216b25eb 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -323,6 +323,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
 [provider/proxy]
+proxy_max_children = int, None, false
 
 [provider/proxy/id]
 proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ae291e0fc8f2f9afabcdf32f18a5ec12252f..1bf3e799047d9c722487be8657bbee5cfd479cdd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2464,6 +2464,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 
 
+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 50
+
+
+
+
 
 
 
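Review bot: The new man page entry states "Default: 50", while the commit message of this same patch says the default value is 10. Make the documented default match the value the code actually passes as the default, and keep the commit message in line with it.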
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..ed5e825a730c

[SSSD] Re: [SSSD} [PATCH] Remove no longer used code

2016-08-30 Thread Petr Cech

On 08/30/2016 08:47 AM, Petr Cech wrote:



On 08/30/2016 08:28 AM, Fabiano Fidêncio wrote:

On Tue, Aug 30, 2016 at 8:23 AM, Petr Cech  wrote:

On 08/15/2016 02:58 PM, Fabiano Fidêncio wrote:


Those 3 patches are from Jakub and I've just done some minor
adjustments and add myself as co-author of the first 2 patches.

CI has passed: http://sssd-ci.duckdns.org/logs/job/51/55/summary.html

Best Regards,
--
Fabiano Fidêncio



Hello,

CI passed:
http://sssd-ci.duckdns.org/logs/job/52/71/summary.html


0001-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch


From aa6204816cde0a7d75b9303916d038ed06e467ba Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:41:35 +0200
Subject: [PATCH 1/3] MONITOR: Remove the no longer used diag_cmd
command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the diag_cmd is longer used and
makes no
sense trying to make it usable by watchdog as the result of "pstack %p"
seems next to useless in this context.

Co-author: Fabiano Fidêncio 

Related:
https://fedorahosted.org/sssd/ticket/3051
---



ACK



0002-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch


From 7954e0254752d0a830a0501f23a6a93d0345e5ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:46:25 +0200
Subject: [PATCH 2/3] MONITOR: Remove the no longer used kill_service
command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the force_timeout option is no longer
used.

Co-author: Fabiano Fidêncio 

Resolves:
https://fedorahosted.org/sssd/ticket/3052
---



ACK



0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch


From 1302c5a95ac36dd674c8795cda0082b84d30978d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 15 Aug 2016 12:54:20 +0200
Subject: [PATCH 3/3] WATCHDOG: define and use _MAX_TICKS as 3

Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
--



This patch is unfortunately inapplicable on top of master
(after two previous patches):

pcech@albireo ~/sssd: (master) $ git am
../patch/0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
Applying: WATCHDOG: define and use _MAX_TICKS as 3
error: patch failed: src/util/util_watchdog.c:38
error: src/util/util_watchdog.c: patch does not apply
Patch failed at 0001 WATCHDOG: define and use _MAX_TICKS as 3

Regards


Rebase was quite simple.
See the v2 attached (the only change in v2 was the rebase).


Thanks, Fabiano,

I pushed patches to CI so quickly I missed
that the 3rd patch is LGTM and almost ACK :-)

I would like to wait for CI anyway.


CI passed:
http://sssd-ci.duckdns.org/logs/job/52/73/summary.html

=> ACK

Regards

--
Petr^4 Čech


[SSSD] Re: [SSSD} [PATCH] Remove no longer used code

2016-08-29 Thread Petr Cech



On 08/30/2016 08:28 AM, Fabiano Fidêncio wrote:

On Tue, Aug 30, 2016 at 8:23 AM, Petr Cech  wrote:

On 08/15/2016 02:58 PM, Fabiano Fidêncio wrote:


Those 3 patches are from Jakub and I've just done some minor
adjustments and add myself as co-author of the first 2 patches.

CI has passed: http://sssd-ci.duckdns.org/logs/job/51/55/summary.html

Best Regards,
--
Fabiano Fidêncio



Hello,

CI passed:
http://sssd-ci.duckdns.org/logs/job/52/71/summary.html


0001-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch


From aa6204816cde0a7d75b9303916d038ed06e467ba Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:41:35 +0200
Subject: [PATCH 1/3] MONITOR: Remove the no longer used diag_cmd command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the diag_cmd is longer used and makes no
sense trying to make it usable by watchdog as the result of "pstack %p"
seems next to useless in this context.

Co-author: Fabiano Fidêncio 

Related:
https://fedorahosted.org/sssd/ticket/3051
---



ACK



0002-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch


From 7954e0254752d0a830a0501f23a6a93d0345e5ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:46:25 +0200
Subject: [PATCH 2/3] MONITOR: Remove the no longer used kill_service
command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the force_timeout option is no longer
used.

Co-author: Fabiano Fidêncio 

Resolves:
https://fedorahosted.org/sssd/ticket/3052
---



ACK



0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch


From 1302c5a95ac36dd674c8795cda0082b84d30978d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 15 Aug 2016 12:54:20 +0200
Subject: [PATCH 3/3] WATCHDOG: define and use _MAX_TICKS as 3

Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
--



This patch is unfortunately inapplicable on top of master
(after two previous patches):

pcech@albireo ~/sssd: (master) $ git am
../patch/0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
Applying: WATCHDOG: define and use _MAX_TICKS as 3
error: patch failed: src/util/util_watchdog.c:38
error: src/util/util_watchdog.c: patch does not apply
Patch failed at 0001 WATCHDOG: define and use _MAX_TICKS as 3

Regards


Rebase was quite simple.
See the v2 attached (the only change in v2 was the rebase).


Thanks, Fabiano,

I pushed patches to CI so quickly I missed
that the 3rd patch is LGTM and almost ACK :-)

I would like to wait for CI anyway.

Regards

--
Petr^4 Čech


[SSSD] Re: MONITOR: Add disable_netlink sssd.conf option

2016-08-29 Thread Petr Cech

On 08/27/2016 06:54 PM, Justin Stephenson wrote:

Hello,

The attached patches resolve https://fedorahosted.org/sssd/ticket/3142

However, I am having difficulty with the man page addition to
'src/man/sssd.conf.5.xml' for this new option. I have stared at the open
and close xml tags(for far too long) and it looks correct but when I
build sssd I never see the sssd.conf man page inclusion. Could anyone
tell me what I am missing here?

If you feel there is better wording for the description please let me know.

Kind regards,
Justin Stephenson


Hello Justin,

CI passed:
http://sssd-ci.duckdns.org/logs/job/52/72/summary.html

I have one little comment about coding style. See below.



0001-MONITOR-Remove-disable-netlink-command-line-option.patch


From 0552c199dd37c7e280304b9bc92ff44a8a1a6d57 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 1/2] MONITOR: Remove --disable-netlink command-line option

Removing monitor command-line option, to be superseded by
sssd.conf option
---


ACK



0002-MONITOR-Add-disable_netlink-option.patch


From c52c0c1a520cdf8509bac00fa3c7bec0dd73 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 2/2] MONITOR: Add disable_netlink option

Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.

Resolves:
https://fedorahosted.org/sssd/ticket/3142
---

[...]


 /* Set up the environment variable for the Kerberos Replay Cache */
@@ -2471,14 +2472,28 @@ static int monitor_process_init(struct mt_ctx *ctx,
 return ret;
 }

-ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
-ctx, &ctx->nlctx);
+ret = confdb_get_bool(ctx->cdb,
+  CONFDB_MONITOR_CONF_ENTRY,
+  CONFDB_MONITOR_DISABLE_NETLINK,
+  false, &disable_netlink);
+
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
-  "Cannot set up listening for network notifications\n");
+"Failed to read disable_netlink from confdb: [%d] %s\n",

 ^ --- this is right indentation

+ret, sss_strerror(ret));

 ^ --- this is right indentation

Please, fix this little nitpicking.

I am not a native speaker, so I am not able to check
the text in the man page. (I guess you are.)

The first patch ACKed, the second needs
little work.

Regards

--
Petr^4 Čech


[SSSD] Re: [SSSD} [PATCH] Remove no longer used code

2016-08-29 Thread Petr Cech

On 08/15/2016 02:58 PM, Fabiano Fidêncio wrote:

Those 3 patches are from Jakub and I've just done some minor
adjustments and add myself as co-author of the first 2 patches.

CI has passed: http://sssd-ci.duckdns.org/logs/job/51/55/summary.html

Best Regards,
--
Fabiano Fidêncio


Hello,

CI passed:
http://sssd-ci.duckdns.org/logs/job/52/71/summary.html


0001-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch


From aa6204816cde0a7d75b9303916d038ed06e467ba Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:41:35 +0200
Subject: [PATCH 1/3] MONITOR: Remove the no longer used diag_cmd command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the diag_cmd is longer used and makes no
sense trying to make it usable by watchdog as the result of "pstack %p"
seems next to useless in this context.

Co-author: Fabiano Fidêncio 

Related:
https://fedorahosted.org/sssd/ticket/3051
---


ACK



0002-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch


From 7954e0254752d0a830a0501f23a6a93d0345e5ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 8 May 2016 14:46:25 +0200
Subject: [PATCH 2/3] MONITOR: Remove the no longer used kill_service command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After introducing the watchdog, the force_timeout option is no longer
used.

Co-author: Fabiano Fidêncio 

Resolves:
https://fedorahosted.org/sssd/ticket/3052
---


ACK



0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch


From 1302c5a95ac36dd674c8795cda0082b84d30978d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 15 Aug 2016 12:54:20 +0200
Subject: [PATCH 3/3] WATCHDOG: define and use _MAX_TICKS as 3

Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
--


This patch is unfortunately inapplicable on top of master
(after two previous patches):

pcech@albireo ~/sssd: (master) $ git am 
../patch/0003-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch

Applying: WATCHDOG: define and use _MAX_TICKS as 3
error: patch failed: src/util/util_watchdog.c:38
error: src/util/util_watchdog.c: patch does not apply
Patch failed at 0001 WATCHDOG: define and use _MAX_TICKS as 3

Regards

---
Petr^4 Čech


[SSSD] Re: [SSSD} [PATCH] Remove no longer used code

2016-08-29 Thread Petr Cech

On 08/26/2016 04:59 PM, Jakub Hrozek wrote:

On Mon, Aug 15, 2016 at 02:58:50PM +0200, Fabiano Fidêncio wrote:

Those 3 patches are from Jakub and I've just done some minor
adjustments and add myself as co-author of the first 2 patches.

CI has passed: http://sssd-ci.duckdns.org/logs/job/51/55/summary.html

Best Regards,
--
Fabiano Fidêncio


bump, this is just a simple removal of code, but I can't review it
myself..


Hello Fabiano,

I will take a look. :-)

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-25 Thread Petr Cech

On 08/23/2016 10:58 AM, Petr Cech wrote:

Hello,

there is new patch number 3 which is a WIP.
I would like to ask you which version
of ldif printing do you prefer.

You can see [1] which shows the outputs.

Difference is that version A is step by step
reading of ldb message.

But, version B uses function
ldb_ldif_write(). This function needs
my_vprintf_fn() but the information isn't structured.

What do you prefer? :-)

[1] ldif.txt



There is new patch set attached.

Well, I choose version B because it uses native ldb function
ldb_ldif_write().

I added new debug level. It is not only extra debug level which SSSD
has. But I didn't see any other extra in man pages. So I didn't add
this one too.


Bump.

Notes:

1) If you prefer merging of last 4 patches -- renaming of ldb_*(), 
please, tell me.


2) Those patches rename only ldb_*() in sysdb. But those functions are 
in other parts of code too. So if you prefer renaming in whole SSSD, 
please tell me.


Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-08-25 Thread Petr Cech

On 08/24/2016 05:25 PM, Fabiano Fidêncio wrote:

Petr,

On Wed, Aug 24, 2016 at 4:22 PM, Petr Cech  wrote:

Hello,

I am fighting with adding a new option to sssd.conf.
I am slowly running out of breath.

I know proxy could be id, auth or chpass provider. I don't know
where is the right place for my option. And the second issue is
it breaks test for SSSD config. :-(

Is there anyone who would like to join to the fight? Please,
see attached patch.


I could spot 1 issue and one possible issue with your patch.
Let me paste the (possible) problematic parts here:


diff --git a/src/config/SSSDConfig/__init__.py.in 
b/src/config/SSSDConfig/__init__.py.in
index 
b3f04ac26309bb5b518fb87cd0dae2962e853179..50917322da74211a54db69fee05589bdddaebd33
 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -435,6 +435,7 @@ option_strings = {
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache 
if possible'),

 # [provider/proxy/auth]
+'proxy_max_children' : _('The number of preforked proxy children.'),
 'proxy_pam_target' : _('PAM stack to use')
 }


As far as I understand from the ticket, proxy_max_children should be a
global option for proxy, so you should put it under [provider/proxy]
and not under [provider/proxy/auth].


diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf 
b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503..96e2d4a 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,11 +1,9 @@
-[provider/proxy]
-
 [provider/proxy/i
 proxy_lib_name = str, None, true
 proxy_fast_alias = bool, None, true

 [provider/proxy/auth]
  proxy_pam_target = str, None, true
+proxy_max_children = int, None, false

 [provider/proxy/chpass]
-


On this part I'm pretty sure you don't want to remove [provider/proxy]
or the last line of the file.
And as far as I understand from the option you're trying to add, it
should be added under [provider/proxy].

With these 2 changes "make check" passes again and I guess it's enough
for what you're trying to achieve.

Here you can see my changes on top of your changes:
[ffidenci@cat x86_64]$ git diff
diff --git a/src/config/SSSDConfig/__init__.py.in
b/src/config/SSSDConfig/__init__.py.in
index 5091732..9076dd2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -430,12 +430,14 @@ option_strings = {
 'default_shell' : _('Default shell, /bin/bash'),
 'base_directory' : _('Base for home directories'),

+# [provider/proxy]
+'proxy_max_children' : _('The number of preforked proxy children.'),
+
 # [provider/proxy/id]
 'proxy_lib_name' : _('The name of the NSS library to use'),
 'proxy_fast_alias' : _('Whether to look up canonical group name
from cache if possible'),

 # [provider/proxy/auth]
-'proxy_max_children' : _('The number of preforked proxy children.'),
 'proxy_pam_target' : _('PAM stack to use')
 }

diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf
b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 96e2d4a..09bf82a 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,9 +1,12 @@
+[provider/proxy]
+proxy_max_children = int, None, false
+
 [provider/proxy/id]
 proxy_lib_name = str, None, true
 proxy_fast_alias = bool, None, true

 [provider/proxy/auth]
 proxy_pam_target = str, None, true
-proxy_max_children = int, None, false

 [provider/proxy/chpass]
+

I hope it helps!

Best Regards,
--
Fabiano Fidêncio


Hi Fabiano,

thank you for the help. You were right about the section
[provider/proxy].

And I hit a little issue with the last white line in the file.
My IDE did some automagic.

The entry in the man page is really short. Please, if you have any idea,
share it.


Regards

--
Petr^4 Čech
>From b608fb4e3968758cc9f3aaa00cedba7561f33dbe Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] PROXY: Adding proxy_max_children option

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  3 +++
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml   | 12 
 src/providers/proxy/proxy_init.c  | 17 +++--
 6 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 72adbd80ea534eb0becd3e517c00b0c26d00444c..dddf3e94fc4a083dfe23549c50c75b8fe1e47c9f 100644
--- a/src/confdb/confdb.h
+++ b/src/con

[SSSD] [PATCH] WIP: PROXY: Adding proxy_max_children option

2016-08-24 Thread Petr Cech

Hello,

I am fighting with adding a new option to sssd.conf.
I am slowly running out of breath.

I know proxy could be an id, auth or chpass provider. I don't know
where the right place for my option is. And the second issue is
that it breaks the test for SSSD config. :-(

Is there anyone who would like to join the fight? Please,
see the attached patch.

Regards

--
Petr^4 Čech
>From 252b62b56d0079323dc6771907d76f4f883ffbe4 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH] WIP: PROXY: Adding proxy_max_children option

Resolves:
https://fedorahosted.org/sssd/ticket/3153
---
 src/confdb/confdb.h   |  1 +
 src/config/SSSDConfig/__init__.py.in  |  1 +
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  4 +---
 src/man/sssd.conf.5.xml   | 12 
 src/providers/proxy/proxy_init.c  | 17 +++--
 6 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 72adbd80ea534eb0becd3e517c00b0c26d00444c..dddf3e94fc4a083dfe23549c50c75b8fe1e47c9f 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -220,6 +220,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..50917322da74211a54db69fee05589bdddaebd33 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -435,6 +435,7 @@ option_strings = {
 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
 
 # [provider/proxy/auth]
+'proxy_max_children' : _('The number of preforked proxy children.'),
 'proxy_pam_target' : _('PAM stack to use')
 }
 
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..1b3c840199d64fe1a9088147c9c5c836216b25eb 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -323,6 +323,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..96e2d4a8d101ff2f7769aaaf5f80af882bcd9b4d 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,11 +1,9 @@
-[provider/proxy]
-
 [provider/proxy/id]
 proxy_lib_name = str, None, true
 proxy_fast_alias = bool, None, true
 
 [provider/proxy/auth]
 proxy_pam_target = str, None, true
+proxy_max_children = int, None, false
 
 [provider/proxy/chpass]
-
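Review bot: The removal of the [provider/proxy] header and of the final empty line is unrelated to adding an option and changes which sections this schema file declares; keep both lines. The new 'proxy_max_children = int, None, false' entry also sits under [provider/proxy/auth], so it is declared for the auth provider only; if the option is meant for the proxy provider as a whole, declare it under [provider/proxy] and move the matching entry in option_strings out from under the '# [provider/proxy/auth]' comment.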
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e95a7e7e213e07c15e79185730d481e5afceb69c..bb44cf5f1d566b2b88fe6fbcd51c3973bd45ef8e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2497,6 +2497,18 @@ subdomain_inherit = ldap_purge_cache_timeout
 
 
 
+
+proxy_max_children (integer)
+
+
+The number of preforked proxy children.
+
+
+Default: 10
+
+
+
+
 
 
 
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..b000bde0bbd655b0f73fcc90c7f7910e8a410d35 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -220,6 +220,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
 struct proxy_auth_ctx *auth_ctx;
 errno_t ret;
 int hret;
+int max_children;
 
 auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
 if (auth_ctx == NULL) {
@@ -241,8 +242,20 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
 }
 
 /* Set up request hash table */
-/* FIXME: get max_children from configuration file */
-auth_ctx->max_children = 10;
+ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN, 10,
+ &max_children);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+   ret, sss_strerror(ret));
+goto done;
+}
+if (max_children 
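Review bot: The default 10 passed to confdb_get_int() is the same literal that the removed FIXME line hard-coded and that the man page hunk repeats as "Default: 10"; give it a name next to CONFDB_PROXY_MAX_CHILDREN so code and documentation cannot drift apart. max_children is a signed int taken straight from sssd.conf and it sets the number of preforked children, so the check that starts at 'if (max_children' (cut off in this copy) should reject zero and negative values before the value is assigned to auth_ctx->max_children, and an upper bound is worth considering so that a typo in the configuration cannot request an unreasonable number of processes. Please also confirm that the label reached by the new 'goto done' releases auth_ctx on this error path.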

[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-24 Thread Petr Cech

On 08/24/2016 09:33 AM, Petr Cech wrote:

Hi Lukas,

I didn't run CI tests because your new code is not used yet.
But I ran my tests for nested_group with your updated version.
Everything works how we expected.
Code LGTM.

=> ACK


CI passed with my patches:
http://sssd-ci.duckdns.org/logs/job/52/28/summary.html

Thanks Lukas.

--
Petr^4 Čech


[SSSD] Re: [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-24 Thread Petr Cech

On 08/24/2016 09:15 AM, Lukas Slebodnik wrote:

On (22/08/16 16:39), Petr Cech wrote:

On 08/19/2016 05:18 PM, Lukas Slebodnik wrote:

Thank you for the test but I would appreciate a little bit simpler solution.
"memberNisNetgroup"(SYSDB_NETGROUP_MEMBER)
Your patch will append "memberNisNetgroup"(SYSDB_NETGROUP_MEMBER) to missing
attributes if it is not in netgroup_attrs.

However "memberNisNetgroup" and "originalMemberNisNetgroup" are
tightly coupled attributes in sysdb.
* the sysdb attributes "originalMemberNisNetgroup" contain the original
  value from LDAP which can be name of netgroup or dn.
* the sysdb attributes "memberNisNetgroup" always contain shortname
  used by sssd.
They are even the same if memberNisNetgroup in LDAP does not contain dn.
One is generated from other.


And function list_missing_attrs already finds that "originalMemberNisNetgroup"
is a missing attribute. Therefore if "originalMemberNisNetgroup"
is in the missing attributes list then we have to add there also
 "memberNisNetgroup".

e.g.
diff --git a/src/providers/ldap/sdap_async_netgroups.c 
b/src/providers/ldap/sdap_async_netgroups.c
index df233d9..1fe40f5 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -138,6 +138,14 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
 goto fail;
 }

+if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
+ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
+goto fail;
+}
+}
+
 ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
  dom->netgroup_timeout, now);
 if (ret) goto fail;

+ some optional nice explanation/comment why :-)


Hi Lukas,

thanks. I tested your solution, it is valid. I have to agree it is simpler. I
fixed my patch in this way.



ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
 dom->netgroup_timeout, now);
if (ret) goto fail;
--
2.7.4



BTW the same bug is also in ipa_save_netgroup in
"src/providers/ipa/ipa_netgroups.c"
But sysdb_add_netgroup is called with NULL for missing attributes :-)

Anyway sdap_save_netgroup and ipa_save_netgroup do almost the same.
They just use different maps. You touched the netgroup related code.
So it would be good to do a small refactoring and reuse ldap
sdap_save_netgroup in ipa_save_netgroup. So it would be good
if you could fix ticket #3117 in the near future. Because you still remember
the netgroup related code in LDAP. (It's not a blocker for #2841)
It is just a recommendation :-)


Right, I will take a look.


Thank you in advance.


From 25be35537e0d91af6939c3400340fe01cfb32ea7 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 22 Jul 2016 14:28:54 +0200
Subject: [PATCH 1/3] LDAP: Fixing of removing netgroup from cache

There was a problem with a local key which wasn't properly removed.
This patch fixes it.

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
src/providers/ldap/sdap_async_netgroups.c | 12 
1 file changed, 12 insertions(+)

diff --git a/src/providers/ldap/sdap_async_netgroups.c 
b/src/providers/ldap/sdap_async_netgroups.c
index 
df233d956df70cfcb5f68bd2afc9e2a23c50c3bb..f36ea030414638ae2c778bc532fa09a0b69ed7de
 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -138,6 +138,18 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
goto fail;
}

+/* We can get SYSDB_ORIG_NETGROUP_MEMBER, but not SYSDB_NETGROUP_MEMBER
+ * from LDAP. Thus we add SYSDB_NETGROUP_MEMBER to missing
+ * if SYSDB_ORIG_NETGROUP_MEMBER is in.
+ */

SYSDB_ORIG_NETGROUP_MEMBER is originalMemberNisNetgroup
and SYSDB_NETGROUP_MEMBER is memberNisNetgroup

And we get memberNisNetgroup from LDAP but the value is stored in
sysdb attribute originalMemberNisNetgroup. But it may contain
a simple name or DN. That's the reason why we always translate/generate
a simple name and store it in SYSDB_NETGROUP_MEMBER(memberNisNetgroup)
in sysdb, which is internally used for searching netgroups.

So the comment is a little bit confusing. Because we cannot get
originalMemberNisNetgroup from LDAP.



+if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
+ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
+goto fail;
+}
+}
+
ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
     dom->netgroup_timeout, now);
if (ret) goto fail;
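Review bot: The DEBUG call in the new 'if (ret != EOK)' branch drops the error code, so a failure here cannot be told apart from others in the logs; include it, for example "Failed to add string into list [%d]: %s\n" with ret and sss_strerror(ret). The comment above the block says SYSDB_ORIG_NETGROUP_MEMBER is what can be obtained from LDAP, which reads as the reverse of how the two attributes relate; reword it to say that SYSDB_NETGROUP_MEMBER is generated from the LDAP value kept in SYSDB_ORIG_NETGROUP_MEMBER, so when the latter is listed as missing the former has to be listed too.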
--
2.7.4




From 4ff31b600f01c810367756165500cfdb95f2be2b Mon Sep 17 0

[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-24 Thread Petr Cech

On 08/24/2016 07:30 AM, Lukas Slebodnik wrote:

On (19/08/16 12:35), Petr Cech wrote:

On 08/19/2016 11:42 AM, Petr Cech wrote:

On 08/19/2016 11:24 AM, Lukas Slebodnik wrote:

On (19/08/16 08:55), Petr Cech wrote:

On 08/18/2016 12:22 PM, Petr Cech wrote:

On 08/18/2016 12:19 PM, Lukas Slebodnik wrote:

ehlo,

python wrapper for retrieving netgroups was pushed too early.
Attached patch fixes it.

LS


Thanks, Lukas. I will take a look
and I will try it with my tests :-)


Hi Lukas,

your patch works how we expected.

There are a few PEP8 issues:

$ pep8 src/tests/intg/sssd_netgroup.py
src/tests/intg/sssd_netgroup.py:131:80: E501 line too long
src/tests/intg/sssd_netgroup.py:150:80: E501 line too long
src/tests/intg/sssd_netgroup.py:151:80: E501 line too long

Please, fix them.


It's just a WIP version which should unblock your testing?
and there are missing comments + other things.


Great :-)


I could say LGTM, but... you know, I have issue with my nested netgroups
tests. I rather wait until I will resolve this one. And I will see
that this
your patch is final.


Do you need help?

BTW I think you need to use ldapmodify and I did something similar
in the test for fetching extra attributes.

https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/PBIETZ5DFZRQS53AXZWJHS2JLA3YURSN/attachment/3/0002-intg-Test-extra-attributes-duplicate.patch



Actually I am working on ldapmodify now. I will take a look at your hint.
The issue is that I have removed whole netgroups but I only need to remove
them from the one which contains them.

So, it is different to remove A or A from B :-)


I just resolved tests for deleting on nested netgroups.
I will send patch very soon.

Your patch looks good to me. I am looking forward
to next version.


Updated version is attached.

LS


Hi Lukas,

I didn't run CI tests because your new code is not used yet.
But I ran my tests for nested_group with your updated version.
Everything works how we expected.
Code LGTM.

=> ACK

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-23 Thread Petr Cech



On 08/18/2016 01:01 PM, Petr Cech wrote:

On 08/16/2016 02:32 PM, Petr Cech wrote:

On 08/16/2016 01:22 PM, Petr Cech wrote:



On 08/16/2016 01:02 PM, Lukas Slebodnik wrote:

On (16/08/16 12:52), Petr Cech wrote:

On 08/16/2016 10:15 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 09:50:19AM +0200, Petr Cech wrote:

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIF in special
debug level. What does 'special debug
level' mean? Is it a new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards




Please no magic constants in SSSD code :)


Hello Jakub,

there is fixed version without magic :-)

--
Petr^4 'magician' Čech



From 2ca78a82c579c5244aebd9a58b56a9886f6bc4b5 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is
used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb_ops.c | 32 
1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index
44fb5b70e6d33fffbca5824f831a3229254ecb57..a81840b2515d09f91d1dfa783bcf08f0fad112b4


100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
#include "util/cert.h"
#include 

+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
static uint32_t get_attr_as_uint32(struct ldb_message *msg, const
char *attr)
{
const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
return ret;
}

+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 struct ldb_dn *entry_dn,
 struct sysdb_attrs *attrs,
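Review bot: get_attr_storage() tests the mask for equality against each combination and falls back to an empty string, so any value other than the three listed is printed as "[]" in the log; since the values are built by OR-ing SSS_SYSDB_CACHE and SSS_SYSDB_TS_CACHE, a switch with an explicit default (for example "unknown") would make an unexpected mask visible. state_mask holds bit flags, so an unsigned type fits better than int, and there is a stray space before the closing parenthesis in 'SSS_SYSDB_BOTH_CACHE )'.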
@@ -1184,6 +1205,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx
*sysdb,
bool sysdb_write = true;
errno_t ret = EOK;
errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;

sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs,
mod_op);
if (sysdb_write == true) {
@@ -1192,6 +1214,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx
*sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
  "Cannot set attrs for %s, %d [%s]\n",
  ldb_dn_get_linearized(entry_dn), ret,
sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
}
}

@@ -1201,9 +1225,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx
*sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot set ts attrs for %s\n",
ldb_dn_get_linearized(entry_dn));
/* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
}
}

+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
return ret;
}

--
2.7.4




From 6e7143b26fb5696a9b684c0da96353a7d5d07700 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache
changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index
6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd


100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct
ldb_message *old_entry,
return true;
}

-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
 struct ldb_message *mod_msg)
{
struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct
ldb_message *db_msg,
 */
if (mod_msg_el->num_values > 0) {
/* We can ignore additions of timestamp
attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs,
reason: " \
+ "attr [%s] is new.\n",
+
ldb
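Review bot: In the new DEBUG call the format string is split with a trailing backslash ('"reason: " \'); adjacent string literals are concatenated by the compiler without it, so drop the backslash. This message is logged at SSSDBG_TRACE_FUNC while the companion message added to sysdb_set_entry_attr() in patch 1/2 uses SSSDBG_FUNC_DATA; pick one level for both so that a single debug_level setting shows which cache was written together with the reason the entry was considered different.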

[SSSD] Re: [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-22 Thread Petr Cech

On 08/19/2016 05:18 PM, Lukas Slebodnik wrote:

On (19/08/16 13:35), Petr Cech wrote:

On 08/19/2016 01:00 PM, Petr Cech wrote:

On 08/18/2016 12:39 PM, Lukas Slebodnik wrote:

On (17/08/16 14:32), Petr Cech wrote:

Hello list,

there is attached patch set for intg. testing of ldap nested netgroups.

I used last version of Lukas patch 'sssd_netgroup.py: Resolve nested
netgroups'. I don't know if it is on list.

It is still WIP. It is in state that it is possible to run it.
But there are comments in code what is needed to fix.


If I remove some netgroups (in test), it is updated on LDAP and in
cache, but
sssd_netgroup.get_sssd_netgroups() returns nothing.


Yes, I was too strict regarding to failures in resolving nested
netgroups.
glibc(getent netgroup) does not fail if there is non-existing nested
netgroup.

There is a bunch of pep8 warnings. Please fix them.
sh$ pep8 src/tests/intg/test_netgroup.py | wc -l
29


Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 2/2] WIP: INTG: Tests for ldap nested netgroups

This patch adds tests on reproducer of t2841.

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
src/tests/intg/Makefile.am  |   1 +
src/tests/intg/test_netgroup.py | 487

2 files changed, 488 insertions(+)
create mode 100644 src/tests/intg/test_netgroup.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index
b8cc5c006845f911d8518df815925455482e9f6d..b3c553539d9e74dae986fa6551041544dd687c11
100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -14,6 +14,7 @@ dist_noinst_DATA = \
util.py \
test_memory_cache.py \
test_ts_cache.py \
+test_netgroup.py \
$(NULL)

config.py: config.py.m4
diff --git a/src/tests/intg/test_netgroup.py
b/src/tests/intg/test_netgroup.py
new file mode 100644
index
..4be2b1c7048f3d8dc4797557d6decf1367eea36d

--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,487 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech 
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+

//snip


+@pytest.fixture
+def reproducer_t2841(request, ldap_conn):
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
+ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
+ent_list.add_netgroup("t2841_netgroup3", [],
+ ["t2841_netgroup1", "t2841_netgroup2"])
+
+create_ldap_fixture(request, ldap_conn, ent_list)
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, enum=True)
+create_conf_fixture(request, conf)
+create_sssd_fixture(request)
+return (ldap_conn, ent_list)
+
+
+def test_reproducer_t2841(reproducer_t2841):
+"""
+Adding two nested netgroup.
+"""
+
+ldap_conn = reproducer_t2841[0]
+ent_list = reproducer_t2841[1]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host1', 'user1', 'domain1')]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2')]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2'),
+  ('host1', 'user1', 'domain1')]
+
+# removing of t2841_netgroup1
+ldap_conn.delete_s(ent_list[0][0])
+ent_list.remove(ent_list[0])
+if subprocess.call(["sss_cache", "-N"]) != 0:
+raise Exception("sssd_cache failed")
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+assert netgroups ==  []
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host
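Review bot: The exception raised when 'sss_cache -N' fails says "sssd_cache failed", which names a command other than the one being run; use "sss_cache failed", or call subprocess.check_call so the failing command is reported for you. The t2841_netgroup3 assertion compares against a list in a fixed order, host2 before host1, so the test depends on the order in which nested members come back; compare sorted lists or sets unless that order is part of the contract. ent_list[0][0] relies on t2841_netgroup1 being the first entry added, the docstring "Adding two nested netgroup." does not mention that the test goes on to remove one, and '==  [' has a doubled space that pep8 reports.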

[SSSD] Re: [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-19 Thread Petr Cech

On 08/19/2016 01:26 PM, Jakub Hrozek wrote:

On Fri, Aug 19, 2016 at 12:54:07PM +0200, Petr Cech wrote:

On 08/17/2016 02:37 PM, Petr Cech wrote:

On 08/12/2016 09:17 AM, Petr Cech wrote:

On 08/11/2016 08:53 AM, Petr Cech wrote:

On 08/03/2016 12:34 PM, Michal Židek wrote:

Two nitpicks, see inline.

On 07/22/2016 02:34 PM, Petr Cech wrote:


+static errno_t add_to_missing_attrs (TALLOC_CTX * mem_ctx,
+ struct sysdb_attrs *attrs,
+ const char *ext_key,
+ char ***_missing)

   ^
Coding style. Remove the space between function name and "(".
Do not forget to align the parameters after that.


Addressed.


+{
+bool is_present = false;
+size_t size = 0;
+size_t ret;
+
+for (int i = 0; i < attrs->num; i++) {
+if (strcmp(ext_key, attrs->a[i].name) == 0) {
+is_present = true;
+}
+size++;
+}
+
+if (is_present == false) {
+ret = add_string_to_list(attrs, ext_key, _missing);
+if (ret != EOK) {
+goto fail;
+}
+}
+
+ret = EOK;
+
+fail:


Please change the label name to "done". According to
our new coding style, the code that follows label "fail"
is only executed when failure occurs. I know we do not
follow this everywhere,  but I would like to be consistent
in new code.


Addressed.


+return ret;
+}
+
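Review bot: ret is declared size_t but holds the errno_t result of add_string_to_list() and is returned from a function declared errno_t; declare it errno_t. The size counter is incremented in the loop and never read, and the loop keeps scanning after is_present is set, so drop the counter and break on the first match. mem_ctx is not used in the lines shown, since attrs is what gets passed as the first argument of add_string_to_list(); either use mem_ctx there or remove the parameter.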


Other than that it looks good to me.

Also it would be good to add a CI tests for this. I do
not want to postpone this patch before release, so you can
do it later as part of this ticket:
https://fedorahosted.org/sssd/ticket/3119

So either send a patch with CI test now or
assign the above ticket to yourself and do it
when there is more time.

Michal


Hello,

there is fixed patch attached.

I am working on CI test. I hope it will be ready soon.

Regards.


CI INTG tests will be solved in another mail thread. They are dependent
on Lukas patches.


Tests are solved in
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
mailing thread.


Hello,

whole patch set for
LDAP: Fixing of removing netgroup from cache
is in
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
mailing thread.


Can you change the thread subject then with the next response there? It's
a bit confusing that a fix is in WIP thread whose subject is tests..


Right, subject changed from
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
to
[SSSD] [PATCH] LDAP: Fixing of removing netgroup from cache


--
Petr^4 Čech


[SSSD] [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-19 Thread Petr Cech

On 08/19/2016 01:00 PM, Petr Cech wrote:

On 08/18/2016 12:39 PM, Lukas Slebodnik wrote:

On (17/08/16 14:32), Petr Cech wrote:

Hello list,

there is attached patch set for intg. testing of ldap nested netgroups.

I used last version of Lukas patch 'sssd_netgroup.py: Resolve nested
netgroups'. I don't know if it is on list.

It is still WIP. It is in state that it is possible to run it.
But there are comments in code what is needed to fix.


If I remove some netgroups (in test), it is updated on LDAP and in
cache, but
sssd_netgroup.get_sssd_netgroups() returns nothing.


Yes, I was too strict regarding to failures in resolving nested
netgroups.
glibc(getent netgroup) does not fail if there is non-existing nested
netgroup.

There is a bunch of pep8 warnings. Please fix them.
sh$ pep8 src/tests/intg/test_netgroup.py | wc -l
29


Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 2/2] WIP: INTG: Tests for ldap nested netgroups

This patch adds tests on reproducer of t2841.

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
src/tests/intg/Makefile.am  |   1 +
src/tests/intg/test_netgroup.py | 487

2 files changed, 488 insertions(+)
create mode 100644 src/tests/intg/test_netgroup.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index
b8cc5c006845f911d8518df815925455482e9f6d..b3c553539d9e74dae986fa6551041544dd687c11
100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -14,6 +14,7 @@ dist_noinst_DATA = \
util.py \
test_memory_cache.py \
test_ts_cache.py \
+test_netgroup.py \
$(NULL)

config.py: config.py.m4
diff --git a/src/tests/intg/test_netgroup.py
b/src/tests/intg/test_netgroup.py
new file mode 100644
index
..4be2b1c7048f3d8dc4797557d6decf1367eea36d

--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,487 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech 
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+

//snip


+@pytest.fixture
+def reproducer_t2841(request, ldap_conn):
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
+ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
+ent_list.add_netgroup("t2841_netgroup3", [],
+ ["t2841_netgroup1", "t2841_netgroup2"])
+
+create_ldap_fixture(request, ldap_conn, ent_list)
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, enum=True)
+create_conf_fixture(request, conf)
+create_sssd_fixture(request)
+return (ldap_conn, ent_list)
+
+
+def test_reproducer_t2841(reproducer_t2841):
+"""
+Adding two nested netgroup.
+"""
+
+ldap_conn = reproducer_t2841[0]
+ent_list = reproducer_t2841[1]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host1', 'user1', 'domain1')]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2')]
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2'),
+  ('host1', 'user1', 'domain1')]
+
+# removing of t2841_netgroup1
+ldap_conn.delete_s(ent_list[0][0])
+ent_list.remove(ent_list[0])
+if subprocess.call(["sss_cache", "-N"]) != 0:
+raise Exception("sssd_cache failed")
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+assert netgroups ==  []
+
+res, errno, netgroups =
sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2')]
+
+# FIX: This should be S

[SSSD] Re: [PATCH SET] WIP: INTG: Tests for ldap nested netgroups

2016-08-19 Thread Petr Cech

On 08/18/2016 12:39 PM, Lukas Slebodnik wrote:

On (17/08/16 14:32), Petr Cech wrote:

Hello list,

there is attached patch set for intg. testing of ldap nested netgroups.

I used last version of Lukas patch 'sssd_netgroup.py: Resolve nested
netgroups'. I don't know if it is on list.

It is still WIP. It is in state that it is possible to run it.
But there are comments in code what is needed to fix.


If I remove some netgroups (in test), it is updated on LDAP and in cache, but
sssd_netgroup.get_sssd_netgroups() returns nothing.


Yes, I was too strict regarding to failures in resolving nested netgroups.
glibc(getent netgroup) does not fail if there is non-existing nested netgroup.

There is a bunch of pep8 warnings. Please fix them.
sh$ pep8 src/tests/intg/test_netgroup.py | wc -l
29


Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 2/2] WIP: INTG: Tests for ldap nested netgroups

This patch adds tests on reproducer of t2841.

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
src/tests/intg/Makefile.am  |   1 +
src/tests/intg/test_netgroup.py | 487 
2 files changed, 488 insertions(+)
create mode 100644 src/tests/intg/test_netgroup.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 
b8cc5c006845f911d8518df815925455482e9f6d..b3c553539d9e74dae986fa6551041544dd687c11
 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -14,6 +14,7 @@ dist_noinst_DATA = \
util.py \
test_memory_cache.py \
test_ts_cache.py \
+test_netgroup.py \
$(NULL)

config.py: config.py.m4
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
new file mode 100644
index 
..4be2b1c7048f3d8dc4797557d6decf1367eea36d
--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,487 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech 
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+

//snip


+@pytest.fixture
+def reproducer_t2841(request, ldap_conn):
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
+ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
+ent_list.add_netgroup("t2841_netgroup3", [],
+ ["t2841_netgroup1", "t2841_netgroup2"])
+
+create_ldap_fixture(request, ldap_conn, ent_list)
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, enum=True)
+create_conf_fixture(request, conf)
+create_sssd_fixture(request)
+return (ldap_conn, ent_list)
+
+
+def test_reproducer_t2841(reproducer_t2841):
+"""
+Adding two nested netgroup.
+"""
+
+ldap_conn = reproducer_t2841[0]
+ent_list = reproducer_t2841[1]
+
+res, errno, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host1', 'user1', 'domain1')]
+
+res, errno, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2')]
+
+res, errno, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2'),
+  ('host1', 'user1', 'domain1')]
+
+# removing of t2841_netgroup1
+ldap_conn.delete_s(ent_list[0][0])
+ent_list.remove(ent_list[0])
+if subprocess.call(["sss_cache", "-N"]) != 0:
+raise Exception("sssd_cache failed")
+
+res, errno, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+assert netgroups ==  []
+
+res, errno, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgroups ==  [('host2', 'user2', 'domain2')]
+
+# FIX: This should be SUCCES
+res, errno, netgroups = sssd_
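Review bot: in test_reproducer_t2841 the failure path raises Exception("sssd_cache failed") although the command it runs is sss_cache, so the message should name sss_cache. The expected result for t2841_netgroup3 is compared as a list in a fixed order (host2 before host1); comparing sorted lists would keep the test independent of the order in which nested netgroups are walked. ldap_conn.delete_s(ent_list[0][0]) also depends on t2841_netgroup1 being the first entry the fixture added, so looking the DN up by name would be more robust, and the double space in `assert netgroups ==  [` is a pep8 E222 finding.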

[SSSD] Re: [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-19 Thread Petr Cech

On 08/17/2016 02:37 PM, Petr Cech wrote:

On 08/12/2016 09:17 AM, Petr Cech wrote:

On 08/11/2016 08:53 AM, Petr Cech wrote:

On 08/03/2016 12:34 PM, Michal Židek wrote:

Two nitpicks, see inline.

On 07/22/2016 02:34 PM, Petr Cech wrote:


+static errno_t add_to_missing_attrs (TALLOC_CTX * mem_ctx,
+ struct sysdb_attrs *attrs,
+ const char *ext_key,
+ char ***_missing)

   ^
Coding style. Remove the space between function name and "(".
Do not forget to align the parameters after that.


Addressed.


+{
+bool is_present = false;
+size_t size = 0;
+size_t ret;
+
+for (int i = 0; i < attrs->num; i++) {
+if (strcmp(ext_key, attrs->a[i].name) == 0) {
+is_present = true;
+}
+size++;
+}
+
+if (is_present == false) {
+ret = add_string_to_list(attrs, ext_key, _missing);
+if (ret != EOK) {
+goto fail;
+}
+}
+
+ret = EOK;
+
+fail:


Please change the label name to "done". According to
our new coding style, the code that follows label "fail"
is only executed when failure occurs. I know we do not
follow this everywhere,  but I would like to be consistent
in new code.


Addressed.


+return ret;
+}
+
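Review bot: in add_to_missing_attrs, `size_t ret;` holds the result of add_string_to_list and is compared with EOK and then returned from a function declared as errno_t, so it should be declared `errno_t ret;`. The `size` counter is incremented in the loop but never read in the visible body and can be dropped.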


Other than that it looks good to me.

Also it would be good to add a CI tests for this. I do
not want to postpone this patch before release, so you can
do it later as part of this ticket:
https://fedorahosted.org/sssd/ticket/3119

So either send a patch with CI test now or
assign the above ticket to yourself and do it
when there is more time.

Michal


Hello,

there is fixed patch attached.

I am working on CI test. I hope it will be ready soon.

Regards.


CI INTG tests will be solved in another mail thread. They are dependent
on Lukas patches.


Tests are solved in
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
mailing thread.


Hello,

whole patch set for
LDAP: Fixing of removing netgroup from cache
is in
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
mailing thread.

--
Petr^4 Čech
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-19 Thread Petr Cech

On 08/19/2016 11:42 AM, Petr Cech wrote:

On 08/19/2016 11:24 AM, Lukas Slebodnik wrote:

On (19/08/16 08:55), Petr Cech wrote:

On 08/18/2016 12:22 PM, Petr Cech wrote:

On 08/18/2016 12:19 PM, Lukas Slebodnik wrote:

ehlo,

python wrapper for retrieving netgroups was pushed too early.
Attached patch fixes it.

LS


Thanks, Lukas. I will take a look
and I will try it with my tests :-)


Hi Lukas,

your patch works how we expected.

There are a few PEP8 issues:

$ pep8 src/tests/intg/sssd_netgroup.py
src/tests/intg/sssd_netgroup.py:131:80: E501 line too long
src/tests/intg/sssd_netgroup.py:150:80: E501 line too long
src/tests/intg/sssd_netgroup.py:151:80: E501 line too long

Please, fix them.


It's just a WIP version which should unblock your testing?
and there are missing comments + other things.


Great :-)


I could say LGTM, but... you know, I have issue with my nested netgroups
tests. I rather wait until I will resolve this one. And I will see
that this
your patch is final.


Do you need help?

BTW I think you need to use ldapmodify and I did something similar
in test for fetching extra attributes.

https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/PBIETZ5DFZRQS53AXZWJHS2JLA3YURSN/attachment/3/0002-intg-Test-extra-attributes-duplicate.patch



Actually I work on ldapmodify now. I will take a look to your hint.
Issue is that I have removed whole netgroups but I only need to remove it
from one which contains them.

So, it is different remove A or A from B :-)


I just resolved tests for deleting on nested netgroups.
I will send patch very soon.

Your patch looks good to me. I am looking forward
to next version.

Regards

--
Petr^4 Čech
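The distinction drawn in this thread (deleting netgroup A outright versus removing A from the netgroup B that nests it), as an added example that is not part of the original mails or of SSSD's sssd_netgroup.py. The `Directory` class and its methods are hypothetical, the data is constructed from the t2841 fixture names, and the resolver assumes the glibc-like behaviour Lukas describes, where a dangling nested reference is skipped instead of failing the lookup.

```python
"""In-memory model of nested netgroup resolution (illustrative only)."""


def parse_triple(text):
    """Turn '(host,user,domain)' into a ('host', 'user', 'domain') tuple."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("not a netgroup triple: %r" % text)
    fields = [field.strip() for field in text[1:-1].split(",")]
    if len(fields) != 3:
        raise ValueError("triple needs exactly three fields: %r" % text)
    return tuple(fields)


class Directory:
    """Constructed stand-in for the LDAP tree: cn -> (triples, members)."""

    def __init__(self):
        self.entries = {}

    def add_netgroup(self, cn, triples=(), members=()):
        self.entries[cn] = (list(triples), list(members))

    def delete_netgroup(self, cn):
        """Delete A outright; references to A in other netgroups dangle."""
        del self.entries[cn]

    def remove_member(self, parent, child):
        """Remove A from B only; A itself stays resolvable."""
        self.entries[parent][1].remove(child)

    def resolve(self, cn):
        """Return (found, sorted triples, sorted dangling member names).

        A missing top-level netgroup is "not found". A missing nested
        netgroup is skipped and reported, it does not fail the lookup.
        """
        if cn not in self.entries:
            return False, [], []
        triples, dangling, seen = set(), set(), set()
        stack = [cn]
        while stack:
            name = stack.pop()
            if name in seen:
                continue  # cycle or diamond: each netgroup is visited once
            seen.add(name)
            entry = self.entries.get(name)
            if entry is None:
                dangling.add(name)
                continue
            own, members = entry
            triples.update(parse_triple(item) for item in own)
            stack.extend(members)
        return True, sorted(triples), sorted(dangling)


def build_t2841():
    """Same three netgroups as the reproducer fixture quoted on this page."""
    directory = Directory()
    directory.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
    directory.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
    directory.add_netgroup("t2841_netgroup3", [],
                           ["t2841_netgroup1", "t2841_netgroup2"])
    return directory


if __name__ == "__main__":
    deleted = build_t2841()
    deleted.delete_netgroup("t2841_netgroup1")      # "remove A"
    print(deleted.resolve("t2841_netgroup3"))

    detached = build_t2841()
    detached.remove_member("t2841_netgroup3", "t2841_netgroup1")  # "A from B"
    print(detached.resolve("t2841_netgroup1"))
    print(detached.resolve("t2841_netgroup3"))
```

In both cases the parent netgroup keeps resolving to the remaining triple; only the outright delete leaves a dangling name behind and makes a direct lookup of the deleted netgroup report "not found".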


[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-19 Thread Petr Cech

On 08/19/2016 11:24 AM, Lukas Slebodnik wrote:

On (19/08/16 08:55), Petr Cech wrote:

On 08/18/2016 12:22 PM, Petr Cech wrote:

On 08/18/2016 12:19 PM, Lukas Slebodnik wrote:

ehlo,

python wrapper for retrieving netgroups was pushed too early.
Attached patch fixes it.

LS


Thanks, Lukas. I will take a look
and I will try it with my tests :-)


Hi Lukas,

your patch works how we expected.

There are a few PEP8 issues:

$ pep8 src/tests/intg/sssd_netgroup.py
src/tests/intg/sssd_netgroup.py:131:80: E501 line too long
src/tests/intg/sssd_netgroup.py:150:80: E501 line too long
src/tests/intg/sssd_netgroup.py:151:80: E501 line too long

Please, fix them.


It's just a WIP version which should unblock your testing?
and there are missing comments + other things.


Great :-)


I could say LGTM, but... you know, I have issue with my nested netgroups
tests. I rather wait until I will resolve this one. And I will see that this
your patch is final.


Do you need help?

BTW I think you need to use ldapmodify and I did something similar
in test for fetching extra attributes.

https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/PBIETZ5DFZRQS53AXZWJHS2JLA3YURSN/attachment/3/0002-intg-Test-extra-attributes-duplicate.patch


Actually I work on ldapmodify now. I will take a look to your hint.
Issue is that I have removed whole netgroups but I only need to remove it
from one which contains them.


So, it is different remove A or A from B :-)

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-18 Thread Petr Cech

On 08/18/2016 12:22 PM, Petr Cech wrote:

On 08/18/2016 12:19 PM, Lukas Slebodnik wrote:

ehlo,

python wrapper for retrieving netgroups was pushed too early.
Attached patch fixes it.

LS


Thanks, Lukas. I will take a look
and I will try it with my tests :-)


Hi Lukas,

your patch works how we expected.

There are a few PEP8 issues:

$ pep8 src/tests/intg/sssd_netgroup.py
src/tests/intg/sssd_netgroup.py:131:80: E501 line too long
src/tests/intg/sssd_netgroup.py:150:80: E501 line too long
src/tests/intg/sssd_netgroup.py:151:80: E501 line too long

Please, fix them.

I could say LGTM, but... you know, I have issue with my nested netgroups 
tests. I rather wait until I will resolve this one. And I will see that 
this your patch is final.


Thanks for your work, Lukas.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-18 Thread Petr Cech

On 08/16/2016 02:32 PM, Petr Cech wrote:

On 08/16/2016 01:22 PM, Petr Cech wrote:



On 08/16/2016 01:02 PM, Lukas Slebodnik wrote:

On (16/08/16 12:52), Petr Cech wrote:

On 08/16/2016 10:15 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 09:50:19AM +0200, Petr Cech wrote:

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIF in special
debug level. What does it mean 'special debug
level'? Is it new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards




Please no magic constants in SSSD code :)


Hello Jakub,

there is fixed version without magic :-)

--
Petr^4 'magician' Čech



From 2ca78a82c579c5244aebd9a58b56a9886f6bc4b5 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is
used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb_ops.c | 32 
1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index
44fb5b70e6d33fffbca5824f831a3229254ecb57..a81840b2515d09f91d1dfa783bcf08f0fad112b4

100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
#include "util/cert.h"
#include 

+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
static uint32_t get_attr_as_uint32(struct ldb_message *msg, const
char *attr)
{
const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
return ret;
}

+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 struct ldb_dn *entry_dn,
 struct sysdb_attrs *attrs,
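Review bot: in get_attr_storage the condition `if (state_mask == SSS_SYSDB_BOTH_CACHE ) {` has a stray space before the closing parenthesis. The function also returns an empty string for SSS_SYSDB_NO_CACHE and for any mask it does not recognise; a short comment saying that callers are expected to pass only the three SSS_SYSDB_* combinations, or an explicit final else branch, would make that fallback intentional.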
@@ -1184,6 +1205,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
bool sysdb_write = true;
errno_t ret = EOK;
errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;

sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs,
mod_op);
if (sysdb_write == true) {
@@ -1192,6 +1214,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
  "Cannot set attrs for %s, %d [%s]\n",
  ldb_dn_get_linearized(entry_dn), ret,
sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
}
}

@@ -1201,9 +1225,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx
*sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot set ts attrs for %s\n",
ldb_dn_get_linearized(entry_dn));
/* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
}
}

+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
return ret;
}
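Review bot: the new debug message "Entry [%s] has set [%s] attrs." in sysdb_set_entry_attr reads awkwardly and does not say that the bracketed value is a storage name; something like "Attributes of entry [%s] were written to [%s]." would be clearer to whoever reads the log. The continuation arguments of that DEBUG call should also be aligned with the opening parenthesis, as in the DEBUG calls above it.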

--
2.7.4




From 6e7143b26fb5696a9b684c0da96353a7d5d07700 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache
changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index
6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd

100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct
ldb_message *old_entry,
return true;
}

-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
 struct ldb_message *mod_msg)
{
struct ldb_message_element *mod_msg_el;
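Review bot: sysdb_ldb_msg_difference gains an `entry_dn` parameter that is needed only for the new debug output. struct ldb_message already has a `dn` member, so check whether `db_msg->dn` (or `mod_msg->dn`) identifies the same entry; if it does, the signature can stay as it was and the caller does not need to change.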
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct
ldb_message *db_msg,
 */
if (mod_msg_el->num_values > 0) {
/* We can ignore additions of timestamp
attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs,
reason: " \
+ "attr [%s] is new.\n",
+
ldb_dn_get_linearized(entry_dn),
+   
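Review bot: the format string in the new DEBUG call is split as `"Entry [%s] differs, reason: " \` followed by `"attr [%s] is new.\n"`. Adjacent string literals are concatenated by the compiler, so the trailing backslash is unnecessary here and should be removed. This message is logged at SSSDBG_TRACE_FUNC while the companion message in patch 1/2 uses SSSDBG_FUNC_DATA; pick one level for both so they show up together.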

[SSSD] Re: [PATCH] sssd_netgroup.py: Resolve nested netgroups

2016-08-18 Thread Petr Cech

On 08/18/2016 12:19 PM, Lukas Slebodnik wrote:

ehlo,

python wrapper for retrieving netgroups was pushed too early.
Attached patch fixes it.

LS


Thanks, Lukas. I will take a look
and I will try it with my tests :-)

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH] Better error message if sssctl is ran w/o activating the IFP responder

2016-08-17 Thread Petr Cech

On 08/17/2016 04:23 PM, Justin Stephenson wrote:

On 08/17/2016 04:26 AM, Pavel Březina wrote:

On 08/16/2016 05:33 PM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 04:16:08PM +0200, Petr Cech wrote:

On 08/16/2016 04:06 PM, Justin Stephenson wrote:

Updated patch attached.

Kind regards,
Justin Stephenson


Thanks, Justin.

Obviously ACK.


Umm..I'm by no means a UI designer, but does HINT in ALL CAPS look
awkward to anyone else?


Yes. How about:

Check that SSSD is running and that the InfoPipe responder is enabled.
Make sure "ifp" is listed in "services" option in sssd.conf.

Agreed, please see updated patch.


ACK obviously.

--
Petr^4 Čech


[SSSD] Re: [PATCH] LDAP: Fixing of removing netgroup from cache

2016-08-17 Thread Petr Cech

On 08/12/2016 09:17 AM, Petr Cech wrote:

On 08/11/2016 08:53 AM, Petr Cech wrote:

On 08/03/2016 12:34 PM, Michal Židek wrote:

Two nitpicks, see inline.

On 07/22/2016 02:34 PM, Petr Cech wrote:


+static errno_t add_to_missing_attrs (TALLOC_CTX * mem_ctx,
+ struct sysdb_attrs *attrs,
+ const char *ext_key,
+ char ***_missing)

   ^
Coding style. Remove the space between function name and "(".
Do not forget to align the parameters after that.


Addressed.


+{
+bool is_present = false;
+size_t size = 0;
+size_t ret;
+
+for (int i = 0; i < attrs->num; i++) {
+if (strcmp(ext_key, attrs->a[i].name) == 0) {
+is_present = true;
+}
+size++;
+}
+
+if (is_present == false) {
+ret = add_string_to_list(attrs, ext_key, _missing);
+if (ret != EOK) {
+goto fail;
+}
+}
+
+ret = EOK;
+
+fail:


Please change the label name to "done". According to
our new coding style, the code that follows label "fail"
is only executed when failure occurs. I know we do not
follow this everywhere,  but I would like to be consistent
in new code.


Addressed.


+return ret;
+}
+
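Review bot: the loop in add_to_missing_attrs keeps iterating after `is_present = true;`, so a `break` there would stop at the first match. The `mem_ctx` parameter is never used in the visible body, and `attrs` is passed as the first argument of add_string_to_list instead; if that argument is the allocation context, pass `mem_ctx` there, otherwise drop the parameter.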


Other than that it looks good to me.

Also it would be good to add a CI tests for this. I do
not want to postpone this patch before release, so you can
do it later as part of this ticket:
https://fedorahosted.org/sssd/ticket/3119

So either send a patch with CI test now or
assign the above ticket to yourself and do it
when there is more time.

Michal


Hello,

there is fixed patch attached.

I am working on CI test. I hope it will be ready soon.

Regards.


CI INTG tests will be solved in another mail thread. They are dependent
on Lukas patches.


Tests are solved in
[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups
mailing thread.

--
Petr^4 Čech


[SSSD] [PATCH SET] WIP: INTG: Tests for ldap nested netgroups

2016-08-17 Thread Petr Cech

Hello list,

there is attached patch set for intg. testing of ldap nested netgroups.

I used last version of Lukas patch 'sssd_netgroup.py: Resolve nested 
netgroups'. I don't know if it is on list.


It is still WIP. It is in state that it is possible to run it.
But there are comments in code what is needed to fix.


If I remove some netgroups (in test), it is updated on LDAP and in 
cache, but sssd_netgroup.get_sssd_netgroups() returns nothing.


Please, see test_reproducer_t2841() in the second patch
for more details. I debug it with run_shell() and there are some
notes from LDAP server and LDB cache attached [1].


[1] ldap_ldb_content.txt


Regards

--
Petr^4 Čech
From 66ba2a7b1ed2cf5d255f92f66f74200cd1ccdd3f Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 17 Aug 2016 14:01:09 +0200
Subject: [PATCH 1/2] INTG: Adding support for netgroups to ldap_ent

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
 src/tests/intg/ldap_ent.py | 20 
 1 file changed, 20 insertions(+)

diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py
index f8f2f7fe6977aec6fd704ad1c78a476a163a16f1..f7835a5a9c0a0f50a91c0085f02964cfafcfeebf 100644
--- a/src/tests/intg/ldap_ent.py
+++ b/src/tests/intg/ldap_ent.py
@@ -87,6 +87,21 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]):
 return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list)
 
 
+def netgroup(base_dn, cn, triples=[], members=[]):
+"""
+Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*.
+"""
+attr_list = [
+('objectClass', ['top', 'nisNetgroup'])
+]
+member_list = []
+if len(triples) > 0:
+attr_list.append(('nisNetgroupTriple', triples))
+if len(members) > 0:
+attr_list.append(('memberNisNetgroup', members))
+return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list)
+
+
 class List(list):
 """LDAP add-modlist list"""
 
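Review bot: in the new netgroup() helper, `member_list = []` is assigned but never used and should be removed. The parameters `triples=[]` and `members=[]` are mutable default arguments; the function only reads them, but `None` defaults (or tuples) would avoid the usual shared-default pitfall if the body ever starts modifying them.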
@@ -124,3 +139,8 @@ class List(list):
 self.append(group_bis(base_dn or self.base_dn,
   cn, gidNumber,
   member_uids, member_gids))
+
+def add_netgroup(self, cn, triples=[], members=[], base_dn=None):
+"""Add an RFC2307bis netgroup add-modlist."""
+    self.append(netgroup(base_dn or self.base_dn,
+ cn, triples, members))
-- 
2.7.4

From 52b9fea07dad715794a9413844b16b5a0f5a787e Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 2/2] WIP: INTG: Tests for ldap nested netgroups

This patch adds tests on reproducer of t2841.

Resolves:
https://fedorahosted.org/sssd/ticket/2841
---
 src/tests/intg/Makefile.am  |   1 +
 src/tests/intg/test_netgroup.py | 487 
 2 files changed, 488 insertions(+)
 create mode 100644 src/tests/intg/test_netgroup.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index b8cc5c006845f911d8518df815925455482e9f6d..b3c553539d9e74dae986fa6551041544dd687c11 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -14,6 +14,7 @@ dist_noinst_DATA = \
 util.py \
 test_memory_cache.py \
 test_ts_cache.py \
+test_netgroup.py \
 $(NULL)
 
 config.py: config.py.m4
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
new file mode 100644
index 0000..4be2b1c7048f3d8dc4797557d6decf1367eea36d
--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,487 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech 
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import sys
+import stat
+import pwd
+import grp
+import ent
+import config
+import signal
+import subprocess
+import time
+import ldap
+import pytest
+import ds_openldap
+import ldap_ent
+import sssd_netgroup
+from util import *
+
+
+LDAP_BASE_DN = "dc=example,dc=com"
+INTERACTIVE_TIMEOUT = 4
+
+
+@pytest.fixture(scope="module")
+def ds_inst(request):
+"""LDAP server instance fixture"""
+ds_inst = ds_openldap.DSOpenLDAP(
+config.PREFIX, 10389, LDAP_BASE_DN,
+&qu
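Review bot: the import block of test_netgroup.py ends with `from util import *`, which hides where the helper names used by the tests come from and can shadow the modules imported above it; import the needed names from util explicitly. The long list of module imports before it (os, sys, stat, pwd, grp, ent, signal, time and others) should be trimmed to what the finished file actually uses.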

[SSSD] Re: [PATCH 1/2] LDAP: Adding support for SIGTERM signal

2016-08-17 Thread Petr Cech

On 08/17/2016 01:10 PM, Pavel Březina wrote:

On 08/15/2016 01:27 PM, Petr Cech wrote:

On 08/15/2016 09:59 AM, Jakub Hrozek wrote:

On Mon, Aug 15, 2016 at 09:47:27AM +0200, Petr Cech wrote:

On 08/12/2016 04:13 PM, Jakub Hrozek wrote:

On Fri, Aug 12, 2016 at 03:41:26PM +0200, Petr Cech wrote:

On 08/12/2016 03:07 PM, Jakub Hrozek wrote:

Logs now look like:


[root@albireo sssd]# grep 'child' sssd_ipa.cygnus.dev.log
[child_handler_setup] (0x2000): Setting up signal handler up for
pid [18835]
[child_handler_setup] (0x2000): Signal handler set up for pid
[18835]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for
tgt child

(6 seconds later)

[get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM
to tgt child
[18835] reached.
[get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout
for sending
SIGKILL to tgt child
[sdap_get_tgt_recv] (0x0020): Cannot parse child response:
[22][Invalid
argument]
[sdap_kinit_done] (0x0020): child failed (22 [Invalid argument])
[child_sig_handler] (0x1000): Waiting for child [18835].
[child_sig_handler] (0x0020): child [18835] failed with status
[7].
[child_callback] (0x0020): LDAP child was terminated due to
timeout

I'm sorry, but these patches still don't fix the issue I was seeing.
Before the patches, when I timed out the child process, I saw:
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[host/client.ipa.t...@ipa.test]
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721
[ldap_child_get_tgt_sync] (0x0100): Using keytab
[MEMORY:/etc/krb5.keytab]
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[get_tgt_timeout_handler] (0x4000): timeout for tgt child [31721]
reached.
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_kinit_done]
(0x0080): Communication with KDC timed out, trying the next one
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[_be_fo_set_port_status] (0x8000): Setting status:
PORT_NOT_WORKING. Called from:
/sssd/src/providers/ldap/sdap_async_connection.c: sdap_kinit_done:
1207
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[fo_set_port_status] (0x0100): Marking port 0 of server
'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[fo_set_port_status] (0x0400): Marking port 0 of duplicate server
'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service
KERBEROS
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_server_status]
(0x1000): Status of server 'unidirect.ipa.test' is 'name resolved'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_port_status]
(0x1000): Port status of port 0 for server 'unidirect.ipa.test' is
'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[fo_resolve_service_send] (0x0020): No available servers for
service 'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[be_resolve_server_done] (0x1000): Server resolution failed: [5]:
Input/output error
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret
[1432158228](Network I/O Error)
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[13]: Permission denied
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]]
[_be_fo_set_port_status] (0x8000): Setting status:
PORT_NOT_WORKING. Called from:
/sssd/src/providers/ldap/sdap_async_connection.c:
sdap_cli_connect_recv: 2048

After the patch, I see:
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]]
[get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to
tgt child [17291] reached.
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]]
[get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for
sending SIGKILL to tgt child
(Fri Aug 12 15:01:05 2016) [[sssd[ldap_child[17291
[sig_term_handler] (0x0010): Received signal [Terminated] [15],
shutting down
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [sdap_get_tgt_recv]
(0x0020): Cannot parse child response: [22][Invalid argument]
here ---^

This is the part I don't like, we try to read the response from
the child's
pipe and fail with a bad error message. I thought this was because
with
the previous patch, we exit the child with zero, but I guess this
was not
the case.. Anyway, we still should fix this, the message would be
really
confusing to admins.


Hi Jakub,

I know I had the same
'Cannot parse child response: [22][Invalid argument]'
in my logs too, see my last mail above.

Some lines after it I have new message
'[child_callback] (0x0020): LDAP child was terminated due to timeout'

I under

[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-17 Thread Petr Cech

On 08/17/2016 10:40 AM, Lukas Slebodnik wrote:

On (17/08/16 09:54), Lukas Slebodnik wrote:

On (16/08/16 16:29), Petr Cech wrote:

On 08/16/2016 03:58 PM, Stephen Gallagher wrote:

On 08/16/2016 09:26 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 03:17:19PM +0200, Petr Cech wrote:

From 24d32d0eb12ddc433e64ffd6411e9e13f0067b35 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828


Did you already have the manpage hunk checked by some native English
speaker?


No native speaker has seen it.


OK, can you please ask Dan or Stephen to help us word the manpage piece
better?


Proposed man page change:



ad_enabled_domains (string)
   A comma-separated list of enabled Active Directory domains.
   If provided, SSSD will ignore any domains not listed in this
   option. If left unset, all domains from the AD forest will
   be available.

   For proper operation, this option must be specified in all
   lower-case and as the fully qualified domain name of the
   Active Directory domain. For example:

   ad_enabled_domains = sales.example.com, eng.example.com

   The short domain name (also known as the NetBIOS or the flat
   name) will be autodetected by SSSD.

   Default: Not set


Thanks Stephen for review.
Fixed patch set is attached.

Regards

--
Petr^4 Čech


From b5420a5710d649c2b8324822bbb55ae53eb1e1f2 Mon Sep 17 00:00:00 2001

From: Petr Cech 
Date: Tue, 21 Jun 2016 08:34:15 +0200
Subject: [PATCH 2/5] AD_PROVIDER: Initializing of ad_enabled_domains

We add ad_enabled_domains into ad_subdomains_ctx.

Resolves:
https://fedorahosted.org/sssd/ticket/2828
---
src/providers/ad/ad_subdomains.c | 82 
1 file changed, 82 insertions(+)


src/providers/ad/ad_subdomains.c: In function ‘ad_subdomains_init’:
src/providers/ad/ad_subdomains.c:1447:34: error: passing argument 4 of 
‘ad_get_enabled_domains’ from incompatible pointer type 
[-Werror=incompatible-pointer-types]
 &ad_enabled_domains);
 ^
src/providers/ad/ad_subdomains.c:60:16: note: expected ‘const char ***’ but 
argument is of type ‘char ***’
static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,
   ^~
src/providers/ad/ad_subdomains.c:1460:32: error: assignment from incompatible 
pointer type [-Werror=incompatible-pointer-types]
sd_ctx->ad_enabled_domains = ad_enabled_domains;
   ^
cc1: all warnings being treated as errors

It's fixed in 4th patch but I would appreciate to fix it
in this patch.


Addressed.


From a9f43343ce46bf130ff8bd64d8c4fea207f9ce05 Mon Sep 17 00:00:00 2001

From: Petr Cech 
Date: Mon, 27 Jun 2016 11:53:19 +0200
Subject: [PATCH 5/5] TESTS: Adding tests for ad_enabled_domains option

There is special logic around ad_enabled_domains option:
* option is disabled by default
* master domain is always added to enabled domains

Resolves:
https://fedorahosted.org/sssd/ticket/2828
---
Makefile.am   |  23 +++
src/tests/cmocka/test_ad_subdomains.c | 328 ++
2 files changed, 351 insertions(+)
create mode 100644 src/tests/cmocka/test_ad_subdomains.c

diff --git a/Makefile.am b/Makefile.am
index 
5d1d671096f986d9387e6199112c017e9bf30e1b..59f69f8d242dad9268ef3341647c0c20aa5d8cc0
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -257,6 +257,7 @@ if HAVE_CMOCKA
test_sbus_opath \
test_fo_srv \
pam-srv-tests \
+test_ad_subdom \
test_ipa_subdom_util \
test_tools_colondb \
test_krb5_wait_queue \
@@ -2797,6 +2798,28 @@ test_fo_srv_LDADD = \
libsss_test_common.la \
$(NULL)

+test_ad_subdom_SOURCES = \
+src/tests/cmocka/test_ad_subdomains.c \
+$(NULL)
+test_ad_subdom_CFLAGS = \
+$(AM_CFLAGS) \
+$(NDR_NBT_CFLAGS) \
+$(NDR_KRB5PAC_CFLAGS) \
+$(NULL)
+test_ad_subdom_LDADD = \
+$(CMOCKA_LIBS) \
+$(POPT_LIBS) \
+$(TALLOC_LIBS) \
+$(LDB_LIBS) \
+$(NDR_NBT_LIBS) \
+$(NDR_KRB5PAC_LIBS) \
+$(SSSD_INTERNAL_LTLIBS) \
+libsss_ldap_common.la \
+libsss_ad_tests.la \
+libsss_test_common.la \
+libdlopen_test_providers.la \
+$(NULL)
+
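Review bot: test_ad_subdom_LDADD does not list the idmap library, and the Debian CI link failure quoted in this thread is an undefined reference to idmap_error_string with "DSO missing from command line" for libsss_idmap.so.0. Add the libtool library for libsss_idmap to this LDADD list so the test links on platforms where indirect dependencies are not resolved implicitly.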


Attached diff fixes build on debian and removes unused parts.

diff --git a/Makefile.am b/Makefile.am
index 5a8112d..edab5ac 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2808,19 +2808,15 @@ test_ad_subdom_SOURCES = \
$(NULL)
test_ad_subdom_CFLAGS = \
$(AM_CFLAGS) \
-$(NDR_NBT_CFLAGS) \

Actually, NDR_NBT_CFLAGS needs to be there
otherwise there is an error


Addressed.



CC   src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o
  In file included from ../sssd/src/tests/cmocka/test_ad_subdomains.c:39:0:
  ../sssd/src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such
  file or director

[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-17 Thread Petr Cech

After reading Lukas mail:

self-NACK for this version.


On 08/17/2016 09:57 AM, Petr Cech wrote:

On 08/16/2016 08:30 PM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 04:29:43PM +0200, Petr Cech wrote:

On 08/16/2016 03:58 PM, Stephen Gallagher wrote:

On 08/16/2016 09:26 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 03:17:19PM +0200, Petr Cech wrote:

From 24d32d0eb12ddc433e64ffd6411e9e13f0067b35 Mon Sep 17
00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828


Did you already have the manpage hunk checked by some native
English
speaker?


No native speaker has seen it.


OK, can you please ask Dan or Stephen to help us word the manpage
piece
better?


Proposed man page change:



ad_enabled_domains (string)
   A comma-separated list of enabled Active Directory domains.
   If provided, SSSD will ignore any domains not listed in this
   option. If left unset, all domains from the AD forest will
   be available.

   For proper operation, this option must be specified in all
   lower-case and as the fully qualified domain name of the
   Active Directory domain. For example:

   ad_enabled_domains = sales.example.com, eng.example.com

   The short domain name (also known as the NetBIOS or the flat
   name) will be autodetected by SSSD.

   Default: Not set


Thanks Stephen for review.
Fixed patch set is attached.

Regards

--
Petr^4 Čech


New issue: the tests don't build on Debian..

/libsss_test_common.a -ltevent -ltalloc -lldb -Wl,-rpath
-Wl,/usr/local/lib/sssd
/usr/bin/ld: src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o:
undefined reference to symbol 'idmap_error_string@@SSS_IDMAP_0.4'
//var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/libsss_idmap.so.0:
error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:11971: recipe for target 'test_ad_subdom' failed


Hi Jakub,
thanks for the notice. I fixed the Makefile and CI passed:
http://sssd-ci.duckdns.org/logs/job/51/80/summary.html

I rebased the patch set, it is attached.

Oh, and I see a new mail from Lukas, I will take a look at it. :-)



Regards

--
Petr^4 Čech
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-17 Thread Petr Cech

On 08/16/2016 08:30 PM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 04:29:43PM +0200, Petr Cech wrote:

On 08/16/2016 03:58 PM, Stephen Gallagher wrote:

On 08/16/2016 09:26 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 03:17:19PM +0200, Petr Cech wrote:

From 24d32d0eb12ddc433e64ffd6411e9e13f0067b35 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828


Did you already have the manpage hunk checked by some native English
speaker?


No native speaker has seen it.


OK, can you please ask Dan or Stephen to help us word the manpage piece
better?


Proposed man page change:



ad_enabled_domains (string)
   A comma-separated list of enabled Active Directory domains.
   If provided, SSSD will ignore any domains not listed in this
   option. If left unset, all domains from the AD forest will
   be available.

   For proper operation, this option must be specified in all
   lower-case and as the fully qualified domain name of the
   Active Directory domain. For example:

   ad_enabled_domains = sales.example.com, eng.example.com

   The short domain name (also known as the NetBIOS or the flat
   name) will be autodetected by SSSD.

   Default: Not set


Thanks Stephen for review.
Fixed patch set is attached.

Regards

--
Petr^4 Čech


New issue: the tests don't build on Debian..

/libsss_test_common.a -ltevent -ltalloc -lldb -Wl,-rpath -Wl,/usr/local/lib/sssd
/usr/bin/ld: src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o: undefined 
reference to symbol 'idmap_error_string@@SSS_IDMAP_0.4'
//var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/libsss_idmap.so.0:
 error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:11971: recipe for target 'test_ad_subdom' failed


Hi Jakub,
thanks for the notice. I fixed the Makefile and CI passed:
http://sssd-ci.duckdns.org/logs/job/51/80/summary.html

I rebased the patch set, it is attached.

Oh, and I see a new mail from Lukas, I will take a look at it. :-)

Regards

--
Petr^4 Čech
From 474512b3601917f7d76054f3eb566a7f4384ae8b Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828
---
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/cfg_rules.ini   |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +
 src/man/sssd-ad.5.xml  | 27 +++
 src/providers/ad/ad_common.h   |  1 +
 src/providers/ad/ad_opts.c |  1 +
 6 files changed, 32 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index ac538788b9878dc2613cb48b7483d392cca41d47..1718a9babf390b95710ec356f25f09ea679bdd73 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -192,6 +192,7 @@ option_strings = {
 
 # [provider/ad]
 'ad_domain' : _('Active Directory domain'),
+'ad_enabled_domains' : _('Enabled Active Directory domains'),
 'ad_server' : _('Active Directory server address'),
 'ad_backup_server' : _('Active Directory backup server address'),
 'ad_hostname' : _('Active Directory client hostname'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index bd0116f334e2605e7671a208225761421511a75a..ef6435b08aee416e377fe854e6768f3fa4fd9650 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -335,6 +335,7 @@ option = ad_access_filter
 option = ad_backup_server
 option = ad_domain
 option = ad_enable_dns_sites
+option = ad_enabled_domains
 option = ad_enable_gc
 option = ad_gpo_access_control
 option = ad_gpo_cache_timeout
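Review bot: style point in the cfg_rules.ini hunk: "option = ad_enabled_domains" is inserted between "option = ad_enable_dns_sites" and "option = ad_enable_gc", which splits the two ad_enable_* entries in a list that otherwise reads as sorted. Moving the new line after "option = ad_enable_gc" keeps the related switches adjacent and makes it harder to misread ad_enabled_domains as another ad_enable_* boolean.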
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 87a74f4af0770874c71baaea02d2313721db78bf..8d97a416c8c97bff096042b0b70a3b2c18183710 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -1,5 +1,6 @@
 [provider/ad]
 ad_domain = str, None, false
+ad_enabled_domains = str, None, false
 ad_server = str, None, false
 ad_backup_server = str, None, false
 ad_hostname = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index ef27976dd62e164cfb91359efc69bd54e1aa9711..8a2f4ade9387f0d5723b7056bdce9e83363cf035 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -114,6 +114,33 @@ ldap_id_mapping = False
 
 
 
+ad_enabled_domains (string)
+
+
+A comma-separated list of enabled Active Directory domains.
+If provided, SSSD wi

[SSSD] Re: [PATCH] LDAP: Log autofs rfc2307 config changes only with enabled responder

2016-08-16 Thread Petr Cech



On 08/16/2016 03:48 PM, Petr Cech wrote:

On 08/16/2016 01:41 PM, Lukas Slebodnik wrote:

ehlo,

attached patch should fix annoying message
with disabled autofs responder.

LS


Hi Lukas,

LGTM, I am waiting for CI.


CI tests passed:
http://sssd-ci.duckdns.org/logs/job/51/72/summary.html

=> ACK

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-16 Thread Petr Cech

On 08/16/2016 03:58 PM, Stephen Gallagher wrote:

On 08/16/2016 09:26 AM, Jakub Hrozek wrote:

> On Tue, Aug 16, 2016 at 03:17:19PM +0200, Petr Cech wrote:

>>>> From 24d32d0eb12ddc433e64ffd6411e9e13f0067b35 Mon Sep 17 00:00:00 2001
>>>> From: Petr Cech 
>>>> Date: Fri, 13 May 2016 05:21:07 -0400
>>>> Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option
>>>>
>>>> Resolves:
>>>> https://fedorahosted.org/sssd/ticket/2828

>>>
>>> Did you already have the manpage hunk checked by some native English
>>> speaker?

>>
>> No native speaker has seen it.

>
> OK, can you please ask Dan or Stephen to help us word the manpage piece
> better?


Proposed man page change:



ad_enabled_domains (string)
   A comma-separated list of enabled Active Directory domains.
   If provided, SSSD will ignore any domains not listed in this
   option. If left unset, all domains from the AD forest will
   be available.

   For proper operation, this option must be specified in all
   lower-case and as the fully qualified domain name of the
   Active Directory domain. For example:

   ad_enabled_domains = sales.example.com, eng.example.com

   The short domain name (also known as the NetBIOS or the flat
   name) will be autodetected by SSSD.

   Default: Not set


Thanks Stephen for review.
Fixed patch set is attached.

Regards

--
Petr^4 Čech
From 891eb02a828ba6c5402aacd8bdb33a10844bc7ba Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/5] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828
---
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/cfg_rules.ini   |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +
 src/man/sssd-ad.5.xml  | 27 +++
 src/providers/ad/ad_common.h   |  1 +
 src/providers/ad/ad_opts.c |  1 +
 6 files changed, 32 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index ac538788b9878dc2613cb48b7483d392cca41d47..1718a9babf390b95710ec356f25f09ea679bdd73 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -192,6 +192,7 @@ option_strings = {
 
 # [provider/ad]
 'ad_domain' : _('Active Directory domain'),
+'ad_enabled_domains' : _('Enabled Active Directory domains'),
 'ad_server' : _('Active Directory server address'),
 'ad_backup_server' : _('Active Directory backup server address'),
 'ad_hostname' : _('Active Directory client hostname'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index bd0116f334e2605e7671a208225761421511a75a..ef6435b08aee416e377fe854e6768f3fa4fd9650 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -335,6 +335,7 @@ option = ad_access_filter
 option = ad_backup_server
 option = ad_domain
 option = ad_enable_dns_sites
+option = ad_enabled_domains
 option = ad_enable_gc
 option = ad_gpo_access_control
 option = ad_gpo_cache_timeout
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 87a74f4af0770874c71baaea02d2313721db78bf..8d97a416c8c97bff096042b0b70a3b2c18183710 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -1,5 +1,6 @@
 [provider/ad]
 ad_domain = str, None, false
+ad_enabled_domains = str, None, false
 ad_server = str, None, false
 ad_backup_server = str, None, false
 ad_hostname = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index ef27976dd62e164cfb91359efc69bd54e1aa9711..8a2f4ade9387f0d5723b7056bdce9e83363cf035 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -114,6 +114,33 @@ ldap_id_mapping = False
 
 
 
+ad_enabled_domains (string)
+
+
+A comma-separated list of enabled Active Directory domains.
+If provided, SSSD will ignore any domains not listed in this
+option. If left unset, all domains from the AD forest will
+be available.
+
+
+For proper operation, this option must be specified in all
+lower-case and as the fully qualified domain name of the
+Active Directory domain. For example:
+
+ad_enabled_domains = sales.example.com, eng.example.com
+
+
+
+ 
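Review bot: documentation gap in the ad_enabled_domains text: it requires lower-case fully qualified names, but the lines visible here do not say what SSSD does with an entry that matches no discovered domain (for example a mixed-case or misspelled name), nor whether the domain the client is joined to stays enabled when it is not listed. Because this option decides which forest domains are reachable at all, state both behaviours explicitly and say whether an unmatched entry is logged.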

[SSSD] Re: [PATCH] Better error message if sssctl is ran w/o activating the IFP responder

2016-08-16 Thread Petr Cech

On 08/16/2016 04:06 PM, Justin Stephenson wrote:

Updated patch attached.

Kind regards,
Justin Stephenson


Thanks, Justin.

Obviously ACK.



On 08/16/2016 02:05 AM, Lukas Slebodnik wrote:

On (12/08/16 12:24), Justin Stephenson wrote:

Simple error message patch, resolves
https://fedorahosted.org/sssd/ticket/3130

Kind regards,

Justin Stephenson


From 080f9639e120329d069d4f0ba5edcc776e0179c2 Mon Sep 17 00:00:00 2001

From: Justin Stephenson 
Date: Fri, 12 Aug 2016 12:12:57 -0400
Subject: [PATCH] SSSCTL: More helpful error message when InfoPipe is
disabled

Resolves:
https://fedorahosted.org/sssd/ticket/3130
---
src/tools/sssctl/sssctl_sifp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/sssctl/sssctl_sifp.c
b/src/tools/sssctl/sssctl_sifp.c
index
e541c4b27ba38e50b209b0957c8b38f03afc891a..d61754c095366d07bae812c38a24a88f07c197f5
100644
--- a/src/tools/sssctl/sssctl_sifp.c
+++ b/src/tools/sssctl/sssctl_sifp.c
@@ -25,8 +25,8 @@
#include "util/util.h"
#include "tools/sssctl/sssctl.h"

-#define ERR_SSSD _("Check that SSSD is running and " \
-   "the InfoPipe responder is enabled.\n")
+#define ERR_SSSD _("IFP Disabled: Please add the ifp service to the
service" \
+   "list in sssd.conf and restart the service.\n")
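Review bot: in the new ERR_SSSD the first literal ends in "service" and the second starts with "list", so the concatenated message reads "...to the servicelist in sssd.conf..."; add a trailing space to the first literal. The replacement also drops the "Check that SSSD is running" case, so the user is told "IFP Disabled" even when the daemon itself is down; keeping the original sentence and appending the ifp instruction as a hint covers both causes.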

Here is a comment from the author of the previous message.
05:26 < lslebodn> pbrezina: Do you have any comment to the patch
"SSSCTL: More helpful error message when
InfoPipe is disabled" ?
05:26 < lslebodn> because I plan to push it :-)
05:28 < pbrezina> lslebodn, I still think that the original message
   is more accurate, but I don't oppose.

I tend to agree.
I would preserve the original message and write a "HINT" in the next line.
Any objection to such a compromise?

LS



0001-SSSCTL-More-helpful-error-message-when-InfoPipe-is-d-v2.patch


From 49fd8ff5100f38dbee9b873120b703d2499d09d2 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 12 Aug 2016 12:12:57 -0400
Subject: [PATCH] SSSCTL: More helpful error message when InfoPipe is
 disabled

Resolves:
https://fedorahosted.org/sssd/ticket/3130
---
 src/tools/sssctl/sssctl_sifp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tools/sssctl/sssctl_sifp.c b/src/tools/sssctl/sssctl_sifp.c
index 
e541c4b27ba38e50b209b0957c8b38f03afc891a..33ba6404e7d0b8116aa3df6bfefa37a3dd3c
 100644
--- a/src/tools/sssctl/sssctl_sifp.c
+++ b/src/tools/sssctl/sssctl_sifp.c
@@ -26,7 +26,9 @@
 #include "tools/sssctl/sssctl.h"

 #define ERR_SSSD _("Check that SSSD is running and " \
-   "the InfoPipe responder is enabled.\n")
+   "the InfoPipe responder is enabled.\n" \
+   "HINT: Add ifp to the services list " \
+   "in sssd.conf and restart sssd.\n")

 struct sssctl_sifp_data {
 sss_sifp_ctx *sifp;
-- 2.7.4


--
Petr^4 Čech


[SSSD] Re: [PATCH] LDAP: Log autofs rfc2307 config changes only with enabled responder

2016-08-16 Thread Petr Cech

On 08/16/2016 01:41 PM, Lukas Slebodnik wrote:

ehlo,

attached patch should fix annoying message
with disabled autofs responder.

LS


Hi Lukas,

LGTM, I am waiting for CI.

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-16 Thread Petr Cech

On 08/16/2016 02:52 PM, Jakub Hrozek wrote:

On Mon, Aug 15, 2016 at 04:03:17PM +0200, Petr Cech wrote:

On 08/12/2016 04:05 PM, Petr Cech wrote:

On 08/12/2016 03:36 PM, Jakub Hrozek wrote:

On Fri, Aug 12, 2016 at 02:51:21PM +0200, Petr Cech wrote:

On 08/12/2016 11:27 AM, Jakub Hrozek wrote:

On Wed, Aug 10, 2016 at 08:54:25AM +0200, Petr Cech wrote:

Sorry, I experienced some issue with mailing list.
So I send it again.

 Forwarded Message 
Subject: Re: [SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains
Date: Tue, 9 Aug 2016 17:29:38 +0200
From: Petr Cech 
To: sssd-devel@lists.fedorahosted.org

On 08/09/2016 11:07 AM, Jakub Hrozek wrote:

On Mon, Jul 25, 2016 at 06:18:28PM +0200, Petr Cech wrote:

Hello,

there is fixed patch set attached.

Segmentation fault was caused by wrong pointer :-(, sorry.

This new patch set has a new debug message. I am open to discuss the
debug_level and content of the message. Any ideas for improvement?

I hit one issue during testing -- sometimes if I am connected to
subdomain and I enable only sibling subdomain (the master is added
automatically) and forest root is not enabled -- I see only master and
sibling not. But if I added sleep for cycle (for using dbg) to function
ad_subdomains_init() everything is OK.
Any idea?

Can you test that case with valgrind? This sounds like some
uninitialized variable condition.



I didn't run valgrind but I have new information.

If you clear the cache and reset sssd, first attempt to obtain
information
about user from sibling domain fails. The second and the other
attempts run
correctly.

I see that the sibling domain is enabled. But if I look more
carefully there
is message in log (gamma.domain.bootes is sibling domain):

[sssd[be[beta.domain.bootes]]] [dp_req_new] (0x0020): Unknown domain:
gamma.domain.bootes

First attempt should work too but you should wait nearly exactly 6
seconds
after restart sssd.

New patch set is attached.


I can't start SSSD with these patches:
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_target_run_constructor] (0x0010): Target [subdomains]
constructor failed [22]: Invalid argument
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_load_targets] (0x0020): Unable to load target [subdomains] [22]:
Invalid argument.
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]] [dp_init]
(0x0020): Unable to initialize DP targets [1432158209]: Internal Error
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_terminate_active_requests] (0x0400): Terminating active data
provider requests

I have:
$ git log --oneline origin/master..HEAD
3b2f910 TESTS: Adding tests for ad_enabled_domains option
7ac9517 AD_PROVIDER: ad_enabled_domains - other then master
fdbbd30 AD_PROVIDER: ad_enabled_domains - only master
ebaa14d AD_PROVIDER: Initializing of ad_enabled_domains
38989af AD_PROVIDER: Add ad_enabled_domains option

$ git rev-list origin/master..HEAD
3b2f9106c2c5bea1681cf1f752fc5f3256a04300
7ac9517f78dc4dcde4c4c613ec450a3f3fc8f644
fdbbd30adf9da7a3c2510029c2e8c3789a3083a0
ebaa14dd1dd0e4f55a2bc4e647ce848e36970dd2
38989afa14bfc89712808867b80e667d34e068b3


Hello Jakub,

I wasn't able to reproduce your bug. It is true that I use F23 for
testing this patch for historical reasons. I should try it with F24 too.

I sent the whole patch set to CI,
http://sssd-ci.duckdns.org/logs/job/51/45/summary.html
but I think it is not conclusive because our tests don't contain an AD
server.

I will look at it again. But now I would like to finish tests for
netgroups.


I don't think it has to do with Fedora version. Maybe my sssd.conf would
help:

[domain/win.trust.test]
ad_domain = win.trust.test
krb5_realm = WIN.TRUST.TEST
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ad_enable_gc = false
debug_level = 10

access_provider = simple

#ad_enabled_domains = win.trust.test, siblingdom.win.trust.test
#debug_level = 7

dyndns_update = false


Thanks,

I see now where the problem is. I didn't try to comment out
ad_enabled_domains in the config for a long time. If this option is
missing it will crash.

[dp_target_run_constructor] (0x0010): Target [subdomains] constructor
failed [22]: Invalid argument

I hope it will be easy to fix it.


Hello,

I fixed little bug (wrong return code for missing option)
in ad_get_enabled_domains().

New patch set is attached.

There is still one strange behaviour:

If you clear the cache and reset sssd, first attempt to obtain
information about user from sibling domain fails. The second and the other
attempts run correctly.

I see that the sibling domain is enabled. But if I look more
carefully there is message in log (gamma.domain.bootes is sibling
domain):

[sssd[be[beta.domain.bootes]]] [dp_req_new] (0x0020): Unknown domain:
gamma.domain.bootes

First attempt should works too b

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-16 Thread Petr Cech

On 08/16/2016 01:22 PM, Petr Cech wrote:



On 08/16/2016 01:02 PM, Lukas Slebodnik wrote:

On (16/08/16 12:52), Petr Cech wrote:

On 08/16/2016 10:15 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 09:50:19AM +0200, Petr Cech wrote:

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIFF in special
debug level. What does it mean 'special debug
level'? Is it new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards




Please no magic constants in SSSD code :)


Hello Jakub,

there is fixed version without magic :-)

--
Petr^4 'magician' Čech



From 2ca78a82c579c5244aebd9a58b56a9886f6bc4b5 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb_ops.c | 32 
1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index
44fb5b70e6d33fffbca5824f831a3229254ecb57..a81840b2515d09f91d1dfa783bcf08f0fad112b4
100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
#include "util/cert.h"
#include 

+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
static uint32_t get_attr_as_uint32(struct ldb_message *msg, const
char *attr)
{
const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
return ret;
}

+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 struct ldb_dn *entry_dn,
 struct sysdb_attrs *attrs,
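Review bot: get_attr_storage() compares state_mask for exact equality against three values and returns "" for anything else, so a flag bit added to the SSS_SYSDB_* set later would silently log an empty "[]"; testing the bits individually (state_mask & SSS_SYSDB_CACHE, state_mask & SSS_SYSDB_TS_CACHE) keeps the output correct as the mask grows. There is also a stray space before the closing parenthesis in "if (state_mask == SSS_SYSDB_BOTH_CACHE ) {".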
@@ -1184,6 +1205,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
bool sysdb_write = true;
errno_t ret = EOK;
errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;

sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs,
mod_op);
if (sysdb_write == true) {
@@ -1192,6 +1214,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
  "Cannot set attrs for %s, %d [%s]\n",
  ldb_dn_get_linearized(entry_dn), ret,
sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
}
}

@@ -1201,9 +1225,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot set ts attrs for %s\n",
ldb_dn_get_linearized(entry_dn));
/* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
}
}

+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
return ret;
}

--
2.7.4




From 6e7143b26fb5696a9b684c0da96353a7d5d07700 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache
changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index
6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd
100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct
ldb_message *old_entry,
return true;
}

-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
 struct ldb_message *mod_msg)
{
struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct
ldb_message *db_msg,
 */
if (mod_msg_el->num_values > 0) {
/* We can ignore additions of timestamp
attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs,
reason: " \
+ "attr [%s] is new.\n",
+
ldb_dn_get_linearized(entry_dn),
+ mod_msg_el->name);
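Review bot: the trailing backslash after "reason: " in the new DEBUG call is not needed. Adjacent string literals in an argument list concatenate across lines on their own, and a line continuation is only required inside a #define, so dropping it removes the risk of a later edit leaving whitespace after the backslash.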

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-16 Thread Petr Cech



On 08/16/2016 01:02 PM, Lukas Slebodnik wrote:

On (16/08/16 12:52), Petr Cech wrote:

On 08/16/2016 10:15 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 09:50:19AM +0200, Petr Cech wrote:

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIFF in special
debug level. What does it mean 'special debug
level'? Is it new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards




Please no magic constants in SSSD code :)


Hello Jakub,

there is fixed version without magic :-)

--
Petr^4 'magician' Čech



From 2ca78a82c579c5244aebd9a58b56a9886f6bc4b5 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb_ops.c | 32 
1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 
44fb5b70e6d33fffbca5824f831a3229254ecb57..a81840b2515d09f91d1dfa783bcf08f0fad112b4
 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
#include "util/cert.h"
#include 

+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
{
const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
return ret;
}

+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 struct ldb_dn *entry_dn,
 struct sysdb_attrs *attrs,
@@ -1184,6 +1205,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
bool sysdb_write = true;
errno_t ret = EOK;
errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;

sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
if (sysdb_write == true) {
@@ -1192,6 +1214,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
  "Cannot set attrs for %s, %d [%s]\n",
  ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
}
}

@@ -1201,9 +1225,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot set ts attrs for %s\n", 
ldb_dn_get_linearized(entry_dn));
/* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
}
}

+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
return ret;
}

--
2.7.4




From 6e7143b26fb5696a9b684c0da96353a7d5d07700 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
src/db/sysdb.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 
6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd
 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message 
*old_entry,
return true;
}

-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
 struct ldb_message *mod_msg)
{
struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct ldb_message 
*db_msg,
 */
if (mod_msg_el->num_values > 0) {
/* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs, reason: " \
+ "attr [%s] is new.\n",
+ ldb_dn_get_linearized(entry_dn),
+ m

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-16 Thread Petr Cech

On 08/16/2016 10:15 AM, Jakub Hrozek wrote:

On Tue, Aug 16, 2016 at 09:50:19AM +0200, Petr Cech wrote:

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIFF in special
debug level. What does it mean 'special debug
level'? Is it new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards




Please no magic constants in SSSD code :)


Hello Jakub,

there is fixed version without magic :-)

--
Petr^4 'magician' Čech
From 2ca78a82c579c5244aebd9a58b56a9886f6bc4b5 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 32 
 1 file changed, 32 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 44fb5b70e6d33fffbca5824f831a3229254ecb57..a81840b2515d09f91d1dfa783bcf08f0fad112b4 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -27,6 +27,12 @@
 #include "util/cert.h"
 #include 
 
+
+#define SSS_SYSDB_NO_CACHE 0x0
+#define SSS_SYSDB_CACHE 0x1
+#define SSS_SYSDB_TS_CACHE 0x2
+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | SSS_SYSDB_TS_CACHE)
+
 static uint32_t get_attr_as_uint32(struct ldb_message *msg, const char *attr)
 {
 const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr);
@@ -1176,6 +1182,21 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state_mask)
+{
+const char *storage = "";
+
+if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
+storage = "cache, ts_cache";
+} else if (state_mask == SSS_SYSDB_TS_CACHE) {
+storage = "ts_cache";
+} else if (state_mask == SSS_SYSDB_CACHE) {
+storage = "cache";
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
@@ -1184,6 +1205,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state_mask = SSS_SYSDB_NO_CACHE;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1214,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state_mask |= SSS_SYSDB_CACHE;
 }
 }
 
@@ -1201,9 +1225,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state_mask |= SSS_SYSDB_TS_CACHE;
 }
 }
 
+if (state_mask != SSS_SYSDB_NO_CACHE) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state_mask));
+}
+
 return ret;
 }
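Review bot: the new message "Entry [%s] has set [%s] attrs.\n" is hard to parse in a log, since it does not say which bracket is the DN and which is the store; wording such as "Attrs of entry [%s] were written to [%s].\n" would read unambiguously. Note also that state_mask is only updated in the two else branches, so when both writes fail this message is skipped and the reader has to rely on the MINOR_FAILURE lines above; a short comment saying that is intended would help.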
 
-- 
2.7.4

From 6e7143b26fb5696a9b684c0da96353a7d5d07700 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 ++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
  struct ldb_message *mod_msg)
 {
 struct ldb_message_element *mod_msg_el;
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (mod_msg_el->num_values > 0) {
 /* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs, reason: " \
+ "attr [%s] is new.\n",
+ ldb_dn_get_linearized(entry_dn),
+ mod_msg_el->name);
 return 
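Review bot: in the added DEBUG call the format string is split as `"Entry [%s] differs, reason: " \` with a trailing backslash; this is a function-call argument list, not a macro definition, and adjacent string literals concatenate on their own, so the line continuation can be dropped.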

[SSSD] Re: [PATCH] DP: Add log message for get account info

2016-08-16 Thread Petr Cech

On 08/16/2016 09:20 AM, Petr Cech wrote:

On 08/16/2016 09:17 AM, Lukas Slebodnik wrote:

ehlo,

Petr improved debug messages in
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=376eaf187c13c2a1eaea0ffbdd970b6b563ab74c

but it was removed as part of DP refactoring.

LS


Hi Lukas,

thanks. It is nice to see that my code will be alive.
LGTM, after CI I will say more :-)


CI passed:
http://sssd-ci.duckdns.org/logs/job/51/57/summary.html

=> ACK

--
Petr^4 Čech
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] [PATCH SET] SYSDB: Adding message to inform about cache

2016-08-16 Thread Petr Cech

Hello list,

I am solving ticket [1] now. There are three
points mentioned. I have prepared patches for
the first two. I would like to ask anybody if it
is right or if I miss something.

The third point is about full LDIFF in special
debug level. What does 'special debug
level' mean? Is it a new option, for example?


[1] https://fedorahosted.org/sssd/ticket/3060

Regards

--
Petr^4 Čech
>From 6ac105b6a3ad9e424c5053f05aa1eefd55cafb71 Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:32:18 +0200
Subject: [PATCH 1/2] SYSDB: Adding message to inform which cache is used

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb_ops.c | 36 
 1 file changed, 36 insertions(+)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 44fb5b70e6d33fffbca5824f831a3229254ecb57..e199bd946d5d58be2acd3dfda7050c112688d20d 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1176,6 +1176,31 @@ done:
 return ret;
 }
 
+static const char *get_attr_storage(int state)
+{
+const char *storage;
+
+switch (state) {
+case 0:
+storage = "";
+break;
+case 1:
+storage = "cache";
+break;
+case 2:
+storage = "ts_cache";
+break;
+case 3:
+storage = "cache, ts_cache";
+break;
+default:
+storage = "";
+break;
+}
+
+return storage;
+}
+
 int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
  struct ldb_dn *entry_dn,
  struct sysdb_attrs *attrs,
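Review bot: the case labels 0, 1, 2 and 3 in get_attr_storage() are magic numbers that encode two independent flags (cache written, ts_cache written); named constants for the two bits and their combination, set with |= at the call sites instead of `state += 1` and `state += 2`, would make the mapping self-documenting. With that in place the `case 0:` and `default:` branches, which both return "", can be merged.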
@@ -1184,6 +1209,7 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 bool sysdb_write = true;
 errno_t ret = EOK;
 errno_t tret = EOK;
+int state = 0;
 
 sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, mod_op);
 if (sysdb_write == true) {
@@ -1192,6 +1218,8 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot set attrs for %s, %d [%s]\n",
   ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret));
+} else {
+state += 1;
 }
 }
 
@@ -1201,9 +1229,17 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb,
 DEBUG(SSSDBG_MINOR_FAILURE,
 "Cannot set ts attrs for %s\n", ldb_dn_get_linearized(entry_dn));
 /* Not fatal */
+} else {
+state += 2;
 }
 }
 
+if (state % 4) {
+DEBUG(SSSDBG_FUNC_DATA, "Entry [%s] has set [%s] attrs.\n",
+ldb_dn_get_linearized(entry_dn),
+get_attr_storage(state));
+}
+
 return ret;
 }
 
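Review bot: `if (state % 4)` guards the new DEBUG, but state starts at 0 and only ever gains 1 and 2 in this function, so it cannot leave the range 0..3 and the modulo does nothing; `if (state != 0)` states the condition directly.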
-- 
2.7.4

>From b24b8dfac99fcee7410ee8f189dd28d8c7c2bd2b Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 16 Aug 2016 09:33:46 +0200
Subject: [PATCH 2/2] SYSDB: Adding message about reason why cache changed

Resolves:
https://fedorahosted.org/sssd/ticket/3060
---
 src/db/sysdb.c | 24 ++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 6f0b1b9e9b52bede68f03cb5674f65b91cc28c98..9d1abc2b3dd0ce5db626544673795eebfbc28bcd 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1821,7 +1821,8 @@ bool sysdb_msg_attrs_modts_differs(struct ldb_message *old_entry,
 return true;
 }
 
-static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
+static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn,
+ struct ldb_message *db_msg,
  struct ldb_message *mod_msg)
 {
 struct ldb_message_element *mod_msg_el;
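Review bot: the new entry_dn parameter of sysdb_ldb_msg_difference() is consumed only by the DEBUG calls added in the following hunks, so it deserves a short comment at the function saying it is used for logging only. The diffstat lists two deletions and this signature line is one of them, so please confirm that every call site of this static function is updated in the same patch.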
@@ -1848,6 +1849,10 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (mod_msg_el->num_values > 0) {
 /* We can ignore additions of timestamp attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs, reason: " \
+ "attr [%s] is new.\n",
+ ldb_dn_get_linearized(entry_dn),
+ mod_msg_el->name);
 return true;
 }
 break;
@@ -1861,6 +1866,11 @@ static bool sysdb_ldb_msg_difference(struct ldb_message *db_msg,
  */
 if (is_ts_cache_attr(mod_msg_el->name) == false) {
 /* We can ignore changes to timestamp attributes */
+DEBUG(SSSDBG_TRACE_FUNC, "Entry [%s] differs, reason: " \
+ "attr [%s] is replaced " \
+ "or extended.\n",
+ ldb_dn_get_linearized(entry_dn),
+

[SSSD] Re: [PATCH] DP: Add log message for get account info

2016-08-16 Thread Petr Cech

On 08/16/2016 09:17 AM, Lukas Slebodnik wrote:

ehlo,

Petr improved debug messages in
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=376eaf187c13c2a1eaea0ffbdd970b6b563ab74c
but it was removed as part of DP refactoring.

LS


Hi Lukas,

thanks. It is nice to see that my code will be alive.
LGTM, after CI I will say more :-)

Regards

--
Petr^4 Čech


[SSSD] Re: [PATCH] Better error message if sssctl is ran w/o activating the IFP responder

2016-08-15 Thread Petr Cech

On 08/16/2016 08:05 AM, Lukas Slebodnik wrote:

On (12/08/16 12:24), Justin Stephenson wrote:

Simple error message patch, resolves
https://fedorahosted.org/sssd/ticket/3130

Kind regards,

Justin Stephenson




From 080f9639e120329d069d4f0ba5edcc776e0179c2 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 12 Aug 2016 12:12:57 -0400
Subject: [PATCH] SSSCTL: More helpful error message when InfoPipe is
disabled

   Resolves:
   https://fedorahosted.org/sssd/ticket/3130
---
src/tools/sssctl/sssctl_sifp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/sssctl/sssctl_sifp.c b/src/tools/sssctl/sssctl_sifp.c
index 
e541c4b27ba38e50b209b0957c8b38f03afc891a..d61754c095366d07bae812c38a24a88f07c197f5
 100644
--- a/src/tools/sssctl/sssctl_sifp.c
+++ b/src/tools/sssctl/sssctl_sifp.c
@@ -25,8 +25,8 @@
#include "util/util.h"
#include "tools/sssctl/sssctl.h"

-#define ERR_SSSD _("Check that SSSD is running and " \
-   "the InfoPipe responder is enabled.\n")
+#define ERR_SSSD _("IFP Disabled: Please add the ifp service to the service" \
+   "list in sssd.conf and restart the service.\n")

Here is a comment from the author of the previous message.
05:26 < lslebodn> pbrezina: Do you have any comment to the patch
   "SSSCTL: More helpful error message when
   InfoPipe is disabled" ?
05:26 < lslebodn> because I plan to push it :-)
05:28 < pbrezina> lslebodn, I still think that the original message
  is more accurate, but I don't oppose.

I tend to agree.
I would preserve the original message and write a "HINT" in the next line.

+1


Any objection to such a compromise?

LS


--
Petr^4 Čech


[SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains

2016-08-15 Thread Petr Cech

On 08/12/2016 04:05 PM, Petr Cech wrote:

On 08/12/2016 03:36 PM, Jakub Hrozek wrote:

On Fri, Aug 12, 2016 at 02:51:21PM +0200, Petr Cech wrote:

On 08/12/2016 11:27 AM, Jakub Hrozek wrote:

On Wed, Aug 10, 2016 at 08:54:25AM +0200, Petr Cech wrote:

Sorry, I experienced some issue with the mailing list.
So I am sending it again.

 Forwarded Message 
Subject: Re: [SSSD] Re: [PATCH SET] AD_PROVIDER: ad_enabled_domains
Date: Tue, 9 Aug 2016 17:29:38 +0200
From: Petr Cech 
To: sssd-devel@lists.fedorahosted.org

On 08/09/2016 11:07 AM, Jakub Hrozek wrote:

On Mon, Jul 25, 2016 at 06:18:28PM +0200, Petr Cech wrote:

Hello,

there is fixed patch set attached.

Segmentation fault was caused by wrong pointer :-(, sorry.

This new patch set has new debug message. I am open to discuss the
debug_level and content of message. Any improving idea?

I hit one issue during testing -- sometimes if I am connected to
subdomain and I enable only sibling subdomain (the master is added
automatically) and forest root is not enabled -- I see only master and
sibling not. But if I added sleep for cycle (for using dbg) to function
ad_subdomains_init() everything is OK.
Any idea?

Can you test that case with valgrind? This sounds like some
uninitialized variable condition.



I didn't run valgrind but I have new information.

If you clear the cache and reset sssd, first attempt to obtain
information about user from sibling domain fails. The second and the
other attempts run correctly.

I see that the sibling domain is enabled. But if I look more
carefully there is message in log (gamma.domain.bootes is sibling domain):

[sssd[be[beta.domain.bootes]]] [dp_req_new] (0x0020): Unknown domain:
gamma.domain.bootes

First attempt should work too but you should wait nearly exactly 6
seconds after restart sssd.

New patch set is attached.


I can't start SSSD with these patches:
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_target_run_constructor] (0x0010): Target [subdomains]
constructor failed [22]: Invalid argument
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_load_targets] (0x0020): Unable to load target [subdomains] [22]:
Invalid argument.
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]] [dp_init]
(0x0020): Unable to initialize DP targets [1432158209]: Internal Error
(Fri Aug 12 11:25:38 2016) [sssd[be[win.trust.test]]]
[dp_terminate_active_requests] (0x0400): Terminating active data
provider requests

I have:
$ git log --oneline origin/master..HEAD
3b2f910 TESTS: Adding tests for ad_enabled_domains option
7ac9517 AD_PROVIDER: ad_enabled_domains - other then master
fdbbd30 AD_PROVIDER: ad_enabled_domains - only master
ebaa14d AD_PROVIDER: Initializing of ad_enabled_domains
38989af AD_PROVIDER: Add ad_enabled_domains option

$ git rev-list origin/master..HEAD
3b2f9106c2c5bea1681cf1f752fc5f3256a04300
7ac9517f78dc4dcde4c4c613ec450a3f3fc8f644
fdbbd30adf9da7a3c2510029c2e8c3789a3083a0
ebaa14dd1dd0e4f55a2bc4e647ce848e36970dd2
38989afa14bfc89712808867b80e667d34e068b3


Hello Jakub,

I wasn't able to reproduce your bug. It is true that I use F23 for
testing this patch for historical reasons. I should try it with F24 too.

I sent whole patch set to CI,
http://sssd-ci.duckdns.org/logs/job/51/45/summary.html
but I think it is not conclusive because our tests don't contain AD
server.

I will look at it again. But now I would like to finish tests for
netgroups.


I don't think it has to do with Fedora version. Maybe my sssd.conf would
help:

[domain/win.trust.test]
ad_domain = win.trust.test
krb5_realm = WIN.TRUST.TEST
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ad_enable_gc = false
debug_level = 10

access_provider = simple

#ad_enabled_domains = win.trust.test, siblingdom.win.trust.test
#debug_level = 7

dyndns_update = false


Thanks,

I see now where's the problem. I didn't try to comment
ad_enabled_domains in config for long time. If this option is missing it
will crash.

[dp_target_run_constructor] (0x0010): Target [subdomains] constructor
failed [22]: Invalid argument

I hope it will be easy to fix it.


Hello,

I fixed a little bug (wrong return code for missing option)
in ad_get_enabled_domains().

New patch set is attached.

There is still one strange behaviour:

If you clear the cache and reset sssd, first attempt to obtain
information about user from sibling domain fails. The second and the
other attempts run correctly.


I see that the sibling domain is enabled. But if I look more
carefully there is message in log (gamma.domain.bootes is sibling
domain):

[sssd[be[beta.domain.bootes]]] [dp_req_new] (0x0020): Unknown domain:
gamma.domain.bootes

First attempt should work too but you should wait nearly exactly 6
seconds after restart sssd.


I think it is connected to mecha

[SSSD] Re: [PATCH 1/2] LDAP: Adding support for SIGTERM signal

2016-08-15 Thread Petr Cech

On 08/15/2016 09:59 AM, Jakub Hrozek wrote:

On Mon, Aug 15, 2016 at 09:47:27AM +0200, Petr Cech wrote:

On 08/12/2016 04:13 PM, Jakub Hrozek wrote:

On Fri, Aug 12, 2016 at 03:41:26PM +0200, Petr Cech wrote:

On 08/12/2016 03:07 PM, Jakub Hrozek wrote:

Logs now look like:


[root@albireo sssd]# grep 'child' sssd_ipa.cygnus.dev.log
[child_handler_setup] (0x2000): Setting up signal handler up for pid [18835]
[child_handler_setup] (0x2000): Signal handler set up for pid [18835]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child

(6 seconds later)

[get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to tgt child
[18835] reached.
[get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending
SIGKILL to tgt child
[sdap_get_tgt_recv] (0x0020): Cannot parse child response: [22][Invalid
argument]
[sdap_kinit_done] (0x0020): child failed (22 [Invalid argument])
[child_sig_handler] (0x1000): Waiting for child [18835].
[child_sig_handler] (0x0020): child [18835] failed with status [7].
[child_callback] (0x0020): LDAP child was terminated due to timeout

I'm sorry, but these patches still don't fix the issue I was seeing.
Before the patches, when I timed out the child process, I saw:
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721 
[ldap_child_get_tgt_sync] (0x0100): Principal name is: 
[host/client.ipa.t...@ipa.test]
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721 
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x4000): timeout for tgt child [31721] reached.
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_kinit_done] (0x0080): 
Communication with KDC timed out, trying the next one
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [_be_fo_set_port_status] 
(0x8000): Setting status: PORT_NOT_WORKING. Called from: 
/sssd/src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1207
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_set_port_status] (0x0100): 
Marking port 0 of server 'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_set_port_status] (0x0400): 
Marking port 0 of duplicate server 'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_kinit_next_kdc] (0x1000): 
Resolving next KDC for service KERBEROS
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_server_status] (0x1000): 
Status of server 'unidirect.ipa.test' is 'name resolved'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_port_status] (0x1000): Port 
status of port 0 for server 'unidirect.ipa.test' is 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_resolve_service_send] 
(0x0020): No available servers for service 'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [be_resolve_server_done] 
(0x1000): Server resolution failed: [5]: Input/output error
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_cli_kinit_done] (0x0400): 
Cannot get a TGT: ret [1432158228](Network I/O Error)
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [_be_fo_set_port_status] 
(0x8000): Setting status: PORT_NOT_WORKING. Called from: 
/sssd/src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048

After the patch, I see:
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x4000): timeout for sending SIGTERM to tgt child [17291] reached.
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x0400): Setting 2 seconds timeout for sending SIGKILL to tgt child
(Fri Aug 12 15:01:05 2016) [[sssd[ldap_child[17291 [sig_term_handler] 
(0x0010): Received signal [Terminated] [15], shutting down
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [sdap_get_tgt_recv] (0x0020): 
Cannot parse child response: [22][Invalid argument]
here ---^

This is the part I don't like, we try to read the response from the child's
pipe and fail with a bad error message. I thought this was because with
the previous patch, we exit the child with zero, but I guess this was not
the case.. Anyway, we still should fix this, the message would be really
confusing to admins.


Hi Jakub,

I know I had the same
'Cannot parse child response: [22][Invalid argument]'
in my logs too, see my last mail above.

Some lines after it I have new message
'[child_callback] (0x0020): LDAP child was terminated due to timeout'

I understand that it is not satisfying. The main purpose of this

[SSSD] Re: [PATCH 1/2] LDAP: Adding support for SIGTERM signal

2016-08-15 Thread Petr Cech

On 08/12/2016 04:13 PM, Jakub Hrozek wrote:

On Fri, Aug 12, 2016 at 03:41:26PM +0200, Petr Cech wrote:

On 08/12/2016 03:07 PM, Jakub Hrozek wrote:

Logs now look like:


[root@albireo sssd]# grep 'child' sssd_ipa.cygnus.dev.log
[child_handler_setup] (0x2000): Setting up signal handler up for pid [18835]
[child_handler_setup] (0x2000): Signal handler set up for pid [18835]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child

(6 seconds later)

[get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to tgt child
[18835] reached.
[get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending
SIGKILL to tgt child
[sdap_get_tgt_recv] (0x0020): Cannot parse child response: [22][Invalid
argument]
[sdap_kinit_done] (0x0020): child failed (22 [Invalid argument])
[child_sig_handler] (0x1000): Waiting for child [18835].
[child_sig_handler] (0x0020): child [18835] failed with status [7].
[child_callback] (0x0020): LDAP child was terminated due to timeout

I'm sorry, but these patches still don't fix the issue I was seeing.
Before the patches, when I timed out the child process, I saw:
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721 
[ldap_child_get_tgt_sync] (0x0100): Principal name is: 
[host/client.ipa.t...@ipa.test]
(Fri Aug 12 14:54:24 2016) [[sssd[ldap_child[31721 
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x4000): timeout for tgt child [31721] reached.
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_kinit_done] (0x0080): 
Communication with KDC timed out, trying the next one
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [_be_fo_set_port_status] 
(0x8000): Setting status: PORT_NOT_WORKING. Called from: 
/sssd/src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1207
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_set_port_status] (0x0100): 
Marking port 0 of server 'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_set_port_status] (0x0400): 
Marking port 0 of duplicate server 'unidirect.ipa.test' as 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_kinit_next_kdc] (0x1000): 
Resolving next KDC for service KERBEROS
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_server_status] (0x1000): 
Status of server 'unidirect.ipa.test' is 'name resolved'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [get_port_status] (0x1000): Port 
status of port 0 for server 'unidirect.ipa.test' is 'not working'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [fo_resolve_service_send] 
(0x0020): No available servers for service 'KERBEROS'
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [be_resolve_server_done] 
(0x1000): Server resolution failed: [5]: Input/output error
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_cli_kinit_done] (0x0400): 
Cannot get a TGT: ret [1432158228](Network I/O Error)
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(Fri Aug 12 14:54:30 2016) [sssd[be[ipaldap]]] [_be_fo_set_port_status] 
(0x8000): Setting status: PORT_NOT_WORKING. Called from: 
/sssd/src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048

After the patch, I see:
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x4000): timeout for sending SIGTERM to tgt child [17291] reached.
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [get_tgt_timeout_handler] 
(0x0400): Setting 2 seconds timeout for sending SIGKILL to tgt child
(Fri Aug 12 15:01:05 2016) [[sssd[ldap_child[17291 [sig_term_handler] 
(0x0010): Received signal [Terminated] [15], shutting down
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Fri Aug 12 15:01:05 2016) [sssd[be[ipaldap]]] [sdap_get_tgt_recv] (0x0020): 
Cannot parse child response: [22][Invalid argument]
here ---^

This is the part I don't like, we try to read the response from the child's
pipe and fail with a bad error message. I thought this was because with
the previous patch, we exit the child with zero, but I guess this was not
the case.. Anyway, we still should fix this, the message would be really
confusing to admins.


Hi Jakub,

I know I had the same
'Cannot parse child response: [22][Invalid argument]'
in my logs too, see my last mail above.

Some lines after it I have new message
'[child_callback] (0x0020): LDAP child was terminated due to timeout'

I understand that it is not satisfying. The main purpose of this patch was
deleting temporary files if timeout reached. And this is IMO solved I think.
It is true that we have 
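
The SIGTERM-then-SIGKILL escalation and the confusing "Cannot parse child response" message discussed in this thread, as an added example that is not SSSD code and not part of any patch posted here: the parent records that it timed out before it signals the child, so the EOF that follows is reported as a timeout and not as a parse failure. All names (run_child, child_result, the REPLY payload) and the millisecond timeouts are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical result codes for this example; SSSD uses its own error codes. */
enum child_result { CHILD_OK, CHILD_TIMEOUT, CHILD_BAD_RESPONSE, CHILD_ERROR };

static const char REPLY[] = "TGT";   /* constructed stand-in for a child reply */

/* Poll waitpid() for up to ms milliseconds: 1 = child reaped, 0 = still alive. */
static int reap_within(pid_t pid, int ms)
{
    for (int waited = 0; waited <= ms; waited += 10) {
        if (waitpid(pid, NULL, WNOHANG) == pid) return 1;
        poll(NULL, 0, 10);           /* sleep 10 ms */
    }
    return 0;
}

/* Child: optionally ignore SIGTERM, "work" for sleep_ms, optionally reply. */
static void child_main(int wfd, int sleep_ms, int send_reply, int ignore_term)
{
    signal(SIGTERM, ignore_term ? SIG_IGN : SIG_DFL);
    poll(NULL, 0, sleep_ms);
    if (send_reply && write(wfd, REPLY, sizeof(REPLY)) < 0) _exit(1);
    _exit(0);
}

/* Parent: wait timeout_ms for the reply, send SIGTERM, escalate to SIGKILL
 * after grace_ms. *sigkill_sent tells the caller whether escalation happened. */
enum child_result run_child(int sleep_ms, int send_reply, int ignore_term,
                            int timeout_ms, int grace_ms, int *sigkill_sent)
{
    int fds[2], timed_out = 0;
    char buf[sizeof(REPLY)];

    *sigkill_sent = 0;
    if (pipe(fds) != 0) return CHILD_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return CHILD_ERROR; }
    if (pid == 0) {
        close(fds[0]);
        child_main(fds[1], sleep_ms, send_reply, ignore_term);
    }
    close(fds[1]);

    struct pollfd pfd = { .fd = fds[0], .events = POLLIN };
    if (poll(&pfd, 1, timeout_ms) == 0) {
        timed_out = 1;               /* record why the pipe is about to close */
        kill(pid, SIGTERM);
        if (!reap_within(pid, grace_ms)) {
            kill(pid, SIGKILL);      /* child ignored or outlived SIGTERM */
            *sigkill_sent = 1;
            waitpid(pid, NULL, 0);
        }
    }
    /* After a kill this read returns 0 (EOF), the same as for a crashed child. */
    ssize_t n = read(fds[0], buf, sizeof(buf));
    close(fds[0]);
    if (!timed_out) waitpid(pid, NULL, 0);

    if (timed_out) return CHILD_TIMEOUT;   /* classify before parsing the reply */
    if (n != (ssize_t)sizeof(REPLY) || memcmp(buf, REPLY, sizeof(REPLY)) != 0)
        return CHILD_BAD_RESPONSE;
    return CHILD_OK;
}

int main(void)
{
    int killed;
    enum child_result r = run_child(5000, 1, 1, 100, 100, &killed);
    printf("result=%d sigkill_sent=%d\n", r, killed);
    return r == CHILD_TIMEOUT ? 0 : 1;
}
```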

[SSSD] Re: [PATCH] Better error message if sssctl is ran w/o activating the IFP responder

2016-08-14 Thread Petr Cech

On 08/15/2016 07:58 AM, Petr Cech wrote:

On 08/12/2016 06:24 PM, Justin Stephenson wrote:

Simple error message patch, resolves
https://fedorahosted.org/sssd/ticket/3130

Kind regards,

Justin Stephenson


0001-SSSCTL-More-helpful-error-message-when-InfoPipe-is-d.patch


From 080f9639e120329d069d4f0ba5edcc776e0179c2 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 12 Aug 2016 12:12:57 -0400
Subject: [PATCH] SSSCTL: More helpful error message when InfoPipe is
 disabled

Resolves:
https://fedorahosted.org/sssd/ticket/3130
---
 src/tools/sssctl/sssctl_sifp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/sssctl/sssctl_sifp.c
b/src/tools/sssctl/sssctl_sifp.c
index
e541c4b27ba38e50b209b0957c8b38f03afc891a..d61754c095366d07bae812c38a24a88f07c197f5
100644
--- a/src/tools/sssctl/sssctl_sifp.c
+++ b/src/tools/sssctl/sssctl_sifp.c
@@ -25,8 +25,8 @@
 #include "util/util.h"
 #include "tools/sssctl/sssctl.h"

-#define ERR_SSSD _("Check that SSSD is running and " \
-   "the InfoPipe responder is enabled.\n")
+#define ERR_SSSD _("IFP Disabled: Please add the ifp service to the
service" \
+   "list in sssd.conf and restart the service.\n")

 struct sssctl_sifp_data {
 sss_sifp_ctx *sifp;
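Review bot: the replacement ERR_SSSD states as fact that IFP is disabled and drops the removed text's "Check that SSSD is running" case; if this macro is also printed when SSSD itself is down, the new wording sends the admin to the wrong fix. Keeping the original sentence and appending the sssd.conf instruction as a second line would cover both causes.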


Hello Justin,

thanks for patch. New message is understandable for me.
I will try to compile it and then I will ACK to the patch.


CI locally passed.

=> ACK

--
Petr^4 Čech


[SSSD] Re: [PATCH] Better error message if sssctl is ran w/o activating the IFP responder

2016-08-14 Thread Petr Cech

On 08/12/2016 06:24 PM, Justin Stephenson wrote:

Simple error message patch, resolves
https://fedorahosted.org/sssd/ticket/3130

Kind regards,

Justin Stephenson


0001-SSSCTL-More-helpful-error-message-when-InfoPipe-is-d.patch


From 080f9639e120329d069d4f0ba5edcc776e0179c2 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Fri, 12 Aug 2016 12:12:57 -0400
Subject: [PATCH] SSSCTL: More helpful error message when InfoPipe is
 disabled

Resolves:
https://fedorahosted.org/sssd/ticket/3130
---
 src/tools/sssctl/sssctl_sifp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/sssctl/sssctl_sifp.c b/src/tools/sssctl/sssctl_sifp.c
index 
e541c4b27ba38e50b209b0957c8b38f03afc891a..d61754c095366d07bae812c38a24a88f07c197f5
 100644
--- a/src/tools/sssctl/sssctl_sifp.c
+++ b/src/tools/sssctl/sssctl_sifp.c
@@ -25,8 +25,8 @@
 #include "util/util.h"
 #include "tools/sssctl/sssctl.h"

-#define ERR_SSSD _("Check that SSSD is running and " \
-   "the InfoPipe responder is enabled.\n")
+#define ERR_SSSD _("IFP Disabled: Please add the ifp service to the service" \
+   "list in sssd.conf and restart the service.\n")

 struct sssctl_sifp_data {
 sss_sifp_ctx *sifp;


Hello Justin,

thanks for patch. New message is understandable for me.
I will try to compile it and then I will ACK to the patch.

Regards

--
Petr^4 Čech