[SSSD] Re: Client Support for Trusts

2024-02-27 Thread Sumit Bose
On Tue, Feb 27, 2024 at 05:47:50PM +0200, Alexander Bokovoy wrote:
> On Tue, 27 Feb 2024, David L wrote:
> > I'm looking for clarity about SSSD's *client-side* support for trusts.
> > 1.  Does SSSD support login for cross-domain (e.g., parent/child) trusts?
> > 2.  Does SSSD support login for users in trusted forests?
> > 2a.  If not, is there a workaround?
> > 3.  Does SSSD's group membership reporting include users from trusted 
> > forests?
> > 4.  Does SSSD's user information include groups in trusted forests?
> > 5.  Does SSSD require additional support from additional components to 
> > support login of users in trusted forests?
> > 6.  Does SSSD support two-way trusts?
> > 6a.  If not, is there a workaround?
> 
> A single answer: if there is a two-way trust between the domain the SSSD
> machine is in and the domain the users/groups are in, then SSSD will be
> able to resolve users/groups and be able to authenticate the users.
> 
> SSSD talks to AD DCs over LDAP and uses GSSAPI authentication by
> default. This works for your own domain where you are a domain member
> and it works for all domains where you can reach with a cross-realm
> Kerberos ticket issued by your own domain controller and intermediate
> domain controllers of the trusted domains.

Hi,

please note that the above currently only works for a single forest.
Even if there is a two-way trust between the forests and the Kerberos
ticket from the local forest would be valid in the remote forest as well,
SSSD currently does not attempt to discover domains from the remote
forest. This has been on the list for some time already, but so far we
haven't had the capacity to implement and test it.

The workaround would be to add a second domain section in sssd.conf for
the remote forest but group-memberships are restricted in this setup to
the related forest and cross-forest group-memberships will not be
available.

bye,
Sumit

> 
> SSSD does not implement any of DCE RPC calls needed to relay such a
> request to a domain controller. Hence, any topology where a
> communication can only be done via use of DCE RPC calls will not work.
> Use winbindd for that.
> 
> 
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> --
> ___
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

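The workaround Sumit describes above, written out as an sssd.conf fragment. This is an added example, not configuration from the thread or from the SSSD project. The domain names, realm names and the server name are placeholders, and which credentials the second section uses to reach the remote forest's domain controllers (here the local machine account via the cross-forest trust, set through ldap_sasl_authid) is an assumption that the thread does not cover.

```ini
[sssd]
# Both forests are listed as separate domains; SSSD treats them as
# unrelated identity sources, so there is no cross-forest group resolution.
domains = corp.example, partner.example
services = nss, pam

# The forest the machine is joined to. Trusted domains inside this forest
# are discovered automatically, as the thread explains.
[domain/corp.example]
id_provider = ad
ad_domain = corp.example
krb5_realm = CORP.EXAMPLE
use_fully_qualified_names = true

# The remote forest, added by hand because SSSD does not discover it.
# Users from here can log in, but their group list only contains groups
# from partner.example; memberships in corp.example groups are not seen.
[domain/partner.example]
id_provider = ad
ad_domain = partner.example
krb5_realm = PARTNER.EXAMPLE
ad_server = dc1.partner.example
use_fully_qualified_names = true
# Assumption: the local machine account is used over the cross-forest
# trust; adjust to a dedicated keytab/account if that is not available.
krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = CLIENT$@CORP.EXAMPLE
```

With use_fully_qualified_names set in both sections, logins are user@corp.example and user@partner.example, which keeps the two forests' namespaces apart when the same short name exists in both.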

[SSSD] Re: Basic Question: C Using SASL or SPNEGO

2024-02-08 Thread Sumit Bose
On Thu, Feb 08, 2024 at 11:08:52PM -, David L wrote:
> I have a couple of basic questions about using OpenLDAP with SSSD in a
> C/C++ program.  Since I think SSSD uses OpenLDAP to do this already
> within its service, I thought y'all would be the ones to ask.
> Pardon my ignorance.  If you know the answer in Python/native interop,
> that'll work too, I can translate.
> 
> 1.  On a domain joined machine that has any other needed
> configuration, how do I call and configure OpenLDAP so it will use the
> SSSD machine account to authenticate with the AD server?

Hi,

the first step does not involve OpenLDAP; a Kerberos ticket is needed,
which can be requested with the help of the Kerberos keys typically
stored in /etc/krb5.keytab, which is typically created during the
join. What you have to do is the equivalent of

kinit -k 'CLIENT$@AD.REALM'

where 'CLIENT$@AD.REALM' is the typical AD host principal which can be
found by checking the `klist -k` output and looking for a principal with
a '$' before the '@'.

On the C level you can use libkrb5 or libgssapi to get the ticket, e.g.
for libkrb5 the actual call doing it is `krb5_get_init_creds_keytab()`.

> 2.  As above, but how do I specify OpenLDAP to authenticate using
> SPNEGO?

If you have a Kerberos ticket you can call one of OpenLDAP's
`ldap_sasl_*_bind*()` calls where you put "GSS-SPNEGO" in the `mechanism`
argument.

HTH

bye,
Sumit


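The two steps Sumit describes, locating the machine principal in the `klist -k` listing and then running the equivalent of `kinit -k` with it before binding with GSS-SPNEGO, as an added example in C. This is not code from the thread or from SSSD: the `klist -k` text is constructed inline, the function names are my own, and the libkrb5 and OpenLDAP calls are only named in comments because they need a KDC and a domain controller to run.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for `klist -k` output; the kvno and names are made up. */
static const char *SAMPLE_KLIST =
    "Keytab name: FILE:/etc/krb5.keytab\n"
    "KVNO Principal\n"
    "---- ------------------------------------------------------------\n"
    "   3 host/client.ad.example.com@AD.EXAMPLE.COM\n"
    "   3 host/CLIENT@AD.EXAMPLE.COM\n"
    "   3 CLIENT$@AD.EXAMPLE.COM\n"
    "   3 CLIENT$@AD.EXAMPLE.COM\n";

/*
 * Pick the machine-account principal out of `klist -k` output: the entry
 * whose name part ends in '$' directly before the '@'. Header lines carry
 * no '@' and are skipped; host/... SPNs have a letter before the '@'.
 * The principal (without the KVNO column) is copied to `out`; returns 1
 * when found, 0 otherwise (including when `out` is too small).
 */
int find_machine_principal(const char *klist_output, char *out, size_t outlen)
{
    const char *line = klist_output;

    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *at = (const char *)memchr(line, '@', len);

        if (at != NULL && at > line && at[-1] == '$') {
            /* skip leading blanks, the KVNO digits, and the separator */
            const char *p = line;
            while (p < line + len && isspace((unsigned char)*p)) p++;
            while (p < line + len && isdigit((unsigned char)*p)) p++;
            while (p < line + len && isspace((unsigned char)*p)) p++;
            size_t plen = len - (size_t)(p - line);
            if (plen == 0 || plen + 1 > outlen) return 0;
            memcpy(out, p, plen);
            out[plen] = '\0';
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Render the shell command Sumit gives; returns 1 on success, 0 otherwise. */
int build_kinit_command(const char *klist_output, char *out, size_t outlen)
{
    char princ[256];
    if (!find_machine_principal(klist_output, princ, sizeof(princ))) return 0;
    int n = snprintf(out, outlen, "kinit -k '%s'", princ);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    char cmd[512];
    if (!build_kinit_command(SAMPLE_KLIST, cmd, sizeof(cmd))) {
        fprintf(stderr, "no machine principal in keytab listing\n");
        return 1;
    }
    printf("%s\n", cmd);
    /*
     * In a real program the same principal name is what you pass to
     * krb5_get_init_creds_keytab() (after krb5_init_context() and
     * krb5_kt_default()), store the result with krb5_cc_store_cred(),
     * and then call ldap_sasl_interactive_bind_s() with "GSS-SPNEGO"
     * as the mechanism; both steps need network access to the DC.
     */
    return 0;
}
```

The parser deliberately matches on the '$' before '@' rather than on a hostname, so it also works when the keytab holds several host/ SPNs or the same machine principal repeated once per encryption type.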

[SSSD] Re: Optimize memberOf lookups openldap

2022-08-22 Thread Sumit Bose
On Fri, Aug 19, 2022 at 02:02:00PM +0200, Erik de Waard wrote:
> When openldap is configured to make use of the dynlist module it can update
> the member and memberOf population recursively for nested groups by just
> querying with a search filter on memberOf for it.
> 
> This should eliminate the need for nested group searches because it
> returns all memberships

Hi,

would you mind opening this request as an RFE at
https://github.com/SSSD/sssd/issues/new?

I'm not familiar with the details of the dynlist module, but if I
understand it correctly everything happens on the server side and the
client just has to ask for the related attribute, i.e. memberOf. In this
case I wonder if setting

ldap_group_nesting_level = 0

in the [domain/...] section of sssd.conf would already be sufficient?

bye,
Sumit

> 
> Similar: issue: 2409
> 
> Can we have a setting to enable this like LDAP_MATCHING_RULE_IN_CHAIN for AD



[SSSD] [sssd PR#5955][opened] man: clarify ldap_idmap_range_max

2022-01-18 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5955
Author: sumit-bose
 Title: #5955: man: clarify ldap_idmap_range_max
Action: opened

PR body:
"""
ldap_idmap_range_max is the first ID which cannot be used for mapping
anymore.

Resolves: https://github.com/SSSD/sssd/issues/5938
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5955/head:pr5955
git checkout pr5955
From 34764d233a996e555f2f00ddbecbf2e52887524b Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 18 Jan 2022 13:12:22 +0100
Subject: [PATCH] man: clarify ldap_idmap_range_max

ldap_idmap_range_max is the first ID which cannot be used for mapping
anymore.

Resolves: https://github.com/SSSD/sssd/issues/5938
---
 src/man/include/ldap_id_mapping.xml | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
index 73c385dd98..01f109b52c 100644
--- a/src/man/include/ldap_id_mapping.xml
+++ b/src/man/include/ldap_id_mapping.xml
@@ -120,8 +120,10 @@ ldap_schema = ad
 ldap_idmap_range_min (integer)
 
 
-Specifies the lower bound of the range of POSIX IDs to
-use for mapping Active Directory user and group SIDs.
+Specifies the lower bound of the range of POSIX IDs
+to use for mapping Active Directory user and group
+SIDs. It is the first POSIX ID which can be used
+for the mapping.
 
 
 NOTE: This option is different from
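Review bot: the added sentence makes ldap_idmap_range_min inclusive while the matching ldap_idmap_range_max text in the next hunk makes the upper bound exclusive; stating the half-open convention once would spare readers combining the two, e.g. "IDs from ldap_idmap_range_min up to, but not including, ldap_idmap_range_max are used for the mapping."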
@@ -142,8 +144,11 @@ ldap_schema = ad
 ldap_idmap_range_max (integer)
 
 
-Specifies the upper bound of the range of POSIX IDs to
-use for mapping Active Directory user and group SIDs.
+Specifies the upper bound of the range of POSIX IDs
+to use for mapping Active Directory user and group
+SIDs. It is the first POSIX ID which cannot be used
+for the mapping anymore, i.e. one larger than the
+last one which can be used for the mapping.
 
 
 NOTE: This option is different from
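Review bot: "Specifies the upper bound" on the first line still reads as inclusive and the new sentence then has to correct it; saying "Specifies the exclusive upper bound of the range of POSIX IDs" up front makes the first line right on its own and the "i.e. one larger than the last one" clause becomes a plain restatement rather than a correction.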


[SSSD] [sssd PR#5945][-Waiting for review] INTG: Restrict smartcard in sc auth tests

2022-01-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

Label: -Waiting for review


[SSSD] [sssd PR#5945][+Accepted] INTG: Restrict smartcard in sc auth tests

2022-01-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

Label: +Accepted


[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests

2022-01-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thank you. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5945#issuecomment-1015169276


[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests

2022-01-17 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thanks, I'm still fine with the patches. I'd just like to ask to split out the 
change to `pamsrv_p11.c` into an extra patch? The change is not only related to 
the tests.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5945#issuecomment-1014300022


[SSSD] [sssd PR#5945][+Accepted] INTG: Restrict smartcard in sc auth tests

2022-01-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

Label: +Accepted


[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests

2022-01-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thanks for the patch, it should make the Smartcard auth unit tests more 
resilient. ACK

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5945#issuecomment-1009927412


[SSSD] [sssd PR#5928][comment] IPA: Add password expire warning

2022-01-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning

sumit-bose commented:
"""
> @sumit-bose if there is a chance you can take a look at the code of this PR 
> and tell me if approach with hard coded options is OK in this case?

Hi,

using a hardcoded default is ok, but you only have to add 
`LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless it would be good if the IPA 
provider can check `ldap_access_order` as well because I would expect that 
sooner or later someone will ask to not only warn but reject the user which 
would be `LDAP_ACCESS_EXPIRE_POLICY_DENY`.

Related to Alexey's question about #3635, currently the fix would be limited to 
IPA users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we 
currently do not read or evaluate the `msDS-UserPasswordExpiryTimeComputed` 
attribute. So this attribute should be added to the list of user attributes and 
a new e.g. `ldap_pwd_policy = ad` should be added to evaluate it. For IPA an 
`ldap_pwd_policy = ipa` might be needed as well since we might have to check 
IPA and AD users.

bye,
Sumit 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750


[SSSD] [sssd PR#5941][+Accepted] Minor updates in `IPA: get_object_from_cache()`

2022-01-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5941
Title: #5941: Minor updates in `IPA: get_object_from_cache()`

Label: +Accepted


[SSSD] [sssd PR#5941][-Waiting for review] Minor updates in `IPA: get_object_from_cache()`

2022-01-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5941
Title: #5941: Minor updates in `IPA: get_object_from_cache()`

Label: -Waiting for review


[SSSD] [sssd PR#5940][opened] ipa: fix reply socket of selinux_child

2022-01-04 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5940
Author: sumit-bose
 Title: #5940: ipa: fix reply socket of selinux_child
Action: opened

PR body:
"""
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5939
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5940/head:pr5940
git checkout pr5940
From 52f80ca711f497b47ac3d7e1addead9026543146 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 4 Jan 2022 10:11:49 +0100
Subject: [PATCH] ipa: fix reply socket of selinux_child

Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5939
---
 src/providers/ipa/ipa_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 6f885c0fdb..2e0593dd76 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
 if (pid == 0) { /* child */
 exec_child_ex(state, pipefd_to_child, pipefd_from_child,
   SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
-  false, STDIN_FILENO, STDERR_FILENO);
+  false, STDIN_FILENO, STDOUT_FILENO);
 DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
   ret, sss_strerror(ret));
 return ret;
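Review bot: the fd swap is restored correctly, but the surrounding context shows exec_child_ex()'s return value being discarded while the DEBUG message and the `return ret;` two lines later report `ret`, which at that point holds whatever an earlier call left in it. Assuming exec_child_ex() returns an errno_t when the exec fails (it does not return on success), `ret = exec_child_ex(...)` would make the logged error accurate. A one-line comment that the last argument is the child's stdout, used as the reply channel back to the parent, would also make the same regression easier to spot next time the helper signature changes.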


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-12-17 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

I agree with @alexey-tikhonov, it is better to just fail hard if chain ID 
support is missing.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-996858330


[SSSD] [sssd PR#5927][opened] ad: add required 'cn' attribute to subdomain object

2021-12-17 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5927
Author: sumit-bose
 Title: #5927: ad: add required 'cn' attribute to subdomain object
Action: opened

PR body:
"""
If the forest root is not part of the return trusted domain objects
from the local domain controller we generate an object for further
processing. During this processing it is expected that the 'cn'
attribute is set and contains the name of the forest root. So far this
attribute was missing and it is now added by this patch.

Resolves: https://github.com/SSSD/sssd/issues/5926
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5927/head:pr5927
git checkout pr5927
From d90e5fc1cb31c9b201b45c66a85c5cd570bba84d Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 16 Dec 2021 11:14:18 +0100
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object

If the forest root is not part of the return trusted domain objects
from the local domain controller we generate an object for further
processing. During this processing it is expected that the 'cn'
attribute is set and contains the name of the forest root. So far this
attribute was missing and it is now added by this patch.

Resolves: https://github.com/SSSD/sssd/issues/5926
---
 src/providers/ad/ad_subdomains.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 0353de76f7..0c3f8ac314 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
 goto done;
 }
 
+ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
+ state->forest);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+goto done;
+}
+
 err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
&id_val.data, &id_val.length);
 if (err != IDMAP_SUCCESS) {
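Review bot: the commit message says the missing attribute is 'cn', but the hunk adds AD_AT_DOMAIN_NAME; if that macro expands to "cn" a short comment at the add would tie the two together, and if it does not, the patch does not do what the message says. The add also writes into state->reply[0] unconditionally; the visible context does not show that this path is only taken when reply[0] is the locally generated forest-root object, so it is worth confirming (or guarding with a check on the reply count) that an entry returned by the DC cannot reach this line and have its name overwritten with state->forest.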


[SSSD] [sssd PR#5918][comment] Client ca validation error

2021-12-16 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error

sumit-bose commented:
"""
Hi,

I'm fine with the patches, I would only recommend to use a higher value than 
`2` for the exit code since e.g. the monitor is already using `2` for other 
purposes.

@ikerexxe, have you checked with @martinpitt if the fix works for him?

It would be good if someone else can have a look as well since Iker and  I 
developed the idea for the fix together.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5918#issuecomment-995644563


[SSSD] [sssd PR#5863][+Accepted] Responder and Child process tevent chain id improvements

2021-12-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: +Accepted


[SSSD] [sssd PR#5863][-Changes requested] Responder and Child process tevent chain id improvements

2021-12-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: -Changes requested


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-12-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

thanks for the patch, it is working well in my (quite basic) tests for PAM and 
NSS.

I'm afraid I can't remember what we planned for the other responders, e.g. ssh. 
You added support in the responders already here but `sssctl analyze` currently 
has no options to select other responders. Nevertheless, this should not be 
added here but better with another patch on top of your patch which replaces 
python click. So, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-995106714


[SSSD] [sssd PR#5918][+Changes requested] Client ca validation error

2021-12-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error

Label: +Changes requested


[SSSD] [sssd PR#5918][comment] Client ca validation error

2021-12-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error

sumit-bose commented:
"""
Hi,

there is a pep8 issue:

```
Start: Wed Dec 15 08:53:56 UTC 2021
+ find . -path ./src/config -prune -o -name '*.py' -exec pycodestyle 
--ignore=E121,E123,E126,E226,E24,E704,W503,W504,W605,E722 '{}' +
./src/tests/intg/test_infopipe.py:809:80: E501 line too long (81 > 79 
characters)
End: Wed Dec 15 08:54:01 UTC 2021
```

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5918#issuecomment-994744210


[SSSD] [sssd PR#5910][+Accepted] SPEC: avoid weak dependencies

2021-12-13 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

Label: +Accepted


[SSSD] [sssd PR#5910][-Waiting for review] SPEC: avoid weak dependencies

2021-12-13 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

Label: -Waiting for review


[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies

2021-12-13 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

sumit-bose commented:
"""
Hi,

sure, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5910#issuecomment-992421744


[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies

2021-12-13 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

sumit-bose commented:
"""
> > Please see my in-line comments.
> 
> Thank you. I updated the patch.
> 
> But what do you think about:
> 
> > I'm not sure what to do with:
> > ```
> > Recommends: bind-utils
> > Recommends: adcli
> > ```
> > bind-utils provides nsupdate used by IPA and AD backends, but SSSD can work 
> > without it. And adcli is used by AD backend to renew machine password.
> 
> ?

Hi,

since the related features are enabled in SSSD by default it would be good if 
the two packages were installed together with `sssd-ad` or `sssd-ipa`. But 
since both features can be disabled a user might want to remove those packages 
if not needed. So `Recommends` would be best.

If I understood the original bugzilla ticket correctly we can keep 
`Recommends:` because neither `sssd-ad` nor `sssd-ipa` are in the `core` group 
(only `sssd-common` and `sssd-kcm` are).

HTH

bye,
Sumit


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5910#issuecomment-992344439


[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies

2021-12-09 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

sumit-bose commented:
"""
Hi,

thanks for the patch. The boolean dependencies seem to work as expected, at 
least on RHEL-8 where I tested them. Please see my in-line comments.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5910#issuecomment-990662858


[SSSD] [sssd PR#5902][+Accepted] SSS_CLIENT: fixed few covscan issues

2021-12-06 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5902
Title: #5902: SSS_CLIENT: fixed few covscan issues

Label: +Accepted


[SSSD] [sssd PR#5902][comment] SSS_CLIENT: fixed few covscan issues

2021-12-06 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5902
Title: #5902: SSS_CLIENT: fixed few covscan issues

sumit-bose commented:
"""
Hi,

thanks, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5902#issuecomment-987616210


[SSSD] [sssd PR#5901][+Accepted] utils: ignore systemd and sd-pam process in get_active_uid_linux()

2021-12-06 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5901
Title: #5901: utils: ignore systemd and sd-pam process in get_active_uid_linux()

Label: +Accepted


[SSSD] [sssd PR#5901][comment] utils: ignore systemd and sd-pam process in get_active_uid_linux()

2021-12-06 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5901
Title: #5901: utils: ignore systemd and sd-pam process in get_active_uid_linux()

sumit-bose commented:
"""
Hi,

thanks, I'm fine with the code. Since @alexey-tikhonov approved the patch as 
well and it was tested internally by @sgoveas, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5901#issuecomment-987049218


[SSSD] [sssd PR#5909][opened] Various fixes related forest and site name discovery - 1-16

2021-12-06 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5909
Author: sumit-bose
 Title: #5909: Various fixes related forest and site name discovery - 1-16
Action: opened

PR body:
"""
Resolves: https://github.com/SSSD/sssd/issues/5875
  https://github.com/SSSD/sssd/issues/5822
  https://github.com/SSSD/sssd/issues/5820
  https://github.com/SSSD/sssd/issues/5616
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5909/head:pr5909
git checkout pr5909
From 95830ed1c0fcd1fb3e933d66e509cb3b3744fc61 Mon Sep 17 00:00:00 2001
From: Deepak Das 
Date: Thu, 20 May 2021 20:30:33 +0530
Subject: [PATCH 1/7] SSSD man: man_dns_resolver_parameter_modification

Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf

Resolves: https://github.com/SSSD/sssd/issues/5616

Reviewed-by: Iker Pedrosa 
Reviewed-by: Justin Stephenson 
(cherry picked from commit 43b9b0922aa24a03ea466c673646d5e3079403fe)
---
 src/man/sssd.conf.5.xml | 39 +++
 1 file changed, 39 insertions(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8adbb8de9d..a597828ca3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2809,6 +2809,45 @@ pam_p11_allowed_services = +my_pam_service, -login
 
 
 
+
+dns_resolver_server_timeout (integer)
+
+
+Defines the amount of time (in milliseconds)
+SSSD would try to talk to DNS server before
+trying next DNS server.
+
+
+Please see the section FAILOVER
+for more information about the service
+resolution.
+
+
+Default: 1000
+
+
+
+
+
+dns_resolver_op_timeout (integer)
+
+
+Defines the amount of time (in seconds) to
+wait to resolve single DNS query
+(e.g. resolution of a hostname or an SRV record)
+before try next hostname or DNS discovery.
+
+
+Please see the section FAILOVER
+for more information about the service
+resolution.
+
+
+Default: 3
+
+
+
+
 
 dns_resolver_timeout (integer)
 
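Review bot: the two new entries use different units (milliseconds for `dns_resolver_server_timeout`, default 1000; seconds for `dns_resolver_op_timeout`, default 3), which is easy to misread when they sit next to each other and next to the existing `dns_resolver_timeout`; suggest repeating the unit on the default line, e.g. "Default: 1000 (milliseconds)". The descriptions also need grammar fixes: "SSSD would try to talk to DNS server before trying next DNS server" should read "SSSD will try to talk to a DNS server before trying the next one", and "before try next hostname or DNS discovery" should read "before trying the next hostname or DNS discovery". Since this patch is a cherry-pick of 43b9b0922a and the thread notes the same entry landed twice on master (43b9b0922a and 7190f6b5d5), check the resulting 1-16 man page to make sure the entry appears only once.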

From 51c30bde8e219b86609b673bd1d578a1f0c7563f Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 8 Oct 2021 12:44:37 +0200
Subject: [PATCH 2/7] ad: require name when looking up root domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To properly identify the forest root domain the name of this domain is
needed. It is discovered with a cldap-ping requesting the netlogon
attribute. If the name is missing it does not make sense to proceed
further because there is currently no other way to determine the forest
root domain.

Resolves: https://github.com/SSSD/sssd/issues/5820

Reviewed-by: Pavel Březina 
(cherry picked from commit b37e2713a9b86936f5b82a17e47757562900b911)
---
 src/providers/ad/ad_subdomains.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 6b98cdf1d6..5be7c20034 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1431,7 +1431,12 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
 return NULL;
 }
 
-if (forest != NULL && strcasecmp(domain, forest) == 0) {
+if (forest == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Name of forest root domain not available, l"
+ "using cached data, if available.\n");
+ret = EINVAL;
+goto immediately;
+} else if (strcasecmp(domain, forest) == 0) {
 state->root_id_ctx = sd_ctx->ad_id_ctx;
 state->root_domain_attrs = NULL;
 ret = EOK;
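Review bot: the DEBUG string in the new `forest == NULL` branch has a stray `l` at the end of `"Name of forest root domain not available, l"`, so the concatenated message reads "not available, lusing cached data"; drop the `l`. The message also says "using cached data, if available" while this branch returns EINVAL via `goto immediately`; if the fallback to cached data happens in the caller, say so in the comment or message, otherwise the wording is misleading. The restructuring itself is sound: with the NULL case handled first, the `strcasecmp(domain, forest)` in the `else if` can no longer be reached with a NULL `forest`.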

From cb8d805136eeaa382e72011058cab073625b9c27 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 8 Oct 2021 13:14:30 +0200
Subject: [PATCH 3/7] ad: move current site and forest name to a more global
 context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently only during the DNS discovery steps the stored forest and site
name are reused to avoi

[SSSD] [sssd PR#5883][comment] Various fixes related forest and site name discovery

2021-12-06 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery

sumit-bose commented:
"""
Hi,

sure, I can include one of the patches in the backport.

I think the issue in #5645 is related to github. I checked the copies in the 
sssd-devel list and there the last versions sent by Deepak correspond to what is 
committed. Also if you look at https://github.com/SSSD/sssd/pull/5645/commits 
the 2 patches are shown there, together with another version.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5883#issuecomment-986931803


[SSSD] [sssd PR#5883][comment] Various fixes related forest and site name discovery

2021-12-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery

sumit-bose commented:
"""
> Since this claims to fix https://bugzilla.redhat.com/show_bug.cgi?id=2006866 
> , this also need to be backported to 1-16 branch.
> 
> @sumit-bose, does this apply cleanly or is dedicated PR required?

Hi,

only the last patch fails because the man page entry for 
`dns_resolver_server_timeout`  is missing in 1-16, the option itself exists. So 
what would be the preferred solution, drop the hunk with the man page change or 
add a patch with the man page entries first? Funny enough, the entry was added 
twice in master 43b9b0922a and 7190f6b5d5, maybe one of the commits was meant 
for 1-16?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5883#issuecomment-985601568


[SSSD] [sssd PR#5863][+Accepted] Responder and Child process tevent chain id improvements

2021-11-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: +Accepted


[SSSD] [sssd PR#5863][-Waiting for review] Responder and Child process tevent chain id improvements

2021-11-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: -Waiting for review


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

thanks, remaining CI issues are not related, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-976215769


[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

sumit-bose commented:
"""
Hi,

thanks, so the behavior is inconsistent, depending on the value of 
`ldap_deref_threshold`. I guess the reason is 
https://github.com/SSSD/sssd/blob/master/src/providers/ldap/sdap_async_nested_groups.c#L1576
 in the branch which is taken if `ldap_deref_threshold = 0`. So the new option 
should be evaluated here as well to make the behavior consistent.

I'm wondering what would be a good default? If we try to be secure by default 
we have to assume that the LDAP permissions are unintentional and SSSD should 
fail. But this would break existing setups which use `ldap_deref_threshold = 0` 
as a workaround. The latter would mean that we might want to wait with this 
change of behavior until 2.7. @pbrezina , @alexey-tikhonov what do you think?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-975573308


[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

sumit-bose commented:
"""
Hi,

I think `ldap_ignore_unreadable_references` would be sufficient. Btw, what 
happens if the members are looked up individually, i.e. if 
`ldap_deref_threshold` is larger than `5` in your example?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-975297157


[SSSD] [sssd PR#5885][+Accepted] LDAP: expire accounts when today >= shadowExpire

2021-11-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5885
Title: #5885: LDAP: expire accounts when today >= shadowExpire

Label: +Accepted


[SSSD] [sssd PR#5885][comment] LDAP: expire accounts when today >= shadowExpire

2021-11-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5885
Title: #5885: LDAP: expire accounts when today >= shadowExpire

sumit-bose commented:
"""
Hi,

thank you for the patch, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5885#issuecomment-974842866
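Added illustration of the boundary fixed by PR#5885 (not SSSD code, not part of the thread): `shadowExpire` is the account expiry date as days since 1970-01-01, and the fix makes an account expired on the expiry day itself (`today >= shadowExpire`) instead of only after it (`today > shadowExpire`). Treating an empty or negative value as "no expiry" is an assumption taken from shadow(5), not something the thread states.

```python
"""Account expiry from the LDAP shadowExpire attribute (added example, not SSSD code)."""
import datetime

SECONDS_PER_DAY = 86400


def parse_shadow_days(value):
    """Return the day number, or None when the attribute is absent or unset.

    Assumption (shadow(5) semantics): an empty or negative value means "never expires".
    """
    if value is None or str(value).strip() == "":
        return None
    days = int(value)
    return None if days < 0 else days


def today_days(now_epoch):
    """Days since the epoch for a UNIX timestamp; the same scale shadowExpire uses."""
    return int(now_epoch) // SECONDS_PER_DAY


def account_expired(shadow_expire, now_epoch, inclusive=True):
    """True when the account is expired at now_epoch.

    inclusive=True is the fixed comparison (today >= shadowExpire): the account is
    expired on the expiry day itself. inclusive=False is the old off-by-one
    behaviour (today > shadowExpire), which still lets the user in for the whole
    expiry day.
    """
    expire = parse_shadow_days(shadow_expire)
    if expire is None:
        return False
    today = today_days(now_epoch)
    return today >= expire if inclusive else today > expire


def days_for_date(year, month, day):
    """Convenience: the shadowExpire value for a calendar date (UTC)."""
    dt = datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)
    return int(dt.timestamp()) // SECONDS_PER_DAY


if __name__ == "__main__":
    expire = days_for_date(2021, 11, 21)
    noon_on_expiry_day = expire * SECONDS_PER_DAY + 12 * 3600
    print("fixed (>=):", account_expired(expire, noon_on_expiry_day))
    print("old   (>) :", account_expired(expire, noon_on_expiry_day, inclusive=False))
```

The `inclusive=False` branch exists only to show the old behaviour side by side; a real check should use the `>=` form.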


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-20 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

I'm sorry I didn't pull the latest version when running the tests. Since the 
chain_id option is now added unconditionally `test_set_extra_args` needs a 
change like:

```
diff --git a/src/tests/cmocka/test_krb5_common.c 
b/src/tests/cmocka/test_krb5_common.c
index c43d836ad..4bf3237a7 100644
--- a/src/tests/cmocka/test_krb5_common.c
+++ b/src/tests/cmocka/test_krb5_common.c
@@ -103,7 +103,8 @@ void test_set_extra_args(void **state)
 assert_int_equal(ret, EOK);
 assert_string_equal(krb5_child_extra_args[0], uid_opt);
 assert_string_equal(krb5_child_extra_args[1], gid_opt);
-assert_null(krb5_child_extra_args[2]);
+assert_string_equal(krb5_child_extra_args[2], "--chain-id=0");
+assert_null(krb5_child_extra_args[3]);
 talloc_free(krb5_child_extra_args);
 
 krb5_ctx->canonicalize = true;
@@ -113,7 +114,8 @@ void test_set_extra_args(void **state)
 assert_string_equal(krb5_child_extra_args[0], uid_opt);
 assert_string_equal(krb5_child_extra_args[1], gid_opt);
 assert_string_equal(krb5_child_extra_args[2], "--canonicalize");
-assert_null(krb5_child_extra_args[3]);
+assert_string_equal(krb5_child_extra_args[3], "--chain-id=0");
+assert_null(krb5_child_extra_args[4]);
 talloc_free(krb5_child_extra_args);
 
 krb5_ctx->realm = discard_const(TEST_REALM);
@@ -124,7 +126,8 @@ void test_set_extra_args(void **state)
 assert_string_equal(krb5_child_extra_args[1], gid_opt);
 assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
 assert_string_equal(krb5_child_extra_args[3], "--canonicalize");
-assert_null(krb5_child_extra_args[4]);
+assert_string_equal(krb5_child_extra_args[4], "--chain-id=0");
+assert_null(krb5_child_extra_args[5]);
 talloc_free(krb5_child_extra_args);
 
 /* --fast-principal will be only set if FAST is used */
@@ -136,7 +139,8 @@ void test_set_extra_args(void **state)
 assert_string_equal(krb5_child_extra_args[1], gid_opt);
 assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
 assert_string_equal(krb5_child_extra_args[3], "--canonicalize");
-assert_null(krb5_child_extra_args[4]);
+assert_string_equal(krb5_child_extra_args[4], "--chain-id=0");
+assert_null(krb5_child_extra_args[5]);
 talloc_free(krb5_child_extra_args);
 
 krb5_ctx->use_fast_str = discard_const(TEST_FAST_STR);
@@ -150,7 +154,8 @@ void test_set_extra_args(void **state)
 assert_string_equal(krb5_child_extra_args[4],
 "--fast-principal=" TEST_FAST_PRINC);
 assert_string_equal(krb5_child_extra_args[5], "--canonicalize");
-assert_null(krb5_child_extra_args[6]);
+assert_string_equal(krb5_child_extra_args[6], "--chain-id=0");
+assert_null(krb5_child_extra_args[7]);
 talloc_free(krb5_child_extra_args);
 
 krb5_ctx->lifetime_str = discard_const(TEST_LIFE_STR);
@@ -168,7 +173,8 @@ void test_set_extra_args(void **state)
 assert_string_equal(krb5_child_extra_args[6],
 "--fast-principal=" TEST_FAST_PRINC);
 assert_string_equal(krb5_child_extra_args[7], "--canonicalize");
-assert_null(krb5_child_extra_args[8]);
+assert_string_equal(krb5_child_extra_args[8], "--chain-id=0");
+assert_null(krb5_child_extra_args[9]);
 talloc_free(krb5_child_extra_args);
 
 talloc_free(krb5_ctx);
```
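Review bot: all six hunks hard-code the literal `"--chain-id=0"` in the slot right after `--canonicalize` and bump the trailing `assert_null` index by one, so the test now encodes both the expected value (chain id 0 in the test context) and the fixed ordering of the extra arguments; if either changes, every hunk has to be touched again. Suggest a small helper in the test that checks the common tail (`--chain-id=<expected>` followed by NULL) so the assertion lives in one place, and a comment at the first hunk (`@@ -103,7 +103,8`) stating why 0 is the expected chain id there.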
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-974616834


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

I'm fine with the patches and tests are working locally for me. I restarted the 
CI task to hopefully get some CI results as well.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-974286264


[SSSD] [sssd PR#5872][+Accepted] p11_child: Fixes for authentication

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication

Label: +Accepted


[SSSD] [sssd PR#5872][comment] p11_child: Fixes for authentication

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication

sumit-bose commented:
"""
Hi,

thanks a lot for the patches. I agree with all the changes and have no further 
comments. I was thinking about how to add tests for the `--wait_for_card` 
option but this is clearly out of scope here. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5872#issuecomment-974261642


[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

sumit-bose commented:
"""
Hi,

thanks for the patch. I think an option is needed to control this behavior 
because SSSD does not know if the denied LDAP access was intentional or not. If 
it is intentional then just ignoring the object which cannot be accessed is ok.

But if it is not intentional and the unreadable object is a group used in 
`simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be 
permitted to access the system although it was expected that access is denied 
by adding the user to this group.

What do you think about it?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-974022679
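Added example for the point raised in this comment and in the 2021-11-22 comment on PR#5881 (not SSSD code and not posted by anyone in the thread): when a referenced group entry cannot be read and the resolver silently skips it, a deny rule based on that group fails open. The directory contents, the `ignore_unreadable` flag and the `simple_deny_groups`-style check below are constructed for illustration; the real option name discussed in the thread is `ldap_ignore_unreadable_references`.

```python
"""Fail-open vs. fail-closed nested group resolution (added example, not SSSD code)."""
from dataclasses import dataclass, field, replace


class UnreadableEntry(Exception):
    """The bound identity is not permitted to read the referenced entry."""


@dataclass
class Entry:
    dn: str
    name: str
    member_of: list = field(default_factory=list)  # DNs, like AD's memberOf
    readable: bool = True                           # False: hidden from SSSD's bind DN by an ACL


# Constructed sample directory: "no-ssh" is a deny group the bind account cannot read.
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
ALICE = "uid=alice," + PEOPLE
DIRECTORY = {
    ALICE: Entry(ALICE, "alice",
                 member_of=["cn=linux-admins," + GROUPS, "cn=no-ssh," + GROUPS]),
    "cn=linux-admins," + GROUPS: Entry("cn=linux-admins," + GROUPS, "linux-admins"),
    "cn=no-ssh," + GROUPS: Entry("cn=no-ssh," + GROUPS, "no-ssh",
                                 member_of=["cn=all-denied," + GROUPS], readable=False),
    "cn=all-denied," + GROUPS: Entry("cn=all-denied," + GROUPS, "all-denied"),
}


def fetch(directory, dn):
    """Read one entry; a missing or ACL-hidden entry both look like 'cannot read' to a client."""
    entry = directory.get(dn)
    if entry is None or not entry.readable:
        raise UnreadableEntry(dn)
    return entry


def resolve_groups(directory, user_dn, ignore_unreadable):
    """Walk memberOf transitively and return the set of group names.

    ignore_unreadable=True skips entries that cannot be read (fail open);
    False propagates the error so the whole lookup fails (fail closed).
    """
    groups, seen = set(), set()
    todo = list(fetch(directory, user_dn).member_of)
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        try:
            group = fetch(directory, dn)
        except UnreadableEntry:
            if ignore_unreadable:
                continue       # the group, and anything nested under it, silently vanishes
            raise
        groups.add(group.name)
        todo.extend(group.member_of)
    return groups


def evaluate_login(directory, user_dn, deny_groups, ignore_unreadable):
    """Return 'allow', 'deny' or 'error', modelled on a simple_deny_groups check."""
    try:
        groups = resolve_groups(directory, user_dn, ignore_unreadable)
    except UnreadableEntry:
        return "error"         # lookup failed: PAM sees a system error, not a successful login
    return "deny" if groups & set(deny_groups) else "allow"


def make_readable(directory, dn):
    """Copy of the directory in which the entry at dn is readable again."""
    patched = dict(directory)
    patched[dn] = replace(directory[dn], readable=True)
    return patched


if __name__ == "__main__":
    print("fail closed:", evaluate_login(DIRECTORY, ALICE, ["no-ssh"], ignore_unreadable=False))
    print("fail open  :", evaluate_login(DIRECTORY, ALICE, ["no-ssh"], ignore_unreadable=True))
    print("ACL fixed  :", evaluate_login(make_readable(DIRECTORY, "cn=no-ssh," + GROUPS),
                                         ALICE, ["no-ssh"], ignore_unreadable=True))
```

With the ACL in place the fail-open path returns "allow" for a user who was put into `no-ssh` precisely to keep her out; the fail-closed path returns an error instead, which is noisy but does not grant access. That is the trade-off behind making the behaviour an explicit option rather than a silent default.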


[SSSD] [sssd PR#5762][comment] krb5: add support for idp:oauth2 challenge

2021-11-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5762
Title: #5762: krb5: add support for idp:oauth2 challenge

sumit-bose commented:
"""
Hi,

thanks for the update, I updated my 
[oidc_child](https://github.com/sumit-bose/sssd/tree/oidc_child) tree 
accordingly and all is still working fine.

What about directly generating the padata, shall I just call 
`sss_idp_oauth2_encode_padata()` directly and link `idp_utils.c` to 
`oidc_child` or shall I copy the relevant code so that you can drop it from 
`idp_utils.c`?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5762#issuecomment-968991818


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-08 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
> Now that the RID # is passed to the child log files, `sssctl analyze request 
> show #` will check these child logs and print those RID # matches also. 
> Should this be default behavior, or only when an argument like `--child` is 
> provided to the request show subcommand?

Hi,

I tend to the latter. The idea of the tool is to help to find issues. Adding 
the child logs by default might make this harder, especially if the issue is not 
related to a child process. It might even be worth being able to switch on only 
a single child, e.g. `--child=krb5_child`.

Is there a reason you mostly send the id together with other data via stdin and 
not with a command line option? Personally I would prefer a command line option 
because it makes the child process easier to use manually. E.g. currently 
you can run `p11_child` manually even in auth mode by calling

echo -n PIN | /usr/libexec/sssd/p11_child --auth .

Now 8 additional bytes are expected, which would still allow calling 
`p11_child` manually but it would be less obvious. The PIN has to be sent via 
stdin, otherwise it would be visible on the command line and so visible to 
everyone calling `ps`.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-963103190
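Added example of the stdin protocol discussed above (not SSSD's p11_child code and not its real stdin format): the secret goes to the helper on stdin, a non-secret mode flag goes on the command line, and the helper reports whether the PIN is visible anywhere in its argv. The framing of an 8-byte little-endian chain id in front of the PIN is an assumption made for the example; the thread only says that 8 additional bytes are expected.

```python
"""Secret on stdin, options on argv (added example, not SSSD code)."""
import struct
import subprocess
import sys

CHAIN_ID_LEN = 8  # assumed framing: 8-byte little-endian chain id, then the PIN until EOF


def encode_child_input(chain_id: int, pin: str) -> bytes:
    """Parent side: frame chain id and PIN for the child's stdin."""
    if not 0 <= chain_id < 2 ** 64:
        raise ValueError("chain id does not fit in 64 bits")
    return struct.pack("<Q", chain_id) + pin.encode("utf-8")


def decode_child_input(data: bytes):
    """Child side: split stdin into (chain_id, pin); reject input shorter than the header."""
    if len(data) < CHAIN_ID_LEN:
        raise ValueError("short read: %d bytes, chain id missing" % len(data))
    (chain_id,) = struct.unpack("<Q", data[:CHAIN_ID_LEN])
    return chain_id, data[CHAIN_ID_LEN:].decode("utf-8")


# Source of the helper we spawn in place of p11_child. It prints the chain id,
# the PIN length, the mode flag it received on argv, and 1 if the PIN appears
# in any argv element (argv is readable by anyone running `ps`; stdin is not).
CHILD_SOURCE = r"""
import struct, sys
data = sys.stdin.buffer.read()
chain_id, = struct.unpack("<Q", data[:8])
pin = data[8:].decode("utf-8")
mode = sys.argv[1] if len(sys.argv) > 1 else ""
leaked = any(pin and pin in arg for arg in sys.argv)
print(chain_id, len(pin), mode, int(leaked))
"""


def run_child(chain_id: int, pin: str, mode: str = "--auth"):
    """Spawn the helper with the PIN on stdin; return (chain_id, pin_len, mode, pin_on_argv)."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE, mode],
        input=encode_child_input(chain_id, pin),
        capture_output=True,
        check=True,
    )
    cid, plen, seen_mode, leaked = proc.stdout.decode().split()
    return int(cid), int(plen), seen_mode, bool(int(leaked))


if __name__ == "__main__":
    # Manual equivalent of: echo -n PIN | p11_child --auth  (plus the 8-byte header)
    print(run_child(42, "123456"))
```

The same split applies to any helper that takes credentials: everything that must stay private goes over stdin or a pipe, everything that is convenient to type by hand stays on the command line.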


[SSSD] [sssd PR#5855][-Waiting for review] CKM_RSA_PKCS support.

2021-11-07 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.

Label: -Waiting for review


[SSSD] [sssd PR#5855][+Accepted] CKM_RSA_PKCS support.

2021-11-07 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.

Label: +Accepted


[SSSD] [sssd PR#5855][comment] CKM_RSA_PKCS support.

2021-11-05 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.

sumit-bose commented:
"""
Hi,

thanks, ACK. Looks like the tests were not run, not sure why?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5855#issuecomment-962004216


[SSSD] [sssd PR#5847][+Accepted] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

2021-11-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against 
non-ipa-desktopprofiles aware DC

Label: +Accepted


[SSSD] [sssd PR#5847][comment] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

2021-11-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against 
non-ipa-desktopprofiles aware DC

sumit-bose commented:
"""
Hi,

thanks for the swift reply, then I'm fine with the patch, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5847#issuecomment-961156259


[SSSD] [sssd PR#5847][comment] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

2021-11-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against 
non-ipa-desktopprofiles aware DC

sumit-bose commented:
"""
Hi,

thank you for the analysis and the patch. There is a slight difference between 
the online and the offline case. When online we know that nothing was returned. 
When offline a missing entry can either mean that there is none on the server 
or that the server was not checked before. @abbra, do you think this 
distinction is important and we should somehow store in the cache that the 
server does not support desktop profiles or can we just proceed in either case?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5847#issuecomment-960922040


[SSSD] [sssd PR#5855][comment] CKM_RSA_PKCS support.

2021-11-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.

sumit-bose commented:
"""
Hi,

thank you for the patch. Code-wise I'm fine and my tests were successful as well.

While talking about tests, I think it would be good to have tests as well. 
SoftHSM2 allows defining the available mechanisms with the `slots.mechanisms` 
option. I tested the patch by adding `slots.mechanisms = CKM_RSA_PKCS` to 
`softhsm2_one.conf` and ran `pam-srv-tests`. I wonder if you can add some tests 
with different mechanisms (yes, I know, I should have added them when I added 
the additional mechanisms) or if you prefer that this be moved to a 
different PR?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5855#issuecomment-960608478
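
The comment above is about testing SSSD's PKCS#11 code against a token that only advertises CKM_RSA_PKCS. The following added example (not SSSD, p11_child or SoftHSM2 code) models in pure Python what a token does for CKM_RSA_PKCS versus CKM_SHA256_RSA_PKCS: with the raw mechanism the caller has to hash the data and wrap the digest in the SHA-256 DigestInfo itself, and the token only applies PKCS#1 v1.5 padding and the private-key operation. The RSA key is a toy key derived from a fixed seed and the challenge bytes are constructed; nothing here is real key material.

```python
"""What a PKCS#11 token does for CKM_RSA_PKCS versus CKM_SHA256_RSA_PKCS,
modelled in pure Python.  Added example: not SSSD, p11_child or SoftHSM2 code.
The RSA key is a toy key from a fixed seed so the demo runs offline; it is
insecure by construction and must never be used for anything real."""
import hashlib
import hmac
import math
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, adequate for a demo key only."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_toy_rsa_key(bits=1024, seed=1):
    """Deterministic RSA key (constructed, insecure): n, e, d and byte length k."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, phi), "k": (n.bit_length() + 7) // 8}


def sha256_digest_info(message):
    """The DigestInfo T that a CKM_RSA_PKCS caller has to build itself."""
    return DIGESTINFO_SHA256 + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(t, k):
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (0xff bytes, at least 8) || 0x00 || T."""
    if len(t) + 11 > k:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def ckm_rsa_pkcs_sign(key, t):
    """CKM_RSA_PKCS: the token gets T, applies block type 01 padding and runs
    the private-key operation; hashing and DER wrapping are the caller's job."""
    m = int.from_bytes(emsa_pkcs1_v15_encode(t, key["k"]), "big")
    return pow(m, key["d"], key["n"]).to_bytes(key["k"], "big")


def ckm_sha256_rsa_pkcs_sign(key, message):
    """CKM_SHA256_RSA_PKCS: the token hashes and wraps, then does CKM_RSA_PKCS."""
    return ckm_rsa_pkcs_sign(key, sha256_digest_info(message))


def verify_sha256_pkcs1_v15(key, message, signature):
    """Strict check: rebuild the complete expected encoded message and compare
    it in constant time instead of parsing padding out of the recovered block,
    which is how lenient verifiers end up accepting forged signatures."""
    if len(signature) != key["k"]:
        return False
    s = int.from_bytes(signature, "big")
    if s >= key["n"]:
        return False
    recovered = pow(s, key["e"], key["n"]).to_bytes(key["k"], "big")
    expected = emsa_pkcs1_v15_encode(sha256_digest_info(message), key["k"])
    return hmac.compare_digest(recovered, expected)


def demo():
    """A client that only has CKM_RSA_PKCS reproduces the hashed mechanism."""
    key = generate_toy_rsa_key(bits=1024, seed=7)
    challenge = b"constructed PAM/PKCS#11 challenge"
    hashed_mech = ckm_sha256_rsa_pkcs_sign(key, challenge)
    raw_mech = ckm_rsa_pkcs_sign(key, sha256_digest_info(challenge))
    return {
        "same_signature": hashed_mech == raw_mech,
        "verifies": verify_sha256_pkcs1_v15(key, challenge, raw_mech),
        "tampered_rejected": not verify_sha256_pkcs1_v15(key, challenge + b"!", raw_mech),
    }


if __name__ == "__main__":
    print(demo())
```

All three values returned by demo() are True: the signature from the hashed mechanism equals the one obtained by hashing and DER-wrapping on the client side and handing T to CKM_RSA_PKCS, which is exactly the case a PKCS#11 client has to cover when a token, or a SoftHSM2 slot restricted through `slots.mechanisms`, offers only the raw mechanism. The verifier deliberately rebuilds the whole encoded message instead of parsing the padding out of the recovered block; that is the behaviour to insist on at the verifying side whatever mechanism the token supports.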


[SSSD] [sssd PR#5860][+Accepted] [monitor] Fix untranslated string

2021-11-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5860
Title: #5860: [monitor] Fix untranslated string

Label: +Accepted


[SSSD] [sssd PR#5860][comment] [monitor] Fix untranslated string

2021-11-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5860
Title: #5860: [monitor] Fix untranslated string

sumit-bose commented:
"""
Hi,

thank you for the new version, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5860#issuecomment-958695286


[SSSD] [sssd PR#5850][synchronized] ad: filter trusted domains

2021-11-01 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5850
Author: sumit-bose
 Title: #5850: ad: filter trusted domains
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5850/head:pr5850
git checkout pr5850
From 8c6f443dae3885b4de9b6030c51ba54e0768f814 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 6 Oct 2021 13:03:27 +0200
Subject: [PATCH] ad: filter trusted domains

The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.

Resolves: https://github.com/SSSD/sssd/issues/5819
---
 src/providers/ad/ad_subdomains.c | 104 +--
 1 file changed, 99 insertions(+), 5 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 3eb49c93f2..ac463026f8 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -46,6 +46,7 @@
 #define AD_AT_TRUST_PARTNER "trustPartner"
 #define AD_AT_TRUST_ATTRS   "trustAttributes"
 #define AD_AT_DOMAIN_NAME   "cn"
+#define AD_AT_TRUST_DIRECTION   "trustDirection"
 
 /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
  * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
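Review bot: the new AD_AT_TRUST_DIRECTION macro is only defined in this hunk; the
visible part of the diff does not add "trustDirection" to the attribute list of the
trustedDomain search, and ad_filter_domains() below treats a failing
sysdb_attrs_get_uint32_t() exactly like a cleared flag, so if the attribute is not
requested every discovered domain is silently dropped. Please make sure the LDAP
attribute list used for the subdomain lookup includes it, and add a test where the
attribute is absent.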
@@ -69,6 +70,12 @@
 /* do not refresh more often than every 5 seconds for now */
 #define AD_SUBDOMAIN_REFRESH_LIMIT 5
 
+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x0020
+
+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
+#define TRUST_DIRECTION_OUTBOUND 0x0002
+
 static void
 ad_disable_gc(struct ad_options *ad_options)
 {
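Review bot: the header comment should say what the combination of these two masks
means for users, namely that only trusts inside the local forest that the local
domain trusts (outbound) survive and that TRUST_ATTRIBUTE_FOREST_TRANSITIVE trusts
to other forests are dropped on purpose; the commit message says so, but someone
reading ad_subdomains.c or the sssd-ad man page will not find it. A pointer to the
future config option mentioned in the ad_filter_domains() comment would fit here
as well.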
@@ -646,6 +653,85 @@ ad_subdom_store(struct confdb_ctx *cdb,
 return ret;
 }
 
+/* When reading trusted domains from the local DC we are basically interested
+ * in domains from the local forest we are trusting, i.e. users from this
+ * domain can connect to us. To not unnecessarily bloat the list of domains
+ * and make multi-domain searches slow we filter domains from other forest and
+ * domains we do not trust.
+ * In future we might add config options to broaden the scope and allow more
+ * domains.
+ * If ad_filter_domains() returns successfully with EOK in input array is not
+ * valid anymore and should be freed by the caller. */
+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **subdomains,
+ size_t num_subdomains,
+ struct sysdb_attrs ***_sd_out,
+ size_t *_num_sd_out)
+{
+int ret;
+size_t c;
+uint32_t tmp_uint32_t;
+const char *value;
+struct sysdb_attrs **sd_out;
+size_t num_sd_out = 0;
+
+sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
+   num_subdomains + 1);
+if (sd_out == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Failed to allocate memory for sub-domain list.\n");
+return ENOMEM;
+}
+
+for (c = 0; c < num_subdomains; c++) {
+ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
+ &value);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+talloc_free(sd_out);
+return ret;
+}
+
+/* Ignore direct trusts to domains from other forests
+ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
+ * trust (TRUST_DIRECTION_OUTBOUND is not set) */
+
+tmp_uint32_t = 0;
+ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
+   &tmp_uint32_t);
+if (ret != EOK
+|| (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
+DEBUG(SSSDBG_FUNC_DATA,
+  "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
+  value);
+continue;
+}
+
+tmp_uint32_t = 0;
+ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
+   &tmp_uint32_t);
+if (ret != EOK
+|| (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
+DEBUG(SSSDBG_FUNC_DATA,
+  "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
+  value);
+continue;
+}
+
+sd_out[num_sd_out] = subdomains[c];
+num_sd_out++;
+}
+
+for (c = 0; c < num_sd_out; c++) {
+sd_out[c] = talloc_steal(sd_out, sd_out[c]);
+}
+
+*_sd_out = sd_out;
+*_num_sd_out = num_sd_ou
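Review bot: in the loop a domain is skipped with the same SSSDBG_FUNC_DATA message
whether sysdb_attrs_get_uint32_t() failed (ret != EOK) or the flag is really
clear, while a failing sysdb_attrs_get_string() for trustPartner aborts the whole
function with an error. A missing attribute and an unset flag are different
problems for whoever has to find out why a domain that was visible before this
patch has disappeared; log the ret != EOK case separately at
SSSDBG_MINOR_FAILURE or higher, e.g. "Failed to read trustAttributes of [%s],
skipping.\n", and keep SSSDBG_FUNC_DATA for the intended filtering.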

[SSSD] [sssd PR#5850][comment] ad: filter trusted domains

2021-10-29 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5850
Title: #5850: ad: filter trusted domains

sumit-bose commented:
"""
> Hi @sumit-bose,
> 
> does it apply to 1.16 branch or do we need a separate PR?

Hi,

yes, currently it applies cleanly to the 1.16 branch.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5850#issuecomment-954635124


[SSSD] [sssd PR#5850][opened] ad: filter trusted domains

2021-10-29 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5850
Author: sumit-bose
 Title: #5850: ad: filter trusted domains
Action: opened

PR body:
"""
The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.

Resolves: https://github.com/SSSD/sssd/issues/5819
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5850/head:pr5850
git checkout pr5850
From 05fbe968f6ed07efb50d938c8cb3e3f993a01e12 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 6 Oct 2021 13:03:27 +0200
Subject: [PATCH] ad: filter trusted domains

The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.

Resolves: https://github.com/SSSD/sssd/issues/5819
---
 src/providers/ad/ad_subdomains.c | 98 ++--
 1 file changed, 93 insertions(+), 5 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 3eb49c93f2..25b9088985 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -46,6 +46,7 @@
 #define AD_AT_TRUST_PARTNER "trustPartner"
 #define AD_AT_TRUST_ATTRS   "trustAttributes"
 #define AD_AT_DOMAIN_NAME   "cn"
+#define AD_AT_TRUST_DIRECTION   "trustDirection"
 
 /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
  * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
@@ -69,6 +70,12 @@
 /* do not refresh more often than every 5 seconds for now */
 #define AD_SUBDOMAIN_REFRESH_LIMIT 5
 
+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x0020
+
+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
+#define TRUST_DIRECTION_OUTBOUND 0x0002
+
 static void
 ad_disable_gc(struct ad_options *ad_options)
 {
@@ -646,6 +653,79 @@ ad_subdom_store(struct confdb_ctx *cdb,
 return ret;
 }
 
+/* When reading trusted domains from the local DC we are basically interested
+ * in domains from the local forest we are trusting, i.e. users from this
+ * domain can connect to us. To not unnecessarily bloat the list of domains
+ * and make multi-domain searches slow we filter domains from other forest and
+ * domains we do not trust.
+ * In future we might add config options to broaden the scope and allow more
+ * domains. */
+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **subdomains,
+ size_t num_subdomains,
+ struct sysdb_attrs ***_sd_out,
+ size_t *_num_sd_out)
+{
+int ret;
+size_t c;
+uint32_t tmp_uint32_t;
+const char *value;
+struct sysdb_attrs **sd_out;
+size_t num_sd_out = 0;
+
+sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
+   num_subdomains + 1);
+if (sd_out == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Failed to allocate memory for sub-domain list.\n");
+return ENOMEM;
+}
+
+for (c = 0; c < num_subdomains; c++) {
+ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
+ &value);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+talloc_free(sd_out);
+return ret;
+}
+
+/* Ignore direct trusts to domains from other forests
+ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
+ * trust (TRUST_DIRECTION_OUTBOUND is not set) */
+
+tmp_uint32_t = 0;
+ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
+   &tmp_uint32_t);
+if (ret != EOK
+|| (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
+DEBUG(SSSDBG_FUNC_DATA,
+  "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
+  value);
+continue;
+}
+
+tmp_uint32_t = 0;
+ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
+   &tmp_uint32_t);
+if (ret != EOK
+|| (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
+DEBUG(SSSDBG_FUNC_DATA,
+  "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
+  value);
+co
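Review bot: the function comment does not say what happens to the entries of
`subdomains` after a successful call: the kept entries are collected into the
freshly allocated sd_out array, so the caller needs to know whether the old array
may still be used and who frees the dropped entries. State the ownership rule
explicitly in the comment (on EOK the input array is invalid and must be freed by
the caller, on error nothing has been moved) so a caller cannot end up with a
double free or a leak.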

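To see what the trustAttributes/trustDirection filter in PR#5850 keeps and drops, here is an added example in Python (not SSSD code) that decodes the two attributes of trustedDomain objects with the MS-ADTS flag names and applies the same rule to constructed entries shaped like an ldapsearch result. It goes slightly beyond the patch by naming every defined trustAttributes flag and classifying a trust as intra-forest, forest or external. The domain names in the sample are invented.

```python
"""Decode Active Directory trustedDomain objects and apply the rule from
PR#5850: keep only trusts inside the local forest that the local domain
trusts (outbound).  Added example, not SSSD code.  Flag values are from
MS-ADTS 6.1.6.7.9 (trustAttributes) and 6.1.6.7.12 (trustDirection).
The entries at the bottom are constructed; the domain names are invented."""

TRUST_ATTRIBUTE_FLAGS = {
    "NON_TRANSITIVE": 0x0001, "UPLEVEL_ONLY": 0x0002, "QUARANTINED_DOMAIN": 0x0004,
    "FOREST_TRANSITIVE": 0x0008, "CROSS_ORGANIZATION": 0x0010, "WITHIN_FOREST": 0x0020,
    "TREAT_AS_EXTERNAL": 0x0040, "USES_RC4_ENCRYPTION": 0x0080,
    "CROSS_ORGANIZATION_NO_TGT_DELEGATION": 0x0200, "PIM_TRUST": 0x0400,
}
TRUST_DIRECTION_INBOUND = 0x1    # the partner trusts the local domain
TRUST_DIRECTION_OUTBOUND = 0x2   # the local domain trusts the partner
_DIRECTION_NAMES = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}


def _as_uint32(value):
    """LDAP hands integer-syntax attributes over as decimal strings; accept both."""
    if value is None:
        return None
    return int(value) & 0xFFFFFFFF


def decode_trust_attributes(value):
    v = _as_uint32(value) or 0
    names = [name for name, bit in TRUST_ATTRIBUTE_FLAGS.items() if v & bit]
    unknown = v & ~sum(TRUST_ATTRIBUTE_FLAGS.values())
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def decode_trust_direction(value):
    v = _as_uint32(value) or 0
    return _DIRECTION_NAMES.get(v, "UNKNOWN_%d" % v)


def trust_scope(attrs_value):
    v = _as_uint32(attrs_value) or 0
    if v & TRUST_ATTRIBUTE_FLAGS["WITHIN_FOREST"]:
        return "intra-forest"
    if v & TRUST_ATTRIBUTE_FLAGS["FOREST_TRANSITIVE"]:
        return "forest"
    return "external"


def sssd_client_filter(entry):
    """Return (keep, reason).  Like the patch, a missing attribute means the
    domain is dropped, but the reason is kept separate so it stands out."""
    name = entry.get("trustPartner", "?")
    attrs = _as_uint32(entry.get("trustAttributes"))
    direction = _as_uint32(entry.get("trustDirection"))
    if attrs is None or direction is None:
        return False, "%s: trustAttributes or trustDirection missing" % name
    if not attrs & TRUST_ATTRIBUTE_FLAGS["WITHIN_FOREST"]:
        return False, "%s: %s trust, not in the local forest" % (name, trust_scope(attrs))
    if not direction & TRUST_DIRECTION_OUTBOUND:
        return False, "%s: %s only, local domain does not trust it" % (
            name, decode_trust_direction(direction))
    return True, "%s: kept (%s, %s)" % (name, trust_scope(attrs),
                                        decode_trust_direction(direction))


def audit_trusts(entries):
    report = {}
    for entry in entries:
        keep, reason = sssd_client_filter(entry)
        report[entry.get("trustPartner", "?")] = {
            "keep": keep,
            "reason": reason,
            "attributes": decode_trust_attributes(entry.get("trustAttributes")),
            "direction": decode_trust_direction(entry.get("trustDirection")),
        }
    return report


# Constructed entries in the shape of an ldapsearch result (values as strings).
SAMPLE_TRUSTS = [
    {"trustPartner": "child.example.test", "trustAttributes": "32", "trustDirection": "3"},
    {"trustPartner": "partner.example.net", "trustAttributes": "8", "trustDirection": "3"},
    {"trustPartner": "legacy.example.org", "trustAttributes": "4", "trustDirection": "1"},
    # synthetic: intra-forest trusts are bidirectional in practice, this one
    # only exercises the direction check
    {"trustPartner": "inbound-child.example.test", "trustAttributes": "32", "trustDirection": "1"},
    {"trustPartner": "odd.example.test", "trustDirection": "2"},
]

if __name__ == "__main__":
    for name, info in audit_trusts(SAMPLE_TRUSTS).items():
        print("%-28s keep=%-5s %s" % (name, info["keep"], info["reason"]))
```

A missing attribute is reported as its own reason rather than folded into "flag not set", which is the detail worth watching in a production log: a domain that vanishes because the LDAP query did not return trustAttributes looks very different from a one-way or cross-forest trust that was filtered on purpose.
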
[SSSD] [sssd PR#5826][-Waiting for review] DEBUG: fix missing "va_end"

2021-10-14 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: -Waiting for review


[SSSD] [sssd PR#5826][+Accepted] DEBUG: fix missing "va_end"

2021-10-14 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: +Accepted


[SSSD] [sssd PR#5826][comment] DEBUG: fix missing "va_end"

2021-10-14 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

sumit-bose commented:
"""
Hi,

thanks, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5826#issuecomment-944022983


[SSSD] [sssd PR#5825][comment] krb5: use hidden file when creating config snippets

2021-10-13 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5825
Title: #5825: krb5: use hidden file when creating config snippets

sumit-bose commented:
"""
> There is `ding-libs/path_utils` that has relevant functions but I think it 
> doesn't make sense to pull it in...

Hi,

yes, there are the POSIX `basename()` and `dirname()` calls as well, but those 
and the ding-libs versions are not aware of talloc, so I thought implementing 
it directly would be more efficient.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5825#issuecomment-942348678


[SSSD] [sssd PR#5825][synchronized] krb5: use hidden file when creating config snippets

2021-10-13 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5825
Author: sumit-bose
 Title: #5825: krb5: use hidden file when creating config snippets
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5825/head:pr5825
git checkout pr5825
From 0af6545696d95c813708ad9ba0993dd63ee4f7e4 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 13 Oct 2021 09:54:53 +0200
Subject: [PATCH] krb5: use hidden file when creating config snippets

When creating config snippets for libkrb5 SSSD first creates a temporary
file with a random suffix and renames this file after all content is
written. If this temporary file is not properly removed or renamed due
to an error it might confuse libkrb5.

To avoid this confusion with this patch the temporary files are created
as hidden files, the name will start with a '.', which are ignored by
libkrb5.

Resolves: https://github.com/SSSD/sssd/issues/5824
---
 src/tests/cmocka/test_utils.c | 21 +
 src/util/domain_info_utils.c  | 26 --
 src/util/util.h   |  2 ++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 536cee59f4..6661740087 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1513,6 +1513,26 @@ void test_sss_write_krb5_conf_snippet(void **state)
 free(path);
 }
 
+void test_get_hidden_path(void **state)
+{
+char *s;
+
+assert_null(get_hidden_tmp_path(NULL, NULL));
+assert_null(get_hidden_tmp_path(NULL, "/"));
+assert_null(get_hidden_tmp_path(NULL, "/abc/"));
+
+s = get_hidden_tmp_path(NULL, "abc");
+assert_string_equal(s, ".abcXX");
+talloc_free(s);
+
+s = get_hidden_tmp_path(NULL, "/abc");
+assert_string_equal(s, "/.abcXX");
+talloc_free(s);
+
+s = get_hidden_tmp_path(NULL, "/xyz/xyz/xyz//abc");
+assert_string_equal(s, "/xyz/xyz/xyz//.abcXX");
+talloc_free(s);
+}
 
 struct unique_file_test_ctx {
 char *filename;
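Review bot: the cases cover NULL, "/" and a trailing slash but not a name that is
already hidden; for "/etc/.krb5.conf" the function yields "/etc/..krb5.confXX",
which is legal but worth pinning down in the test so a later change that strips or
keeps the existing dot cannot slip through unnoticed. A relative path with a
directory component ("a/b") would also round out the strrchr() branch.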
@@ -2127,6 +2147,7 @@ int main(int argc, const char *argv[])
 setup_leak_tests,
 teardown_leak_tests),
 cmocka_unit_test(test_sss_write_krb5_conf_snippet),
+cmocka_unit_test(test_get_hidden_path),
 cmocka_unit_test_setup_teardown(test_sss_unique_file,
 unique_file_test_setup,
 unique_file_test_teardown),
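Review bot: test_get_hidden_path is registered with plain cmocka_unit_test() while
the tests around it use setup_leak_tests/teardown_leak_tests; since the helper
allocates on mem_ctx, registering it with cmocka_unit_test_setup_teardown() and a
leak-checked context instead of NULL would also verify that the result hangs off
the context the caller passed.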
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index c2e510ecf1..67f1c8d88a 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -471,7 +471,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
 DEBUG(SSSDBG_FUNC_DATA, "Mapping file for domain [%s] is [%s]\n",
  domain->name, mapping_file);
 
-tmp_file = talloc_asprintf(tmp_ctx, "%sXX", mapping_file);
+tmp_file = get_hidden_tmp_path(tmp_ctx, mapping_file);
 if (tmp_file == NULL) {
 ret = ENOMEM;
 goto done;
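Review bot: get_hidden_tmp_path() returns NULL both on allocation failure and for a
path without a file name, but this caller maps every NULL to ENOMEM. mapping_file
is built from names under SSSD's control, so the second case is unlikely, but an
errno_t-returning helper (or a separate check of mapping_file before the call)
would keep the two failures apart and the error reported to the caller truthful.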
@@ -631,6 +631,28 @@ errno_t get_dom_names(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
+char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path)
+{
+const char *s;
+
+if (path == NULL) {
+return NULL;
+}
+
+s = strrchr(path, '/');
+if (s == NULL) {
+/* No path, just file name */
+return talloc_asprintf(mem_ctx, ".%sXX", path);
+} else if ( *(s + 1) == '\0') {
+/* '/' is the last character, there is no filename */
+DEBUG(SSSDBG_OP_FAILURE, "Missing file name in [%s].\n", path);
+return NULL;
+}
+
+return talloc_asprintf(mem_ctx, "%.*s.%sXX", (int)(s - path + 1),
+ path, s+1);
+}
+
 static errno_t sss_write_krb5_snippet_common(const char *file_name,
  const char *content)
 {
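Review bot: an empty string passes the NULL check, strrchr() returns NULL and the
function returns ".XX", a hidden temp name with no base name at all; reject
`*path == '\0'` together with `path == NULL`. The DEBUG message on the
trailing-slash branch is good, the NULL/empty branch deserves the same so the
caller's generic failure message is not the only trace in the log.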
@@ -649,7 +671,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
 return ENOMEM;
 }
 
-tmp_file = talloc_asprintf(tmp_ctx, "%sXX", file_name);
+tmp_file = get_hidden_tmp_path(tmp_ctx, file_name);
 if (tmp_file == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
 ret = ENOMEM;
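Review bot: the DEBUG line right after the call still says "talloc_asprintf
failed." although the call is now get_hidden_tmp_path(), which also returns NULL
for a missing file name; change the message, e.g. "Failed to create temporary file
name for [%s].\n", file_name, so a log reader is not sent looking for an
allocation failure that never happened.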
diff --git a/src/util/util.h b/src/util/util.h
index bcbb9ac72f..e85cd12022 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -637,6 +637,8 @@ errno_t sss_get_domain_mappings_content(TALLOC_CTX *mem_ctx,
 
 errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
 
+char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path);
+
 errno_t sss_write_krb5_conf_snippet(const char *path, bool canonica
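Review bot: new exported helper without a doc comment; util.h is where callers
will look, so a line stating that the result is talloc-allocated on mem_ctx, that
the hidden name is built from the last path component, and that NULL is returned
both for a missing file name and on allocation failure belongs here.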

[SSSD] [sssd PR#5825][opened] krb5: use hidden file when creating config snippets

2021-10-13 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5825
Author: sumit-bose
 Title: #5825: krb5: use hidden file when creating config snippets
Action: opened

PR body:
"""
When creating config snippets for libkrb5 SSSD first creates a temporary
file with a random suffix and renames this file after all content is
written. If this temporary file is not properly removed or renamed due
to an error it might confuse libkrb5.

To avoid this confusion with this patch the temporary files are created
as hidden files, the name will start with a '.', which are ignored by
libkrb5.

Resolves: https://github.com/SSSD/sssd/issues/5824
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5825/head:pr5825
git checkout pr5825
From ecb4a007571baf73f03ad08c23ab76b56659d4f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 13 Oct 2021 09:54:53 +0200
Subject: [PATCH] krb5: use hidden file when creating config snippets

When creating config snippets for libkrb5 SSSD first creates a temporary
file with a random suffix and renames this file after all content is
written. If this temporary file is not properly removed or renamed due
to an error it might confuse libkrb5.

To avoid this confusion with this patch the temporary files are created
as hidden files, the name will start with a '.', which are ignored by
libkrb5.

Resolves: https://github.com/SSSD/sssd/issues/5824
---
 src/tests/cmocka/test_utils.c | 21 +
 src/util/domain_info_utils.c  | 26 --
 src/util/util.h   |  2 ++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 536cee59f4..6661740087 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1513,6 +1513,26 @@ void test_sss_write_krb5_conf_snippet(void **state)
 free(path);
 }
 
+void test_get_hidden_path(void **state)
+{
+char *s;
+
+assert_null(get_hidden_tmp_path(NULL, NULL));
+assert_null(get_hidden_tmp_path(NULL, "/"));
+assert_null(get_hidden_tmp_path(NULL, "/abc/"));
+
+s = get_hidden_tmp_path(NULL, "abc");
+assert_string_equal(s, ".abcXX");
+talloc_free(s);
+
+s = get_hidden_tmp_path(NULL, "/abc");
+assert_string_equal(s, "/.abcXX");
+talloc_free(s);
+
+s = get_hidden_tmp_path(NULL, "/xyz/xyz/xyz//abc");
+assert_string_equal(s, "/xyz/xyz/xyz//.abcXX");
+talloc_free(s);
+}
 
 struct unique_file_test_ctx {
 char *filename;
@@ -2127,6 +2147,7 @@ int main(int argc, const char *argv[])
 setup_leak_tests,
 teardown_leak_tests),
 cmocka_unit_test(test_sss_write_krb5_conf_snippet),
+cmocka_unit_test(test_get_hidden_path),
 cmocka_unit_test_setup_teardown(test_sss_unique_file,
 unique_file_test_setup,
 unique_file_test_teardown),
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index c2e510ecf1..0673930ee3 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -471,7 +471,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
 DEBUG(SSSDBG_FUNC_DATA, "Mapping file for domain [%s] is [%s]\n",
  domain->name, mapping_file);
 
-tmp_file = talloc_asprintf(tmp_ctx, "%sXX", mapping_file);
+tmp_file = get_hidden_tmp_path(tmp_ctx, mapping_file);
 if (tmp_file == NULL) {
 ret = ENOMEM;
 goto done;
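Review bot: as rendered here the old and the new template both end in "XX"; if
the random suffix is produced by mkstemp(3), the template has to end in exactly
six 'X' characters, so please confirm that the short suffix is an artifact of the
archive rendering and not the actual template handed to the unique-file helper.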
@@ -631,6 +631,28 @@ errno_t get_dom_names(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
+char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path)
+{
+char *s;
+
+if (path == NULL) {
+return NULL;
+}
+
+s = strrchr(path, '/');
+if (s == NULL) {
+/* No path, just file name */
+return talloc_asprintf(mem_ctx, ".%sXX", path);
+} else if ( *(s + 1) == '\0') {
+/* '/' is the last character, there is no filename */
+DEBUG(SSSDBG_OP_FAILURE, "Missing file name in [%s].\n", path);
+return NULL;
+}
+
+return talloc_asprintf(mem_ctx, "%.*s.%sXX", (int)(s - path + 1),
+ path, s+1);
+}
+
 static errno_t sss_write_krb5_snippet_common(const char *file_name,
  const char *content)
 {
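Review bot: `s` is declared `char *` although it only ever points into the
`const char *path` argument; strrchr() launders the qualifier away, so declare it
`const char *s` to make clear the function never writes through it and to keep
the compiler able to catch a future write into caller memory.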
@@ -649,7 +671,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
 return ENOMEM;
 }
 
-tmp_file = talloc_asprintf(tmp_ctx, "%sXX", file_name);
+tmp_file = get_hidden_tmp_path(tmp_ctx, file_name);
 if (tmp_file == NULL) {
 DEBUG(SSS

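The PR#5825 messages above describe why the old temporary name confused libkrb5 and why a leading dot fixes it. The following added example (not SSSD code) models the includedir file-name rule from krb5.conf(5) in Python, writes a snippet through a hidden temporary file in the target directory and renames it into place, and shows that a stale old-style temp name would be included while the hidden one is not. The snippet name `domain_realm_example`, its content and the stale file are constructed for the demo; the name rule is reproduced from the documentation (alphanumerics, '-' and '_' only, or a '.conf' suffix without a leading dot), not copied from libkrb5.

```python
"""Atomic replacement of a krb5 includedir snippet through a hidden temporary
file, plus a model of the file-name rule libkrb5 applies to includedir.
Added example, not SSSD code.  The rule follows the krb5.conf(5) description
of includedir and is an assumption about libkrb5, not a copy of its code."""
import os
import string
import tempfile

_PLAIN_NAME_CHARS = frozenset(string.ascii_letters + string.digits + "-_")


def krb5_includedir_accepts(name):
    """True when includedir would read this file (per krb5.conf(5))."""
    if not name:
        return False
    if all(ch in _PLAIN_NAME_CHARS for ch in name):
        return True
    return name.endswith(".conf") and not name.startswith(".")


def hidden_tmp_prefix(path):
    """'/dir/name' -> '/dir/.name'; mkstemp() appends the random part."""
    head, tail = os.path.split(path)
    if not tail:
        raise ValueError("missing file name in %r" % path)
    return os.path.join(head, "." + tail)


def atomic_write_snippet(path, content, mode=0o644):
    """Write content to a hidden temp file in the target directory, make it
    world-readable (libkrb5 runs inside unprivileged user processes) and
    rename it over the target.  A crash before the rename leaves only a
    dot-file behind, which includedir ignores.  Returns the temp name used."""
    head, hidden = os.path.split(hidden_tmp_prefix(path))
    fd, tmp = tempfile.mkstemp(prefix=hidden, dir=head or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    return tmp


def included_files(directory):
    return sorted(n for n in os.listdir(directory) if krb5_includedir_accepts(n))


def demo(directory=None):
    directory = directory or tempfile.mkdtemp(prefix="krb5.include.d-")
    target = os.path.join(directory, "domain_realm_example")   # constructed name
    # A leftover from the old naming scheme (constructed) is picked up by
    # includedir although it may be half-written.
    stale_old_style = os.path.join(directory, "domain_realm_exampleAb12Cd")
    with open(stale_old_style, "w") as fh:
        fh.write("[domain_realm]\n")
    tmp = atomic_write_snippet(target, "[domain_realm]\n.example.test = EXAMPLE.TEST\n")
    with open(target) as fh:
        content = fh.read()
    return {
        "tmp_name": os.path.basename(tmp),
        "tmp_would_be_included": krb5_includedir_accepts(os.path.basename(tmp)),
        "old_style_tmp_included": krb5_includedir_accepts(os.path.basename(stale_old_style)),
        "tmp_removed": not os.path.exists(tmp),
        "included": included_files(directory),
        "content": content,
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns the hidden temp name that was used, whether that name would be included (False), whether a leftover old-style name would be included (True, which is the problem the patch fixes) and the list of files includedir would actually read from the directory, in which the stale file still shows up.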
[SSSD] [sssd PR#5823][+Accepted] krb5_child: fixed incorrect checks on length value

2021-10-12 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5823
Title: #5823: krb5_child: fixed incorrect checks on length value

Label: +Accepted


[SSSD] [sssd PR#5823][comment] krb5_child: fixed incorrect checks on length value

2021-10-12 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5823
Title: #5823: krb5_child: fixed incorrect checks on length value

sumit-bose commented:
"""
Hi,

thanks for spotting this, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5823#issuecomment-941948504


[SSSD] [sssd PR#5802][+Accepted] MONITOR: reduce logs severity around signalling

2021-10-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5802
Title: #5802: MONITOR: reduce logs severity around signalling

Label: +Accepted


[SSSD] [sssd PR#5802][-Waiting for review] MONITOR: reduce logs severity around signalling

2021-10-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5802
Title: #5802: MONITOR: reduce logs severity around signalling

Label: -Waiting for review


[SSSD] [sssd PR#5802][comment] MONITOR: reduce logs severity around signalling

2021-10-11 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5802
Title: #5802: MONITOR: reduce logs severity around signalling

sumit-bose commented:
"""
Hi,

thanks for the patch, I'm fine with the changes. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5802#issuecomment-940091869


[SSSD] [sssd PR#5784][comment] proxy: allow removing group members

2021-10-05 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5784
Title: #5784: proxy: allow removing group members

sumit-bose commented:
"""
> @sumit-bose , can it happen (is it supported) two groups in different domains 
> have the same GID?

Hi,

if the two domains are managed separately it can of course happen that two 
groups have the same GID. For lookups by GID the group from the first domain 
listed in the `domains` option will win. A lookup by name, especially with a 
fully-qualified name, will most probably resolve both groups.

Given that the `id` command will do lookups by GID an `id` lookup for the user 
from the second domain which is a member of the group with the duplicated GID 
will return the wrong group name. In this sense I would say we do not support 
this kind of configuration.

Additionally, since the filesystem does access control with respect to 
groups with the help of the GID, using the same GID in different domains might 
give users access to files of users from the other domain, which is typically 
not expected.

HTH

bye,
Sumit 

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5784#issuecomment-934479813
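A way to check a deployment for the situation Sumit describes, as an added example that is not SSSD's code and not part of the thread: it takes a group(5)-style dump per SSSD domain (the format `getent group` prints), reports every GID that more than one domain defines, and shows which group a lookup by GID returns when the first domain in the `domains` option wins. The domain names, the `domains` order and the group lines are constructed sample data.

```c
/* Added example, not SSSD code: audit group(5)-style dumps from separately
 * managed SSSD domains for duplicate GIDs and show which group a lookup by
 * GID returns when the first domain in `domains` wins. Sample data only. */
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 64

struct group_entry {
    const char *domain;      /* SSSD domain the line came from */
    char name[64];
    unsigned long gid;
    char members[128];       /* comma separated, as in group(5) */
};

/* Parse "name:x:gid:members" lines from dump (members may be empty; the
 * password placeholder is assumed present, as getent prints it), tagging
 * each entry with domain; returns the number of entries written to out. */
static int parse_group_dump(const char *domain, const char *dump,
                            struct group_entry *out, int max)
{
    int n = 0;
    for (const char *line = dump; *line != '\0' && n < max;) {
        const char *eol = strchr(line, '\n');
        char pw[64];
        int got = sscanf(line, "%63[^:]:%63[^:]:%lu:%127[^\n]",
                         out[n].name, pw, &out[n].gid, out[n].members);
        if (got >= 3) {
            if (got == 3) out[n].members[0] = '\0';
            out[n].domain = domain;
            n++;
        }
        line = eol ? eol + 1 : line + strlen(line);
    }
    return n;
}

/* Index of the entry a lookup by GID returns: the first domain listed in
 * order wins, as SSSD does. Returns -1 if no listed domain defines gid. */
static int resolve_gid(unsigned long gid, const struct group_entry *e, int n,
                       const char *const *order, int norder)
{
    for (int d = 0; d < norder; d++)
        for (int i = 0; i < n; i++)
            if (e[i].gid == gid && strcmp(e[i].domain, order[d]) == 0)
                return i;
    return -1;
}

/* Report every GID defined by more than one domain together with the winning
 * group and the shadowed groups whose members share that GID on disk. Each
 * GID is reported once, from the entry a lookup would return. Returns the
 * number of colliding GIDs. */
static int audit_gid_collisions(const struct group_entry *e, int n,
                                const char *const *order, int norder)
{
    int collisions = 0;
    for (int i = 0; i < n; i++) {
        int shadowed = 0;
        if (resolve_gid(e[i].gid, e, n, order, norder) != i) continue;
        for (int k = 0; k < n; k++) {
            if (k == i || e[k].gid != e[i].gid) continue;
            if (shadowed++ == 0)
                printf("GID %lu: lookup by GID returns %s@%s\n",
                       e[i].gid, e[i].name, e[i].domain);
            printf("  shadowed %s@%s: members [%s] share %s@%s's file access\n",
                   e[k].name, e[k].domain, e[k].members, e[i].name, e[i].domain);
        }
        if (shadowed) collisions++;
    }
    return collisions;
}

/* Constructed sample: `domains = corp.example, lab.example` and one group
 * dump per domain; GID 10001 is defined in both. */
static const char *const SAMPLE_ORDER[] = { "corp.example", "lab.example" };
static const char CORP_DUMP[] = "finance:x:10001:alice,bob\ndev:x:10002:carol\n";
static const char LAB_DUMP[]  = "students:x:10001:dave\ndev:x:20002:erin\n";

static int load_sample(struct group_entry *g, int max)
{
    int n = parse_group_dump(SAMPLE_ORDER[0], CORP_DUMP, g, max);
    return n + parse_group_dump(SAMPLE_ORDER[1], LAB_DUMP, g + n, max - n);
}

/* Run the audit on the sample; returns the number of colliding GIDs. */
int run_sample_audit(void)
{
    struct group_entry g[MAX_GROUPS];
    return audit_gid_collisions(g, load_sample(g, MAX_GROUPS), SAMPLE_ORDER, 2);
}

/* Write "name@domain" of the group the sample resolves gid to; -1 if none. */
int sample_lookup_gid(unsigned long gid, char *out, size_t outlen)
{
    struct group_entry g[MAX_GROUPS];
    int w = resolve_gid(gid, g, load_sample(g, MAX_GROUPS), SAMPLE_ORDER, 2);
    if (w < 0) return -1;
    snprintf(out, outlen, "%s@%s", g[w].name, g[w].domain);
    return 0;
}
```

To use it on a real setup, replace the two sample dumps with one group dump per configured domain and the order with the `domains` line from sssd.conf; every reported "shadowed" group is one whose members are, on disk, indistinguishable from the winning group.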


[SSSD] [sssd PR#5722][+Accepted] NSS client: avoid using NETDB_INTERNAL if daemon is not available

2021-10-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5722
Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available

Label: +Accepted


[SSSD] [sssd PR#5722][comment] NSS client: avoid using NETDB_INTERNAL if daemon is not available

2021-10-04 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5722
Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available

sumit-bose commented:
"""
> Hi @sumit-bose , did you have a chance to take a look at this?

Hi,

thanks for the reminder. I'm fine with the patch as it is. Imo `NETDB_INTERNAL` 
should still be used after calling `sss_nss_gethost_readrep()` because the most 
common issue would be `ERANGE` where the caller should increase the buffer 
immediately. There is `EBADMSG` as well, which mostly would indicate internal 
errors, like e.g. not enough data sent by the nss responder. Here I think a 
hard error would be better instead of a fallback to other configured modules 
which would hide the issue. So, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5722#issuecomment-933294156
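The contract Sumit refers to, seen from the caller's side, as an added example that is not SSSD's code: ERANGE means the answer did not fit and the caller must come back with a larger buffer, while every other error is final and must not be hidden behind a fallback. The example uses the POSIX getpwnam_r() API instead of the hosts API because it runs offline and follows the same ERANGE convention as gethostbyname_r(); the one-byte starting buffer is chosen deliberately to force at least one retry.

```c
/* Added example, not SSSD code: the caller side of the NSS reentrant lookup
 * contract. ERANGE means the answer did not fit and the caller must retry
 * with a larger buffer; any other non-zero code is a hard error that must
 * not be papered over. getpwnam_r() is used because it needs no network
 * and has the same ERANGE convention as gethostbyname_r(). */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define START_BUFLEN 1            /* deliberately tiny so ERANGE is hit */
#define MAX_BUFLEN   (64 * 1024)  /* stop instead of growing forever */

/* Look up name; on success store its UID in *uid and return 0. Returns
 * ENOENT if no such user, ERANGE if even MAX_BUFLEN is too small, or the
 * error the NSS stack reported. *retries counts buffer enlargements. */
int lookup_uid_growing(const char *name, uid_t *uid, int *retries)
{
    size_t buflen = START_BUFLEN;
    *retries = 0;
    for (;;) {
        struct passwd pwd, *result = NULL;
        char *buf = malloc(buflen);
        int rc;

        if (buf == NULL)
            return ENOMEM;
        rc = getpwnam_r(name, &pwd, buf, buflen, &result);
        if (rc == 0 && result == NULL)
            rc = ENOENT;                 /* every module answered: not found */
        if (rc == 0)
            *uid = pwd.pw_uid;           /* pw_uid lives in pwd, not in buf */
        free(buf);

        if (rc != ERANGE)
            return rc;                   /* success or a hard error: stop */
        if (buflen >= MAX_BUFLEN)
            return ERANGE;               /* refuse to grow without bound */
        buflen *= 2;
        (*retries)++;
    }
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid;
    int retries, rc = lookup_uid_growing(name, &uid, &retries);
    if (rc != 0) {
        fprintf(stderr, "%s: %s\n", name, strerror(rc));
        return 1;
    }
    printf("%s has uid %lu after %d buffer enlargement(s)\n",
           name, (unsigned long)uid, retries);
    return 0;
}
```

The upper bound matters: a module that keeps answering ERANGE (or a caller that trusts the requested size blindly) turns the retry loop into unbounded allocation, so the loop gives up at a fixed size rather than doubling forever.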


[SSSD] [sssd PR#5771][comment] sdap: always create sdap object for a forest root

2021-09-24 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5771
Title: #5771: sdap: always create sdap object for a forest root

sumit-bose commented:
"""
> There is a typo in the commit message: `:fixes: Even is the forest` -> 
> `:fixes: Even IF the forest`

sorry, fixed in latest version
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5771#issuecomment-926570831


[SSSD] [sssd PR#5771][synchronized] sdap: always create sdap object for a forest root

2021-09-24 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5771
Author: sumit-bose
 Title: #5771: sdap: always create sdap object for a forest root
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5771/head:pr5771
git checkout pr5771
From 36f0c7ec12ce26542adfc9c1b03176cb1b292ae2 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even if the forest root is disabled for lookups all required
  internal data is initialized to be able to refresh the list of trusted
  domains in the forest from a DC of the forest root.
---
 src/providers/ldap/sdap_domain.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a0..fa6e9340de 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
 struct sdap_domain *sdom, *sditer;
 errno_t ret;
 
-for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
  dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, 0)) {
+ dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+/* Always create sdap domain object for the forest root, even if it is
+ * disabled so that we can connect later to discover trusted domains
+ * in the forest. */
+if (sss_domain_get_state(dom) == DOM_DISABLED
+&& !sss_domain_is_forest_root(dom)) {
+continue;
+}
 
 DLIST_FOR_EACH(sditer, sdom_list) {
 if (sditer->dom == dom) {
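Review bot: with SSS_GND_INCLUDE_DISABLED on both get_next_domain() calls, a disabled forest root now gets a struct sdap_domain on sdom_list, so any code that walks that list to issue user or group searches has to check sss_domain_get_state() itself, otherwise the "disabled for user and group lookups" property from the commit message no longer holds once the forest root has an sdap object. Suggest extending the inline comment to say the object is meant only for trust discovery, and confirming in the PR that the lookup paths skip DOM_DISABLED entries.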


[SSSD] [sssd PR#5788][comment] debug: suppress backtrace if GetAccountDomain() is not supported

2021-09-24 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5788
Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported

sumit-bose commented:
"""
> Patches look good to me.
> But strictly speaking commit message of a first patch isn't correct anymore: 
> backtrace is suppressed for all backend errors (not only 
> `ERR_GET_ACCT_DOM_NOT_SUPPORTED`), and debug level for 
> `ERR_GET_ACCT_DOM_NOT_SUPPORTED` is lowered.

Hi,

thanks for the hint, I updated the commit message.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5788#issuecomment-926501776


[SSSD] [sssd PR#5788][synchronized] debug: suppress backtrace if GetAccountDomain() is not supported

2021-09-24 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5788
Author: sumit-bose
 Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5788/head:pr5788
git checkout pr5788
From 22a2fbffe5116ee6c29c4f339b012108293f9486 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 27 Aug 2021 11:04:04 +0200
Subject: [PATCH 1/2] debug: reduce logging of GetAccountDomain() in the
 frontends

The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return
code if the backend does not support the GetAccountDomain() request and
there is no need to have a log message for this on the default log level
or to trigger a backtrace in the logs in this case.

For all other errors a log message at the default log level makes sense to
indicate an issue in the backend, but a backtrace in the frontend logs is
not needed either.
---
 src/responder/common/responder_get_domains.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index 68ea7c5b5d..b60f11a4d6 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq)
 }
 
 if (state->dp_error != DP_ERR_OK) {
-DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n",
-  (unsigned int)state->dp_error, (unsigned int)state->error);
+DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL
+ : SSSDBG_IMPORTANT_INFO,
+  "Data Provider Error: %u, %u [%s]\n",
+  (unsigned int)state->dp_error, (unsigned int)state->error,
+  sss_strerror(state->error));
 tevent_req_error(req, state->error ? state->error : EIO);
 return;
 }
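Review bot: state->error can be 0 here (the tevent_req_error() call right below falls back to EIO for exactly that case), and then sss_strerror(state->error) prints a success string inside a "Data Provider Error" message. Compute the effective error once, e.g. `errno_t err = state->error ? state->error : EIO;`, and use it for the level check, the sss_strerror() call and the tevent_req_error() call.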

From 218a403225b277a941575792f6dce5e61645488e Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 30 Aug 2021 11:33:26 +0200
Subject: [PATCH 2/2] debug: suppress backtrace for backend errors

Only log a message in the frontend without a backtrace if the backend
returns an error.
---
 src/responder/common/cache_req/plugins/cache_req_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index 6f4d27cb60..2591dd1b73 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -140,7 +140,7 @@ cache_req_common_process_dp_reply(struct cache_req *cr,
 }
 
 if (err_maj) {
-CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr,
+CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr,
 "Data Provider Error: %u, %u, %s\n",
 (unsigned int)err_maj, (unsigned int)err_min, err_msg);
 CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
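Review bot: nothing in the code says why this message must not carry a backtrace, so a later cleanup can flip it back to SSSDBG_OP_FAILURE without noticing. A one-line comment above the CACHE_REQ_DEBUG() call, stating that the failure originates in the backend and a frontend backtrace adds nothing, would keep the intent visible; and since patch 1 distinguishes ERR_GET_ACCT_DOM_NOT_SUPPORTED from other errors while this hunk does not, say in the commit message that all backend errors are treated alike here on purpose.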


[SSSD] [sssd PR#5788][synchronized] debug: suppress backtrace if GetAccountDomain() is not supported

2021-09-23 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5788
Author: sumit-bose
 Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5788/head:pr5788
git checkout pr5788
From ddceb9fd7e865acbce4b5150c1508d36a022e039 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 27 Aug 2021 11:04:04 +0200
Subject: [PATCH 1/2] debug: suppress backtrace if GetAccountDomain() is not
 supported

The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return
code if the backend does not support the GetAccountDomain() request and
there is no need to trigger a backtrace in the logs in this case.
---
 src/responder/common/responder_get_domains.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index 68ea7c5b5d..b60f11a4d6 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq)
 }
 
 if (state->dp_error != DP_ERR_OK) {
-DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n",
-  (unsigned int)state->dp_error, (unsigned int)state->error);
+DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL
+ : SSSDBG_IMPORTANT_INFO,
+  "Data Provider Error: %u, %u [%s]\n",
+  (unsigned int)state->dp_error, (unsigned int)state->error,
+  sss_strerror(state->error));
 tevent_req_error(req, state->error ? state->error : EIO);
 return;
 }
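Review bot: the hunk changes two things but the commit message of this revision describes only one: besides moving ERR_GET_ACCT_DOM_NOT_SUPPORTED to SSSDBG_TRACE_INTERNAL, every other backend error moves from SSSDBG_OP_FAILURE to SSSDBG_IMPORTANT_INFO, which suppresses the backtrace for all of them. Either split the second change into its own commit or document it in the message.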

From 31d1364798f0108eb0c2dc89c7081a24c58aeffe Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 30 Aug 2021 11:33:26 +0200
Subject: [PATCH 2/2] debug: suppress backtrace for backend errors

Only log a message in the frontend without a backtrace if the backend
returns an error.
---
 src/responder/common/cache_req/plugins/cache_req_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index 6f4d27cb60..2591dd1b73 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -140,7 +140,7 @@ cache_req_common_process_dp_reply(struct cache_req *cr,
 }
 
 if (err_maj) {
-CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr,
+CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr,
 "Data Provider Error: %u, %u, %s\n",
 (unsigned int)err_maj, (unsigned int)err_min, err_msg);
 CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
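Review bot: err_min is still printed as a raw number while patch 1 of this series adds sss_strerror() to the equivalent message in responder_get_domains.c; for consistency print sss_strerror(err_min) here too, or state in the commit why err_msg already covers it.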


[SSSD] [sssd PR#5771][comment] sdap: always create sdap object for a forest root

2021-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5771
Title: #5771: sdap: always create sdap object for a forest root

sumit-bose commented:
"""
Hi Pavel,

thanks for the review, I added a `:fixes:`.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5771#issuecomment-923718143


[SSSD] [sssd PR#5771][synchronized] sdap: always create sdap object for a forest root

2021-09-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5771
Author: sumit-bose
 Title: #5771: sdap: always create sdap object for a forest root
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5771/head:pr5771
git checkout pr5771
From 97f8b37d280b3dfce5a55f5821660c79d8ec5eac Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even is the forest root is disabled for lookups all required
  internal data is initialized to be able to refresh the list of trusted
  domains in the forest from a DC of the forest root.
---
 src/providers/ldap/sdap_domain.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a0..fa6e9340de 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
 struct sdap_domain *sdom, *sditer;
 errno_t ret;
 
-for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
  dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, 0)) {
+ dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+/* Always create sdap domain object for the forest root, even if it is
+ * disabled so that we can connect later to discover trusted domains
+ * in the forest. */
+if (sss_domain_get_state(dom) == DOM_DISABLED
+&& !sss_domain_is_forest_root(dom)) {
+continue;
+}
 
 DLIST_FOR_EACH(sditer, sdom_list) {
 if (sditer->dom == dom) {
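Review bot: the commit message says the bug only shows after a restart, when the forest root comes back from the cache as a domain object without an sdap object, but the inline comment does not mention that trigger and the diff adds no test. Add a test (or at least a sentence in the commit) that exercises the restart path with a disabled forest root; the runtime-discovery path already worked, so it would not catch a regression here.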


[SSSD] [sssd PR#5791][comment] sysdb: more specific mpg search filter

2021-09-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5791
Title: #5791: sysdb: more specific mpg search filter

sumit-bose commented:
"""
Hi Pavel,

thanks for the review, I've fixed the typo and added a `:fixes:`.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5791#issuecomment-923713149


[SSSD] [sssd PR#5791][synchronized] sysdb: more specific mpg search filter

2021-09-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5791
Author: sumit-bose
 Title: #5791: sysdb: more specific mpg search filter
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5791/head:pr5791
git checkout pr5791
From f3ca267717a7544999077678538abee691ce6463 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 2 Aug 2021 15:53:42 +0200
Subject: [PATCH] sysdb: more specific mpg search filter

Originally all users of an mpg domain had an automatically created
user-private group and as a result the ID space was unified in the sense
that a given ID either belongs to a group or to a user with a
user-private group.

With the introduction of id-overrides and the auto_private_groups option
this assumption is not true anymore and as a result the search filter
for GIDs must be more specific with respect to the user objects.

Resolves: https://github.com/SSSD/sssd/issues/5790

:fixes: Improve mpg search filter to be more reliable with id-overrides
  and the new auto_private_groups options.
---
 src/db/sysdb.h| 2 +-
 src/db/sysdb_search.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 83e2f7c13e..596aff2862 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -222,7 +222,7 @@
 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"
 #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
-#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))"
+#define SYSDB_GRGID_MPG_FILTER "(|(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))(&("SYSDB_UC")("SYSDB_GIDNUM"=%lu)("SYSDB_UIDNUM"=%lu)))"
 #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")"
 
 #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))"
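Review bot: the new filter is an OR of a group object and a user object with the same gidNumber, so a real group with gidNumber=X and a user whose uidNumber=gidNumber=X both match and ldb_search() can return two entries. Check how sysdb_getgrgid_attrs() handles res->count > 1 after this change and document in a comment on the macro which of the two is expected to win; the commit message says the old code assumed a unified ID space, so that case was never spelled out.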
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 0cd8321cb1..68745cb1a0 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1355,7 +1355,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 }
 
 ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid, ul_gid, ul_gid);
 if (ret != EOK) {
 ret = sysdb_error_to_errno(ret);
 goto done;
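Review bot: fmt_filter is a runtime-selected format string; if it can also be the non-mpg SYSDB_GRGID_FILTER with a single %lu, the two extra ul_gid arguments are silently ignored, which works but reads like a mistake. A comment such as `/* MPG filter takes the GID three times: group gidNumber, user gidNumber, user uidNumber */` next to the call would save the next reader a trip to sysdb.h.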


[SSSD] [sssd PR#5791][opened] sysdb: more specific mpg search filter

2021-09-17 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5791
Author: sumit-bose
 Title: #5791: sysdb: more specific mpg search filter
Action: opened

PR body:
"""
Originally all users of an mpg domain had an automatically created
user-private group and as a result the ID space was unified in the sense
that a given ID either belongs to a group or to a user with a
user-private group.

With the introduction of id-overrides and the auto_private_groups option
this assumption is not true anymore and as a result the search filter
for GIDs must be more specific with respect to the user objects.

Resolves: https://github.com/SSSD/sssd/issues/5790
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5791/head:pr5791
git checkout pr5791
From 137afc4864924620b9260f738c29c378893fd606 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 2 Aug 2021 15:53:42 +0200
Subject: [PATCH] sysdb: more specific mpg search filter

Originally all users of an mpg domain had an automatically created
user-private group and as a result the ID space was unified in the sense
that a given ID either belongs to a group or to a user with a
user-private group.

With the introduction of id-overrides and the auto_private_groups option
this assumption is not true anymore and as a result the search filter
for GIDs must be more specific with respect to the user objects.

Resolves: https://github.com/SSSD/sssd/issues/5790
---
 src/db/sysdb.h| 2 +-
 src/db/sysdb_search.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 83e2f7c13e..596aff2862 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -222,7 +222,7 @@
 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"
 #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
-#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))"
+#define SYSDB_GRGID_MPG_FILTER "(|(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))(&("SYSDB_UC")("SYSDB_GIDNUM"=%lu)("SYSDB_UIDNUM"=%lu)))"
 #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")"
 
 #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))"
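Review bot: the macro's argument contract changes from one %lu to three and the diff updates a single caller; any other user of SYSDB_GRGID_MPG_FILTER would now format with uninitialised varargs. State in the commit message that the callers were grepped, and record the new arity in a comment on the macro.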
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 0cd8321cb1..68745cb1a0 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1355,7 +1355,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 }
 
 ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid, ul_gid, ul_gid);
 if (ret != EOK) {
 ret = sysdb_error_to_errno(ret);
 goto done;
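Review bot: passing ul_gid three times relies on the filter's user branch meaning "uidNumber equals gidNumber", i.e. a user-private group. A sysdb unit test with a user whose id-override gidNumber equals a different group's GID would pin down that the user branch no longer matches such a user, which is the behaviour the commit message describes; suggest adding it alongside this change.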


[SSSD] [sssd PR#5788][opened] debug: suppress backtrace if GetAccountDomain() is not supported

2021-09-16 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5788
Author: sumit-bose
 Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported
Action: opened

PR body:
"""
The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return code
if the backend does not support the GetAccountDomain() request and there is
no need to trigger a backtrace in the logs in this case.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5788/head:pr5788
git checkout pr5788
From d430b028f6c79c33ddc60ebb77aba894708360d7 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 27 Aug 2021 11:04:04 +0200
Subject: [PATCH 1/2] debug: suppress backtrace if GetAccountDomain() is not
 supported

The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return
code if the backend does not support the GetAccountDomain() request and
there is no need to trigger a backtrace in the logs in this case.
---
 src/responder/common/responder_get_domains.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index 68ea7c5b5d..1b2797c4d4 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq)
 }
 
 if (state->dp_error != DP_ERR_OK) {
-DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n",
-  (unsigned int)state->dp_error, (unsigned int)state->error);
+DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL
+ : SSSDBG_OP_FAILURE,
+  "Data Provider Error: %u, %u [%s]\n",
+  (unsigned int)state->dp_error, (unsigned int)state->error,
+  sss_strerror(state->error));
 tevent_req_error(req, state->error ? state->error : EIO);
 return;
 }
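Review bot: the level expression inside the DEBUG() argument list is hard to read and easy to get wrong in later edits; assign it first, e.g. `int level = (state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED) ? SSSDBG_TRACE_INTERNAL : SSSDBG_OP_FAILURE;` and pass `level` to DEBUG(). The else branch keeps SSSDBG_OP_FAILURE, so other backend errors still get a backtrace here, which matches the commit message of this revision.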

From c56769c45bf94ad50a8ee307e8dcc7d8be4e56d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 30 Aug 2021 11:33:26 +0200
Subject: [PATCH 2/2] debug: frontend backtrace for backend error?

Do we need a backtrace in the frontend if the backend returns an error?
---
 src/responder/common/cache_req/plugins/cache_req_common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index 6f4d27cb60..b4fc07a308 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -140,6 +140,8 @@ cache_req_common_process_dp_reply(struct cache_req *cr,
 }
 
 if (err_maj) {
+/* does a backtrace make sense here or would the error message
+ * sufficient? */
 CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr,
 "Data Provider Error: %u, %u, %s\n",
 (unsigned int)err_maj, (unsigned int)err_min, err_msg);
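Review bot: this hunk adds an open question as a code comment and no functional change; a question belongs in the PR discussion, not in the tree. Decide whether the backtrace is wanted for backend errors, express the decision in code, and give the rationale in the commit message instead of a comment asking for it.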


[SSSD] [sssd PR#5712][+Accepted] Health and Support Analyzer - Add request log parsing utility

2021-09-16 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

Label: +Accepted


[SSSD] [sssd PR#5712][-Waiting for review] Health and Support Analyzer - Add request log parsing utility

2021-09-16 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

Label: -Waiting for review


[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility

2021-09-16 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

sumit-bose commented:
"""
Hi,

thanks for checking the help message, as long as this is the default behavior 
of argparse I'm fine. I built and installed the latest version with the removed 
code and it is still working for me. ACK

Thanks for your patience.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5712#issuecomment-920768851


[SSSD] [sssd PR#5787][opened] krb5: fix ccache ownership for offline Smartcard authentication

2021-09-16 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5787
Author: sumit-bose
 Title: #5787: krb5: fix ccache ownership for offline Smartcard authentication
Action: opened

PR body:
"""
During Smartcard authentication/PKINIT the krb5_child process is running
as privileged user for some time to make sure pcscd allows access to the
Smartcard. If SSSD is offline those privileges are currently not dropped
before creating an empty ccache and as a result file based ccaches might
have a wrong ownership. With the patch the privileges are dropped if
SSSD is offline and the ccache is created with the expected ownership.

Resolves: https://github.com/SSSD/sssd/issues/5785

:fixes: ccache files are created with the right ownership during offline
  Smartcard authentication
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5787/head:pr5787
git checkout pr5787
From 9075925a362e77bebba895724312a0093d2997b5 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 16 Sep 2021 11:38:47 +0200
Subject: [PATCH] krb5: fix ccache ownership for offline Smartcard
 authentication

During Smartcard authentication/PKINIT the krb5_child process is running
as privileged user for some time to make sure pcscd allows access to the
Smartcard. If SSSD is offline those privileges are currently not dropped
before creating an empty ccache and as a result file based ccaches might
have a wrong ownership. With the patch the privileges are dropped if
SSSD is offline and the ccache is created with the expected ownership.

Resolves: https://github.com/SSSD/sssd/issues/5785

:fixes: ccache files are created with the right ownership during offline
  Smartcard authentication
---
 src/providers/krb5/krb5_child.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 4e55d9a374..70e93e3198 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -3430,8 +3430,11 @@ int main(int argc, const char *argv[])
  * default and the 'sssd' user is allowed with the help of the
  * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
  * can only call switch_creds() because after the TGT is returned we have
- * to switch to the IDs of the user to store the TGT. */
-if (IS_SC_AUTHTOK(kr->pd->authtok)) {
+ * to switch to the IDs of the user to store the TGT.
+ * If we are offline we have to switch to the user's credentials directly
+ * to make sure the empty ccache is created with the expected
+ * ownership. */
+if (IS_SC_AUTHTOK(kr->pd->authtok) && !offline) {
 kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL,
 &kr->pcsc_saved_creds);
 } else {
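Review bot: the added `&& !offline` on the `IS_SC_AUTHTOK(kr->pd->authtok)` test makes krb5_child skip the `switch_creds()` to `kr->fast_uid`/`kr->fast_gid` when offline and take the `else` branch instead, but neither that branch nor the place where `offline` is assigned in `main()` is part of the hunk; please confirm that `offline` is set from the request before this point and that the `else` path switches to the user's IDs before the empty ccache is created, since that is the ownership the commit message says was wrong. Two smaller points: the new comment could say why the pcscd-friendly IDs are not needed in the offline case, and the commit message's "the privileges are dropped is SSSD is offline" should read "if SSSD is offline".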


[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility

2021-09-14 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

sumit-bose commented:
"""
Hi,

thanks for the updates. I think from now on every enhancement should be done 
not in this PR but in a new one.

What I still find irritating is the repeated `request` in the help output:
```
# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] {request} 
...

positional arguments:
  {request}
request Track requests across SSSD components

optional arguments:
  -h, --helpshow this help message and exit
  --source {files,journald}
  --logdir LOGDIR
```

I think the curly braces are ok on the first line, in case we will add other 
sub-commands in future, but I think the second occurrence is wrong.

In the `request` help output it might be worth putting `--list` and `--cid CID` 
in curly braces like e.g. `{--list | --cid CID}` to indicate that one of the 
two must be used.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5712#issuecomment-919052966


[SSSD] [sssd PR#5760][+Accepted] p11_child: Fixes for init_p11_ctx() and do_card()

2021-09-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

Label: +Accepted


[SSSD] [sssd PR#5760][-Waiting for review] p11_child: Fixes for init_p11_ctx() and do_card()

2021-09-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

Label: -Waiting for review


[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()

2021-09-03 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

thanks for the update, the CI failures are not related, ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5760#issuecomment-912757562


[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()

2021-09-02 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
> > > As before p11_child can only wait on a single reader, in the old version 
> > > it was the first, now it is the last.
> > 
> > 
> > @spoore1 , can this ^^ affect tests?
> 
> That's a good question.
> 
> It's just a change in where p11_child waits for a reader to respond right?

Hi,

it is about required Smartcard authentication (p11_child is run with the 
--wait_for_card option) when multiple Smartcard readers are connected but no 
card inserted in any of the readers. Do you have such a test?

> 
> Could that change affect p11_child timeouts?

no

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5760#issuecomment-911836329


[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()

2021-09-02 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

my testing went well. Now wait_for_card is working with multiple empty readers 
again. As before p11_child can only wait on a single reader, in the old version 
it was the first, now it is the last. But since the user already had to guess 
which reader to use in this case I think it is ok.

I added an in-line comment about casting to int, it would be nice if you can 
fix this.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5760#issuecomment-911798286


[SSSD] [sssd PR#5771][opened] sdap: always create sdap object for a forest root

2021-09-02 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5771
Author: sumit-bose
 Title: #5771: sdap: always create sdap object for a forest root
Action: opened

PR body:
"""
Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5771/head:pr5771
git checkout pr5771
From 41df6527c8dae335250e7d39a2eb01f3faa7bb1a Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770
---
 src/providers/ldap/sdap_domain.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a0..fa6e9340de 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
 struct sdap_domain *sdom, *sditer;
 errno_t ret;
 
-for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
  dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, 0)) {
+ dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+/* Always create sdap domain object for the forest root, even if it is
+ * disabled so that we can connect later to discover trusted domains
+ * in the forest. */
+if (sss_domain_get_state(dom) == DOM_DISABLED
+&& !sss_domain_is_forest_root(dom)) {
+continue;
+}
 
 DLIST_FOR_EACH(sditer, sdom_list) {
 if (sditer->dom == dom) {
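Review bot: with `SSS_GND_INCLUDE_DISABLED` now passed to both `get_next_domain()` calls, the early `continue` keeps disabled subdomains out of the list exactly as before, but a disabled forest root now falls through to the rest of `sdap_domain_subdom_add()`, which is outside this hunk; please check that the code after the `DLIST_FOR_EACH` duplicate check, where the sdap object is created and registered, does not treat the root as an enabled lookup domain, so that it is used only for trusted-domain discovery as the new comment states. The commit message names the restart case as the failing one, so a regression test that restarts SSSD with a disabled forest root would document the fix. Style: `SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED` would read better as `SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED`, matching the spacing around `&&` a few lines below.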


[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()

2021-08-27 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

thank you for the update, code-wise I'm fine with the patches, I'd like to run 
some tests during the weekend and will give my final ACK early next week.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5760#issuecomment-907041154


[SSSD] [sssd PR#5746][comment] p11_child: do_card partially fix loop exit condition (redo of #5705)

2021-08-24 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5746
Title: #5746: p11_child: do_card partially fix loop exit condition (redo of #5705)

sumit-bose commented:
"""
Hi,

thanks for the hint, I have to admit that I didn't test the patch with 
`wait_for_card`.

@assafmo, would you like to add a patch that fixes this?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5746#issuecomment-904439026


[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility

2021-08-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

sumit-bose commented:
"""
Hi Justin,

thanks for the latest updates.

I think the log lines from `accept_fd_handler` e.g.

(2021-08-18 10:36:34:610384): [nss] [accept_fd_handler] (0x0400): Client 
[CID #1][cmd su][0x55d181821070][27] connected!

or

(2021-08-18 10:36:34:703799): [pam] [accept_fd_handler] (0x0400): Client 
[CID #1][cmd su][0x55bc092703c0][24] connected to privileged pipe!

are missing in the parser output, can you add them?

Can you show the help output if the command line is incomplete? Currently it 
looks like:

```
# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] {request} 
...
sss_analyze: error: the following arguments are required: subcommand
Command '/usr/lib/python3.9/site-packages/sssd/sss_analyze.py' failed with [2]

# sssctl analyze request
#
```
In the first case it should not be treated as an error; the help output should be 
shown instead, and since there is no `sss_analyze` which can be called it would be 
better to say `sssctl analyze`. The second case currently has no output; help output 
would be better here as well.

I would mention in the `--merge` help line that this currently only works 
properly with `debug_microseconds = True` for all components.



Another item for improvement in a new pull-request is to add the tevent id 
logic to the different responders. For the nss responder this won't change much 
since the main task here is done in the cache request code. But e.g. for the 
pam responder currently also only the cache request part of the logs is shown 
by the parser but here there are other useful log messages from the main pam 
responder code as well.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5712#issuecomment-901023962
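As an added example, not code from PR#5712 or from SSSD, the following Python script ties together the points raised in this comment and in the 2021-09-14 comment on the same PR above: it parses debug lines in the quoted format, attributes the `accept_fd_handler` "Client ... connected" lines to their client id alongside the tagged request lines, and wraps that in an argparse layout with a required `request` sub-command whose `--list`/`--cid CID` options form a required mutually exclusive group. Everything except the two quoted `accept_fd_handler` lines is constructed or assumed: the other sample lines, the prog name `sssctl analyze`, and the `UsageError`/`HelpOnError` classes that hand back the full help instead of a bare error when the command line is incomplete. One caveat for the `{--list | --cid CID}` suggestion: argparse renders a required mutually exclusive group as `(--list | --cid CID)`, with parentheses.

```python
import argparse
import re
from dataclasses import dataclass, field
from typing import NoReturn, Optional

# Constructed sample in the line format quoted in the thread; the accept_fd_handler
# lines are the quoted ones, the cache_req_send and pam_cmd_authenticate lines are made up.
SAMPLE_LOG = """\
(2021-08-18 10:36:34:610384): [nss] [accept_fd_handler] (0x0400): Client [CID #1][cmd su][0x55d181821070][27] connected!
(2021-08-18 10:36:34:611002): [nss] [cache_req_send] (0x0400): [CID #1] CR #3: New request 'Initgroups by name'
(2021-08-18 10:36:34:703799): [pam] [accept_fd_handler] (0x0400): Client [CID #1][cmd su][0x55bc092703c0][24] connected to privileged pipe!
(2021-08-18 10:36:35:000001): [pam] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(2021-08-18 10:36:36:120000): [nss] [accept_fd_handler] (0x0400): Client [CID #2][cmd sshd][0x55d181822000][28] connected!
this line is not in debug-log format and is skipped
"""

# (timestamp): [component] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?::\d+)?)\): "
    r"\[(?P<component>\w+)\] \[(?P<function>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<message>.*)$")
CID_RE = re.compile(r"\[CID #(?P<cid>\d+)\]")
CMD_RE = re.compile(r"\[cmd (?P<cmd>[^\]]+)\]")

@dataclass
class LogLine:
    ts: str
    component: str
    function: str
    level: str
    message: str
    cid: Optional[int] = None  # None when the line carries no client id tag
    cmd: Optional[str] = None  # only the accept_fd_handler lines carry [cmd ...]

@dataclass
class Request:
    cid: int
    cmd: Optional[str] = None
    components: list[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[LogLine]:
    """Parse one debug line; return None for lines not in the log format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = LogLine(**m.groupdict())
    if cid := CID_RE.search(entry.message):
        entry.cid = int(cid.group("cid"))
    if cmd := CMD_RE.search(entry.message):
        entry.cmd = cmd.group("cmd")
    return entry

def parse_log(text: str) -> list[LogLine]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def list_requests(entries: list[LogLine]) -> list[Request]:
    """One row per client id: the command from its connect line and the
    components its lines were seen in. Lines without a CID tag are ignored."""
    reqs: dict[int, Request] = {}
    for e in entries:
        if e.cid is None:
            continue
        r = reqs.setdefault(e.cid, Request(e.cid))
        if r.cmd is None and e.cmd is not None:
            r.cmd = e.cmd
        if e.component not in r.components:
            r.components.append(e.component)
    return [reqs[c] for c in sorted(reqs)]

class UsageError(Exception):
    """Raised instead of exiting so the caller gets the full help text."""

class HelpOnError(argparse.ArgumentParser):
    def error(self, message: str) -> NoReturn:
        # An incomplete command line yields the full help, not a bare error line.
        raise UsageError(f"{self.prog}: error: {message}\n\n{self.format_help()}")

def build_parser() -> argparse.ArgumentParser:
    # prog is the wrapper users type, not the helper script (an assumption).
    parser = HelpOnError(prog="sssctl analyze", description="analyze SSSD request logs")
    sub = parser.add_subparsers(dest="subcommand", required=True)
    req = sub.add_parser("request", help="Track requests across SSSD components")
    # Required mutually exclusive group: argparse prints it in the usage line
    # as "(--list | --cid CID)", parentheses rather than curly braces.
    one_of = req.add_mutually_exclusive_group(required=True)
    one_of.add_argument("--list", action="store_true", help="list all client requests")
    one_of.add_argument("--cid", type=int, metavar="CID", help="show the lines of one client id")
    return parser

def run(argv: list[str], log_text: str = SAMPLE_LOG) -> str:
    try:
        args = build_parser().parse_args(argv)
    except UsageError as exc:
        return str(exc)
    entries = parse_log(log_text)
    if args.list:
        return "\n".join(f"CID #{r.cid}: cmd={r.cmd} components={','.join(r.components)}"
                         for r in list_requests(entries))
    return "\n".join(f"({e.ts}): [{e.component}] [{e.function}] ({e.level}): {e.message}"
                     for e in entries if e.cid == args.cid)
```

`run(["request"])` returns the sub-command's help (its usage line contains `(--list | --cid CID)`), `run([])` returns the top-level help after the "required: subcommand" message, and lines without a `[CID #n]` tag, such as the constructed `pam_cmd_authenticate` line, are parsed but attributed to no request, which is the gap the last paragraph of the comment describes for the pam responder.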


[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility

2021-08-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

sumit-bose commented:
"""
Hi Scott,

thanks for the latest updates.

I think the log lines from `accept_fd_handler` e.g.

2021-08-18 10:36:34:610384): [nss] [accept_fd_handler] (0x0400): Client 
[CID #1][cmd su][0x55d181821070][27] connected!

or

(2021-08-18 10:36:34:703799): [pam] [accept_fd_handler] (0x0400): Client 
[CID #1][cmd su][0x55bc092703c0][24] connected to privileged pipe!

are missing in the parser output, can you add it?

Can you show the help output if the command line is incomplete? Currently it 
looks like:

```
# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] {request} 
...
sss_analyze: error: the following arguments are required: subcommand
Command '/usr/lib/python3.9/site-packages/sssd/sss_analyze.py' failed with [2]

# sssctl analyze request
#
```
The first case it should not be as an error but the help output should be shown 
and since there is no `sss_analyze` which can be called it would be better to 
say `sssctl analyze`. The second case currently has no output, help output 
would be better here as well.

I would mention in the `--merge` help line that this currently only works 
properly with `debug_microseconds = True` for all components.



Another item for improvement in a new pull-request is to add the tevent id 
logic to the different responders. For the nss responder this won't change much 
since the main task here is done in the cache request code. But e.g. for the 
pam responder currently also only the cache request part of the logs is shown 
by the parser but here there are other useful log messages from the main pam 
responder code as well.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5712#issuecomment-901023962
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

