[SSSD] [sssd PR#733][comment] providers/ldap: abort unsecure authentication requests

2019-01-31 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/733
Title: #733: providers/ldap: abort unsecure authentication requests

jhrozek commented:
"""
* master:
 * a04d088d99f953c7b98c16cf23eedff62e9483bf
 * 53cc1187daee486bf4ba80dc3475944995ef4df6
 * 49c13e9aa84f1889cd2b50397b6a4f74c9dfba57
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/733#issuecomment-459507008
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#733][+Pushed] providers/ldap: abort unsecure authentication requests

2019-01-31 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/733
Title: #733: providers/ldap: abort unsecure authentication requests

Label: +Pushed


[SSSD] [sssd PR#738][opened] MAN: Add sssd-files(5) to the See Also section

2019-01-31 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/738
Author: jhrozek
 Title: #738: MAN: Add sssd-files(5) to the See Also section
Action: opened

PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3936
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/738/head:pr738
git checkout pr738
From 4dc2a5d6228fd390a34e0082e03557a10d742134 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 31 Jan 2019 09:54:31 +0100
Subject: [PATCH] MAN: Add sssd-files(5) to the See Also section

Resolves:
https://pagure.io/SSSD/sssd/issue/3936
---
 src/man/include/seealso.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index f324b66371..ebb2448177 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -22,6 +22,9 @@
 
 sssd-ad5
 ,
+
+sssd-files5
+,
 
 
 sssd-sudo


[SSSD] [sssd PR#733][+Accepted] providers/ldap: abort unsecure authentication requests

2019-01-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/733
Title: #733: providers/ldap: abort unsecure authentication requests

Label: +Accepted


[SSSD] [sssd PR#733][comment] providers/ldap: abort unsecure authentication requests

2019-01-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/733
Title: #733: providers/ldap: abort unsecure authentication requests

jhrozek commented:
"""
Coverity came clean, CI passes here and I tested a patch by returning 0 from 
the function from within a gdb session.

-> ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/733#issuecomment-458908197


[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas

2019-01-29 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/705
Author: jhrozek
 Title: #705: KCM: Add configurable quotas
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/705/head:pr705
git checkout pr705
From e2b8f44bc0418bc531c7e372306f057b275ef9df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 5 Oct 2018 13:17:14 +0200
Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference

Related:
https://pagure.io/SSSD/sssd/issue/3685

There were some stray references to the secrets responder in the
sssd-kcm manual page.
---
 src/man/sssd-kcm.8.xml | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index fff8b0a16d..90b9ad09c2 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -58,11 +58,9 @@
 
 
 
-the SSSD implementation stores the ccaches in the SSSD
-
-sssd-secrets5
-
-secrets store, allowing the ccaches to survive KCM server restarts or machine reboots.
+the SSSD implementation stores the ccaches in a database,
+typically located at /var/lib/sss/secrets
+allowing the ccaches to survive KCM server restarts or machine reboots.
 
 
 
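
Review bot: The added sentence in this hunk is missing a comma after the path: "typically located at /var/lib/sss/secrets allowing the ccaches to survive" reads as if the path itself does the allowing. Suggest "typically located at /var/lib/sss/secrets, allowing the ccaches to survive KCM server restarts or machine reboots." Since the text now names the location that holds the credential caches, a short remark on who is expected to be able to read it would also help man page readers.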

From 1161664d427f34a2428a8cb86f8494aac9472da3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 30 Nov 2018 13:15:58 +0100
Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart
 sssd-kcm.service lately

Related:
https://pagure.io/SSSD/sssd/issue/3862

We forgot to amend the man page after implementing the sssd-kcm service
reload.
---
 src/man/sssd-kcm.8.xml | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 90b9ad09c2..4e4aaa38ea 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service
 CONFIGURATION OPTIONS
 
 The KCM service is configured in the kcm
-section of the sssd.conf file. Please note that currently,
-is it not sufficient to restart the sssd-kcm service, because
-the sssd configuration is only parsed and read to an internal
-configuration database by the sssd service. Therefore you
-must restart the sssd service if you change anything in the
-kcm section of sssd.conf.
+section of the sssd.conf file. Please note that because
+the KCM service is typically socket-activated, it is
+enough to just restart the sssd-kcm service
+after changing options in the kcm section
+of sssd.conf:
+
+systemctl restart sssd-kcm.service
+
+
+
+The KCM service is configured in the kcm
 For a detailed syntax reference, refer to the FILE FORMAT section of the
 
 sssd.conf
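
Review bot: The last added line, "The KCM service is configured in the kcm", repeats the opening of this paragraph and is left dangling in front of the unchanged "For a detailed syntax reference" sentence. It looks like a leftover from moving the text; drop it or finish the sentence so the paragraph after the systemctl example starts cleanly.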

From 7294fd022eb397e22dc345846a6cbb067d3a27bc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM
 for quota options

Related:
https://pagure.io/SSSD/sssd/issue/3386

With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.

With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.

For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
---
 src/responder/secrets/secsrv.c | 70 ++
 src/util/secrets/config.c  | 40 +--
 src/util/secrets/secrets.h | 21 ++
 3 files changed, 88 insertions(+), 43 deletions(-)

diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2de93dedc5..e783e231d3 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
 static int sec_get_config(struct sec_ctx *sctx)
 {
 int ret;
+struct sss_sec_quota_opt dfl_sec_nest_level = {
+.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL

[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas

2019-01-29 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas

jhrozek commented:
"""
rebased
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/705#issuecomment-458698402


[SSSD] [sssd PR#734][closed] sss_client: minor fixes

2019-01-28 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/734
Author: alexey-tikhonov
 Title: #734: sss_client: minor fixes
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/734/head:pr734
git checkout pr734


[SSSD] [sssd PR#734][comment] sss_client: minor fixes

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

jhrozek commented:
"""
* master:
0d96e175a4dc177d372cd56a25f155d80f369121
08d5dabc50341034a41150018f8efd83555003c7
6e2df759de3b018c186900bde668da53ac675e10
bc92d36c96b4404353d991f42568b58cdf0a2d5a

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/734#issuecomment-458296155


[SSSD] [sssd PR#734][+Pushed] sss_client: minor fixes

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

Label: +Pushed


[SSSD] [sssd PR#732][+Pushed] sss_client/common.c: fix Coverity issue (issue 3841)

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/732
Title: #732: sss_client/common.c: fix Coverity issue (issue 3841)

Label: +Pushed


[SSSD] [sssd PR#732][comment] sss_client/common.c: fix Coverity issue (issue 3841)

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/732
Title: #732: sss_client/common.c: fix Coverity issue (issue 3841)

jhrozek commented:
"""
* master:
 * 9959fbe70f8314a2b5ecf52a2e92bcd6a38bfefe
 * 484b48ff40d638af042f3b4d4a00f87a8a58a76c
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/732#issuecomment-458294996


[SSSD] [sssd PR#732][closed] sss_client/common.c: fix Coverity issue (issue 3841)

2019-01-28 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/732
Author: alexey-tikhonov
 Title: #732: sss_client/common.c: fix Coverity issue (issue 3841)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/732/head:pr732
git checkout pr732


[SSSD] [sssd PR#721][comment] AD/IPA: Reset subdomain service name, not domain name

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/721
Title: #721: AD/IPA: Reset subdomain service name, not domain name

jhrozek commented:
"""
* master:
 * 9a3e836e7b7af1ff0fc5058feef120a8
 * b3285f9f8a5eac3e4e70ed3bd6b74c15ad806e9e
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/721#issuecomment-458293781


[SSSD] [sssd PR#721][+Pushed] AD/IPA: Reset subdomain service name, not domain name

2019-01-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/721
Title: #721: AD/IPA: Reset subdomain service name, not domain name

Label: +Pushed


[SSSD] [sssd PR#721][closed] AD/IPA: Reset subdomain service name, not domain name

2019-01-28 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/721
Author: jhrozek
 Title: #721: AD/IPA: Reset subdomain service name, not domain name
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/721/head:pr721
git checkout pr721


[SSSD] [sssd PR#558][comment] WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache

2019-01-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/558
Title: #558: WIP: Add a test for sss_nss_getgrouplist_timeout and fix 
invalidating the initgroups cache

jhrozek commented:
"""
Just to explain why I pushed a new version: I didn't actually do anything new 
in this branch, but yesterday for some reason I don't understand all my 
partitions switched to read-only mode while on the train so I force-pushed my 
local git repo to github to have the most current snapshot in case my disk was 
about to die...and I didn't realize this would also propagate to the PRs.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/558#issuecomment-456144794


[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/705
Author: jhrozek
 Title: #705: KCM: Add configurable quotas
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/705/head:pr705
git checkout pr705
From dc7f085c6e81f431f313593e565b05400e45819d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 5 Oct 2018 13:17:14 +0200
Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference

Related:
https://pagure.io/SSSD/sssd/issue/3685

There were some stray references to the secrets responder in the
sssd-kcm manual page.
---
 src/man/sssd-kcm.8.xml | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index fff8b0a16d..90b9ad09c2 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -58,11 +58,9 @@
 
 
 
-the SSSD implementation stores the ccaches in the SSSD
-
-sssd-secrets5
-
-secrets store, allowing the ccaches to survive KCM server restarts or machine reboots.
+the SSSD implementation stores the ccaches in a database,
+typically located at /var/lib/sss/secrets
+allowing the ccaches to survive KCM server restarts or machine reboots.
 
 
 

From 51a66363814b79139a94184147d6a7a9dc6e377e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 30 Nov 2018 13:15:58 +0100
Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart
 sssd-kcm.service lately

Related:
https://pagure.io/SSSD/sssd/issue/3862

We forgot to amend the man page after implementing the sssd-kcm service
reload.
---
 src/man/sssd-kcm.8.xml | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 90b9ad09c2..4e4aaa38ea 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service
 CONFIGURATION OPTIONS
 
 The KCM service is configured in the kcm
-section of the sssd.conf file. Please note that currently,
-is it not sufficient to restart the sssd-kcm service, because
-the sssd configuration is only parsed and read to an internal
-configuration database by the sssd service. Therefore you
-must restart the sssd service if you change anything in the
-kcm section of sssd.conf.
+section of the sssd.conf file. Please note that because
+the KCM service is typically socket-activated, it is
+enough to just restart the sssd-kcm service
+after changing options in the kcm section
+of sssd.conf:
+
+systemctl restart sssd-kcm.service
+
+
+
+The KCM service is configured in the kcm
 For a detailed syntax reference, refer to the FILE FORMAT section of the
 
 sssd.conf

From b9704244a03974611cb6799e674769af932c311e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM
 for quota options

Related:
https://pagure.io/SSSD/sssd/issue/3386

With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.

With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.

For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
---
 src/responder/secrets/secsrv.c | 70 ++
 src/util/secrets/config.c  | 40 +--
 src/util/secrets/secrets.h | 21 ++
 3 files changed, 88 insertions(+), 43 deletions(-)

diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2de93dedc5..e783e231d3 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
 static int sec_get_config(struct sec_ctx *sctx)
 {
 int ret;
+struct sss_sec_quota_opt dfl_sec_nest_level = {
+.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL

[SSSD] [sssd PR#693][synchronized] SYSDB: Fall back to the MPG result of getgrgid search if the non-MPG search for override doesn't match anything

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/693
Author: jhrozek
 Title: #693: SYSDB: Fall back to the MPG result of getgrgid search if the 
non-MPG search for override doesn't match anything
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/693/head:pr693
git checkout pr693
From 33aa422e4a88dd3d0297479d8832d3dfdffd4b87 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 7 Nov 2018 13:26:59 +0100
Subject: [PATCH] SYSDB: Fall back to the MPG result of getgrgid search if the
 non-MPG search for override doesn't match anything

---
 src/db/sysdb_search.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 43341d4462..26f3b018e7 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1088,6 +1088,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 const char *fmt_filter;
 struct ldb_dn *base_dn;
 struct ldb_result *res = NULL;
+struct ldb_result *mpg_res = NULL;
 int ret;
 static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
 const char **attrs = NULL;
@@ -1116,6 +1117,10 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
  * In case those are not the same, we're dealing with an
  * override and in order to return the proper overridden group
  * we must use the very same search used by a non-mpg domain
+ * to make sure that if the GID points to a group, it will
+ * be resolved. But we must also make sure to fall back
+ * to using the MPG result if the GID does not resolve
+ * to a group
  */
 fmt_filter = SYSDB_GRGID_MPG_FILTER;
 base_dn = sysdb_domain_dn(tmp_ctx, domain);
@@ -1138,6 +1143,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
 fmt_filter = SYSDB_GRGID_FILTER;
 base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+mpg_res = res;
 res = NULL;
 }
 }
@@ -1162,6 +1168,14 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 }
 }
 
+if (mpg_res != NULL && mpg_res->count > 0
+&& (res == NULL || res->count == 0)) {
+/* The overriden group does not resolve to a proper group object,
+ * just use it as a result
+ */
+res = mpg_res;
+}
+
 ret = mpg_res_convert(res);
 if (ret) {
 goto done;
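
Review bot: The comment in the final hunk does not say which result is being reused: "just use it as a result" should name the MPG search result saved in mpg_res, and "overriden" should be "overridden". The diffstat also shows only src/db/sysdb_search.c changing, so the new fallback (mpg_res->count > 0 while the second search returns nothing) has no test; a case where the overridden GID does not resolve to a group object would pin the behaviour down.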


[SSSD] [sssd PR#736][synchronized] KCM: Allow representing ccaches with a NULL principal

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/736
Author: jhrozek
 Title: #736: KCM: Allow representing ccaches with a NULL principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/736/head:pr736
git checkout pr736
From 40595a21d03d2c433665a5e3118627d30fffdc33 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:06:10 +0100
Subject: [PATCH 1/3] KCM: Return a valid tevent error code if a request cannot
 be created

Previously we were returning whatever was in 'ret' which is wrong,
typically it would have been EOK as returned from a previous successful
call or even an uninitialized value.
---
 src/responder/kcm/kcmsrv_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 9352909f4c..60b5677e93 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -527,7 +527,7 @@ static void kcm_op_initialize_create_step(struct tevent_req *req)
  state->op_ctx->client,
  state->new_cc);
 if (subreq == NULL) {
-tevent_req_error(req, ret);
+tevent_req_error(req, ENOMEM);
 return;
 }
 tevent_req_set_callback(subreq, kcm_op_initialize_cc_create_done, req);

From e8d4d4da59e454d09ff34af73d3ac53e69da822c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:02:01 +0100
Subject: [PATCH 2/3] KCM: Allow representing ccaches with a NULL principal

Related:
https://pagure.io/SSSD/sssd/issue/3873

We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
krb5_cc_new_unique
krb5_cc_switch
krb5_cc_initialize
---
 src/responder/kcm/kcmsrv_ccache.c| 18 +++--
 src/responder/kcm/kcmsrv_ccache_json.c   | 79 ---
 src/tests/cmocka/test_kcm_json_marshalling.c | 83 ++--
 3 files changed, 153 insertions(+), 27 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index af2bcf8bb5..e7800662ac 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -68,14 +68,16 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
 
 uuid_generate(cc->uuid);
 
-kret = krb5_copy_principal(k5c, princ, >client);
-if (kret != 0) {
-const char *err_msg = sss_krb5_get_error_message(k5c, kret);
-DEBUG(SSSDBG_OP_FAILURE,
-  "krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
-sss_krb5_free_error_message(k5c, err_msg);
-ret = ERR_INTERNAL;
-goto done;
+if (princ) {
+kret = krb5_copy_principal(k5c, princ, >client);
+if (kret != 0) {
+const char *err_msg = sss_krb5_get_error_message(k5c, kret);
+DEBUG(SSSDBG_OP_FAILURE,
+"krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
+sss_krb5_free_error_message(k5c, err_msg);
+ret = ERR_INTERNAL;
+goto done;
+}
 }
 
 cc->owner.uid = cli_creds_get_uid(owner);
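
Review bot: With the copy now guarded by "if (princ)", the NULL-principal path leaves cc->client untouched, so this relies on cc having been zero-initialised when it was allocated; that allocation is outside the hunk and worth confirming, because the JSON marshalling code in the next file branches on princ == NULL. For consistency with the check added there, write the condition as "if (princ != NULL)".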
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index 6341530ee5..72e24c4304 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -229,6 +229,20 @@ static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
 json_error_t error;
 char *str_realm_data;
 
+if (princ == NULL) {
+jprinc = json_pack_ex(,
+  JSON_STRICT,
+  "{}");
+if (jprinc == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Failed to pack JSON princ structure on line %d: %s\n",
+  error.line, error.text);
+return NULL;
+}
+
+return jprinc;
+}
+
 components = princ_data_to_json(mem_ctx, princ);
 if (components == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
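
Review bot: The early return for princ == NULL encodes a missing principal as an empty JSON object, but nothing in the hunk says so; add a short comment stating that "{}" stands for a NULL principal, so that whoever touches the unmarshalling side knows the two must stay in step. json_object() would build the same empty object without a format string; the NULL check on the result stays.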
@@ -587,13 +601,12 @@ static errno_t json_array_to_krb5_data(TALLOC_CTX *mem_ctx,
 return EOK;
 }
 
-static errno_t json_to_princ(TALLOC_CTX *mem_ctx,
- json_t *js_princ,
- krb5_principal *_princ)
+static errno_t json_to_nonempty_princ(TALLOC_CTX *mem_ctx,
+  json_t *js_princ,
+  krb5_principal *_princ)
 {
 errno_t ret;
 json_t *components = NULL;
-int ok;
 krb5_principal princ = NULL;
 TALLOC_CTX *tmp_ctx = NULL;
 char *realm_str;
@@ -601,13 +614,6 @@ static errno_t json_to_princ(TALLOC_CTX *mem_ctx,
 size_t comp_count;
 json_error_t error;
 
-ok = json_is_object(js_princ);
-i

[SSSD] [sssd PR#558][synchronized] WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/558
Author: jhrozek
 Title: #558: WIP: Add a test for sss_nss_getgrouplist_timeout and fix 
invalidating the initgroups cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/558/head:pr558
git checkout pr558
From 2da0f4a08eb72a924b9c2b9a00f0caeadc352d93 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 24 Apr 2018 16:31:38 +0200
Subject: [PATCH 1/2] NSS: Fix deleting named entries from the initgroup memory
 cache

---
 src/responder/nss/nss_cmd.c|  8 ++--
 src/responder/nss/nss_get_object.c | 17 +++--
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
index 9ee6ca805e..ef4c75fc4a 100644
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -493,12 +493,16 @@ static errno_t invalidate_cache(struct nss_cmd_ctx *cmd_ctx,
 return ret;
 }
 
-memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
-  output_name, 0, memcache_type);
 if (memcache_type == SSS_MC_INITGROUPS) {
+memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
+  result->lookup_name, 0, memcache_type);
+
 /* Invalidate the passwd data as well */
 memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx,
   result->domain, output_name, 0, SSS_MC_PASSWD);
+} else {
+memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
+  output_name, 0, memcache_type);
 }
 talloc_free(output_name);
 
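
Review bot: In the SSS_MC_INITGROUPS branch the initgroups entry is now deleted by result->lookup_name while the passwd entry just below still uses output_name, and neither the code nor the commit message explains why the two caches are keyed differently. A one-line comment above the first memcache_delete_entry() call would keep a later cleanup from changing it back.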
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 15faced006..bab817ab4a 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -109,12 +109,17 @@ memcache_delete_entry(struct nss_ctx *nss_ctx,
 }
 
 if (name != NULL) {
-ret = sized_output_name(NULL, rctx, name, dom, _name);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-  "Unable to create sized name [%d]: %s\n",
-  ret, sss_strerror(ret));
-return ret;
+if (type == SSS_MC_INITGROUPS) {
+sized_name = talloc_zero(NULL, struct sized_string);
+to_sized_string(sized_name, name);
+} else {
+ret = sized_output_name(NULL, rctx, name, dom, _name);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+"Unable to create sized name [%d]: %s\n",
+ret, sss_strerror(ret));
+return ret;
+}
 }
 
 ret = memcache_delete_entry_by_name(nss_ctx, sized_name, type);
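
Review bot: The new SSS_MC_INITGROUPS branch passes the result of talloc_zero() straight to to_sized_string() without checking it for NULL, unlike the else branch, which checks ret and returns. Add "if (sized_name == NULL) return ENOMEM;" before the call. The allocation also hangs off the NULL context, so make sure it is freed on every path after memcache_delete_entry_by_name().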

From e9f7d71d169ed8aa81644b4db79b2bb2bbd1dee0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 23 Apr 2018 21:33:49 +0200
Subject: [PATCH 2/2] TESTS: Add tests for the sss_nss_getgrouplist_timeout
 function

---
 src/tests/intg/Makefile.am|   2 +
 src/tests/intg/sssd_nss_ex.py |  86 +++
 src/tests/intg/test_nss_ex.py | 261 ++
 3 files changed, 349 insertions(+)
 create mode 100644 src/tests/intg/sssd_nss_ex.py
 create mode 100644 src/tests/intg/test_nss_ex.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 9c53382613..028fe8ed3c 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -3,6 +3,7 @@ dist_noinst_DATA = \
 config.py.m4 \
 util.py \
 sssd_nss.py \
+sssd_nss_ex.py \
 sssd_id.py \
 sssd_ldb.py \
 sssd_netgroup.py \
@@ -36,6 +37,7 @@ dist_noinst_DATA = \
 data/ad_schema.ldif \
 test_pysss_nss_idmap.py \
 test_infopipe.py \
+test_nss_ex.py \
 $(NULL)
 
 EXTRA_DIST = data/cwrap-dbus-system.conf.in
diff --git a/src/tests/intg/sssd_nss_ex.py b/src/tests/intg/sssd_nss_ex.py
new file mode 100644
index 00..381f3cae34
--- /dev/null
+++ b/src/tests/intg/sssd_nss_ex.py
@@ -0,0 +1,86 @@
+#
+# Shared module for integration tests that need to access the sssd_nss_ex
+# interface directly
+#
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import con

[SSSD] [sssd PR#734][+Accepted] sss_client: minor fixes

2019-01-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

Label: +Accepted


[SSSD] [sssd PR#732][+Accepted] sss_client/common.c: fix Coverity issue (issue 3841)

2019-01-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/732
Title: #732: sss_client/common.c: fix Coverity issue (issue 3841)

Label: +Accepted


[SSSD] [sssd PR#732][comment] sss_client/common.c: fix Coverity issue (issue 3841)

2019-01-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/732
Title: #732: sss_client/common.c: fix Coverity issue (issue 3841)

jhrozek commented:
"""
Coverity said 'BUFFER_SIZE_WARNING   -1', so ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/732#issuecomment-40095


[SSSD] [sssd PR#734][comment] sss_client: minor fixes

2019-01-17 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

jhrozek commented:
"""
Thank you, this was so much easier to review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/734#issuecomment-455352466


[SSSD] [sssd PR#736][comment] KCM: Allow representing ccaches with a NULL principal

2019-01-17 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/736
Title: #736: KCM: Allow representing ccaches with a NULL principal

jhrozek commented:
"""
For anyone who wishes to reproduce the bug, this is probably the simplest 
use-case:
 - kinit $user
 - ssh -K -l $user hostname
 - klist

Prior to the patch, klist on the target host would not print anything, after 
the patch, you should see credentials on the target host.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/736#issuecomment-455328606


[SSSD] [sssd PR#735][comment] sbus: do not use signature when copying dictionary entry

2019-01-17 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/735
Title: #735: sbus: do not use signature when copying dictionary entry

jhrozek commented:
"""
I opened upstream issue #3921 just so we track the fix somewhere (also 
downstream) and pushed the patch as bc1e8ffd5cca74aa8408c1c6bce0a3cf42a0974b
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/735#issuecomment-455326698


[SSSD] [sssd PR#735][closed] sbus: do not use signature when copying dictionary entry

2019-01-17 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/735
Author: pbrezina
 Title: #735: sbus: do not use signature when copying dictionary entry
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/735/head:pr735
git checkout pr735


[SSSD] [sssd PR#735][+Pushed] sbus: do not use signature when copying dictionary entry

2019-01-17 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/735
Title: #735: sbus: do not use signature when copying dictionary entry

Label: +Pushed


[SSSD] [sssd PR#736][opened] KCM: Allow representing ccaches with a NULL principal

2019-01-16 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/736
Author: jhrozek
 Title: #736: KCM: Allow representing ccaches with a NULL principal
Action: opened

PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3873

We need to make it possible to create an internal ccache representation 
without passing in a principal. The principal is only assigned to the 
ccache with krb5_cc_initialize(), but some programs like openssh use the 
following sequence of calls:
   krb5_cc_new_unique
   krb5_cc_switch
   krb5_cc_initialize
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/736/head:pr736
git checkout pr736
From d4f0a4b3cf303f6d2f509d137673108cb0ac24bc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:06:10 +0100
Subject: [PATCH 1/3] KCM: Return a valid tevent error code if a request cannot
 be created

Previously we were returning whatever was in 'ret' which is wrong,
typically it would have been EOK as returned from a previous successful
call or even an uninitialized value.
---
 src/responder/kcm/kcmsrv_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 9352909f4c..60b5677e93 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -527,7 +527,7 @@ static void kcm_op_initialize_create_step(struct tevent_req *req)
  state->op_ctx->client,
  state->new_cc);
 if (subreq == NULL) {
-tevent_req_error(req, ret);
+tevent_req_error(req, ENOMEM);
 return;
 }
 tevent_req_set_callback(subreq, kcm_op_initialize_cc_create_done, req);

From d8bb375b81cdcdc2db9fca0dc1fdf3baf905022f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:02:01 +0100
Subject: [PATCH 2/3] KCM: Allow representing ccaches with a NULL principal

Related:
https://pagure.io/SSSD/sssd/issue/3873

We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
krb5_cc_new_unique
krb5_cc_switch
krb5_cc_initialize
---
 src/responder/kcm/kcmsrv_ccache.c| 18 +++--
 src/responder/kcm/kcmsrv_ccache_json.c   | 79 ---
 src/tests/cmocka/test_kcm_json_marshalling.c | 83 ++--
 3 files changed, 153 insertions(+), 27 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index af2bcf8bb5..e7800662ac 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -68,14 +68,16 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
 
 uuid_generate(cc->uuid);
 
-kret = krb5_copy_principal(k5c, princ, >client);
-if (kret != 0) {
-const char *err_msg = sss_krb5_get_error_message(k5c, kret);
-DEBUG(SSSDBG_OP_FAILURE,
-  "krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
-sss_krb5_free_error_message(k5c, err_msg);
-ret = ERR_INTERNAL;
-goto done;
+if (princ) {
+kret = krb5_copy_principal(k5c, princ, >client);
+if (kret != 0) {
+const char *err_msg = sss_krb5_get_error_message(k5c, kret);
+DEBUG(SSSDBG_OP_FAILURE,
+"krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
+sss_krb5_free_error_message(k5c, err_msg);
+ret = ERR_INTERNAL;
+goto done;
+}
 }
 
 cc->owner.uid = cli_creds_get_uid(owner);
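Review bot: `if (princ)` should be written as `if (princ != NULL)` to match the explicit `princ == NULL` test this patch adds to princ_to_json(). With the copy now optional, the hunk does not show what value cc->client has when no principal is passed; a comment at kcm_cc_new() stating that princ may be NULL, and what cc->client holds until the ccache is initialized, would help callers that dereference it.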
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index 6341530ee5..72e24c4304 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -229,6 +229,20 @@ static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
 json_error_t error;
 char *str_realm_data;
 
+if (princ == NULL) {
+jprinc = json_pack_ex(,
+  JSON_STRICT,
+  "{}");
+if (jprinc == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Failed to pack JSON princ structure on line %d: %s\n",
+  error.line, error.text);
+return NULL;
+}
+
+return jprinc;
+}
+
 components = princ_data_to_json(mem_ctx, princ);
 if (components == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
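Review bot: the NULL-principal case in princ_to_json() serializes to an empty object, which is a format decision that nothing in the hunk documents. Add a comment stating that `{}` means "no principal" so the unmarshalling side and the tests agree on it. Building the empty object with json_pack_ex() and a "{}" format string works, but json_object() produces the same value without format parsing.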
@@ -587,13 +601,12 @@ static errno_t json_array_to_krb5_data(TALLOC_CTX *mem_ctx,
 return EOK;
 }
 
-static errno_t json_to_princ(TALLOC_CTX *mem_ctx,
- json_t *js_princ,
- krb5_principal *_princ)
+static errno_t json_to_nonempty_princ(TALLOC_CTX *mem_ctx,
+  

[SSSD] [sssd PR#734][comment] sss_client: minor fixes

2019-01-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

jhrozek commented:
"""
I have a generic comment: each change, however cosmetic, *especially* in the 
client code should be in its separate patch. There are two reasons for this: 1) 
you can write a commit message for each change and 2) it's easier to review.

Doing git reset --mixed HEAD~1 and then adding each change with either git add 
-e or git add -i makes it possible to add each change separately.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/734#issuecomment-454731023


[SSSD] [sssd PR#712][comment] SSSCTL: user-checks does not show custom attributes

2019-01-15 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/712
Title: #712:  SSSCTL: user-checks does not show custom attributes

jhrozek commented:
"""
Thanks, yes, this is how I reproduced the bug as well. But while I agree the 
issue is not related to the patch per se, I don't know if I can test the patch 
without this crash being fixed? 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/712#issuecomment-454557376


[SSSD] [sssd PR#731][+Pushed] idmap_sss: improve man page

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/731
Title: #731: idmap_sss: improve man page

Label: +Pushed


[SSSD] [sssd PR#731][closed] idmap_sss: improve man page

2019-01-10 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/731
Author: sumit-bose
 Title: #731: idmap_sss: improve man page
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/731/head:pr731
git checkout pr731


[SSSD] [sssd PR#731][comment] idmap_sss: improve man page

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/731
Title: #731: idmap_sss: improve man page

jhrozek commented:
"""
* master: ea7ada6c0629df45348f699e30acc44194550801
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/731#issuecomment-453264365


[SSSD] [sssd PR#729][comment] SSSD does not work when no sssd.conf is present

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/729
Title: #729: SSSD does not work when no sssd.conf is present

jhrozek commented:
"""
I fixed the whitespace and pushed the commits to master:
b66f8dc3bd4e89c424bef5953aeb70742f9656dd
8a3517c5466c107f4d4e0970a1c33b51d6c762f8
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/729#issuecomment-453263994


[SSSD] [sssd PR#729][closed] SSSD does not work when no sssd.conf is present

2019-01-10 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/729
Author: mzidek-rh
 Title: #729: SSSD does not work when no sssd.conf is present
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/729/head:pr729
git checkout pr729


[SSSD] [sssd PR#728][closed] ci: add Fedora 29

2019-01-10 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/728
Author: pbrezina
 Title: #728: ci: add Fedora 29
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/728/head:pr728
git checkout pr728


[SSSD] [sssd PR#728][comment] ci: add Fedora 29

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/728
Title: #728: ci: add Fedora 29

jhrozek commented:
"""
* master: bf248a3971b2794e0c82324081ac182dd74e2e9e
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/728#issuecomment-453261249


[SSSD] [sssd PR#728][+Pushed] ci: add Fedora 29

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/728
Title: #728: ci: add Fedora 29

Label: +Pushed


[SSSD] [sssd PR#727][comment] CONFIG: validator rules & test

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/727
Title: #727: CONFIG: validator rules & test

jhrozek commented:
"""
* master: 8e9e8011ce17860bec67a572e4c11a9178c03b8e
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/727#issuecomment-453259978


[SSSD] [sssd PR#727][closed] CONFIG: validator rules & test

2019-01-10 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/727
Author: alexey-tikhonov
 Title: #727: CONFIG: validator rules & test
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/727/head:pr727
git checkout pr727


[SSSD] [sssd PR#727][+Pushed] CONFIG: validator rules & test

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/727
Title: #727: CONFIG: validator rules & test

Label: +Pushed


[SSSD] [sssd PR#731][+Accepted] idmap_sss: improve man page

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/731
Title: #731: idmap_sss: improve man page

Label: +Accepted


[SSSD] [sssd PR#729][+Accepted] SSSD does not work when no sssd.conf is present

2019-01-10 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/729
Title: #729: SSSD does not work when no sssd.conf is present

Label: +Accepted


[SSSD] [sssd PR#726][-Blocked] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/726
Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property

Label: -Blocked


[SSSD] [sssd PR#726][comment] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/726
Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property

jhrozek commented:
"""
Ah, sorry, there were some pep8 errors in the test. Should work now.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/726#issuecomment-452305308


[SSSD] [sssd PR#726][synchronized] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/726
Author: jhrozek
 Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/726/head:pr726
git checkout pr726
From c02dd62ed79d10008193ff91cec03ac2928aee15 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 4 Jan 2019 15:26:02 +0100
Subject: [PATCH] TESTS: Add a simple integration test for retrieving the
 extraAttributes property

Related:
https://pagure.io/SSSD/sssd/issue/3906
---
 src/tests/intg/test_infopipe.py   | 31 +++
 src/tests/multihost/basic/test_ifp.py | 28 
 2 files changed, 59 insertions(+)
 create mode 100644 src/tests/multihost/basic/test_ifp.py

diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
index 6c316628b..9d575e675 100644
--- a/src/tests/intg/test_infopipe.py
+++ b/src/tests/intg/test_infopipe.py
@@ -207,12 +207,14 @@ def format_basic_conf(ldap_conn, schema):
 # problem with "ifp" + client regristration in monitor
 # There is not such problem in 1st test. Just in following tests.
 command = {ifp_command} --uid 0 --gid 0 --debug-to-files
+user_attributes = +extraName
 
 [domain/LDAP]
 {schema_conf}
 id_provider = ldap
 ldap_uri= {ldap_conn.ds_inst.ldap_url}
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
+ldap_user_extra_attrs = extraName:uid
 
 [application/app]
 inherit_from = LDAP
@@ -534,6 +536,35 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
 assert sorted(res) == ['single_user_group', 'two_user_group']
 
 
+def get_user_property(dbus_system_bus, username, prop_name):
+users_obj = dbus_system_bus.get_object(
+'org.freedesktop.sssd.infopipe',
+'/org/freedesktop/sssd/infopipe/Users')
+
+users_iface = dbus.Interface(users_obj,
+ "org.freedesktop.sssd.infopipe.Users")
+
+user_path = users_iface.FindByName(username)
+user_object = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe',
+ user_path)
+
+prop_iface = dbus.Interface(user_object, 'org.freedesktop.DBus.Properties')
+return prop_iface.Get('org.freedesktop.sssd.infopipe.Users.User',
+  prop_name)
+
+
+def test_get_extra_attributes_empty(dbus_system_bus,
+ldap_conn,
+sanity_rfc2307):
+"""
+Make sure the extraAttributes property can be retrieved
+"""
+extra_attrs = get_user_property(dbus_system_bus,
+'user1',
+'extraAttributes')
+assert extra_attrs['extraName'][0] == 'user1'
+
+
 def test_sssctl_domain_list_app_domain(dbus_system_bus,
ldap_conn,
sanity_rfc2307):
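Review bot: test_get_extra_attributes_empty does not test an empty result; it asserts that extra_attrs['extraName'][0] equals 'user1'. Rename it (for example test_get_extra_attributes) so the name matches the assertion, and extend the docstring to say that extraName is mapped from uid by the ldap_user_extra_attrs line this patch adds to the test configuration.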
diff --git a/src/tests/multihost/basic/test_ifp.py b/src/tests/multihost/basic/test_ifp.py
new file mode 100644
index 0..108169de2
--- /dev/null
+++ b/src/tests/multihost/basic/test_ifp.py
@@ -0,0 +1,28 @@
+"""
+InfoPipe test cases
+"""
+
+import pytest
+from sssd.testlib.common.utils import SSHClient
+
+
+class TestInfoPipe(object):
+"""
+Test the InfoPipe responder
+"""
+def test_ifp_extra_attributes_property(self, multihost):
+"""
+Test requesting the extraAttributes property works at all,
+see e.g.  https://pagure.io/SSSD/sssd/issue/3906
+"""
+dbus_send_cmd = \
+"""
+dbus-send --print-reply --system \
+--dest=org.freedesktop.sssd.infopipe \
+/org/freedesktop/sssd/infopipe/Users/LDAP_2eTEST/123 \
+org.freedesktop.DBus.Properties.Get \
+string:"org.freedesktop.sssd.infopipe.Users.User" \
+string:"extraAttributes"
+"""
+cmd = multihost.master[0].run_command(dbus_send_cmd)
+assert cmd.returncode == 0
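Review bot: `pytest` and `SSHClient` are imported at the top of the new file but never used in it, so both imports can be dropped. The object path /org/freedesktop/sssd/infopipe/Users/LDAP_2eTEST/123 is hard-coded, which makes the test depend on a user with that ID existing on the multihost master; name the fixture that creates it or resolve the path first so the dependency is explicit. Checking only cmd.returncode == 0 matches the "works at all" docstring, but the reply itself is never inspected.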


[SSSD] [sssd PR#728][comment] ci: add Fedora 29

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/728
Title: #728: ci: add Fedora 29

jhrozek commented:
"""
scan.coverity.com uses an invalid certificate. It's issued for 
misc.synopsys.com and a couple of other strange sites using the subjectAltName, 
but none of them matches scan.coverity.com

I suggest we disable the travisCI coverity integration for the time being. We 
can also use insecure checks, but..
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/728#issuecomment-452288921


[SSSD] [sssd PR#716][comment] CACHE: SSSD doesn't clear cache entries

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/716
Title: #716: CACHE: SSSD doesn't clear cache entries

jhrozek commented:
"""
I think this commit is mostly good. I'll just leave some very minor nitpicks 
inline using the github review tool.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/716#issuecomment-452284643


[SSSD] [sssd PR#712][comment] SSSCTL: user-checks does not show custom attributes

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/712
Title: #712:  SSSCTL: user-checks does not show custom attributes

jhrozek commented:
"""
I'm getting a crash when testing this code:
```
#0  0x7fdfcaefaeab in raise () from /lib64/libc.so.6
#1  0x7fdfcaee55b9 in abort () from /lib64/libc.so.6
#2  0x7fdfcb5a9aad in _dbus_abort.cold.0 () from /lib64/libdbus-1.so.3
#3  0x7fdfcb5cbef0 in _dbus_warn_check_failed () from /lib64/libdbus-1.so.3
#4  0x7fdfcb5bd7ef in dbus_message_iter_open_container () from 
/lib64/libdbus-1.so.3
#5  0x7fdfcbe38f47 in sbus_copy_iterator_container (from=0x7ffc535c9490, 
to=0x7ffc535c94e0, type=101)
at /sssd/src/sbus/interface/sbus_properties.c:190
#6  0x7fdfcbe390e1 in sbus_copy_iterator_value (from=0x7ffc535c9490, 
to=0x7ffc535c94e0)
at /sssd/src/sbus/interface/sbus_properties.c:264
#7  0x7fdfcbe38f76 in sbus_copy_iterator_container (from=0x7ffc535c95b0, 
to=0x7ffc535c9600, type=97)
at /sssd/src/sbus/interface/sbus_properties.c:195
#8  0x7fdfcbe390e1 in sbus_copy_iterator_value (from=0x7ffc535c95b0, 
to=0x7ffc535c9600)
at /sssd/src/sbus/interface/sbus_properties.c:264
#9  0x7fdfcbe38f76 in sbus_copy_iterator_container (from=0x7ffc535c9720, 
to=0x7ffc535c96d0, type=118)
at /sssd/src/sbus/interface/sbus_properties.c:195
#10 0x7fdfcbe390e1 in sbus_copy_iterator_value (from=0x7ffc535c9720, 
to=0x7ffc535c96d0)
at /sssd/src/sbus/interface/sbus_properties.c:264
#11 0x7fdfcbe3923a in sbus_copy_message_to_dictionary (name=0x7fdfcc2981db 
"extraAttributes", msg=0x1822c90,
to=0x1831828) at /sssd/src/sbus/interface/sbus_properties.c:308
#12 0x7fdfcbe39e82 in sbus_properties_getall_done (subreq=0x0) at 
/sssd/src/sbus/interface/sbus_properties.c:658
#13 0x7fdfcbe398ea in sbus_properties_get_done (subreq=0x0) at 
/sssd/src/sbus/interface/sbus_properties.c:489
#14 0x7fdfcc2896fe in _sbus_ifp_invoke_in__out_ifp_extra_step 
(ev=0x17f3900, te=0x182a5f0, tv=...,
private_data=0x182a3b0) at 
/sssd/src/responder/ifp/ifp_iface/sbus_ifp_invokers.c:852
#15 0x7fdfcba0a785 in tevent_common_loop_timer_delay 
(ev=ev@entry=0x17f3900) at ../tevent_timed.c:369
#16 0x7fdfcba0b87b in epoll_event_loop_once (ev=0x17f3900, 
location=) at ../tevent_epoll.c:915
#17 0x7fdfcba09dab in std_event_loop_once (ev=0x17f3900, 
location=0x7fdfceb9c3bd "/sssd/src/util/server.c:724")
at ../tevent_standard.c:114
#18 0x7fdfcba06098 in _tevent_loop_once (ev=ev@entry=0x17f3900,
location=location@entry=0x7fdfceb9c3bd "/sssd/src/util/server.c:724") at 
../tevent.c:725
#19 0x7fdfcba062eb in tevent_common_loop_wait (ev=0x17f3900,
---Type  to continue, or q  to quit---
location=0x7fdfceb9c3bd "/sssd/src/util/server.c:724") at ../tevent.c:848
#20 0x7fdfcba09d3b in std_event_loop_wait (ev=0x17f3900, 
location=0x7fdfceb9c3bd "/sssd/src/util/server.c:724")
at ../tevent_standard.c:145
#21 0x7fdfceb72593 in server_loop (main_ctx=0x17f4d90) at 
/sssd/src/util/server.c:724
#22 0x00408d59 in main (argc=6, argv=0x7ffc535c9d18) at 
/sssd/src/responder/ifp/ifpsrv.c:361
```
But this looks like I haven't gotten to your codepath yet. Did you see the 
error locally as well?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/712#issuecomment-452282273


[SSSD] [sssd PR#723][synchronized] MAN: Explicitly state that not all generic domain options are supported for the files provider

2019-01-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/723
Author: jhrozek
 Title: #723: MAN: Explicitly state that not all generic domain options are 
supported for the files provider
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/723/head:pr723
git checkout pr723
From 91f8237e8fbbc5f098c2f29261ca70751e9de279 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 3 Jan 2019 15:32:26 +0100
Subject: [PATCH] MAN: Explicitly state that not all generic domain options are
 supported for the files provider

Resolves:
https://pagure.io/SSSD/sssd/issue/3882
---
 src/man/sssd-files.5.xml | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
index 067e21949..34b107965 100644
--- a/src/man/sssd-files.5.xml
+++ b/src/man/sssd-files.5.xml
@@ -84,7 +84,13 @@
 sssd.conf
 5
  manual page for details on the configuration
-of an SSSD domain.
+of an SSSD domain. But the purpose of the files provider is
+to expose the same data as the UNIX files, just through the
+SSSD interfaces. Therefore not all generic domain options are
+supported. Likewise, some global options, such as overriding
+the shell in the nss section for all domains
+has no effect on the files domain unless explicitly specified
+per-domain.
 
 
 passwd_files (string)
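Review bot: In the added sentence beginning "Likewise, some global options", the verb does not agree with its subject: "some global options ... has no effect" should read "have no effect". The text would also be easier to act on if it named the option meant by "overriding the shell in the nss section", so a reader can look it up in sssd.conf(5).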


[SSSD] [sssd PR#723][-Changes requested] MAN: Explicitly state that not all generic domain options are supported for the files provider

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/723
Title: #723: MAN: Explicitly state that not all generic domain options are 
supported for the files provider

Label: -Changes requested


[SSSD] [sssd PR#715][+Pushed] Use 120 second default timeout for dbus (#1654537)

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

Label: +Pushed


[SSSD] [sssd PR#715][comment] Use 120 second default timeout for dbus (#1654537)

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

jhrozek commented:
"""
Oops, this was pushed already, I just forgot to close the PR. Master: 
e4469fbdb3d5c53294c6514280ac75b847b3c61c
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/715#issuecomment-452252594


[SSSD] [sssd PR#715][closed] Use 120 second default timeout for dbus (#1654537)

2019-01-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/715
Author: AdamWill
 Title: #715: Use 120 second default timeout for dbus (#1654537)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/715/head:pr715
git checkout pr715


[SSSD] [sssd PR#726][comment] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/726
Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property

jhrozek commented:
"""
retest this please
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/726#issuecomment-452213696


[SSSD] [sssd PR#719][closed] ifp: extraAttributes is UnknownProperty

2019-01-06 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/719
Author: thalman
 Title: #719: ifp: extraAttributes is UnknownProperty
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/719/head:pr719
git checkout pr719


[SSSD] [sssd PR#719][+Pushed] ifp: extraAttributes is UnknownProperty

2019-01-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

Label: +Pushed


[SSSD] [sssd PR#719][comment] ifp: extraAttributes is UnknownProperty

2019-01-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

jhrozek commented:
"""
* master: 814889a7f4691a135b617058c3ae876b54d5b226
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/719#issuecomment-451766830


[SSSD] [sssd PR#724][closed] COMPONENT: util/tev_curl

2019-01-06 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/724
Author: alexey-tikhonov
 Title: #724: COMPONENT: util/tev_curl
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/724/head:pr724
git checkout pr724


[SSSD] [sssd PR#724][comment] COMPONENT: util/tev_curl

2019-01-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/724
Title: #724: COMPONENT: util/tev_curl

jhrozek commented:
"""
I used your nice explanation to improve the commit message and pushed the fix 
to master:
* 15bde7dab466fc4f2719ce709de9dac7e1e10de8
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/724#issuecomment-451766724


[SSSD] [sssd PR#724][+Pushed] COMPONENT: util/tev_curl

2019-01-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/724
Title: #724: COMPONENT: util/tev_curl

Label: +Pushed


[SSSD] [sssd PR#719][comment] ifp: extraAttributes is UnknownProperty

2019-01-04 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

jhrozek commented:
"""
Ack, an integration test was submitted in PR #726
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/719#issuecomment-451461413


[SSSD] [sssd PR#726][comment] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-04 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/726
Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property

jhrozek commented:
"""
This is a test for PR #719. It is expected that it will fail until that PR is 
merged.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/726#issuecomment-451461254


[SSSD] [sssd PR#719][+Accepted] ifp: extraAttributes is UnknownProperty

2019-01-04 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

Label: +Accepted


[SSSD] [sssd PR#726][+Blocked] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-04 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/726
Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property

Label: +Blocked


[SSSD] [sssd PR#726][opened] TESTS: Add a simple integration test for retrieving the extraAttributes property

2019-01-04 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/726
Author: jhrozek
 Title: #726: TESTS: Add a simple integration test for retrieving the 
extraAttributes property
Action: opened

PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3906
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/726/head:pr726
git checkout pr726
From 8a78a096148baf96b0e801f3948b5af22512d8b6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 4 Jan 2019 15:26:02 +0100
Subject: [PATCH] TESTS: Add a simple integration test for retrieving the
 extraAttributes property

Related:
https://pagure.io/SSSD/sssd/issue/3906
---
 src/tests/intg/test_infopipe.py   | 31 +++
 src/tests/multihost/basic/test_ifp.py | 26 ++
 2 files changed, 57 insertions(+)
 create mode 100644 src/tests/multihost/basic/test_ifp.py

diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
index 6c316628b..9d575e675 100644
--- a/src/tests/intg/test_infopipe.py
+++ b/src/tests/intg/test_infopipe.py
@@ -207,12 +207,14 @@ def format_basic_conf(ldap_conn, schema):
 # problem with "ifp" + client regristration in monitor
 # There is not such problem in 1st test. Just in following tests.
 command = {ifp_command} --uid 0 --gid 0 --debug-to-files
+user_attributes = +extraName
 
 [domain/LDAP]
 {schema_conf}
 id_provider = ldap
 ldap_uri= {ldap_conn.ds_inst.ldap_url}
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
+ldap_user_extra_attrs = extraName:uid
 
 [application/app]
 inherit_from = LDAP
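Review bot: The two added options go into format_basic_conf, the shared configuration helper, so every test built on it now runs with user_attributes = +extraName and ldap_user_extra_attrs = extraName:uid, not only the new extraAttributes test. If that is intended, a comment next to the options saying which test relies on them would help; otherwise move them into a dedicated conf helper and fixture so the existing tests keep their original configuration.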
@@ -534,6 +536,35 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
 assert sorted(res) == ['single_user_group', 'two_user_group']
 
 
+def get_user_property(dbus_system_bus, username, prop_name):
+users_obj = dbus_system_bus.get_object(
+'org.freedesktop.sssd.infopipe',
+'/org/freedesktop/sssd/infopipe/Users')
+
+users_iface = dbus.Interface(users_obj,
+ "org.freedesktop.sssd.infopipe.Users")
+
+user_path = users_iface.FindByName(username)
+user_object = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe',
+ user_path)
+
+prop_iface = dbus.Interface(user_object, 'org.freedesktop.DBus.Properties')
+return prop_iface.Get('org.freedesktop.sssd.infopipe.Users.User',
+  prop_name)
+
+
+def test_get_extra_attributes_empty(dbus_system_bus,
+ldap_conn,
+sanity_rfc2307):
+"""
+Make sure the extraAttributes property can be retrieved
+"""
+extra_attrs = get_user_property(dbus_system_bus,
+'user1',
+'extraAttributes')
+assert extra_attrs['extraName'][0] == 'user1'
+
+
 def test_sssctl_domain_list_app_domain(dbus_system_bus,
ldap_conn,
sanity_rfc2307):
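Review bot: test_get_extra_attributes_empty is named as if it checked an empty result, but it asserts extra_attrs['extraName'][0] == 'user1', which is a populated attribute. Rename it (for example test_get_extra_attributes) so a failure report is not misleading. The new get_user_property helper is reusable and would benefit from a one-line docstring stating that it resolves the user by name and reads the property from the Users.User interface.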
diff --git a/src/tests/multihost/basic/test_ifp.py b/src/tests/multihost/basic/test_ifp.py
new file mode 100644
index 0..b1d218f5c
--- /dev/null
+++ b/src/tests/multihost/basic/test_ifp.py
@@ -0,0 +1,26 @@
+"""
+InfoPipe test cases
+"""
+
+import pytest
+from sssd.testlib.common.utils import SSHClient
+
+class TestInfoPipe(object):
+"""
+Test the InfoPipe responder
+"""
+def test_ifp_extra_attributes_property(self, multihost):
+"""
+Test requesting the extraAttributes property works at all,
+see e.g.  https://pagure.io/SSSD/sssd/issue/3906
+"""
+dbus_send_cmd = \
+"""
+dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
+/org/freedesktop/sssd/infopipe/Users/LDAP_2eTEST/123 \
+org.freedesktop.DBus.Properties.Get \
+string:"org.freedesktop.sssd.infopipe.Users.User" \
+string:"extraAttributes"
+"""
+cmd = multihost.master[0].run_command(dbus_send_cmd)
+assert cmd.returncode == 0
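Review bot: The dbus-send command hard-codes the object path /org/freedesktop/sssd/infopipe/Users/LDAP_2eTEST/123, so the test depends on the domain name and the UID encoded in that path matching the multihost setup, with nothing in this file that creates or checks them. Resolving the path first, or taking the domain and UID from the fixture, would make the failure mode clearer. Only cmd.returncode is asserted, so a reply with wrong content still passes; and the SSHClient import is unused in this new file.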


[SSSD] [sssd PR#725][opened] MULTIHOST: Do not use the deprecated namespace

2019-01-04 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/725
Author: jhrozek
 Title: #725: MULTIHOST: Do not use the deprecated namespace
Action: opened

PR body:
"""
This issue was causing warnings with the current pytest versions as 
installed from pip.

See: https://docs.pytest.org/en/latest/deprecations.html#pytest-namespace
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/725/head:pr725
git checkout pr725
From 3b8d4b8baa4901be91a9c7ecfb62a556f260b6ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 27 Nov 2018 11:39:18 +0100
Subject: [PATCH] MULTIHOST: Do not use the deprecated namespace

This issue was causing warnings with the current pytest versions as
installed from pip.

See:
https://docs.pytest.org/en/latest/deprecations.html#pytest-namespace
---
 src/tests/multihost/basic/conftest.py | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py
index 65e2d641b..a9e9cf0a6 100644
--- a/src/tests/multihost/basic/conftest.py
+++ b/src/tests/multihost/basic/conftest.py
@@ -17,13 +17,13 @@
 import ldap
 
 
-def pytest_namespace():
-return {'num_masters': 1,
-'num_ad': 0,
-'num_atomic': 0,
-'num_replicas': 0,
-'num_clients': 0,
-'num_others': 0}
+def pytest_configure():
+pytest.num_masters = 1
+pytest.num_ad = 0
+pytest.num_atomic = 0
+pytest.num_replicas = 0
+pytest.num_clients = 0
+pytest.num_others = 0
 
 
 @pytest.fixture(scope="class")
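Review bot: The new pytest_configure sets pytest.num_masters and the five sibling attributes directly on the pytest module with no comment on what reads them, so they look like dead assignments to anyone who does not know the old pytest_namespace contract. A one-line comment naming the plugin that consumes these values would protect them from a later cleanup. The hook is also declared without the config parameter; that works, but spelling it as pytest_configure(config) matches the documented signature.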


[SSSD] [sssd PR#724][comment] COMPONENT: util/tev_curl

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/724
Title: #724: COMPONENT: util/tev_curl

jhrozek commented:
"""
Hi Alexey,
thank you very much for the patch and especially for diving into the code.

I admit that I don't remember the details about the tcurl module anymore. Could 
you please explain the double-free in more detail? Looking at tevent docs, they 
say that the tevent timer is freed automatically and looking at the code, the 
`schedule_fd_processing` function is only ever called from `tcurl_init` which 
should be a one-time operation. So currently I'm not sure how the function could 
delete a timer that was already executed?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/724#issuecomment-451290588


[SSSD] [sssd PR#715][+Accepted] Use 120 second default timeout for dbus (#1654537)

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

Label: +Accepted


[SSSD] [sssd PR#715][comment] Use 120 second default timeout for dbus (#1654537)

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

jhrozek commented:
"""
Thank you very much Adam, looks good to me.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/715#issuecomment-451253485


[SSSD] [sssd PR#723][comment] MAN: Explicitly state that not all generic domain options are supported for the files provider

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/723
Title: #723: MAN: Explicitly state that not all generic domain options are 
supported for the files provider

jhrozek commented:
"""
Honestly I had no idea how to formulate the change better. Ideas or competing 
PRs are very much welcome.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/723#issuecomment-451160500


[SSSD] [sssd PR#723][opened] MAN: Explicitly state that not all generic domain options are supported for the files provider

2019-01-03 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/723
Author: jhrozek
 Title: #723: MAN: Explicitly state that not all generic domain options are 
supported for the files provider
Action: opened

PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3882
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/723/head:pr723
git checkout pr723
From 254d480ace24d0a13d28b9d976d7f42aadd67920 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 3 Jan 2019 15:32:26 +0100
Subject: [PATCH] MAN: Explicitly state that not all generic domain options are
 supported for the files provider

Resolves:
https://pagure.io/SSSD/sssd/issue/3882
---
 src/man/sssd-files.5.xml | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
index 067e21949..78d9e2832 100644
--- a/src/man/sssd-files.5.xml
+++ b/src/man/sssd-files.5.xml
@@ -84,7 +84,13 @@
 sssd.conf
 5
  manual page for details on the configuration
-of an SSSD domain.
+of an SSSD domain. But please note that because the purpose of
+the files provider is to provide the same data as the UNIX
+files, just through the SSSD interfaces, not all generic domain
+options are supported. Likewise, some global options, such as
+overriding the shell in the nss section for all
+domains has no effect on the files domain unless explicitly
+specified per-domain.
 
 
 passwd_files (string)
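Review bot: The added sentence "But please note that because the purpose of the files provider is ..., not all generic domain options are supported" chains the reason and the consequence into one long clause, which is hard to parse in a man page. Splitting it into two sentences, purpose first and then "Therefore not all generic domain options are supported", reads better. The paragraph also gives no pointer to which options are unsupported, so a reader still cannot tell whether a given option applies to the files domain.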


[SSSD] [sssd PR#722][comment] KCM: Deleting a non-existent ccache should not yield an error

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/722
Title: #722: KCM: Deleting a non-existent ccache should not yield an error

jhrozek commented:
"""
I just split the patches into the fix and the patch to make it easier to 
backport the patch to branches that don't have all the tests yet.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/722#issuecomment-451153087


[SSSD] [sssd PR#722][synchronized] KCM: Deleting a non-existent ccache should not yield an error

2019-01-03 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/722
Author: jhrozek
 Title: #722: KCM: Deleting a non-existent ccache should not yield an error
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/722/head:pr722
git checkout pr722
From 902cbbb071d8549473d131d21b18043311ccd5c4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 3 Jan 2019 15:07:59 +0100
Subject: [PATCH 1/2] KCM: Deleting a non-existent ccache should not yield an
 error

Resolves:
https://pagure.io/SSSD/sssd/issue/3910

When the KCM destroy operation is called, it receives a name as an input. If
the name cannot be found, we would currently return KRB5_CC_NOTFOUND. But
other ccache types return KRB5_FCC_NOFILE in that case and e.g. utilities
like kdestroy special case KRB5_FCC_NOFILE to be non-fatal.
---
 src/responder/kcm/kcmsrv_ops.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 1e229adc4..9352909f4 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -698,9 +698,10 @@ static void kcm_op_destroy_getbyname_done(struct tevent_req *subreq)
 ret = kcm_ccdb_uuid_by_name_recv(subreq, state, uuid);
 talloc_zfree(subreq);
 if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
+DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot get matching ccache [%d]: %s\n",
   ret, sss_strerror(ret));
+ret = ERR_NO_MATCHING_CREDS;
 tevent_req_error(req, ret);
 return;
 }
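Review bot: The new ret = ERR_NO_MATCHING_CREDS; inside if (ret != EOK) rewrites every failure of kcm_ccdb_uuid_by_name_recv(), not only the name-not-found case the commit message describes. Any other error from the lookup would then reach the client as a missing cache, which kdestroy treats as non-fatal, so a real failure to destroy credentials could be reported as success. Suggest overriding ret only when it is the not-found code and passing other errors through unchanged; the same condition should gate the drop from SSSDBG_OP_FAILURE to SSSDBG_MINOR_FAILURE.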

From 825e19c77cbe021853b9c160c6aac9417dc51fee Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 3 Jan 2019 15:08:28 +0100
Subject: [PATCH 2/2] TESTS: Add a test for deleting a non-existent ccache with
 KCM

---
 src/tests/multihost/basic/test_kcm.py | 17 +
 1 file changed, 17 insertions(+)

diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py
index 87e325bd7..7202dcb4a 100644
--- a/src/tests/multihost/basic/test_kcm.py
+++ b/src/tests/multihost/basic/test_kcm.py
@@ -122,3 +122,20 @@ def test_kcm_debug_level_set(self, multihost, enable_kcm):
 
 log_lines_debug = self._kcm_log_length(multihost)
 assert log_lines_debug > log_lines_pre + 100
+
+def test_kdestroy_retval(self, multihost, enable_kcm):
+"""
+Test that destroying an empty cache does not return a non-zero
+return code.
+"""
+ssh = SSHClient(multihost.master[0].sys_hostname,
+username='foo3', password='Secret123')
+
+(_, _, exit_status) = ssh.execute_cmd('kdestroy')
+assert exit_status == 0
+# Run the command again in case there was something in the ccache
+# previously
+(_, _, exit_status) = ssh.execute_cmd('kdestroy')
+assert exit_status == 0
+
+ssh.close()
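Review bot: In test_kdestroy_retval, ssh.close() is reached only when both asserts pass, so a failing assertion leaves the SSH session open for the rest of the run. Wrap the two kdestroy calls in try/finally, or obtain the client from a fixture that closes it, so the connection is released either way.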


[SSSD] [sssd PR#722][comment] KCM: Deleting a non-existent ccache should not yield an error

2019-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/722
Title: #722: KCM: Deleting a non-existent ccache should not yield an error

jhrozek commented:
"""
To test, just run kdestroy twice in a row, the second run is to make sure 
kdestroy will be asked to delete the default cache which will not exist at that 
point. The second run should return a non-zero return code and say something 
like 'cache NOT destroyed'
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/722#issuecomment-451152524


[SSSD] [sssd PR#722][opened] KCM: Deleting a non-existent ccache should not yield an error

2019-01-03 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/722
Author: jhrozek
 Title: #722: KCM: Deleting a non-existent ccache should not yield an error
Action: opened

PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3910

When the KCM destroy operation is called, it receives a name as an input.
If the name cannot be found, we would currently return KRB5_CC_NOTFOUND.
But other ccache types return KRB5_FCC_NOFILE in that case and e.g.
utilities like kdestroy special case KRB5_FCC_NOFILE to be non-fatal.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/722/head:pr722
git checkout pr722
From 095ec3c62c199f299d005b766a042ef03c9d6702 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 20 Dec 2018 14:54:53 +0100
Subject: [PATCH] KCM: Deleting a non-existent ccache should not yield an error

Resolves:
https://pagure.io/SSSD/sssd/issue/3910

When the KCM destroy operation is called, it receives a name as an input. If
the name cannot be found, we would currently return KRB5_CC_NOTFOUND. But
other ccache types return KRB5_FCC_NOFILE in that case and e.g. utilities
like kdestroy special case KRB5_FCC_NOFILE to be non-fatal.
---
 src/responder/kcm/kcmsrv_ops.c|  3 ++-
 src/tests/multihost/basic/test_kcm.py | 17 +
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 1e229adc4..9352909f4 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -698,9 +698,10 @@ static void kcm_op_destroy_getbyname_done(struct tevent_req *subreq)
 ret = kcm_ccdb_uuid_by_name_recv(subreq, state, uuid);
 talloc_zfree(subreq);
 if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
+DEBUG(SSSDBG_MINOR_FAILURE,
   "Cannot get matching ccache [%d]: %s\n",
   ret, sss_strerror(ret));
+ret = ERR_NO_MATCHING_CREDS;
 tevent_req_error(req, ret);
 return;
 }
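Review bot: The commit message argues in terms of KRB5_CC_NOTFOUND and KRB5_FCC_NOFILE, but the hunk assigns ERR_NO_MATCHING_CREDS and nothing visible here shows how that internal code maps to the krb5 code the client sees. A short comment above the assignment naming the resulting krb5 error would make the intent checkable against the commit message. Placing the assignment after the DEBUG call is right, since the log keeps the original error.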
diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py
index 87e325bd7..7202dcb4a 100644
--- a/src/tests/multihost/basic/test_kcm.py
+++ b/src/tests/multihost/basic/test_kcm.py
@@ -122,3 +122,20 @@ def test_kcm_debug_level_set(self, multihost, enable_kcm):
 
 log_lines_debug = self._kcm_log_length(multihost)
 assert log_lines_debug > log_lines_pre + 100
+
+def test_kdestroy_retval(self, multihost, enable_kcm):
+"""
+Test that destroying an empty cache does not return a non-zero
+return code.
+"""
+ssh = SSHClient(multihost.master[0].sys_hostname,
+username='foo3', password='Secret123')
+
+(_, _, exit_status) = ssh.execute_cmd('kdestroy')
+assert exit_status == 0
+# Run the command again in case there was something in the ccache
+# previously
+(_, _, exit_status) = ssh.execute_cmd('kdestroy')
+assert exit_status == 0
+
+ssh.close()
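Review bot: In test_kdestroy_retval, `ssh.close()` is only reached when both assertions pass, so a failing kdestroy leaves the SSH session open for the rest of the run. Wrap the two execute_cmd calls in try/finally so the client is always closed. The test also discards the first two elements of the returned tuple; if one of them is stderr, asserting on it would catch a kdestroy that prints an error but still exits 0.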


[SSSD] [sssd PR#715][comment] Use 120 second default timeout for dbus (#1654537)

2018-12-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

jhrozek commented:
"""
Two notes:
1) I think the patch is correct, it obviously helps the problem Adam saw. The 
only reason I ask @pbrezina for review is that he knows the sbus IPC much 
better than anyone else, so he might be able to spot e.g. if we need to tune 
the timeout somewhere else as well.
2) I filed an upstream ticket https://pagure.io/SSSD/sssd/issue/3909 so it 
might be a good idea to include it in the commit message when pushing the patch
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/715#issuecomment-448950272


[SSSD] [sssd PR#720][comment] contrib/ci/deps.sh: added missing dependency

2018-12-19 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/720
Title: #720: contrib/ci/deps.sh: added missing dependency

jhrozek commented:
"""
@sumit-bose do you have an opinion?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/720#issuecomment-448606952


[SSSD] [sssd PR#716][+Changes requested] CACHE: SSSD doesn't clear cache entries

2018-12-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/716
Title: #716: CACHE: SSSD doesn't clear cache entries

Label: +Changes requested


[SSSD] [sssd PR#719][comment] ifp: extraAttributes is UnknownProperty

2018-12-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

jhrozek commented:
"""
Can you also amend the ifp-test unit test?
```
./ifp_tests
[==] Running 4 test(s).
[ RUN  ] test_el_to_dict
[   OK ] test_el_to_dict
[ RUN  ] test_attr_acl
[  ERROR   ] --- s2[i]
[   LINE   ] --- /home/jhrozek/devel/sssd/src/tests/cmocka/test_ifp.c:117: 
error: Failure!
[  FAILED  ] test_attr_acl
[ RUN  ] test_attr_acl_ex
[   OK ] test_attr_acl_ex
[ RUN  ] test_attr_allowed
[   OK ] test_attr_allowed
[==] 4 test(s) run.
[  PASSED  ] 3 test(s).
[  FAILED  ] 1 test(s), listed below:
[  FAILED  ] test_attr_acl

 1 FAILED TEST(S)
```

I think the extraAttributes piece should be just added to the list..
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/719#issuecomment-448352926


[SSSD] [sssd PR#719][+Changes requested] ifp: extraAttributes is UnknownProperty

2018-12-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/719
Title: #719: ifp: extraAttributes is UnknownProperty

Label: +Changes requested


[SSSD] [sssd PR#715][comment] Use 120 second default timeout for dbus (#1654537)

2018-12-18 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)

jhrozek commented:
"""
@pbrezina can you review?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/715#issuecomment-448222137


[SSSD] [sssd PR#718][opened] NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)

2018-12-18 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/718
Author: jhrozek
 Title: #718: NSS: Avoid changing the memory cache ownership away from the sssd 
user (sssd-1-16 backport)
Action: opened

PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.

This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:

type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for
pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.

Reviewed-by: Michal Židek 
(cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242)
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/718/head:pr718
git checkout pr718
From 1088f96fb3893d3b86ff1595073a525d0749a93a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 30 Nov 2018 13:06:13 +0100
Subject: [PATCH] NSS: Avoid changing the memory cache ownership away from the
 sssd user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.

This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:

type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for
pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.

Reviewed-by: Michal Židek 
(cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242)
---
 contrib/sssd.spec.in  |   8 +-
 src/responder/nss/nss_private.h   |   2 +
 src/responder/nss/nsssrv.c| 106 --
 src/responder/nss/nsssrv_mmap_cache.c |  51 -
 src/responder/nss/nsssrv_mmap_cache.h |   5 +-
 5 files changed, 158 insertions(+), 14 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 89e4d7509..cd5f7a714 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1025,11 +1025,11 @@ done
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
 %attr(700,sssd,sssd) %dir %{dbpath}
-%attr(755,sssd,sssd) %dir %{mcpath}
+%attr(775,sssd,sssd) %dir %{mcpath}
 %attr(751,sssd,sssd) %dir %{deskprofilepath}
-%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
+%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,sssd,sssd) %dir %{pipepath}
 %attr(750,sssd,root) %dir %{pipepath}/private
 %attr(755,sssd,sssd) %dir %{pubconfpath}
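Review bot: The change of %{mcpath} from 755 to 775 is not covered by the commit message, which only justifies making the cache files group-writable. A group-writable directory lets any member of the sssd group create, rename or delete entries in it, not just write to the existing passwd, group and initgroups files, so either explain why the directory needs it or keep it at 755. Since %verify(not md5 size mtime) still leaves mode, user and group checked, rpm -V will flag a mismatch if the responder creates the files with anything other than 0664 sssd:sssd, so the mode and ownership the responder applies have to match these lines exactly.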
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index cd0d35517..bae5fe074 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -87,6 +87,8 @@ struct nss_ctx {
 struct sss_mc_ctx *pwd_mc_ctx;
 struct sss_mc_ctx *grp_mc_ctx;
 struct sss_mc_ctx *initgr_mc_ctx;
+uid_t mc_uid;
+gid_t mc_gid;
 };
 
 struct sss_cmd_table *get_nss_cmds(vo
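Review bot: The new `uid_t mc_uid;` and `gid_t mc_gid;` members of struct nss_ctx carry no comment. State in the header that they hold the owner and group applied to the memory cache files (which is what the commit message suggests) and what value they take when SSSD is not built with a separate sssd user, so readers do not have to trace the initialization in nsssrv.c.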

[SSSD] [sssd PR#717][closed] NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)

2018-12-18 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/717
Author: jhrozek
 Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd 
user (sssd-1-16 backport)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/717/head:pr717
git checkout pr717


[SSSD] [sssd PR#717][comment] NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)

2018-12-17 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/717
Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd 
user (sssd-1-16 backport)

jhrozek commented:
"""
hmm, this is supposed to be merged to sssd-1-16..
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/717#issuecomment-447866098


[SSSD] [sssd PR#717][opened] NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)

2018-12-17 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/717
Author: jhrozek
 Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd 
user (sssd-1-16 backport)
Action: opened

PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the 
default on RHEL and derivatives), then the memory cache will be owned by 
the user that sssd_nss runs as, so root.

This conflicts with the packaging which specifies sssd.sssd as the owner.
And in turn, this means that users can't reliably assess the package
integrity using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd 
even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense, a
process running as root could write to a file owned by sssd:sssd, with 
SELinux enforcing mode this becomes problematic as SELinux emits an error 
such as:

type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for 
pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0 
tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the 
files are also made group-writable. The 'others' permission is still set to
read only.

Reviewed-by: Michal Židek 
(cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242)
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/717/head:pr717
git checkout pr717
From e7e942ceb1f8402d00f5f14a9e065d3fc434b711 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 23 Aug 2018 13:55:51 +0200
Subject: [PATCH 01/19] SELINUX: Always add SELinux user to the semanage
 database if it doesn't exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.

This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.

Resolves:
https://pagure.io/SSSD/sssd/issue/3819

Reviewed-by: Michal Židek 
(cherry picked from commit 945865ae16120ffade267227ca48cefd58822fd2)
---
 src/providers/ipa/selinux_child.c | 10 --
 src/util/sss_semanage.c   | 30 ++
 src/util/util.h   |  1 +
 src/util/util_errors.c|  1 +
 src/util/util_errors.h|  1 +
 5 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d061417a5..925591ec9 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
 
 ret = sss_get_seuser(username, _seuser, _mls_range);
 DEBUG(SSSDBG_TRACE_INTERNAL,
-  "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+  "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
   ret, db_seuser ? db_seuser : "unknown",
   db_mls_range ? db_mls_range : "unknown");
 if (ret == EOK && db_seuser && db_mls_range &&
 strcmp(db_seuser, seuser) == 0 &&
 strcmp(db_mls_range, mls_range) == 0) {
-needs_update = false;
+ret = sss_seuser_exists(username);
+if (ret == EOK) {
+needs_update = false;
+}
 }
 /* OR */
 if (ret == ERR_SELINUX_NOT_MANAGED) {
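Review bot: Reusing `ret` for `sss_seuser_exists(username)` changes what the following `if (ret == ERR_SELINUX_NOT_MANAGED)` test looks at: when the seuser and MLS range match, that branch now evaluates the result of sss_seuser_exists() instead of sss_get_seuser(). Store the result in a separate variable, or add a comment that the fall-through is intended. Any non-EOK return from sss_seuser_exists(), including a failure to open the semanage handle, also silently leaves needs_update as it was, so a DEBUG line for that case would help tell "user missing" apart from "lookup failed".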
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
 
 free(db_seuser);
 free(db_mls_range);
+DEBUG(SSSDBG_TRACE_FUNC,
+  "The SELinux user does %sneed an update\n",
+  needs_update ? "" : "not ");
 return needs_update;
 }
 
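Review bot: The new SSSDBG_TRACE_FUNC message does not name the user, so with several logins in one log the line cannot be matched to a request. Include `username` in the format string, for example "The SELinux user for [%s] does %sneed an update\n".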
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index bcce57b60..aea03852a 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -248,6 +248,36 @@ static int sss_semanage_user_mod(semanage_handle_t *handle,
 return ret;
 }
 
+int sss_seuser_exists(const char *linuxuser)
+{
+int ret;
+int exists;
+semanage_seuser_key_t *sm_key = NULL;
+semanage_handle_t *sm_handle = NULL;
+
+ret = sss_semanage_init(_handle);
+if (ret != EOK) {
+return ret;
+}
+
+ret = semanage_seuser_key_create(sm_handle, linuxuser, _key);
+if (ret < 0) {
+sss_semanage_close(sm_handle);
+return EIO;
+}
+
+ 
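Review bot: sss_seuser_exists() is exported (the diffstat shows a line added to util.h), but nothing in the visible part states its return contract. The caller in seuser_needs_update() treats EOK as "the mapping exists", so document above the function what is returned when the user is absent versus when semanage itself fails. The error handling is also uneven: a failed sss_semanage_init() returns its own code, while a failed semanage_seuser_key_create() is flattened to EIO without a DEBUG message; log the failure before returning. The rest of the function is cut off here, so check that sm_key is released with semanage_seuser_key_free() on every path after this point.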

[SSSD] [sssd PR#710][+Pushed] data_provider_fo: fix error in hostname retrieval

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval

Label: +Pushed


[SSSD] [sssd PR#710][comment] data_provider_fo: fix error in hostname retrieval

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval

jhrozek commented:
"""
* master: 170625872a7d53c182ef095b4e5cba29f632c0c4
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/710#issuecomment-446933164


[SSSD] [sssd PR#710][closed] data_provider_fo: fix error in hostname retrieval

2018-12-13 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/710
Author: alexey-tikhonov
 Title: #710: data_provider_fo: fix error in hostname retrieval
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/710/head:pr710
git checkout pr710


[SSSD] [sssd PR#702][comment] NSS: Avoid changing the memory cache ownership away from the SSSD user

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/702
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD 
user

jhrozek commented:
"""
* master: 61e4ba58934b20a950255e05797aca25aadc1242

I'll submit a 1-16 backport separately
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/702#issuecomment-446932330


[SSSD] [sssd PR#702][closed] NSS: Avoid changing the memory cache ownership away from the SSSD user

2018-12-13 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/702
Author: jhrozek
 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD 
user
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702


[SSSD] [sssd PR#713][closed] krb5_child: fix permissions during SC auth

2018-12-13 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/713
Author: sumit-bose
 Title: #713: krb5_child: fix permissions during SC auth
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/713/head:pr713
git checkout pr713


[SSSD] [sssd PR#713][comment] krb5_child: fix permissions during SC auth

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth

jhrozek commented:
"""
* master: e49e9f727e4960c8a0a2ed50488dac6e51ddf284
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/713#issuecomment-446930695


[SSSD] [sssd PR#713][+Pushed] krb5_child: fix permissions during SC auth

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth

Label: +Pushed


[SSSD] [sssd PR#714][closed] p11_child(openssl): do not free static memory

2018-12-13 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/714
Author: sumit-bose
 Title: #714: p11_child(openssl): do not free static memory
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/714/head:pr714
git checkout pr714


[SSSD] [sssd PR#714][comment] p11_child(openssl): do not free static memory

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/714
Title: #714: p11_child(openssl): do not free static memory

jhrozek commented:
"""
* master: d33eaac8761001af6ae7836c177bbdd6ac79fce9
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/714#issuecomment-446930356


[SSSD] [sssd PR#710][+Accepted] data_provider_fo: fix error in hostname retrieval

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval

Label: +Accepted


[SSSD] [sssd PR#713][+Accepted] krb5_child: fix permissions during SC auth

2018-12-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth

Label: +Accepted

