[SSSD] [sssd PR#715][comment] Use 120 second default timeout for dbus (#1654537)
URL: https://github.com/SSSD/sssd/pull/715
Title: #715: Use 120 second default timeout for dbus (#1654537)
jhrozek commented:
"""
ok to test
"""
See the full comment at https://github.com/SSSD/sssd/pull/715#issuecomment-446878401
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#713][comment] krb5_child: fix permissions during SC auth
URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth
jhrozek commented:
"""
Thank you. As discussed on IRC, I filed a separate ticket https://pagure.io/SSSD/sssd/issue/3903 as the issue is a bit different from the generic 'can't access ccache as root' tracked in #3376. I can just fix the ticket link before pushing -- please shout if that's not OK with you.
"""
See the full comment at https://github.com/SSSD/sssd/pull/713#issuecomment-446759931
[SSSD] [sssd PR#713][+Changes requested] krb5_child: fix permissions during SC auth
URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth
Label: +Changes requested
[SSSD] [sssd PR#714][comment] p11_child(openssl): do not free static memory
URL: https://github.com/SSSD/sssd/pull/714
Title: #714: p11_child(openssl): do not free static memory
jhrozek commented:
"""
For some reason, coverity didn't see the defect as fixed, but OTOH it also didn't find any new defects :-)
"""
See the full comment at https://github.com/SSSD/sssd/pull/714#issuecomment-446560457
[SSSD] [sssd PR#713][comment] krb5_child: fix permissions during SC auth
URL: https://github.com/SSSD/sssd/pull/713
Title: #713: krb5_child: fix permissions during SC auth
jhrozek commented:
"""
In general this looks good, but please fix this clang warning:
```
Error: CLANG_WARNING:
sssd-2.0.99/src/providers/krb5/krb5_child.c:1759:13: warning: Value stored to 'ret' is never read
#        ret = EFAULT;
#        ^     ~~
sssd-2.0.99/src/providers/krb5/krb5_child.c:1759:13: note: Value stored to 'ret' is never read
#        ret = EFAULT;
#        ^     ~~
# 1757|       if (kerr != 0) {
# 1758|           DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
# 1759|->         ret = EFAULT;
# 1760|           goto done;
# 1761|       }
```
(The function returns the value of kerr, not ret)
"""
See the full comment at https://github.com/SSSD/sssd/pull/713#issuecomment-446533287
[SSSD] [sssd PR#703][closed] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Author: thalman
Title: #703: nss: sssd returns '/' for empty home directories
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/703/head:pr703
git checkout pr703
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
jhrozek commented:
"""
* sssd-1-16: 28792523a01a7d21bcc8931794164f253e691a68
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446378330
[SSSD] [sssd PR#703][+Pushed] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
Label: +Pushed
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
jhrozek commented:
"""
* master: 90f32399b4100ce39cf665649fde82d215e5eb49
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446378006
[SSSD] [sssd PR#711][comment] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711
Title: #711: ipa: use only the global catalog service of the forest root
jhrozek commented:
"""
* sssd-1-16:
  * 74568bdde833f752187cb1a38b39715556c91279
  * d33ec64423087261fcc14acb5922793fadb83342
"""
See the full comment at https://github.com/SSSD/sssd/pull/711#issuecomment-446371448
[SSSD] [sssd PR#711][+Pushed] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711
Title: #711: ipa: use only the global catalog service of the forest root
Label: +Pushed
[SSSD] [sssd PR#711][closed] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711
Author: sumit-bose
Title: #711: ipa: use only the global catalog service of the forest root
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/711/head:pr711
git checkout pr711
[SSSD] [sssd PR#711][comment] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711
Title: #711: ipa: use only the global catalog service of the forest root
jhrozek commented:
"""
* master:
  * 62d671b874a66101c0f4bff39fc6d7f49cb8fca6
  * 9096fc01cca8fcaeb19c36a27f3a9fa09d60772a
"""
See the full comment at https://github.com/SSSD/sssd/pull/711#issuecomment-446370333
[SSSD] [sssd PR#677][comment] pcre: port to pcre2
URL: https://github.com/SSSD/sssd/pull/677
Title: #677: pcre: port to pcre2
jhrozek commented:
"""
I'm sorry to keep beating the error code from sss_regexp_new... but why not just return int from that function, which would be EOK on success, in which case a **self pointer would also be returned, and if there is an error, just return an error code. The extended error message from pcre can be just printed with a debug message and then thrown away. Currently it seems like the code tries too hard to emulate pcre exactly while also having the embedded self.. btw what strikes me as odd in particular is this:
```
ctx->illegal_path_re = sss_regexp_new(ctx, ILLEGAL_PATH_PATTERN, 0,
                                      , , );
if (errval != 0) {
```
...returning a pointer but not checking its value, but checking errval instead..
"""
See the full comment at https://github.com/SSSD/sssd/pull/677#issuecomment-446365550
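The error-return shape suggested in the review above, worked through as an added example (this is not sssd's code and not the pcre2 port under review): sss_regexp_new returns EOK or an errno value and hands the compiled object back through an out-parameter, the engine's extended error text is logged and dropped, and the caller checks the return code rather than the pointer. POSIX regex.h stands in for pcre2 so it runs anywhere, and the pattern used as ILLEGAL_PATH_PATTERN is constructed here, not sssd's real one.

```c
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

#define EOK 0

/* Constructed stand-in for sssd's ILLEGAL_PATH_PATTERN (an assumption, not
 * the real pattern): a ".." path component, an empty "//" component, or any
 * control character makes a path illegal. */
#define ILLEGAL_PATH_PATTERN "(^|/)\\.\\.(/|$)|//|[[:cntrl:]]"

struct sss_regexp_ctx {
    regex_t re;
};

/* The convention proposed in the review: EOK on success with *_self set, an
 * errno value on failure with *_self left NULL. The engine's extended error
 * text is logged here and then thrown away instead of being returned. */
int sss_regexp_new(const char *pattern, int cflags, struct sss_regexp_ctx **_self)
{
    struct sss_regexp_ctx *self;
    char errbuf[256];
    int rc;

    if (pattern == NULL || _self == NULL) {
        return EINVAL;
    }
    *_self = NULL;

    self = calloc(1, sizeof(*self));
    if (self == NULL) {
        return ENOMEM;
    }

    rc = regcomp(&self->re, pattern, cflags | REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        /* Debug-print the extended error, then discard it: callers get errno. */
        regerror(rc, &self->re, errbuf, sizeof(errbuf));
        fprintf(stderr, "Cannot compile regexp [%s]: %s\n", pattern, errbuf);
        free(self);
        return EINVAL;
    }

    *_self = self;
    return EOK;
}

/* 1 if subject matches, 0 if it does not, negative errno on error. */
int sss_regexp_match(struct sss_regexp_ctx *self, const char *subject)
{
    int rc;

    if (self == NULL || subject == NULL) {
        return -EINVAL;
    }
    rc = regexec(&self->re, subject, 0, NULL, 0);
    if (rc == 0) {
        return 1;
    }
    return rc == REG_NOMATCH ? 0 : -EIO;
}

void sss_regexp_free(struct sss_regexp_ctx *self)
{
    if (self == NULL) {
        return;
    }
    regfree(&self->re);
    free(self);
}

/* Caller side of the same convention: test the return code, not the pointer.
 * Returns 1 for a legal path, 0 for an illegal one, negative errno on error. */
int path_is_legal(const char *path)
{
    struct sss_regexp_ctx *illegal_path_re = NULL;
    int ret;

    if (path == NULL) {
        return -EINVAL;
    }
    ret = sss_regexp_new(ILLEGAL_PATH_PATTERN, 0, &illegal_path_re);
    if (ret != EOK) {
        return -ret;
    }
    ret = sss_regexp_match(illegal_path_re, path);
    sss_regexp_free(illegal_path_re);
    if (ret < 0) {
        return ret;
    }
    /* Legal exactly when the illegal-path pattern did not match. */
    return ret == 0;
}
```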
[SSSD] [sssd PR#705][-Changes requested] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
Label: -Changes requested
[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Author: jhrozek Title: #705: KCM: Add configurable quotas Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/705/head:pr705 git checkout pr705 From aeaa27423ee1b5a70f556a937bc45068e2ef48e0 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Oct 2018 13:17:14 +0200 Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference Related: https://pagure.io/SSSD/sssd/issue/3685 There were some stray references to the secrets responder in the sssd-kcm manual page. --- src/man/sssd-kcm.8.xml | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index fff8b0a16..90b9ad09c 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -58,11 +58,9 @@ -the SSSD implementation stores the ccaches in the SSSD - -sssd-secrets5 - -secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. +the SSSD implementation stores the ccaches in a database, +typically located at /var/lib/sss/secrets +allowing the ccaches to survive KCM server restarts or machine reboots. From fd731ed430cd406a5419b059c97f34c5b63c637a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 30 Nov 2018 13:15:58 +0100 Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart sssd-kcm.service lately Related: https://pagure.io/SSSD/sssd/issue/3862 We forgot to amend the man page after implementing the sssd-kcm service reload. --- src/man/sssd-kcm.8.xml | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index 90b9ad09c..4e4aaa38e 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml 
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service CONFIGURATION OPTIONS The KCM service is configured in the kcm -section of the sssd.conf file. Please note that currently, -is it not sufficient to restart the sssd-kcm service, because -the sssd configuration is only parsed and read to an internal -configuration database by the sssd service. Therefore you -must restart the sssd service if you change anything in the -kcm section of sssd.conf. +section of the sssd.conf file. Please note that because +the KCM service is typically socket-activated, it is +enough to just restart the sssd-kcm service +after changing options in the kcm section +of sssd.conf: + +systemctl restart sssd-kcm.service + + + +The KCM service is configured in the kcm For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf From bf41cfe654d0f7c1421d05759d71b04c872c8567 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 26 Nov 2018 13:44:08 +0100 Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM for quota options Related: https://pagure.io/SSSD/sssd/issue/3386 With the separate secrets responder, the quotas for the /secrets and /kcm hives were configurable in a sub-section of the [secrets] sssd.conf section using the same option -- the /secrets vs. /kcm distinction was made using the subsection name. With the standalone KCM responder writing directly to the database, it makes sense to have options with more descriptive names better suitable for the KCM usage. For that we need the options for secrets quotas and kcm quotas to be named differently. For now, the patch only passes the option name to sss_sec_get_quota() and sss_sec_get_hive_config() together with the default value in an instance of a new structure sss_sec_quota_opt. The secrets responder still uses the same option names for backwards compatibility. --- src/responder/secrets/secsrv.c | 70 ++ src/util/secrets/config.c | 40 +-- src/util/secrets/secrets.h | 21 ++ 3 files changed, 88 insertions(+), 43 deletions(-) diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index 2de93dedc..e783e231d 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx, static int sec_get_config(struct sec_ctx *sctx) { int ret; +struct sss_sec_quota_opt dfl_sec_nest_level = { +.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL, +.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, +}; +struct
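Review bot: in the first sssd-kcm.8.xml hunk (@@ -58,11 +58,9 @@) the new wording loses the comma the old text had before "allowing": "+typically located at /var/lib/sss/secrets" runs straight on into "+allowing the ccaches to survive KCM server restarts or machine reboots."; add a comma after the path so the sentence parses.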
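Review bot: in the second sssd-kcm.8.xml hunk (@@ -162,12 +162,17 @@) the last added line, "+The KCM service is configured in the kcm", repeats the sentence that opens the very paragraph the hunk rewrites and lands directly before the unchanged "For a detailed syntax reference" text; it reads like a leftover from editing and should be dropped unless the markup stripped from this message makes it intentional.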
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
jhrozek commented:
"""
OK, I'll squash this diff:
```
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index b18bbfd19..e783e231d 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -98,9 +98,6 @@ static int sec_get_config(struct sec_ctx *sctx) sctx->max_payload_size = 1; /* Read the global quota first -- this should be removed in a future release */ -/* Note that this sets the defaults for the sec_config quota to be used - * in sec_get_hive_config() - */ ret = sss_sec_get_quota(sctx->rctx->cdb, sctx->rctx->confdb_service_path, _sec_nest_level, @@ -114,6 +111,16 @@ static int sec_get_config(struct sec_ctx *sctx) goto fail; } +/* Use the global quota values as defaults for the secrets/secrets section */ +dfl_sec_nest_level.default_value = \ +sctx->sec_config.quota.containers_nest_level; +dfl_sec_max_secrets.default_value = \ +sctx->sec_config.quota.max_secrets; +dfl_sec_max_uid_secrets.default_value = \ +sctx->sec_config.quota.max_uid_secrets; +dfl_sec_max_payload_size.default_value = \ +sctx->sec_config.quota.max_payload_size; + /* Read the per-hive configuration */ ret = sss_sec_get_hive_config(sctx->rctx->cdb, "secrets",
```
Into "SECRETS: Use different option names from secrets and KCM for quota options". The previous code never used the (deprecated) quotas from the global [secrets] section. (The removed comment also gives a nice hint at what the previous code did)
"""
See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446359085
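Review bot: the four assignments added in the second hunk (@@ -114,6 +111,16 @@) each end their first line with a backslash continuation ("+dfl_sec_nest_level.default_value = \"), which C only needs inside a macro; drop the backslashes, since a plain line break inside a statement is already legal and a trailing "\" only invites whitespace and diff noise. The comment removed in the first hunk is covered by the new "Use the global quota values as defaults for the secrets/secrets section" comment, so no explanation of the global-to-hive default flow is lost.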
[SSSD] [sssd PR#711][+Accepted] ipa: use only the global catalog service of the forest root
URL: https://github.com/SSSD/sssd/pull/711
Title: #711: ipa: use only the global catalog service of the forest root
Label: +Accepted
[SSSD] [sssd PR#705][+Changes requested] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
Label: +Changes requested
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
jhrozek commented:
"""
I'm adding changes requested, but since the issue is 'only' in tests, I would still appreciate a review
"""
See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446216805
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
jhrozek commented:
"""
I still need to amend the tests:
```
=== short test summary info
FAIL test_kcm.py::test_kcm_secrets_quota
FAIL test_secrets.py::test_global_quota
=== FAILURES ===
test_kcm_secrets_quota
Traceback (most recent call last):
  File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_kcm.py", line 555, in test_kcm_secrets_quota
    cli.set_secret(str(MAX_SECRETS), sec_value)
  File "/usr/lib/python2.7/site-packages/_pytest/python_api.py", line 627, in __exit__
    fail(self.message)
  File "/usr/lib/python2.7/site-packages/_pytest/outcomes.py", line 92, in fail
    raise Failed(msg=msg, pytrace=pytrace)
Failed: DID NOT RAISE
__ test_global_quota ___
Traceback (most recent call last):
  File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_secrets.py", line 480, in test_global_quota
    run_quota_test(cli, 10, 2)
  File "/var/lib/jenkins/workspace/ci/label/fedora28/src/tests/intg/test_secrets.py", line 429, in run_quota_test
    cli.set_secret(str(max_secrets), sec_value)
  File "/usr/lib/python2.7/site-packages/_pytest/python_api.py", line 627, in __exit__
    fail(self.message)
  File "/usr/lib/python2.7/site-packages/_pytest/outcomes.py", line 92, in fail
    raise Failed(msg=msg, pytrace=pytrace)
Failed: DID NOT RAISE
```
I have no idea why the sssd-ci tests didn't catch this... maybe something for @pbrezina to look at?
"""
See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446215481
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
jhrozek commented:
"""
The patch does change the behaviour, but it's also just a fallback, so whatever you had defined in AD LDAP is still used. Let me give an example:
- before the patch:
  - user with no homedir: "/"
  - user with homedir: the homedir is used
- after the patch:
  - user with no homedir: /home/domain/username
  - user with homedir: the homedir is used
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446200551
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
jhrozek commented:
"""
retest this please
"""
See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-446184702
[SSSD] [sssd PR#703][+Accepted] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
Label: +Accepted
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for empty home directories
jhrozek commented:
"""
Seems to work fine, by default I get /home/domain/username for all admins, when I set fallback_homedir=%o then the unixHomeDirectory attribute is used instead.
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-446140500
[SSSD] [sssd PR#696][closed] DYNDNS: SSSD does not batch DDNS update requests
URL: https://github.com/SSSD/sssd/pull/696
Author: thalman
Title: #696: DYNDNS: SSSD does not batch DDNS update requests
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/696/head:pr696
git checkout pr696
[SSSD] [sssd PR#696][comment] DYNDNS: SSSD does not batch DDNS update requests
URL: https://github.com/SSSD/sssd/pull/696
Title: #696: DYNDNS: SSSD does not batch DDNS update requests
jhrozek commented:
"""
* master: 5565dd365e704f6ded4f95db5bfbefd5dffc888b
"""
See the full comment at https://github.com/SSSD/sssd/pull/696#issuecomment-445996712
[SSSD] [sssd PR#696][+Pushed] DYNDNS: SSSD does not batch DDNS update requests
URL: https://github.com/SSSD/sssd/pull/696
Title: #696: DYNDNS: SSSD does not batch DDNS update requests
Label: +Pushed
[SSSD] [sssd PR#707][comment] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
jhrozek commented:
"""
* master: 7354e59e010197ab5be3440a0e2c24302298a237

Please let me know if you'd like to have the patch backported to sssd-1-16 as well -- on one hand I'd be fine with it, OTOH I don't want to push anything that is not required by someone to the stable branch.

And thank you for your contribution!
"""
See the full comment at https://github.com/SSSD/sssd/pull/707#issuecomment-445996359
[SSSD] [sssd PR#707][closed] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Author: gmccollister
Title: #707: build: remove hardcoded samba include path
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/707/head:pr707
git checkout pr707
[SSSD] [sssd PR#707][+Pushed] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
Label: +Pushed
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Title: #705: KCM: Add configurable quotas
jhrozek commented:
"""
The test failed because of pep8 failures in the test. Now it will hopefully come back clean. Still looking for a reviewer..
"""
See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-445982591
[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Author: jhrozek Title: #705: KCM: Add configurable quotas Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/705/head:pr705 git checkout pr705 From 09afbc4433c4a478cf9fdf17097e7e9af67f0590 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Oct 2018 13:17:14 +0200 Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference Related: https://pagure.io/SSSD/sssd/issue/3685 There were some stray references to the secrets responder in the sssd-kcm manual page. --- src/man/sssd-kcm.8.xml | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index fff8b0a16..90b9ad09c 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -58,11 +58,9 @@ -the SSSD implementation stores the ccaches in the SSSD - -sssd-secrets5 - -secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. +the SSSD implementation stores the ccaches in a database, +typically located at /var/lib/sss/secrets +allowing the ccaches to survive KCM server restarts or machine reboots. From 7c3a5a7e6871c308edcf5a2a5d53ea16cd48f528 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 30 Nov 2018 13:15:58 +0100 Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart sssd-kcm.service lately Related: https://pagure.io/SSSD/sssd/issue/3862 We forgot to amend the man page after implementing the sssd-kcm service reload. --- src/man/sssd-kcm.8.xml | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index 90b9ad09c..4e4aaa38e 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml 
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service CONFIGURATION OPTIONS The KCM service is configured in the kcm -section of the sssd.conf file. Please note that currently, -is it not sufficient to restart the sssd-kcm service, because -the sssd configuration is only parsed and read to an internal -configuration database by the sssd service. Therefore you -must restart the sssd service if you change anything in the -kcm section of sssd.conf. +section of the sssd.conf file. Please note that because +the KCM service is typically socket-activated, it is +enough to just restart the sssd-kcm service +after changing options in the kcm section +of sssd.conf: + +systemctl restart sssd-kcm.service + + + +The KCM service is configured in the kcm For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf From e5082fcb7cec5b64154eda63d5f1d33c79ad290d Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 26 Nov 2018 13:44:08 +0100 Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM for quota options Related: https://pagure.io/SSSD/sssd/issue/3386 With the separate secrets responder, the quotas for the /secrets and /kcm hives were configurable in a sub-section of the [secrets] sssd.conf section using the same option -- the /secrets vs. /kcm distinction was made using the subsection name. With the standalone KCM responder writing directly to the database, it makes sense to have options with more descriptive names better suitable for the KCM usage. For that we need the options for secrets quotas and kcm quotas to be named differently. For now, the patch only passes the option name to sss_sec_get_quota() and sss_sec_get_hive_config() together with the default value in an instance of a new structure sss_sec_quota_opt. The secrets responder still uses the same option names for backwards compatibility. --- src/responder/secrets/secsrv.c | 57 +++--- src/util/secrets/config.c | 40 src/util/secrets/secrets.h | 21 - 3 files changed, 78 insertions(+), 40 deletions(-) diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index 2de93dedc..b18bbfd19 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx, static int sec_get_config(struct sec_ctx *sctx) { int ret; +struct sss_sec_quota_opt dfl_sec_nest_level = { +.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL, +.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL
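Review bot: in the sssd-kcm.8.xml hunk of PATCH 2/8 (@@ -162,12 +162,17 @@), the final added line `+The KCM service is configured in the kcm` duplicates the opening of the paragraph rewritten just above it and is left unfinished, running straight into the unchanged `For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf`; drop that added line so the syntax-reference paragraph starts cleanly, or complete the sentence if a second paragraph was intended.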
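Review bot: the secsrv.c hunk of PATCH 3/8 introduces `struct sss_sec_quota_opt` initializers such as `.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL, .default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL`, and the commit message says the secrets responder keeps its old option names while KCM is to get differently named ones; neither sssd-kcm.8.xml hunk in the series so far documents the new kcm quota option names, so make sure a later patch in the set adds them to the man page together with the defaults the new structure carries.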
[SSSD] [sssd PR#702][-Changes requested] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Label: -Changes requested
[SSSD] [sssd PR#702][comment] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
jhrozek commented:
"""
OK, the comment is there. I also did some more changes, because the integration tests started failing intermittently. This was because each invalidation of each cache ran getpwnam(sssd), which slowed things down a lot, so there was a race between calling sss_cache and the cache being really recreated. So in the end, I saved the uid and gid of the sssd user into the nss_ctx and just pass it on. I hope it's OK.
"""
See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-445980795
[SSSD] [sssd PR#702][synchronized] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702
Author: jhrozek
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702

From 95390a689632f5d83aeb4664d528a3f167dec0ed Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 30 Nov 2018 13:06:13 +0100
Subject: [PATCH] NSS: Avoid changing the memory cache ownership away from the sssd user

Resolves: https://pagure.io/SSSD/sssd/issue/3890

In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root. This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V.

This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root.

Also, this patch changes the sssd_nss responder so that it becomes a member of the supplementary sssd group. Even though in traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux enforcing mode this becomes problematic as SELinux emits an error such as:

type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability

To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only.
---
 contrib/sssd.spec.in | 8 +-
 src/responder/nss/nss_private.h | 2 +
 src/responder/nss/nsssrv.c| 106 --
 src/responder/nss/nsssrv_mmap_cache.c | 51 -
 src/responder/nss/nsssrv_mmap_cache.h | 5 +-
 5 files changed, 158 insertions(+), 14 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 26fae6d68..22a1063b2 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1039,11 +1039,11 @@ done %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache %attr(700,sssd,sssd) %dir %{dbpath} -%attr(755,sssd,sssd) %dir %{mcpath} +%attr(775,sssd,sssd) %dir %{mcpath} %attr(751,sssd,sssd) %dir %{deskprofilepath} -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups %attr(755,sssd,sssd) %dir %{pipepath} %attr(750,sssd,root) %dir %{pipepath}/private %attr(755,sssd,sssd) %dir %{pubconfpath} diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h index cd0d35517..bae5fe074 100644 --- a/src/responder/nss/nss_private.h +++ b/src/responder/nss/nss_private.h @@ -87,6 +87,8 @@ struct nss_ctx { struct sss_mc_ctx *pwd_mc_ctx; struct sss_mc_ctx *grp_mc_ctx; struct sss_mc_ctx *initgr_mc_ctx; +uid_t mc_uid; +gid_t mc_gid; }; struct sss_cmd_table *get_nss_cmds(void); diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index fb7326a02..daaf3c06c 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -85,7 +85,8 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, /* TODO: read cache sizes from configuration */ DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n"); -ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, +ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, +SSS_MC_CACHE_ELEMENTS, (time_t) memcache_timeout, >pwd_mc_ctx); if (ret != EOK) { 
@@ -94,7 +95,8 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, return ret; } -ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, +ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, +SSS_MC_CACHE_ELEMENTS, (time_t) memcache_timeout, >grp_mc_ctx); if (ret != EOK) { @@ -103,7 +105,8 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, return ret; } -ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, +ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, +SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, >initgr_mc_ctx); if (ret != EOK) { @@ -237,21 +240,27 @@
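Review bot: the sssd.spec.in hunk changes %{mcpath} from 755 to 775 and the three %ghost cache files from 0644 to 0664, still owned sssd:sssd. The commit message only justifies group write on the files (so a root sssd_nss that joined the sssd supplementary group can write them under SELinux); group write on the directory additionally lets any process in the sssd group create or unlink files there, which is wider than the stated need. Either keep %{mcpath} at 755 if the files alone need group write, or add a comment in the spec (and a %changelog entry) recording why the directory must be group-writable too.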
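Review bot: the three nss_clear_memcache hunks now pass `nctx->mc_uid, nctx->mc_gid` into sss_mmap_cache_reinit, but the diff as shown stops at `@@ -237,21 +240,27 @@` before the code that fills in the new `mc_uid`/`mc_gid` members of struct nss_ctx (per the comment above, they are resolved once at startup instead of calling getpwnam(sssd) on every invalidation). Whatever that path does, it should fail the responder start if the sssd user cannot be resolved rather than leaving the fields zero-initialised, since zero would chown the caches to root:root and reintroduce the ownership mismatch with the spec that this PR is fixing.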
[SSSD] [sssd PR#708][+Changes requested] TESTS: ldb-tools are required for multihost tests
URL: https://github.com/SSSD/sssd/pull/708
Title: #708: TESTS: ldb-tools are required for multihost tests
Label: +Changes requested
[SSSD] [sssd PR#707][+Accepted] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
Label: +Accepted
[SSSD] [sssd PR#708][comment] TESTS: ldb-tools are required for multihost tests
URL: https://github.com/SSSD/sssd/pull/708
Title: #708: TESTS: ldb-tools are required for multihost tests
jhrozek commented:
"""
Well I do test on Fedora, so I care about the patch. The elif RHEL branch is just a bug, we need to fix the dependency detection better, but for now I would prefer to upstream the patch BUT please also add sssd-tools to the list (see a recent in rhpkg git..)
"""
See the full comment at https://github.com/SSSD/sssd/pull/708#issuecomment-445774981
[SSSD] [sssd PR#710][comment] data_provider_fo: fix error in hostname retrieval
URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval
jhrozek commented:
"""
I think this would fix the error, but I have two more questions:
1) Do you agree it would be nice to fix all gethostname() calls in a similar manner?
2) I like the sizeof(arr)/sizeof(elem) approach you took. I also now noticed, with the help of some git grep that we have this already defined as a macro called `N_ELEMENTS`, but only in the test code. Do you think it would make sense to move the macro to e.g. utils.h and reuse it outside the test code?
"""
See the full comment at https://github.com/SSSD/sssd/pull/710#issuecomment-445773513
[SSSD] [sssd PR#710][comment] data_provider_fo: fix error in hostname retrieval
URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval
jhrozek commented:
"""
add to whitelist
"""
See the full comment at https://github.com/SSSD/sssd/pull/710#issuecomment-445745812
[SSSD] [sssd PR#710][comment] data_provider_fo: fix error in hostname retrieval
URL: https://github.com/SSSD/sssd/pull/710
Title: #710: data_provider_fo: fix error in hostname retrieval
jhrozek commented:
"""
(Your patches should no longer by gated by centos CI)
"""
See the full comment at https://github.com/SSSD/sssd/pull/710#issuecomment-445745904
[SSSD] [sssd PR#709][comment] Regex fails if there's a whitespace before option name
URL: https://github.com/SSSD/sssd/pull/709
Title: #709: Regex fails if there's a whitespace before option name
jhrozek commented:
"""
@mzidek-rh do you have some opinion on the patch?
"""
See the full comment at https://github.com/SSSD/sssd/pull/709#issuecomment-445157860
[SSSD] [sssd PR#709][comment] Regex fails if there's a whitespace before option name
URL: https://github.com/SSSD/sssd/pull/709
Title: #709: Regex fails if there's a whitespace before option name
jhrozek commented:
"""
ok to test
"""
See the full comment at https://github.com/SSSD/sssd/pull/709#issuecomment-445157651
[SSSD] [sssd PR#707][comment] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
jhrozek commented:
"""
OK, so the CI 'passed', meaning we have run into a totally unrelated issue.
"""
See the full comment at https://github.com/SSSD/sssd/pull/707#issuecomment-444776957
[SSSD] [sssd PR#707][comment] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
jhrozek commented:
"""
thanks, submitted to our internal CI (that also runs different RHEL releases and Debian), will ack if the build comes through
"""
See the full comment at https://github.com/SSSD/sssd/pull/707#issuecomment-444628394
[SSSD] [sssd PR#704][+Pushed] PROXY: Copy the response to the caller
URL: https://github.com/SSSD/sssd/pull/704
Title: #704: PROXY: Copy the response to the caller
Label: +Pushed
[SSSD] [sssd PR#704][closed] PROXY: Copy the response to the caller
URL: https://github.com/SSSD/sssd/pull/704
Author: jhrozek
Title: #704: PROXY: Copy the response to the caller
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/704/head:pr704
git checkout pr704
[SSSD] [sssd PR#704][comment] PROXY: Copy the response to the caller
URL: https://github.com/SSSD/sssd/pull/704
Title: #704: PROXY: Copy the response to the caller
jhrozek commented:
"""
* master: 807bbce25ffedb6f0d2d61831b5d5133e11aa84a
"""
See the full comment at https://github.com/SSSD/sssd/pull/704#issuecomment-444626994
[SSSD] [sssd PR#701][comment] ci: add ability to run tests in jenkins
URL: https://github.com/SSSD/sssd/pull/701
Title: #701: ci: add ability to run tests in jenkins
jhrozek commented:
"""
* master: 36255b893a8a55588309a7c5729560c48a30018d
"""
See the full comment at https://github.com/SSSD/sssd/pull/701#issuecomment-444625732
[SSSD] [sssd PR#701][closed] ci: add ability to run tests in jenkins
URL: https://github.com/SSSD/sssd/pull/701
Author: pbrezina
Title: #701: ci: add ability to run tests in jenkins
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/701/head:pr701
git checkout pr701
[SSSD] [sssd PR#701][+Pushed] ci: add ability to run tests in jenkins
URL: https://github.com/SSSD/sssd/pull/701
Title: #701: ci: add ability to run tests in jenkins
Label: +Pushed
[SSSD] [sssd PR#695][comment] sss_iface: prevent from using invalid names that start with digits
URL: https://github.com/SSSD/sssd/pull/695
Title: #695: sss_iface: prevent from using invalid names that start with digits
jhrozek commented:
"""
* master: f47940356462a3f477fe462e71d7680c959300db
"""
See the full comment at https://github.com/SSSD/sssd/pull/695#issuecomment-444621900
[SSSD] [sssd PR#695][+Pushed] sss_iface: prevent from using invalid names that start with digits
URL: https://github.com/SSSD/sssd/pull/695
Title: #695: sss_iface: prevent from using invalid names that start with digits
Label: +Pushed
[SSSD] [sssd PR#695][closed] sss_iface: prevent from using invalid names that start with digits
URL: https://github.com/SSSD/sssd/pull/695
Author: pbrezina
Title: #695: sss_iface: prevent from using invalid names that start with digits
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/695/head:pr695
git checkout pr695
[SSSD] [sssd PR#690][closed] DYNDNS: Convert dyndns timer to be_ptask
URL: https://github.com/SSSD/sssd/pull/690
Author: thalman
Title: #690: DYNDNS: Convert dyndns timer to be_ptask
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/690/head:pr690
git checkout pr690
[SSSD] [sssd PR#690][comment] DYNDNS: Convert dyndns timer to be_ptask
URL: https://github.com/SSSD/sssd/pull/690
Title: #690: DYNDNS: Convert dyndns timer to be_ptask
jhrozek commented:
"""
* master: df9e4802c060fc21d38f238265805092352e5c95
"""
See the full comment at https://github.com/SSSD/sssd/pull/690#issuecomment-444620631
[SSSD] [sssd PR#690][+Pushed] DYNDNS: Convert dyndns timer to be_ptask
URL: https://github.com/SSSD/sssd/pull/690
Title: #690: DYNDNS: Convert dyndns timer to be_ptask
Label: +Pushed
[SSSD] [sssd PR#701][+Accepted] ci: add ability to run tests in jenkins
URL: https://github.com/SSSD/sssd/pull/701
Title: #701: ci: add ability to run tests in jenkins
Label: +Accepted
[SSSD] [sssd PR#701][comment] ci: add ability to run tests in jenkins
URL: https://github.com/SSSD/sssd/pull/701
Title: #701: ci: add ability to run tests in jenkins
jhrozek commented:
"""
I'll push the patch if the builds succeed here. What we need next is some documentation..
"""
See the full comment at https://github.com/SSSD/sssd/pull/701#issuecomment-65354
[SSSD] [sssd PR#702][+Changes requested] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Label: +Changes requested
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for emtpy home directories
jhrozek commented:
"""
I also had a follow-up discussion with simo on IRC, let me paste rephrasing:
- the AD provider should have an AD specific internal option that generates the homedir. This option doesn't have to be exposed as a generic config option to avoid having yet another configuration knob
- if fallback_homedir is set, this option is ignored
- the option should be ideally set to what winbind uses
I hope I haven't forgotten or mangled anything.
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-444132698
[SSSD] [sssd PR#707][comment] build: remove hardcoded samba include path
URL: https://github.com/SSSD/sssd/pull/707
Title: #707: build: remove hardcoded samba include path
jhrozek commented:
"""
ok to test
"""
See the full comment at https://github.com/SSSD/sssd/pull/707#issuecomment-444129009
[SSSD] [sssd PR#706][opened] KCM: Fall back to using the first ccache if the default does not exist
URL: https://github.com/SSSD/sssd/pull/706
Author: jhrozek
Title: #706: KCM: Fall back to using the first ccache if the default does not exist
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3838

KCM stores the default ccache in a separate DB entry. If the DB entry contains a UUID that cannot be found in the DB for whatever reason, we should just use the first ccache as the default. (This is what we already do if there is no default)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/706/head:pr706
git checkout pr706

From 6b41485c14be328eab02be7167e3875aecd1b0c9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 28 Sep 2018 17:29:10 +0200
Subject: [PATCH] KCM: Fall back to using the first ccache if the default does not exist

Resolves: https://pagure.io/SSSD/sssd/issue/3838

KCM stores the default ccache in a separate DB entry. If the DB entry contains a UUID that cannot be found in the DB for whatever reason, we should just use the first ccache as the default. (This is what we already do if there is no default)
---
 src/responder/kcm/kcmsrv_ops.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 1e229adc4..5c4ece79e 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -1509,7 +1509,17 @@ static void kcm_op_get_default_ccache_byuuid_done(struct tevent_req *subreq) DEBUG(SSSDBG_OP_FAILURE, "Cannot get ccahe by UUID [%d]: %s\n", ret, sss_strerror(ret)); -tevent_req_error(req, ret); +/* Instead of failing the whole operation, return the first + * ccache as a fallback + */ +subreq = kcm_ccdb_list_send(state, state->ev, +state->op_ctx->kcm_data->db, +state->op_ctx->client); +if (subreq == NULL) { +tevent_req_error(req, ENOMEM); +return; +} +tevent_req_set_callback(subreq, kcm_op_get_default_ccache_list_done, req); return; }
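Review bot: in the kcm_op_get_default_ccache_byuuid_done hunk, the new fallback answers the client with the first ccache but leaves the dangling default-UUID entry in the DB untouched, so every subsequent default lookup repeats the failed by-UUID fetch plus the full kcm_ccdb_list_send; consider clearing or rewriting the default entry once the list callback has picked a ccache. The unchanged `DEBUG(SSSDBG_OP_FAILURE, "Cannot get ccahe by UUID [%d]: %s\n", ...)` just above still reports a condition that is now handled at failure level and misspells ccache; lower it to a minor or trace level and fix the typo while here.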
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703
Title: #703: nss: sssd returns '/' for emtpy home directories
jhrozek commented:
"""
I thought that fallback_homedir = "" would work but it doesn't, not even with escaping quotes. An empty attribute is silently ignored. About whether we care about this use-case..I don't know, currently I don't think so.
"""
See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-444114458
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for emtpy home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for empty home directories jhrozek commented: """
> On Tue, 2018-12-04 at 04:51 -0800, Jakub Hrozek wrote:
> Thanks, this passes the test. And of course the patch is correct, but after some more testing, I wonder if we should at least for one release default to fallback_homedir=$something at least for the AD provider. Because now with the completely minimal AD provider configuration (no POSIX attrs, ID mapping only) I can't log in with an AD user:
> ```
> $ getent passwd ***@***.***
> ***@***.***:*:215000500:215000513:Administrator::/bin/bash
> $ su - ***@***.***
> su: user ***@***.*** does not exist
> ```
> Note that this is minimal config, realmd already adds fallback_homedir.
>
> Why does this fail? Because of the missing homedir?

Yes, su checks the homedir:
```
    su->pwd = xgetpwnam(su->new_user, &su->pwdbuf);
    if (!su->pwd
        || !su->pwd->pw_passwd
        || !su->pwd->pw_name || !*su->pwd->pw_name
        || !su->pwd->pw_dir || !*su->pwd->pw_dir)
        errx(EXIT_FAILURE, _("user %s does not exist"), su->new_user);
```
ssh is more permissive and places you at `/`

> Or at least we should IMO add some backwards compatible handling when this patch makes it to fedora or RHEL otherwise admins might not be happy. From purely upstream point of view this change is probably OK with me.
>
> I think the AD provider should synthesize a home dir by default, without any specific option being set, it's what is considered normal also in winbind land, in fact I would look closely at what winbind does and do the same for AD users by default. If fallback_homedir is set, skip the default and use what that setting specifies.

Then why not set a default value for fallback homedir?
:-) """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-444106317
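The su check quoted above decides on the passwd entry alone: a resolvable user with an empty pw_dir is reported as non-existent. As an added example that is not part of the PR, of SSSD or of util-linux, the following Python audit applies the same acceptance test to `getent passwd` output and shows which entries a template such as the thread's `fallback_homedir` would repair. The sample entries, the `ad.example.test` domain and the `%u`/`%d` expansion are constructed and simplified for the example; SSSD's real template handling supports more than these two specifiers.

```python
# Added example (not SSSD or util-linux code): audit passwd entries with the
# acceptance test su applies, and show the effect of a fallback_homedir template.

PASSWD_FIELDS = ("pw_name", "pw_passwd", "pw_uid", "pw_gid",
                 "pw_gecos", "pw_dir", "pw_shell")

# Constructed getent passwd output: the AD administrator entry mirrors the
# thread (empty pw_dir); the other two are ordinary entries.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
administrator@ad.example.test:*:215000500:215000513:Administrator::/bin/bash
alice@ad.example.test:*:215001104:215000513:Alice:/home/alice:/bin/bash
"""


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields; reject malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(f"malformed passwd line: {line!r}")
    return dict(zip(PASSWD_FIELDS, fields))


def su_accepts(entry):
    """Mirror the su check quoted in the thread: pw_name and pw_dir must be
    non-empty. (su also tests pw_passwd for NULL, but a parsed line always
    carries that field.) An entry failing this makes su say
    'user ... does not exist' even though getent resolves it."""
    return bool(entry["pw_name"]) and bool(entry["pw_dir"])


def apply_fallback_homedir(entry, template):
    """Fill an empty pw_dir from a template. Only %u (user part of the name)
    and %d (domain part after '@') are expanded; this is a simplification of
    SSSD's fallback_homedir, assumed for the example."""
    if entry["pw_dir"]:
        return entry
    user, _, domain = entry["pw_name"].partition("@")
    fixed = dict(entry)
    fixed["pw_dir"] = template.replace("%u", user).replace("%d", domain)
    return fixed


def audit(getent_output, fallback_homedir=None):
    """Return the names su would refuse, optionally after applying a
    fallback_homedir template to entries with an empty home directory."""
    refused = []
    for line in getent_output.splitlines():
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if fallback_homedir is not None:
            entry = apply_fallback_homedir(entry, fallback_homedir)
        if not su_accepts(entry):
            refused.append(entry["pw_name"])
    return refused


if __name__ == "__main__":
    print(audit(SAMPLE_GETENT))                 # ['administrator@ad.example.test']
    print(audit(SAMPLE_GETENT, "/home/%d/%u"))  # []
```

Feeding the output of `getent passwd -s sss` through `audit()` lists exactly the users who would resolve but be turned away by su; running it a second time with the template the domain would get from realmd shows whether a default for `fallback_homedir` closes the gap.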
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-444096360
[SSSD] [sssd PR#702][comment] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702 Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/702#issuecomment-444096255
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for empty home directories jhrozek commented: """ Thanks, this passes the test. And of course the patch is correct, but after some more testing, I wonder if we should at least for one release default to fallback_homedir=$something at least for the AD provider. Because now with the completely minimal AD provider configuration (no POSIX attrs, ID mapping only) I can't log in with an AD user:
```
$ getent passwd administra...@win.trust.test
administra...@win.trust.test:*:215000500:215000513:Administrator::/bin/bash
$ su - administra...@win.trust.test
su: user administra...@win.trust.test does not exist
```
Note that this is minimal config, realmd already adds fallback_homedir. Or at least we should IMO add some backwards compatible handling when this patch makes it to fedora or RHEL otherwise admins might not be happy. From purely upstream point of view this change is probably OK with me. """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-444089136
[SSSD] [sssd PR#703][comment] nss: sssd returns '/' for empty home directories
URL: https://github.com/SSSD/sssd/pull/703 Title: #703: nss: sssd returns '/' for empty home directories jhrozek commented: """ You also need to amend `test_user_no_dir` in `src/tests/intg/test_files_provider.py` """ See the full comment at https://github.com/SSSD/sssd/pull/703#issuecomment-444081640
[SSSD] [sssd PR#705][opened] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Author: jhrozek Title: #705: KCM: Add configurable quotas Action: opened PR body: """ This PR adds several patches that let the user configure quotas to store their ccaches. Please see the commit messages, I hope they are verbose enough. One thing that should be pointed out is that the global number of ccaches is explicitly unlimited. Does anyone see an issue with just enforcing the per-UID limits? An upcoming PR(s) would implement warning when the quota is being exceeded and a sssctl command to let the administrator display the quota taken. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/705/head:pr705 git checkout pr705 From 763fb7a5ef58834ab6d5fb02a7ecf7c9f719e8c8 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Oct 2018 13:17:14 +0200 Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference Related: https://pagure.io/SSSD/sssd/issue/3685 There were some stray references to the secrets responder in the sssd-kcm manual page. --- src/man/sssd-kcm.8.xml | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index fff8b0a16..90b9ad09c 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -58,11 +58,9 @@ -the SSSD implementation stores the ccaches in the SSSD - -sssd-secrets5 - -secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. +the SSSD implementation stores the ccaches in a database, +typically located at /var/lib/sss/secrets +allowing the ccaches to survive KCM server restarts or machine reboots. From a3171af55e7fa88bae586d84d53ddb8f8c5d13a8 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Fri, 30 Nov 2018 13:15:58 +0100 Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart sssd-kcm.service lately Related: https://pagure.io/SSSD/sssd/issue/3862 We forgot to amend the man page after implementing the sssd-kcm service reload. --- src/man/sssd-kcm.8.xml | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index 90b9ad09c..4e4aaa38e 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service CONFIGURATION OPTIONS The KCM service is configured in the kcm -section of the sssd.conf file. Please note that currently, -is it not sufficient to restart the sssd-kcm service, because -the sssd configuration is only parsed and read to an internal -configuration database by the sssd service. Therefore you -must restart the sssd service if you change anything in the -kcm section of sssd.conf. +section of the sssd.conf file. Please note that because +the KCM service is typically socket-activated, it is +enough to just restart the sssd-kcm service +after changing options in the kcm section +of sssd.conf: + +systemctl restart sssd-kcm.service + + + +The KCM service is configured in the kcm For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf From 9f5455a41271694ac987677df9fdffe3ebb8edb8 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 26 Nov 2018 13:44:08 +0100 Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM for quota options Related: https://pagure.io/SSSD/sssd/issue/3386 With the separate secrets responder, the quotas for the /secrets and /kcm hives were configurable in a sub-section of the [secrets] sssd.conf section using the same option -- the /secrets vs. /kcm distinction was made using the subsection name. With the standalone KCM responder writing directly to the database, it makes sense to have options with more descriptive names better suitable for the KCM usage. For that we need the options for secrets quotas and kcm quotas to be named differently. For now, the patch only passes the option name to sss_sec_get_quota() and sss_sec_get_hive_config() together with the default value in an instance of a new structure sss_sec_quota_opt. The secrets responder still uses the same option names for backwards compatibility. --- src/responder/secrets/secsrv.c | 57 +++--- src/util/secrets/config.c | 40 src/util/secrets/secrets.h | 21 - 3 files changed, 78 insertions(+), 40 deletions(
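Review bot: in the PATCH 2/8 hunk of src/man/sssd-kcm.8.xml, the last added line `+The KCM service is configured in the kcm` repeats the sentence that opens this very section a few lines above and runs straight into the unchanged `For a detailed syntax reference` paragraph; it reads like a stray line left over from editing and should be dropped. In the same hunk, the new text says restarting sssd-kcm.service is enough because the responder is "typically" socket-activated; one sentence on what an admin should do when it is not (the case the removed text covered by restarting sssd) would keep the man page complete.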
[SSSD] [sssd PR#695][+Accepted] sss_iface: prevent from using invalid names that start with digits
URL: https://github.com/SSSD/sssd/pull/695 Title: #695: sss_iface: prevent from using invalid names that start with digits Label: +Accepted
[SSSD] [sssd PR#704][opened] PROXY: Copy the response to the caller
URL: https://github.com/SSSD/sssd/pull/704 Author: jhrozek Title: #704: PROXY: Copy the response to the caller Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3892 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/704/head:pr704 git checkout pr704 From cc132194faef976a2599b545853e3455537d09c8 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 3 Dec 2018 23:26:46 +0100 Subject: [PATCH] PROXY: Copy the response to the caller Resolves: https://pagure.io/SSSD/sssd/issue/3892 --- src/providers/proxy/proxy_auth.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c index 3c5affeb5..926ce98f4 100644 --- a/src/providers/proxy/proxy_auth.c +++ b/src/providers/proxy/proxy_auth.c @@ -570,6 +570,7 @@ static struct tevent_req *proxy_pam_conv_send(TALLOC_CTX *mem_ctx, static void proxy_pam_conv_done(struct tevent_req *subreq) { struct pam_data *response; +struct response_data *resp; struct proxy_conv_ctx *state; struct tevent_req *req; errno_t ret; @@ -583,8 +584,6 @@ static void proxy_pam_conv_done(struct tevent_req *subreq) /* Kill the child */ kill(state->pid, SIGKILL); -// TODO copy response to pd - if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get reply from child [%d]: %s\n", ret, sss_strerror(ret)); 
@@ -593,6 +592,19 @@ static void proxy_pam_conv_done(struct tevent_req *subreq) return; } +state->pd->pam_status = response->pam_status; +state->pd->account_locked = response->account_locked; + +for (resp = response->resp_list; resp != NULL; resp = resp->next) { +talloc_steal(state->pd, resp); + +if (resp->next == NULL) { +resp->next = state->pd->resp_list; +state->pd->resp_list = response->resp_list; +break; +} +} + DEBUG(SSSDBG_CONF_SETTINGS, "received: [%d][%s]\n", state->pd->pam_status, state->pd->domain); ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
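Review bot: in the second proxy_auth.c hunk, once the loop has stolen every node and spliced `response->resp_list` in front of `state->pd->resp_list`, `response->resp_list` still points at nodes that now belong to `state->pd`; set `response->resp_list = NULL` after the `for` loop so that nothing which later frees or walks `response` can touch the moved list. The loop also deserves a one-line comment saying it prepends the child's whole list (the `if (resp->next == NULL)` branch runs at the tail), which is less obvious than the removed `// TODO copy response to pd` suggested.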
[SSSD] [sssd PR#702][opened] NSS: Avoid changing the memory cache ownership away from the SSSD user
URL: https://github.com/SSSD/sssd/pull/702 Author: jhrozek Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3890 In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root. This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V. This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root. Also, this patch changes the sssd_nss responder so that is becomes a member of the supplementary sssd group. Even though in traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux enforcing mode this becomes problematic as SELinux emits an error such as: type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/702/head:pr702 git checkout pr702 From ed33e33df552ed53130135a925678c8e25f2e0d2 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Thu, 29 Nov 2018 09:18:32 +0100 Subject: [PATCH] NSS: Avoid changing the memory cache ownership away from the SSSD user Resolves: https://pagure.io/SSSD/sssd/issue/3890 In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root. This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V. This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root. Also, this patch changes the sssd_nss responder so that is becomes a member of the supplementary sssd group. Even though in traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux enforcing mode this becomes problematic as SELinux emits an error such as: type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only. --- contrib/sssd.spec.in | 8 +- src/responder/nss/nsssrv.c| 111 +- src/responder/nss/nsssrv_mmap_cache.c | 43 +- src/responder/nss/nsssrv_mmap_cache.h | 1 + 4 files changed, 155 insertions(+), 8 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 26fae6d68..22a1063b2 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
@@ -1039,11 +1039,11 @@ done %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache %attr(700,sssd,sssd) %dir %{dbpath} -%attr(755,sssd,sssd) %dir %{mcpath} +%attr(775,sssd,sssd) %dir %{mcpath} %attr(751,sssd,sssd) %dir %{deskprofilepath} -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups %attr(755,sssd,sssd) %dir %{pipepath} %attr(750,sssd,root) %dir %{pipepath}/private %attr(755,sssd,sssd) %dir %{pubconfpath} diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index fb7326a02..808b96108 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -209,6 +209,8 @@ static int setup_memcaches(struct nss_ctx *nctx) { int ret; int memcache_timeout; +uid_t sssd_uid; +gid_t sssd_gid; /* Remove the CLEAR_MC_FLAG file if exists. */ ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG); @@ -236,22 +238,40 @@ static int setup_memcaches(struct nss_ctx *nctx) return EOK; } +/* + * We explicitly read the IDs of the SSSD user even though the server + * receives --uid and --gid by parameters to account for the case where + * the SSSD is compiled --with-sssd-user=sssd but the defaul
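Review bot: the contrib/sssd.spec.in hunk widens `%{mcpath}` from 755 to 775 and the three cache files from 0644 to 0664, so every member of the sssd group can now rewrite a cache that libnss_sss in every process trusts; the PR body justifies this with sssd_nss joining the supplementary sssd group, so the commit message (and ideally a comment next to these `%attr` lines) should state that the sssd group must have no other members for this to stay safe. The `%verify(not md5 size mtime)` exclusions are unchanged, so `rpm -V` still checks user, group and mode, which is the integrity check the PR body wants to keep working.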
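As an added example that is not SSSD's code, the following Python script performs the ownership and mode check that `rpm -V` makes on the memory cache files after this spec change (directory 0775, files 0664, all sssd:sssd) and shows why the root-owned state described in the PR body fails it. Paths are written with the spec's `%{mcpath}` placeholder rather than a real directory; the before/after observations are constructed, and the `collect()` helper that reads a live system is an assumption about how one would feed the check.

```python
# Added example (not SSSD code): rpm -V style ownership/mode check for the
# NSS memory cache files, using the expectations from the spec hunk.
import os
import stat

# Expected (owner, group, mode, is_directory) per path, as in contrib/sssd.spec.in
# after the change. %{mcpath} is the spec's placeholder for the cache directory.
EXPECTED = {
    "%{mcpath}":            ("sssd", "sssd", 0o775, True),
    "%{mcpath}/passwd":     ("sssd", "sssd", 0o664, False),
    "%{mcpath}/group":      ("sssd", "sssd", 0o664, False),
    "%{mcpath}/initgroups": ("sssd", "sssd", 0o664, False),
}


def verify(observed, expected=EXPECTED):
    """observed: {path: (owner, group, st_mode)} with the full st_mode.
    Returns {path: flags} for mismatching entries using rpm -V letters
    (U user, G group, M mode or file type) and 'missing' for absent paths."""
    problems = {}
    for path, (exp_user, exp_group, exp_mode, is_dir) in expected.items():
        if path not in observed:
            problems[path] = "missing"
            continue
        user, group, st_mode = observed[path]
        flags = ""
        if user != exp_user:
            flags += "U"
        if group != exp_group:
            flags += "G"
        if stat.S_IMODE(st_mode) != exp_mode or stat.S_ISDIR(st_mode) != is_dir:
            flags += "M"
        if flags:
            problems[path] = flags
    return problems


def collect(mcpath):
    """Assumed helper: gather observations from a live system by replacing
    %{mcpath} with the real directory. Not exercised by the samples below."""
    import grp
    import pwd
    observed = {}
    for key in EXPECTED:
        path = key.replace("%{mcpath}", mcpath)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        observed[key] = (pwd.getpwuid(st.st_uid).pw_name,
                         grp.getgrgid(st.st_gid).gr_name, st.st_mode)
    return observed


# Constructed observations: the state the PR body describes when sssd_nss runs
# as root (cache files chowned to root, old 0644 modes) and the state after the fix.
BEFORE = {
    "%{mcpath}":            ("sssd", "sssd", stat.S_IFDIR | 0o755),
    "%{mcpath}/passwd":     ("root", "root", stat.S_IFREG | 0o644),
    "%{mcpath}/group":      ("root", "root", stat.S_IFREG | 0o644),
    "%{mcpath}/initgroups": ("root", "root", stat.S_IFREG | 0o644),
}
AFTER = {
    "%{mcpath}":            ("sssd", "sssd", stat.S_IFDIR | 0o775),
    "%{mcpath}/passwd":     ("sssd", "sssd", stat.S_IFREG | 0o664),
    "%{mcpath}/group":      ("sssd", "sssd", stat.S_IFREG | 0o664),
    "%{mcpath}/initgroups": ("sssd", "sssd", stat.S_IFREG | 0o664),
}

if __name__ == "__main__":
    print("before:", verify(BEFORE))  # dir flagged M, the three files UGM
    print("after: ", verify(AFTER))   # {}
```

The type check via `S_ISDIR` matters because a regular file dropped in place of the directory would otherwise pass on mode bits alone; on a real host, `verify(collect("/path/to/mc"))` with the packaged cache directory gives the same verdict `rpm -V` prints for these entries.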
[SSSD] [sssd PR#700][comment] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information jhrozek commented: """ btw I opened https://pagure.io/SSSD/sssd/issue/3889 to track the additional hardening. Maybe it would be a nice task for one of the new people on the team... """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441795553
[SSSD] [sssd PR#700][comment] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information jhrozek commented: """ * sssd-1-16: 1a7c6ab6efce3720d27def426aad49ee99eb339d 7eb18ab68762d1b1ddbcbdc32dbcbd0df183d4f1 876f1cb87d1649d0681bf6475ab589287f15babb """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441791236
[SSSD] [sssd PR#700][comment] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information jhrozek commented: """ * master: * 6f113c7ddeaa5c82558e10118b499d22bf7a2b14 * 57fc60c9dc77698cf824813c36eb0f90d767b315 * 09091b4b60456a989ecc8c3b6f76661a14c108ba """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441790753
[SSSD] [sssd PR#700][+Pushed] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information Label: +Pushed
[SSSD] [sssd PR#700][closed] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Author: jhrozek Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/700/head:pr700 git checkout pr700
[SSSD] [sssd PR#700][synchronized] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Author: jhrozek Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/700/head:pr700 git checkout pr700 From f95292ef7f487fb5f9c388f9abaa90a2f3c0e846 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:51:14 +0100 Subject: [PATCH 1/3] LDAP: minor refactoring in auth_send() to conform to our coding style Related: https://pagure.io/SSSD/sssd/issue/3451 A tevent _send() function should only return NULL on ENOMEM, otherwise it should mark the request as failed but return the req pointer. This was not much of an issue, before, but the next patch will add another function call to the auth_send call which would make error handling awkward. --- src/providers/ldap/ldap_auth.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index d40bc9414..c409353d9 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -636,6 +636,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, { struct tevent_req *req; struct auth_state *state; +errno_t ret; req = tevent_req_create(memctx, , struct auth_state); if (!req) return NULL; @@ -645,11 +646,11 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { /* Tell frontend that we do not support Smartcard authentication */ -tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED); +ret = ERR_SC_AUTH_NOT_SUPPORTED; } else { -tevent_req_error(req, ERR_AUTH_FAILED); +ret = ERR_AUTH_FAILED; } -return tevent_req_post(req, ev); +goto fail; } state->ev = ev; 
@@ -663,13 +664,17 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } -if (!auth_connect_send(req)) goto fail; +if (auth_connect_send(req) == NULL) { +ret = ENOMEM; +goto fail; +} return req; fail: -talloc_zfree(req); -return NULL; +tevent_req_error(req, ret); +tevent_req_post(req, ev); +return req; } static struct tevent_req *auth_connect_send(struct tevent_req *req) From 9c7065286fdf8b7020949ac15757ae67ee25315e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:17:51 +0100 Subject: [PATCH 2/3] LDAP: Only authenticate the auth connection if we need to look up user information Related: https://pagure.io/SSSD/sssd/issue/3451 Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by using the full sdap_cli_connect() request during LDAP authentication. This was a good idea as it addressed the case where the authentication connection must also look up some user information (typically with id_provider=proxy where you don't know the DN to bind as during authentication), but this approach also broke the use-case of id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi. This is because (for reason I don't know) AD doesn't like if you use both GSSAPI and startTLS on the same connection. But the code would force TLS during the authentication as a general measure to not transmit passwords in the clear, but then, the connection would also see that ldap_sasl_auth=gssapi is set and also bind with GSSAPI. This patch checks if the user DN is already known and if yes, then doesn't authenticate the connection as the connection will then only be used for the user simple bind. --- src/providers/ldap/ldap_auth.c | 53 +++--- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index c409353d9..b4d045a65 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c 
@@ -664,6 +664,18 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } +ret = get_user_dn(state, state->ctx->be->domain, + state->ctx->opts, state->username, >dn, + >pw_expire_type, >pw_expire_data); +if (ret == EAGAIN) { +DEBUG(SSSDBG_TRACE_FUNC, + "Need to look up the DN of %s later\n", state->username); +} else if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Cannot get user DN [%d]: %s\n", ret, sss_strerror(ret)); +goto fail; +} + if (auth_connect_send(req) == NULL) { ret = ENOMEM; goto fail; @@ -683,6 +695,8 @@ static struct tevent_req *auth_connect_send(struct tev
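Review bot: in the `fail:` label of the first auth_send() hunk, the ENOMEM case from `auth_connect_send()` now goes through `tevent_req_error(req, ret)` and `tevent_req_post(req, ev)` and returns `req`, while the commit message says a `_send()` function should return NULL on ENOMEM; either keep `talloc_zfree(req); return NULL;` for that one case or reword the message so the convention the function actually follows is clear to callers. Also note that the early Smartcard branch jumps to `fail:` before `state->ev = ev` is assigned, which works only because `tevent_req_post()` is given the `ev` parameter rather than `state->ev`; a short comment at the label would stop someone "simplifying" that later.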
[SSSD] [sssd PR#700][comment] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information jhrozek commented: """ thanks, I added your newest patch version to this PR """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441610109
[SSSD] [sssd PR#700][comment] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information jhrozek commented: """ Thank you, this is nice. I added your patch to the PR, fixed one typo and one minor style issue. If you're OK with the fixes, I will squash the last patch into yours and push them all once CI finishes. If we want to do additional hardening, we can even save the value of the SDAP_DISABLE_AUTH_TLS variable and unless it is set to TRUE, we can even abort the authentication if no encryption is selected. btw during testing, I even listened to the traffic with tcpdump and then checked the pcap files to make sure the traffic is encrypted, so at least for the cases that were tested I know we are fine. But the patch is very nice to have for sure. """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441581678
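The comment above verifies with tcpdump that the bind traffic is encrypted. As an added example that is not SSSD code, the following Python detector performs that check over captured TCP payloads: it decodes just enough BER to recognise an LDAPMessage carrying a BindRequest with simple authentication (RFC 4511: BindRequest is `[APPLICATION 0]`, the simple choice is context tag `[0]`), which only ever appears as plain BER on the wire when the password was sent without TLS. The payloads, client addresses and bind DN below are constructed; ldaps and post-StartTLS data arrive as TLS records and never decode, and SASL binds (choice `[3]`) are ignored, so the detector reports exactly the case the hardening in the comment wants to rule out.

```python
# Added example (not SSSD code): recognise cleartext LDAP simple binds in
# captured TCP payloads. Sample payloads and addresses are constructed.


def _tlv(tag, value):
    """BER-encode one TLV (short and long definite-length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + value


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(payload):
    """Return (message_id, version, bind_dn, password_present) if payload is
    an LDAPMessage whose protocolOp is a BindRequest with simple authentication
    (tag 0x60 for [APPLICATION 0], context tag 0x80 for the simple choice).
    Anything else, including SASL binds (0xA3) and TLS records, yields None."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:                          # LDAPMessage ::= SEQUENCE
            return None
        tag, mid, pos = _read_tlv(msg, 0)        # messageID INTEGER
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(msg, pos)         # protocolOp
        if tag != 0x60:
            return None
        _, ver, pos = _read_tlv(op, 0)           # version INTEGER
        _, name, pos = _read_tlv(op, pos)        # name LDAPDN
        tag, auth, _ = _read_tlv(op, pos)        # authentication CHOICE
    except ValueError:
        return None
    if tag != 0x80:
        return None
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
            name.decode("utf-8", "replace"), len(auth) > 0)


def find_cleartext_binds(segments):
    """segments: iterable of (client, server_port, tcp_payload). A simple bind
    that decodes as plain BER means the password crossed the wire without TLS;
    ldaps (636) and post-StartTLS traffic is TLS records and never decodes.
    Binds with an empty password (anonymous) are not reported."""
    findings = []
    for client, port, payload in segments:
        bind = parse_simple_bind(payload)
        if bind is not None and bind[3]:
            findings.append((client, port, bind[2]))  # DN only, never the secret
    return findings


# Constructed samples: a simple bind on 389, a SASL/GSSAPI bind, and the first
# bytes of a TLS ClientHello as seen on an ldaps connection.
SIMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"uid=alice,dc=example,dc=test")
    + _tlv(0x80, b"example-password")))
SASL_BIND = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"")
    + _tlv(0xA3, _tlv(0x04, b"GSSAPI") + _tlv(0x04, b"\x60\x00"))))
TLS_RECORD = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

SEGMENTS = [("10.0.0.5", 389, SIMPLE_BIND),
            ("10.0.0.5", 389, SASL_BIND),
            ("10.0.0.6", 636, TLS_RECORD)]

if __name__ == "__main__":
    for client, port, dn in find_cleartext_binds(SEGMENTS):
        print(f"cleartext simple bind from {client} to port {port} as {dn}")
```

To run this against a real capture, extract each client-to-server TCP payload on the LDAP port with a pcap library and pass the tuples to `find_cleartext_binds()`; a hit on port 389 means the simple bind was sent before StartTLS completed, which is exactly what `SDAP_DISABLE_AUTH_TLS` should have to be set to allow.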
[SSSD] [sssd PR#700][synchronized] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Author: jhrozek Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/700/head:pr700 git checkout pr700 From f95292ef7f487fb5f9c388f9abaa90a2f3c0e846 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:51:14 +0100 Subject: [PATCH 1/4] LDAP: minor refactoring in auth_send() to conform to our coding style Related: https://pagure.io/SSSD/sssd/issue/3451 A tevent _send() function should only return NULL on ENOMEM, otherwise it should mark the request as failed but return the req pointer. This was not much of an issue, before, but the next patch will add another function call to the auth_send call which would make error handling awkward. --- src/providers/ldap/ldap_auth.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index d40bc9414..c409353d9 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -636,6 +636,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, { struct tevent_req *req; struct auth_state *state; +errno_t ret; req = tevent_req_create(memctx, , struct auth_state); if (!req) return NULL; @@ -645,11 +646,11 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { /* Tell frontend that we do not support Smartcard authentication */ -tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED); +ret = ERR_SC_AUTH_NOT_SUPPORTED; } else { -tevent_req_error(req, ERR_AUTH_FAILED); +ret = ERR_AUTH_FAILED; } -return tevent_req_post(req, ev); +goto fail; } state->ev = ev; 
@@ -663,13 +664,17 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } -if (!auth_connect_send(req)) goto fail; +if (auth_connect_send(req) == NULL) { +ret = ENOMEM; +goto fail; +} return req; fail: -talloc_zfree(req); -return NULL; +tevent_req_error(req, ret); +tevent_req_post(req, ev); +return req; } static struct tevent_req *auth_connect_send(struct tevent_req *req) From 9c7065286fdf8b7020949ac15757ae67ee25315e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:17:51 +0100 Subject: [PATCH 2/4] LDAP: Only authenticate the auth connection if we need to look up user information Related: https://pagure.io/SSSD/sssd/issue/3451 Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by using the full sdap_cli_connect() request during LDAP authentication. This was a good idea as it addressed the case where the authentication connection must also look up some user information (typically with id_provider=proxy where you don't know the DN to bind as during authentication), but this approach also broke the use-case of id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi. This is because (for reason I don't know) AD doesn't like if you use both GSSAPI and startTLS on the same connection. But the code would force TLS during the authentication as a general measure to not transmit passwords in the clear, but then, the connection would also see that ldap_sasl_auth=gssapi is set and also bind with GSSAPI. This patch checks if the user DN is already known and if yes, then doesn't authenticate the connection as the connection will then only be used for the user simple bind. --- src/providers/ldap/ldap_auth.c | 53 +++--- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index c409353d9..b4d045a65 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c 
@@ -664,6 +664,18 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } +ret = get_user_dn(state, state->ctx->be->domain, + state->ctx->opts, state->username, >dn, + >pw_expire_type, >pw_expire_data); +if (ret == EAGAIN) { +DEBUG(SSSDBG_TRACE_FUNC, + "Need to look up the DN of %s later\n", state->username); +} else if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Cannot get user DN [%d]: %s\n", ret, sss_strerror(ret)); +goto fail; +} + if (auth_connect_send(req) == NULL) { ret = ENOMEM; goto fail; @@ -683,6 +695,8 @@ static struct tevent_req *auth_connect_send(struct tev
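Review bot: in the second auth_send() hunk, the EAGAIN branch after `get_user_dn()` only logs "Need to look up the DN of %s later" and falls through, so a NULL `state->dn` becomes the signal that the connection must be authenticated before the user bind, as the commit message describes; the hunk is cut off before the code that consumes that signal, so add a short comment at the EAGAIN branch naming this contract, otherwise a reader of auth_send() alone cannot tell why EAGAIN is not an error here.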
[SSSD] [sssd PR#699][closed] Fixes for MIT Kerberos 1.17 and valgrind CI runs
URL: https://github.com/SSSD/sssd/pull/699 Author: sumit-bose Title: #699: Fixes for MIT Kerberos 1.17 and valgrind CI runs Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/699/head:pr699 git checkout pr699
[SSSD] [sssd PR#699][+Pushed] Fixes for MIT Kerberos 1.17 and valgind CI runs
URL: https://github.com/SSSD/sssd/pull/699
Title: #699: Fixes for MIT Kerberos 1.17 and valgind CI runs
Label: +Pushed
[SSSD] [sssd PR#700][-Changes requested] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700
Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information
Label: -Changes requested
[SSSD] [sssd PR#700][synchronized] LDAP: Only authenticate the auth connection if we need to look up user information
URL: https://github.com/SSSD/sssd/pull/700 Author: jhrozek Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/700/head:pr700 git checkout pr700 From 5b98855ead418b047fff794fdcf89a06f2ca39b0 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:51:14 +0100 Subject: [PATCH 1/2] LDAP: minor refactoring in auth_send() to conform to our coding style Related: https://pagure.io/SSSD/sssd/issue/3451 A tevent _send() function should only return NULL on ENOMEM, otherwise it should mark the request as failed but return the req pointer. This was not much of an issue, before, but the next patch will add another function call to the auth_send call which would make error handling awkward. --- src/providers/ldap/ldap_auth.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index d40bc9414..c409353d9 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -636,6 +636,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, { struct tevent_req *req; struct auth_state *state; +errno_t ret; req = tevent_req_create(memctx, , struct auth_state); if (!req) return NULL; @@ -645,11 +646,11 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { /* Tell frontend that we do not support Smartcard authentication */ -tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED); +ret = ERR_SC_AUTH_NOT_SUPPORTED; } else { -tevent_req_error(req, ERR_AUTH_FAILED); +ret = ERR_AUTH_FAILED; } -return tevent_req_post(req, ev); +goto fail; } state->ev = ev; 
@@ -663,13 +664,17 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } -if (!auth_connect_send(req)) goto fail; +if (auth_connect_send(req) == NULL) { +ret = ENOMEM; +goto fail; +} return req; fail: -talloc_zfree(req); -return NULL; +tevent_req_error(req, ret); +tevent_req_post(req, ev); +return req; } static struct tevent_req *auth_connect_send(struct tevent_req *req) From f740246f882155d32db50b6e7483bf355395577c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 22 Nov 2018 12:17:51 +0100 Subject: [PATCH 2/2] LDAP: Only authenticate the auth connection if we need to look up user information Related: https://pagure.io/SSSD/sssd/issue/3451 Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by using the full sdap_cli_connect() request during LDAP authentication. This was a good idea as it addressed the case where the authentication connection must also look up some user information (typically with id_provider=proxy where you don't know the DN to bind as during authentication), but this approach also broke the use-case of id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi. This is because (for reason I don't know) AD doesn't like if you use both GSSAPI and startTLS on the same connection. But the code would force TLS during the authentication as a general measure to not transmit passwords in the clear, but then, the connection would also see that ldap_sasl_auth=gssapi is set and also bind with GSSAPI. This patch checks if the user DN is already known and if yes, then doesn't authenticate the connection as the connection will then only be used for the user simple bind. --- src/providers/ldap/ldap_auth.c | 53 +++--- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index c409353d9..b4d045a65 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c 
@@ -664,6 +664,18 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->sdap_service = ctx->service; } +ret = get_user_dn(state, state->ctx->be->domain, + state->ctx->opts, state->username, >dn, + >pw_expire_type, >pw_expire_data); +if (ret == EAGAIN) { +DEBUG(SSSDBG_TRACE_FUNC, + "Need to look up the DN of %s later\n", state->username); +} else if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Cannot get user DN [%d]: %s\n", ret, sss_strerror(ret)); +goto fail; +} + if (auth_connect_send(req) == NULL) { ret = ENOMEM; goto fail; @@ -683,6 +695,8 @@ static struct tevent_req *auth_connect_send(struct tev
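Review bot: in the @@ -664,6 +664,18 @@ hunk the EAGAIN branch only logs and then falls through to the same auth_connect_send() call as the EOK case, so the "only authenticate the connection if we need to look up user information" decision has to live in the @@ -683,6 +695,8 @@ hunk, which is cut off in this message and cannot be reviewed here. If that decision keys off state->dn being NULL, consider recording the outcome explicitly in the EAGAIN branch (for example a boolean member of struct auth_state, name to be chosen) so the intent is visible at this call site rather than implied by a NULL pointer. The `else if (ret != EOK)` path correctly depends on the fail label from the first patch carrying `ret`, which is why that refactoring needs to land first.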
[SSSD] [sssd PR#699][comment] Fixes for MIT Kerberos 1.17 and valgind CI runs
URL: https://github.com/SSSD/sssd/pull/699
Title: #699: Fixes for MIT Kerberos 1.17 and valgind CI runs

jhrozek commented:
"""
CI passed completely: http://vm-031.$ABC/logs/job/94/94/summary.html
"""

See the full comment at https://github.com/SSSD/sssd/pull/699#issuecomment-441171503
[SSSD] [sssd PR#699][+Accepted] Fixes for MIT Kerberos 1.17 and valgind CI runs
URL: https://github.com/SSSD/sssd/pull/699
Title: #699: Fixes for MIT Kerberos 1.17 and valgind CI runs
Label: +Accepted
[SSSD] [sssd PR#644][closed] When multiple UIDs exist, use the username provided by the user as the first lookup
URL: https://github.com/SSSD/sssd/pull/644
Author: joeFischetti
Title: #644: When multiple UIDs exist, use the username provided by the user as the first lookup
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/644/head:pr644
git checkout pr644
[SSSD] [sssd PR#644][+Rejected] When multiple UIDs exist, use the username provided by the user as the first lookup
URL: https://github.com/SSSD/sssd/pull/644
Title: #644: When multiple UIDs exist, use the username provided by the user as the first lookup
Label: +Rejected
[SSSD] [sssd PR#698][comment] Add support for EC keys
URL: https://github.com/SSSD/sssd/pull/698
Title: #698: Add support for EC keys

jhrozek commented:
"""
* master:
3906e5f41a00063127e07f5ca696a25eea2e8bb7
4e627add38af409ec6a5023212677956babca1e7
41c4661b6fd237b156606bfd0d8ca3edd5a16795
ad3356d105835718f57edb7844e1fed911770610
d64d9cfbe9dc44db04b253aa08c05e645e10708a
a7421b5260cd2edd07ec5c0fefd240e76c5a0f03
a0cdc3bdf0e7f8ef15997f269b6f1ca5cab85825
ef631f9e61e7a0e168cce9071470839a4c04114c
6286f8120ac9986b418f4f08f26d6808cf028a9b
"""

See the full comment at https://github.com/SSSD/sssd/pull/698#issuecomment-441124986
[SSSD] [sssd PR#698][closed] Add support for EC keys
URL: https://github.com/SSSD/sssd/pull/698
Author: sumit-bose
Title: #698: Add support for EC keys
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/698/head:pr698
git checkout pr698
[SSSD] [sssd PR#698][+Pushed] Add support for EC keys
URL: https://github.com/SSSD/sssd/pull/698
Title: #698: Add support for EC keys
Label: +Pushed
[SSSD] [sssd PR#697][comment] RESPONDER: Log failures from bind() and listen()
URL: https://github.com/SSSD/sssd/pull/697
Title: #697: RESPONDER: Log failures from bind() and listen()

jhrozek commented:
"""
* master:
75696ddc84ab08c8c885dacc7796ebc8afc429ec
"""

See the full comment at https://github.com/SSSD/sssd/pull/697#issuecomment-441124522
[SSSD] [sssd PR#697][closed] RESPONDER: Log failures from bind() and listen()
URL: https://github.com/SSSD/sssd/pull/697
Author: jhrozek
Title: #697: RESPONDER: Log failures from bind() and listen()
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/697/head:pr697
git checkout pr697
[SSSD] [sssd PR#697][+Pushed] RESPONDER: Log failures from bind() and listen()
URL: https://github.com/SSSD/sssd/pull/697
Title: #697: RESPONDER: Log failures from bind() and listen()
Label: +Pushed
[SSSD] [sssd PR#694][comment] SSSCTL: user-show says that user is expired
URL: https://github.com/SSSD/sssd/pull/694
Title: #694: SSSCTL: user-show says that user is expired

jhrozek commented:
"""
* master:
291071cb3c04eda7606d62bbff123a0a125c7d60
"""

See the full comment at https://github.com/SSSD/sssd/pull/694#issuecomment-441124198
[SSSD] [sssd PR#694][+Pushed] SSSCTL: user-show says that user is expired
URL: https://github.com/SSSD/sssd/pull/694
Title: #694: SSSCTL: user-show says that user is expired
Label: +Pushed
[SSSD] [sssd PR#694][closed] SSSCTL: user-show says that user is expired
URL: https://github.com/SSSD/sssd/pull/694
Author: thalman
Title: #694: SSSCTL: user-show says that user is expired
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/694/head:pr694
git checkout pr694