[SSSD] Re: Client Support for Trusts
On Tue, Feb 27, 2024 at 05:47:50PM +0200, Alexander Bokovoy wrote:
> On Tue, 27 Feb 2024, David L wrote:
> > I'm looking for clarity about SSSD's *client-side* support for trusts.
> >
> > 1. Does SSSD support login for cross-domain (e.g., parent/child) trusts?
> > 2. Does SSSD support login for users in trusted forests?
> > 2a. If not, is there a workaround?
> > 3. Does SSSD's group membership reporting include users from trusted forests?
> > 4. Does SSSD's user information include groups in trusted forests?
> > 5. Does SSSD require additional support from additional components to support login of users in trusted forests?
> > 6. Does SSSD support two-way trusts?
> > 6a. If not, is there a workaround?
>
> A single answer: if there is a two-way trust between the domain the SSSD
> machine is in and the domain the users/groups are in, then SSSD will be able to
> resolve users/groups and be able to authenticate the users.
>
> SSSD talks to AD DCs over LDAP and uses GSSAPI authentication by
> default. This works for your own domain where you are a domain member
> and it works for all domains which you can reach with a cross-realm
> Kerberos ticket issued by your own domain controller and intermediate
> domain controllers of the trusted domains.

Hi,

please note that the above currently only works for a single forest. Even if there is a two-way trust between the forests and the Kerberos ticket from the local forest would be valid in the remote forest as well, SSSD currently does not attempt to discover domains from the remote forest. This has been on the list for some time already, but so far we haven't had the capacity to implement and test it.

The workaround would be to add a second domain section in sssd.conf for the remote forest, but group memberships are restricted in this setup to the related forest and cross-forest group memberships will not be available.

bye,
Sumit

> SSSD does not implement any of the DCE RPC calls needed to relay such a
> request to a domain controller. Hence, any topology where a
> communication can only be done via DCE RPC calls will not work.
> Use winbindd for that.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

--
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[SSSD] Re: Basic Question: C Using SASL or SPNEGO
On Thu, Feb 08, 2024 at 11:08:52PM -, David L wrote:
> I have a couple basic questions about using OpenLDAP with SSSD in a
> C/C++ program. Since I think SSSD uses OpenLDAP to do this already
> within its service, I thought y'all would be the ones to ask.
> Pardon my ignorance. If you know the answer in Python/native interop,
> that'll work too, I can translate.
>
> 1. On a domain joined machine that has any other needed
> configuration, how do I call and configure OpenLDAP so it will use the
> SSSD machine account to authenticate with the AD server?

Hi,

the first step does not involve OpenLDAP: a Kerberos ticket is needed, which can be requested with the help of the Kerberos keys typically stored in /etc/krb5.keytab, a file that is typically created during the join. What you have to do is the equivalent of `kinit -k 'CLIENT$@AD.REALM'`, where 'CLIENT$@AD.REALM' is the typical AD host principal, which can be found by checking the `klist -k` output and looking for a principal with a '$' before the '@'. On the C level you can use libkrb5 or libgssapi to get the ticket, e.g. for libkrb5 the actual call doing it is `krb5_get_init_creds_keytab()`.

> 2. As above, but how do I specify OpenLDAP to authenticate using
> SPNEGO?

If you have a Kerberos ticket you can call one of OpenLDAP's `ldap_sasl_*_bind*()` calls where you put "GSS-SPNEGO" in the `mechanism` argument.

HTH

bye,
Sumit
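The two steps Sumit describes, as an added shell example that is not part of the thread: pick the machine-account principal out of `klist -k`, run the equivalent of `kinit -k`, then do the GSS-SPNEGO bind with `ldapsearch -Y GSS-SPNEGO` in place of the `ldap_sasl_*_bind*()` call a C program would make. The domain controller name is a parameter with a placeholder value, the keytab defaults to /etc/krb5.keytab, and the GSS-SPNEGO mechanism is assumed to come from the installed Cyrus SASL GSSAPI plugin.

```shell
#!/bin/sh
# Added example, not code from the original thread. Mirrors the two steps
# described above: (1) get a TGT for the AD machine account from the host
# keytab, (2) bind to the DC over LDAP with SASL mechanism GSS-SPNEGO.

# Constructed `klist -k` listing, used by demo_find_principal() so the
# selection logic can run without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.ad.example.com@AD.EXAMPLE.COM
   2 CLIENT$@AD.EXAMPLE.COM
   2 host/CLIENT@AD.EXAMPLE.COM'

# Pick the machine-account principal from a `klist -k` listing on stdin:
# AD host principals carry a '$' immediately before the '@'. Prints the
# first match only; prints nothing when the keytab has no such entry.
find_machine_principal() {
    awk 'index($2, "$@") > 0 { print $2; exit }'
}

# Run the selection on the constructed listing (yields CLIENT$@AD.EXAMPLE.COM).
demo_find_principal() {
    printf '%s\n' "$SAMPLE_KLIST" | find_machine_principal
}

# Same selection on a real keytab (needs read access, normally root).
machine_principal_from_keytab() {
    klist -k "${1:-/etc/krb5.keytab}" | find_machine_principal
}

# Equivalent of `kinit -k 'CLIENT$@AD.REALM'` into a private credential
# cache, followed by a GSS-SPNEGO bind against the DC. $1 is the DC host
# name (placeholder, e.g. dc1.ad.example.com), $2 an optional keytab path.
ldap_bind_as_machine() {
    dc_host="$1"
    keytab="${2:-/etc/krb5.keytab}"
    princ=$(machine_principal_from_keytab "$keytab")
    if [ -z "$princ" ]; then
        echo "no machine-account principal (NAME\$@REALM) in $keytab" >&2
        return 1
    fi
    # A throwaway cache keeps the machine TGT out of the caller's own cache.
    ccache=$(mktemp /tmp/krb5cc_machine.XXXXXX) || return 1
    KRB5CCNAME="FILE:$ccache"
    export KRB5CCNAME
    if ! kinit -k -t "$keytab" "$princ"; then
        rm -f "$ccache"
        return 1
    fi
    # -Y picks the SASL mechanism, -Q suppresses SASL prompts; the base-scope
    # search on the root DSE only serves to prove that the bind succeeded.
    ldapsearch -Q -Y GSS-SPNEGO -H "ldap://$dc_host" -b '' -s base defaultNamingContext
    rc=$?
    kdestroy >/dev/null 2>&1
    rm -f "$ccache"
    return $rc
}
```

Call `ldap_bind_as_machine dc1.ad.example.com` on a joined host as root; a non-zero return means either the machine TGT or the SPNEGO bind failed, and the error printed by kinit or ldapsearch tells which.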
[SSSD] Re: Optimize memberOf lookups openldap
On Fri, Aug 19, 2022 at 02:02:00PM +0200, Erik de Waard wrote:
> When openldap is configured to make use of the dynlist module it can update
> the member and memberOf population recursively for nested groups by just
> querying with a search filter on memberOf for it.
>
> This should eliminate the need for nested group searches because it
> returns all memberships.

Hi,

would you mind opening this request as an RFE at https://github.com/SSSD/sssd/issues/new? I'm not familiar with the details of the dynlist module, but if I understand it correctly everything happens on the server side and the client just has to ask for the related attribute, i.e. memberOf. In this case I wonder if setting ldap_group_nesting_level = 0 in the [domain/...] section of sssd.conf would already be sufficient?

bye,
Sumit

> Similar issue: 2409
>
> Can we have a setting to enable this like LDAP_MATCHING_RULE_IN_CHAIN for AD?
[SSSD] [sssd PR#5955][opened] man: clarify ldap_idmap_range_max
URL: https://github.com/SSSD/sssd/pull/5955 Author: sumit-bose Title: #5955: man: clarify ldap_idmap_range_max Action: opened PR body: """ ldap_idmap_range_max is the first ID which cannot be used for mapping anymore. Resolves: https://github.com/SSSD/sssd/issues/5938 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5955/head:pr5955 git checkout pr5955 From 34764d233a996e555f2f00ddbecbf2e52887524b Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 18 Jan 2022 13:12:22 +0100 Subject: [PATCH] man: clarify ldap_idmap_range_max ldap_idmap_range_max is the first ID which cannot be used for mapping anymore. Resolves: https://github.com/SSSD/sssd/issues/5938 --- src/man/include/ldap_id_mapping.xml | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml index 73c385dd98..01f109b52c 100644 --- a/src/man/include/ldap_id_mapping.xml +++ b/src/man/include/ldap_id_mapping.xml @@ -120,8 +120,10 @@ ldap_schema = ad ldap_idmap_range_min (integer) -Specifies the lower bound of the range of POSIX IDs to -use for mapping Active Directory user and group SIDs. +Specifies the lower bound of the range of POSIX IDs +to use for mapping Active Directory user and group +SIDs. It is the first POSIX ID which can be used +for the mapping. NOTE: This option is different from 
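Review bot: The new sentence for ldap_idmap_range_min ("It is the first POSIX ID which can be used for the mapping") leaves it to the reader to work out that this bound is inclusive while the companion change makes ldap_idmap_range_max exclusive; consider saying "inclusive" here and describing the usable interval once, e.g. "IDs from ldap_idmap_range_min up to, but not including, ldap_idmap_range_max are used for the mapping", so the two option descriptions do not have to be combined to get the answer.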
@@ -142,8 +144,11 @@ ldap_schema = ad ldap_idmap_range_max (integer) -Specifies the upper bound of the range of POSIX IDs to -use for mapping Active Directory user and group SIDs. +Specifies the upper bound of the range of POSIX IDs +to use for mapping Active Directory user and group +SIDs. It is the first POSIX ID which cannot be used +for the mapping anymore, i.e. one larger than the +last one which can be used for the mapping. NOTE: This option is different from ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
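Review bot: The clarification "the first POSIX ID which cannot be used for the mapping anymore, i.e. one larger than the last one which can be used" is correct but dense for a man page; a short worked illustration with two concrete numbers (min, max, and the resulting last usable ID) right after that sentence would make the off-by-one explicit, and it is worth stating that the range size is therefore ldap_idmap_range_max minus ldap_idmap_range_min, since that is the figure people compare against their SID-to-ID slice sizes.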
[SSSD] [sssd PR#5945][-Waiting for review] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests
Label: -Waiting for review
[SSSD] [sssd PR#5945][+Accepted] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests
Label: +Accepted
[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thank you. ACK.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5945#issuecomment-1015169276
[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thanks, I'm still fine with the patches. I'd just like to ask to split out the change to `pamsrv_p11.c` into an extra patch? The change is not only related to the tests.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5945#issuecomment-1014300022
[SSSD] [sssd PR#5945][+Accepted] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests
Label: +Accepted
[SSSD] [sssd PR#5945][comment] INTG: Restrict smartcard in sc auth tests
URL: https://github.com/SSSD/sssd/pull/5945
Title: #5945: INTG: Restrict smartcard in sc auth tests

sumit-bose commented:
"""
Hi,

thanks for the patch, it should make the Smartcard auth unit tests more resilient. ACK

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5945#issuecomment-1009927412
[SSSD] [sssd PR#5928][comment] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning

sumit-bose commented:
"""
> @sumit-bose if there is a chance you can take a look at the code of this PR
> and tell me if the approach with hard-coded options is OK in this case?

Hi,

using a hardcoded default is ok, but you only have to add `LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless it would be good if the IPA provider could check `ldap_access_order` as well, because I would expect that sooner or later someone will ask to not only warn but reject the user, which would be `LDAP_ACCESS_EXPIRE_POLICY_DENY`.

Related to Alexey's question about #3635, currently the fix would be limited to IPA users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we currently do not read or evaluate the `msDS-UserPasswordExpiryTimeComputed` attribute. So this attribute should be added to the list of user attributes and a new e.g. `ldap_pwd_policy = ad` should be added to evaluate it. For IPA an `ldap_pwd_policy = ipa` might be needed as well since we might have to check IPA and AD users.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750
[SSSD] [sssd PR#5941][+Accepted] Minor updates in `IPA: get_object_from_cache()`
URL: https://github.com/SSSD/sssd/pull/5941
Title: #5941: Minor updates in `IPA: get_object_from_cache()`
Label: +Accepted
[SSSD] [sssd PR#5941][-Waiting for review] Minor updates in `IPA: get_object_from_cache()`
URL: https://github.com/SSSD/sssd/pull/5941
Title: #5941: Minor updates in `IPA: get_object_from_cache()`
Label: -Waiting for review
[SSSD] [sssd PR#5940][opened] ipa: fix reply socket of selinux_child
URL: https://github.com/SSSD/sssd/pull/5940 Author: sumit-bose Title: #5940: ipa: fix reply socket of selinux_child Action: opened PR body: """ Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched the reply socket of selinux_child from stdout to stderr while switching from exec_child to exec_child_ex. This patch returns the original behavior. Resolves: https://github.com/SSSD/sssd/issues/5939 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5940/head:pr5940 git checkout pr5940 From 52f80ca711f497b47ac3d7e1addead9026543146 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 4 Jan 2022 10:11:49 +0100 Subject: [PATCH] ipa: fix reply socket of selinux_child Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched the reply socket of selinux_child from stdout to stderr while switching from exec_child to exec_child_ex. This patch returns the original behavior. Resolves: https://github.com/SSSD/sssd/issues/5939 --- src/providers/ipa/ipa_selinux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 6f885c0fdb..2e0593dd76 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c 
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) if (pid == 0) { /* child */ exec_child_ex(state, pipefd_to_child, pipefd_from_child, SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args, - false, STDIN_FILENO, STDERR_FILENO); + false, STDIN_FILENO, STDOUT_FILENO); DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n", ret, sss_strerror(ret)); return ret; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
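Review bot: The fd swap from STDERR_FILENO to STDOUT_FILENO is the right fix for the reply socket, but the lines that follow the call in this hunk still log and return `ret` ("Could not exec selinux_child: [%d][%s].\n", ret, sss_strerror(ret)); return ret;) without `ret` being assigned from the exec_child_ex() call in the visible context: if exec_child_ex() never returns on failure these lines are dead, otherwise `ret` is stale, so either capture the result or drop them. Since the earlier switch from exec_child to exec_child_ex changed this fd without anyone noticing, a test that checks on which fd selinux_child's reply arrives would stop it regressing a second time.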
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

I agree with @alexey-tikhonov, it is better to just fail hard if chain ID support is missing.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-996858330
[SSSD] [sssd PR#5927][opened] ad: add required 'cn' attribute to subdomain object
URL: https://github.com/SSSD/sssd/pull/5927 Author: sumit-bose Title: #5927: ad: add required 'cn' attribute to subdomain object Action: opened PR body: """ If the forest root is not part of the return trusted domain objects from the local domain controller we generate an object for further processing. During this processing it is expected that the 'cn' attribute is set and contains the name of the forest root. So far this attribute was missing and it is now added by this patch. Resolves: https://github.com/SSSD/sssd/issues/5926 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5927/head:pr5927 git checkout pr5927 From d90e5fc1cb31c9b201b45c66a85c5cd570bba84d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 16 Dec 2021 11:14:18 +0100 Subject: [PATCH] ad: add required 'cn' attribute to subdomain object If the forest root is not part of the return trusted domain objects from the local domain controller we generate an object for further processing. During this processing it is expected that the 'cn' attribute is set and contains the name of the forest root. So far this attribute was missing and it is now added by this patch. Resolves: https://github.com/SSSD/sssd/issues/5926 --- src/providers/ad/ad_subdomains.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 0353de76f7..0c3f8ac314 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c 
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) goto done; } +ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME, + state->forest); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n"); +goto done; +} + err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id, &id_val.data, &id_val.length); if (err != IDMAP_SUCCESS) { ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
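Review bot: The commit message speaks of the 'cn' attribute while the code adds AD_AT_DOMAIN_NAME; if that macro expands to "cn", say so in the commit message or in a one-line comment above the sysdb_attrs_add_string() call so the next reader does not have to look it up. It is also worth confirming in the surrounding code that state->forest is always set on this path, because the synthesized root-domain object is only built when the local DC did not return the forest root, and a NULL value here would turn a missing attribute into a failed lookup.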
[SSSD] [sssd PR#5918][comment] Client ca validation error
URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error

sumit-bose commented:
"""
Hi,

I'm fine with the patches, I would only recommend to use a higher value than `2` for the exit code since e.g. the monitor is already using `2` for other purposes.

@ikerexxe, have you checked with @martinpitt if the fix works for him? It would be good if someone else can have a look as well since Iker and I developed the idea for the fix together.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5918#issuecomment-995644563
[SSSD] [sssd PR#5863][+Accepted] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
Label: +Accepted
[SSSD] [sssd PR#5863][-Changes requested] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
Label: -Changes requested
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

thanks for the patch, it is working well in my (quite basic) tests for PAM and NSS. I'm afraid I can't remember what we planned for the other responders, e.g. ssh. You added support in the responders already here but `sssctl analyze` currently has no options to select other responders. Nevertheless, this should not be added here but better with another patch on top of your patch which replaces python click.

So, ACK.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-995106714
[SSSD] [sssd PR#5918][+Changes requested] Client ca validation error
URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error
Label: +Changes requested
[SSSD] [sssd PR#5918][comment] Client ca validation error
URL: https://github.com/SSSD/sssd/pull/5918
Title: #5918: Client ca validation error

sumit-bose commented:
"""
Hi,

there is a pep8 issue:
```
Start: Wed Dec 15 08:53:56 UTC 2021
+ find . -path ./src/config -prune -o -name '*.py' -exec pycodestyle --ignore=E121,E123,E126,E226,E24,E704,W503,W504,W605,E722 '{}' +
./src/tests/intg/test_infopipe.py:809:80: E501 line too long (81 > 79 characters)
End: Wed Dec 15 08:54:01 UTC 2021
```

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5918#issuecomment-994744210
[SSSD] [sssd PR#5910][+Accepted] SPEC: avoid weak dependencies
URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies
Label: +Accepted
[SSSD] [sssd PR#5910][-Waiting for review] SPEC: avoid weak dependencies
URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies
Label: -Waiting for review
[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies
URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

sumit-bose commented:
"""
Hi,

sure, ACK.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5910#issuecomment-992421744
[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies
URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies

sumit-bose commented:
"""
> > Please see my in-line comments.
>
> Thank you. I updated the patch.
>
> But what do you think about:
>
> > I'm not sure what to do with:
> > ```
> > Recommends: bind-utils
> > Recommends: adcli
> > ```
> > bind-utils provides nsupdate used by IPA and AD backends, but SSSD can work
> > without it. And adcli is used by AD backend to renew machine password.
>
> ?

Hi,

since the related features are enabled in SSSD by default it would be good if the two packages are installed together with `sssd-ad` or `sssd-ipa`. But since both features can be disabled a user might want to remove those packages if not needed. So `Recommends` would be best. If I understood the original bugzilla ticket correctly we can keep `Recommends:` because neither `sssd-ad` nor `sssd-ipa` are in the `core` group (only `sssd-common` and `sssd-kcm` are).

HTH

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5910#issuecomment-992344439
[SSSD] [sssd PR#5910][comment] SPEC: avoid weak dependencies
URL: https://github.com/SSSD/sssd/pull/5910
Title: #5910: SPEC: avoid weak dependencies
sumit-bose commented:
"""
Hi,

thanks for the patch. The boolean dependencies seem to work as expected, at least on RHEL-8 where I tested them. Please see my in-line comments.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5910#issuecomment-990662858
[SSSD] [sssd PR#5902][+Accepted] SSS_CLIENT: fixed few covscan issues
URL: https://github.com/SSSD/sssd/pull/5902
Title: #5902: SSS_CLIENT: fixed few covscan issues
Label: +Accepted
[SSSD] [sssd PR#5902][comment] SSS_CLIENT: fixed few covscan issues
URL: https://github.com/SSSD/sssd/pull/5902
Title: #5902: SSS_CLIENT: fixed few covscan issues
sumit-bose commented:
"""
Hi,

thanks, ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5902#issuecomment-987616210
[SSSD] [sssd PR#5901][+Accepted] utils: ignore systemd and sd-pam process in get_active_uid_linux()
URL: https://github.com/SSSD/sssd/pull/5901
Title: #5901: utils: ignore systemd and sd-pam process in get_active_uid_linux()
Label: +Accepted
[SSSD] [sssd PR#5901][comment] utils: ignore systemd and sd-pam process in get_active_uid_linux()
URL: https://github.com/SSSD/sssd/pull/5901
Title: #5901: utils: ignore systemd and sd-pam process in get_active_uid_linux()
sumit-bose commented:
"""
Hi,

thanks, I'm fine with the code. Since @alexey-tikhonov approved the patch as well and it was tested internally by @sgoveas, ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5901#issuecomment-987049218
[SSSD] [sssd PR#5909][opened] Various fixes related forest and site name discovery - 1-16
URL: https://github.com/SSSD/sssd/pull/5909 Author: sumit-bose Title: #5909: Various fixes related forest and site name discovery - 1-16 Action: opened PR body: """ Resolves: https://github.com/SSSD/sssd/issues/5875 https://github.com/SSSD/sssd/issues/5822 https://github.com/SSSD/sssd/issues/5820 https://github.com/SSSD/sssd/issues/5616 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5909/head:pr5909 git checkout pr5909 From 95830ed1c0fcd1fb3e933d66e509cb3b3744fc61 Mon Sep 17 00:00:00 2001 From: Deepak Das Date: Thu, 20 May 2021 20:30:33 +0530 Subject: [PATCH 1/7] SSSD man: man_dns_resolver_parameter_modification Adding parameter dns_resolver_server_timeout and dns_resolver_op_timeout in sssd.conf Resolves: https://github.com/SSSD/sssd/issues/5616 Reviewed-by: Iker Pedrosa Reviewed-by: Justin Stephenson (cherry picked from commit 43b9b0922aa24a03ea466c673646d5e3079403fe) --- src/man/sssd.conf.5.xml | 39 +++ 1 file changed, 39 insertions(+) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 8adbb8de9d..a597828ca3 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -2809,6 +2809,45 @@ pam_p11_allowed_services = +my_pam_service, -login + +dns_resolver_server_timeout (integer) + + +Defines the amount of time (in milliseconds) +SSSD would try to talk to DNS server before +trying next DNS server. + + +Please see the section FAILOVER +for more information about the service +resolution. + + +Default: 1000 + + + + + +dns_resolver_op_timeout (integer) + + +Defines the amount of time (in seconds) to +wait to resolve single DNS query +(e.g. resolution of a hostname or an SRV record) +before try next hostname or DNS discovery. + + +Please see the section FAILOVER +for more information about the service +resolution. + + +Default: 3 + + + + dns_resolver_timeout (integer) From 51c30bde8e219b86609b673bd1d578a1f0c7563f Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Fri, 8 Oct 2021 12:44:37 +0200 Subject: [PATCH 2/7] ad: require name when looking up root domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To properly identify the forest root domain the name of this domain is needed. It is discovered with a cldap-ping requesting the netlogon attribute. If the name is missing it does not make sense to proceed further because there is currently no other way to determine the forest root domain. Resolves: https://github.com/SSSD/sssd/issues/5820 Reviewed-by: Pavel Březina (cherry picked from commit b37e2713a9b86936f5b82a17e47757562900b911) --- src/providers/ad/ad_subdomains.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 6b98cdf1d6..5be7c20034 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -1431,7 +1431,12 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, return NULL; } -if (forest != NULL && strcasecmp(domain, forest) == 0) { +if (forest == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Name of forest root domain not available, l" + "using cached data, if available.\n"); +ret = EINVAL; +goto immediately; +} else if (strcasecmp(domain, forest) == 0) { state->root_id_ctx = sd_ctx->ad_id_ctx; state->root_domain_attrs = NULL; ret = EOK; From cb8d805136eeaa382e72011058cab073625b9c27 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 8 Oct 2021 13:14:30 +0200 Subject: [PATCH 3/7] ad: move current site and forest name to a more global context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently only during the DNS discovery steps the stored forest and site name are reused to avoi
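Review bot: the two new man page entries in the src/man/sssd.conf.5.xml hunk (patch 1/7) never say how `dns_resolver_server_timeout` and `dns_resolver_op_timeout` relate to the existing `dns_resolver_timeout` option that immediately follows them in the same section, and a reader comparing the three will also trip over the mixed units (the server timeout is in milliseconds with `Default: 1000`, the op timeout in seconds with `Default: 3`). Suggest one sentence per entry placing it in the hierarchy (per-server attempt, per-query operation, overall resolution) and repeating the unit on the Default line, e.g. `Default: 1000 (milliseconds)`. The op timeout text also reads `before try next hostname or DNS discovery`; it should be `before trying the next hostname or DNS discovery`.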
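Review bot: in the src/providers/ad/ad_subdomains.c hunk (patch 2/7) the new DEBUG message in ad_get_root_domain_send() has a stray `l` at the end of its first string fragment, `"Name of forest root domain not available, l"`, so the concatenated log line reads `...not available, lusing cached data, if available.`; drop the `l` so the message is clean. The message also promises a fallback to cached data that this function does not perform itself: the branch sets `ret = EINVAL` and jumps to `immediately`, so any fallback depends on the caller treating EINVAL that way. Either confirm the caller does, or reword the message to state only that the root domain lookup is aborted because the forest name is missing.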
[SSSD] [sssd PR#5883][comment] Various fixes related forest and site name discovery
URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery
sumit-bose commented:
"""
Hi,

sure, I can include one of the patches in the backport.

I think the issue in #5645 is related to github. I checked the copies in the sssd-devel list and here the last versions sent by Deepak correspond to what is committed. Also if you look at https://github.com/SSSD/sssd/pull/5645/commits there are the 2 patches shown, together with another version.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5883#issuecomment-986931803
[SSSD] [sssd PR#5883][comment] Various fixes related forest and site name discovery
URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery
sumit-bose commented:
"""
> Since this claims to fix https://bugzilla.redhat.com/show_bug.cgi?id=2006866
> , this also needs to be backported to 1-16 branch.
>
> @sumit-bose, does this apply cleanly or is a dedicated PR required?

Hi,

only the last patch fails because the man page entry for `dns_resolver_server_timeout` is missing in 1-16, the option itself exists. So what would be the preferred solution, drop the hunk with the man page change or add a patch with the man page entries first?

Funny enough, the entry was added twice in master, in 43b9b0922a and 7190f6b5d5, maybe one of the commits was meant for 1-16?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5883#issuecomment-985601568
[SSSD] [sssd PR#5863][+Accepted] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
Label: +Accepted
[SSSD] [sssd PR#5863][-Waiting for review] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
Label: -Waiting for review
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
sumit-bose commented:
"""
Hi,

thanks, remaining CI issues are not related, ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-976215769
[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
sumit-bose commented:
"""
Hi,

thanks, so the behavior is inconsistent, depending on the value of `ldap_deref_threshold`. I guess the reason is https://github.com/SSSD/sssd/blob/master/src/providers/ldap/sdap_async_nested_groups.c#L1576 in the branch which is taken if `ldap_deref_threshold = 0`. So the new option should be evaluated here as well to make the behavior consistent.

I'm wondering what would be a good default? If we try to be secure by default we have to assume that the LDAP permissions are unintentional and SSSD should fail. But this would break existing setups which use `ldap_deref_threshold = 0` as a workaround. The latter would mean that we might want to wait with this change of behavior until 2.7.

@pbrezina , @alexey-tikhonov what do you think?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-975573308
[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
sumit-bose commented:
"""
Hi,

I think `ldap_ignore_unreadable_references` would be sufficient.

Btw, what happens if the members are looked up individually, i.e. if `ldap_deref_threshold` is larger than `5` in your example?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-975297157
[SSSD] [sssd PR#5885][+Accepted] LDAP: expire accounts when today >= shadowExpire
URL: https://github.com/SSSD/sssd/pull/5885
Title: #5885: LDAP: expire accounts when today >= shadowExpire
Label: +Accepted
[SSSD] [sssd PR#5885][comment] LDAP: expire accounts when today >= shadowExpire
URL: https://github.com/SSSD/sssd/pull/5885
Title: #5885: LDAP: expire accounts when today >= shadowExpire
sumit-bose commented:
"""
Hi,

thank you for the patch, ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5885#issuecomment-974842866
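The PR title above names the exact boundary for account expiry: an account is expired once today >= shadowExpire, not only once today is past it. The following is an added example, not SSSD code, showing that check on realistic attribute values. It assumes the shadow(5) convention that shadowExpire counts days since 1970-01-01 and that an empty attribute means "never expires"; treating a negative value like an absent one is this example's own choice.

```python
"""Account-expiry check with shadowExpire semantics (added example, not SSSD code).

shadowExpire mirrors the 'expire' field of shadow(5): the number of days since
1970-01-01 after which the account is disabled. An empty value means the
account never expires. Following the PR title, the account is refused once
today >= shadowExpire, so the day named in the attribute is already disabled.
"""
from datetime import date
from typing import Optional, Union

EPOCH = date(1970, 1, 1)
SAMPLE_TODAY = date(2021, 11, 22)  # constructed sample date


def days_since_epoch(day: date) -> int:
    """Calendar days between 1970-01-01 and `day`, the unit shadowExpire uses."""
    return (day - EPOCH).days


def parse_shadow_expire(value: Union[str, bytes, int, None]) -> Optional[int]:
    """Normalise an LDAP shadowExpire value; None means 'never expires'.

    Assumption (not from the page): a negative value is treated like an absent
    attribute, matching the -1 convention of the shadow file; 0 is handled
    like any other day count.
    """
    if value is None:
        return None
    if isinstance(value, bytes):
        value = value.decode("ascii")
    text = str(value).strip()
    if text == "":
        return None
    days = int(text)  # ValueError on garbage; callers should treat that as a parse error
    if days < 0:
        return None
    return days


def is_account_expired(shadow_expire, today: date) -> bool:
    """True when the account must be refused: today >= shadowExpire."""
    expire_day = parse_shadow_expire(shadow_expire)
    if expire_day is None:
        return False
    return days_since_epoch(today) >= expire_day


def days_until_expiry(shadow_expire, today: date) -> Optional[int]:
    """Days left before the account is disabled (<= 0 means already expired); None = never."""
    expire_day = parse_shadow_expire(shadow_expire)
    if expire_day is None:
        return None
    return expire_day - days_since_epoch(today)


if __name__ == "__main__":
    today_days = days_since_epoch(SAMPLE_TODAY)
    sample_entries = {  # constructed sample users
        "alice": str(today_days + 1),  # expires tomorrow: still active
        "bob": str(today_days),        # expires today: refused because of >=
        "carol": "",                   # no expiry set
    }
    for uid, attr in sample_entries.items():
        state = "expired" if is_account_expired(attr, SAMPLE_TODAY) else "active"
        print(uid, state, days_until_expiry(attr, SAMPLE_TODAY))
```

The `bob` entry is the case the PR fixes: with a strict `>` comparison the account would still be usable for the whole day named in shadowExpire.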
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863 Title: #5863: Responder and Child process tevent chain id improvements sumit-bose commented: """ Hi, I'm sorry I didn't pull the latest version when running the tests. Since the chain_id option is now added unconditionally `test_set_extra_args` needs a change like: ``` diff --git a/src/tests/cmocka/test_krb5_common.c b/src/tests/cmocka/test_krb5_common.c index c43d836ad..4bf3237a7 100644 --- a/src/tests/cmocka/test_krb5_common.c +++ b/src/tests/cmocka/test_krb5_common.c @@ -103,7 +103,8 @@ void test_set_extra_args(void **state) assert_int_equal(ret, EOK); assert_string_equal(krb5_child_extra_args[0], uid_opt); assert_string_equal(krb5_child_extra_args[1], gid_opt); -assert_null(krb5_child_extra_args[2]); +assert_string_equal(krb5_child_extra_args[2], "--chain-id=0"); +assert_null(krb5_child_extra_args[3]); talloc_free(krb5_child_extra_args); krb5_ctx->canonicalize = true; @@ -113,7 +114,8 @@ void test_set_extra_args(void **state) assert_string_equal(krb5_child_extra_args[0], uid_opt); assert_string_equal(krb5_child_extra_args[1], gid_opt); assert_string_equal(krb5_child_extra_args[2], "--canonicalize"); -assert_null(krb5_child_extra_args[3]); +assert_string_equal(krb5_child_extra_args[3], "--chain-id=0"); +assert_null(krb5_child_extra_args[4]); talloc_free(krb5_child_extra_args); krb5_ctx->realm = discard_const(TEST_REALM); @@ -124,7 +126,8 @@ void test_set_extra_args(void **state) assert_string_equal(krb5_child_extra_args[1], gid_opt); assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM); assert_string_equal(krb5_child_extra_args[3], "--canonicalize"); -assert_null(krb5_child_extra_args[4]); +assert_string_equal(krb5_child_extra_args[4], "--chain-id=0"); +assert_null(krb5_child_extra_args[5]); talloc_free(krb5_child_extra_args); /* --fast-principal will be only set if FAST is used */ 
@@ -136,7 +139,8 @@ void test_set_extra_args(void **state) assert_string_equal(krb5_child_extra_args[1], gid_opt); assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM); assert_string_equal(krb5_child_extra_args[3], "--canonicalize"); -assert_null(krb5_child_extra_args[4]); +assert_string_equal(krb5_child_extra_args[4], "--chain-id=0"); +assert_null(krb5_child_extra_args[5]); talloc_free(krb5_child_extra_args); krb5_ctx->use_fast_str = discard_const(TEST_FAST_STR); @@ -150,7 +154,8 @@ void test_set_extra_args(void **state) assert_string_equal(krb5_child_extra_args[4], "--fast-principal=" TEST_FAST_PRINC); assert_string_equal(krb5_child_extra_args[5], "--canonicalize"); -assert_null(krb5_child_extra_args[6]); +assert_string_equal(krb5_child_extra_args[6], "--chain-id=0"); +assert_null(krb5_child_extra_args[7]); talloc_free(krb5_child_extra_args); krb5_ctx->lifetime_str = discard_const(TEST_LIFE_STR); @@ -168,7 +173,8 @@ void test_set_extra_args(void **state) assert_string_equal(krb5_child_extra_args[6], "--fast-principal=" TEST_FAST_PRINC); assert_string_equal(krb5_child_extra_args[7], "--canonicalize"); -assert_null(krb5_child_extra_args[8]); +assert_string_equal(krb5_child_extra_args[8], "--chain-id=0"); +assert_null(krb5_child_extra_args[9]); talloc_free(krb5_child_extra_args); talloc_free(krb5_ctx); ``` """ See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-974616834
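Review bot: the six hunks of the suggested test_krb5_common.c change each repeat the literal `"--chain-id=0"` and shift the trailing `assert_null` by one index, which is correct for an option that is always appended last, but the test now silently depends on that argument ordering. A short comment at the first occurrence, or a single `#define` for the expected chain id string, would make the dependency explicit and keep the next unconditional option from touching six places again.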
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
sumit-bose commented:
"""
Hi,

I'm fine with the patches and tests are working locally for me. I restarted the CI task to hopefully get some CI results as well.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-974286264
[SSSD] [sssd PR#5872][+Accepted] p11_child: Fixes for authentication
URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication
Label: +Accepted
[SSSD] [sssd PR#5872][comment] p11_child: Fixes for authentication
URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication
sumit-bose commented:
"""
Hi,

thanks a lot for the patches. I agree with all the changes and have no further comments. I was thinking about how to add tests for the `--wait_for_card` option but this is clearly out of scope here.

ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5872#issuecomment-974261642
[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
sumit-bose commented:
"""
Hi,

thanks for the patch. I think an option is needed to control this behavior because SSSD does not know if the denied LDAP access was intentional or not. If it is intentional then just ignoring the object which cannot be accessed is ok. But if it is not intentional and the unreadable object is a group used in `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be permitted to access the system although it was expected that access is denied by adding the user to this group.

What do you think about it?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-974022679
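The two PR#5881 comments above make one security argument: when a referenced group cannot be read, silently dropping it turns a deny-list check into an allow, so the behaviour needs an explicit option and a fail-closed default. The following is an added example, not SSSD code, that models that argument end to end: a tiny directory where the deny group is the one entry the client may not read, a membership resolver with a switch modelled on the proposed `ldap_ignore_unreadable_references`, and a `simple_deny_groups`-style decision that shows the fail-open and fail-closed outcomes side by side. All DNs and entries are constructed sample data.

```python
"""Fail-open versus fail-closed on an unreadable group reference (added example, not SSSD code).

Access is decided by a deny list of groups (like `simple_deny_groups`).
Group membership comes from references the directory may refuse to return.
A switch modelled on the proposed `ldap_ignore_unreadable_references` option
decides whether an unreadable reference is skipped (fail open) or becomes a
hard error that denies access (fail closed). All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Set


class UnreadableReference(Exception):
    """The directory did not return a referenced entry (e.g. access denied by ACL)."""


@dataclass
class Directory:
    entries: Dict[str, dict]                            # dn -> attributes
    unreadable: Set[str] = field(default_factory=set)   # dns this client may not read

    def read(self, dn: str) -> dict:
        if dn in self.unreadable:
            raise UnreadableReference(dn)
        return self.entries[dn]


class Decision(NamedTuple):
    allowed: bool
    reason: str


def resolve_groups(directory: Directory, user_dn: str, ignore_unreadable: bool) -> List[str]:
    """Dereference the user's memberOf values into group names.

    With ignore_unreadable=True an unreadable group is silently dropped, which
    is exactly how a deny group can vanish from the evaluation.
    """
    user = directory.read(user_dn)
    groups = []
    for group_dn in user.get("memberOf", []):
        try:
            groups.append(directory.read(group_dn)["cn"])
        except UnreadableReference:
            if not ignore_unreadable:
                raise
    return groups


def evaluate_access(directory: Directory, user_dn: str, deny_groups: List[str],
                    ignore_unreadable: bool) -> Decision:
    """Deny if the user is in any deny group; an unresolved reference denies
    unless the administrator explicitly opted into ignoring it."""
    try:
        groups = resolve_groups(directory, user_dn, ignore_unreadable)
    except UnreadableReference as exc:
        return Decision(False, f"cannot evaluate deny groups, unreadable reference {exc}")
    hit = sorted(set(groups) & set(deny_groups))
    if hit:
        return Decision(False, f"member of deny group {hit[0]}")
    return Decision(True, "not in any deny group")


# Constructed sample directory: the deny group is the one entry the client may not read.
SAMPLE_DIRECTORY = Directory(
    entries={
        "uid=alice,ou=people,dc=example,dc=test": {
            "uid": "alice",
            "memberOf": ["cn=blocked,ou=groups,dc=example,dc=test",
                         "cn=staff,ou=groups,dc=example,dc=test"],
        },
        "uid=bob,ou=people,dc=example,dc=test": {
            "uid": "bob",
            "memberOf": ["cn=staff,ou=groups,dc=example,dc=test"],
        },
        "cn=blocked,ou=groups,dc=example,dc=test": {"cn": "blocked"},
        "cn=staff,ou=groups,dc=example,dc=test": {"cn": "staff"},
    },
    unreadable={"cn=blocked,ou=groups,dc=example,dc=test"},
)
DENY_GROUPS = ["blocked"]
ALICE = "uid=alice,ou=people,dc=example,dc=test"
BOB = "uid=bob,ou=people,dc=example,dc=test"


if __name__ == "__main__":
    for ignore in (True, False):
        print(f"ignore_unreadable={ignore}:",
              evaluate_access(SAMPLE_DIRECTORY, ALICE, DENY_GROUPS, ignore))
```

With `ignore_unreadable=True` alice is allowed in even though the administrator put her in `blocked`; with `False` the same lookup denies her, and bob, whose groups are all readable, is unaffected by the switch. That asymmetry is why the default matters more than the option itself.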
[SSSD] [sssd PR#5762][comment] krb5: add support for idp:oauth2 challenge
URL: https://github.com/SSSD/sssd/pull/5762
Title: #5762: krb5: add support for idp:oauth2 challenge
sumit-bose commented:
"""
Hi,

thanks for the update, I updated my [oidc_child](https://github.com/sumit-bose/sssd/tree/oidc_child) tree accordingly and all is still working fine.

What about directly generating the padata, shall I just call `sss_idp_oauth2_encode_padata()` directly and link `idp_utils.c` to `oidc_child` or shall I copy the relevant code so that you can drop it from `idp_utils.c`?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5762#issuecomment-968991818
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements
sumit-bose commented:
"""
> Now that the RID # is passed to the child log files, `sssctl analyze request show #`
> will check these child logs and print those RID # matches also.
> Should this be default behavior, or only when an argument like `--child` is
> provided to the request show subcommand?

Hi,

I tend to the latter. The idea of the tool is to help to find issues. Adding the child logs by default might make this harder especially if the issue is not related to a child process. It might even be worth being able to switch on only a single child, e.g. `--child=krb5_child`.

Is there a reason you mostly send the id together with other data via stdin and not with a command line option? Personally I would prefer a command line option because it makes the child process easier to use manually. E.g. currently you can run `p11_child` manually even in auth mode by calling `echo -n PIN | /usr/libexec/sssd/p11_child --auth`. Now additional 8 bytes are expected, which still would allow to call `p11_child` manually but it would be less obvious. The PIN has to be sent via stdin, otherwise it would be visible on the command line and so visible for everyone calling `ps`.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-963103190
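The comment above draws a line that is easy to get wrong in helper-process design: non-secret parameters such as a chain id can go on the command line, but a PIN must travel over stdin because argv is readable by anyone running `ps`. The following is an added example, not SSSD code and not `p11_child`, that spawns a stand-in child (a Python one-liner) which reports what it saw on argv and how many bytes arrived on stdin, so the recommended layout and the anti-pattern can be compared directly. The flag names echo the thread (`--auth`, `--chain-id=0`) but are only opaque strings to the stand-in; the PIN is a constructed sample value.

```python
"""Passing a secret to a helper process via stdin instead of argv (added example, not SSSD code).

The stand-in child below is a Python one-liner, not p11_child: it prints the
argv it received and the number of bytes read from stdin, which is enough to
show which layout exposes the PIN to a process listing.
"""
import json
import subprocess
import sys
from typing import List

# Stand-in for a helper binary: echoes argv and the number of stdin bytes as JSON.
CHILD_SCRIPT = (
    "import json, sys\n"
    "data = sys.stdin.buffer.read()\n"
    "print(json.dumps({'argv': sys.argv[1:], 'stdin_len': len(data)}))\n"
)


def run_child(args: List[str], stdin_data: bytes) -> dict:
    """Spawn the stand-in child with `args` on its command line and `stdin_data` on stdin."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT, *args],
        input=stdin_data, capture_output=True, check=True, timeout=30,
    )
    return json.loads(proc.stdout)


def secret_on_stdin(pin: bytes, chain_id: int) -> dict:
    """Recommended layout: only non-secret options on argv, the PIN on stdin."""
    return run_child(["--auth", f"--chain-id={chain_id}"], pin)


def secret_on_argv(pin: bytes, chain_id: int) -> dict:
    """Anti-pattern kept for comparison: the PIN lands in argv, visible to every process list."""
    return run_child(["--auth", f"--chain-id={chain_id}", f"--pin={pin.decode()}"], b"")


def argv_leaks_secret(result: dict, pin: bytes) -> bool:
    """True when the secret shows up in what the child saw on its command line."""
    return any(pin.decode() in arg for arg in result["argv"])


if __name__ == "__main__":
    pin = b"123456"  # constructed sample PIN
    good = secret_on_stdin(pin, 0)
    bad = secret_on_argv(pin, 0)
    print("stdin layout:", good, "leaks:", argv_leaks_secret(good, pin))
    print("argv layout: ", bad, "leaks:", argv_leaks_secret(bad, pin))
```

What the child prints as `argv` is exactly what `/proc/<pid>/cmdline` and `ps` would show while it runs; the stdin bytes never appear there, which is the property the comment relies on when it asks for the PIN to stay on stdin even after the 8 extra bytes are added.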
[SSSD] [sssd PR#5855][-Waiting for review] CKM_RSA_PKCS support.
URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.
Label: -Waiting for review
[SSSD] [sssd PR#5855][+Accepted] CKM_RSA_PKCS support.
URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.
Label: +Accepted
[SSSD] [sssd PR#5855][comment] CKM_RSA_PKCS support.
URL: https://github.com/SSSD/sssd/pull/5855
Title: #5855: CKM_RSA_PKCS support.
sumit-bose commented:
"""
Hi,

thanks, ACK.

Looks like the tests were not run, not sure why?
"""
See the full comment at https://github.com/SSSD/sssd/pull/5855#issuecomment-962004216
[SSSD] [sssd PR#5847][+Accepted] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
Label: +Accepted
[SSSD] [sssd PR#5847][comment] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
sumit-bose commented:
"""
Hi,

thanks for the swift reply, then I'm fine with the patch, ACK.

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5847#issuecomment-961156259
[SSSD] [sssd PR#5847][comment] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
sumit-bose commented:
"""
Hi,

thank you for the analysis and the patch. There is a slight difference between the online and the offline case. When online we know that nothing was returned. When offline a missing entry can either mean that there is none on the server or that the server was not checked before.

@abbra, do you think this distinction is important and we should somehow store in the cache that the server does not support desktop profiles or can we just proceed in either case?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5847#issuecomment-960922040
[SSSD] [sssd PR#5855][comment] CKM_RSA_PKCS support.
URL: https://github.com/SSSD/sssd/pull/5855 Title: #5855: CKM_RSA_PKCS support. sumit-bose commented: """ Hi, thank you for the patch. Code-wise I'm fine and my tests were successful as well. While talking about tests, I think it would be good to have tests as well. SoftHSM2 allows to define the available mechanisms with the `slots.mechanisms` option. I tested the patch by adding `slots.mechanisms = CKM_RSA_PKCS` to `softhsm2_one.conf` and running `pam-srv-tests`. I wonder if you can add some tests with different mechanisms (yes, I know, I should have added them when I added the additional mechanisms) or if you prefer that this should be moved to a different PR? bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5855#issuecomment-960608478
[SSSD] [sssd PR#5860][+Accepted] [monitor] Fix untranslated string
URL: https://github.com/SSSD/sssd/pull/5860 Title: #5860: [monitor] Fix untranslated string Label: +Accepted
[SSSD] [sssd PR#5860][comment] [monitor] Fix untranslated string
URL: https://github.com/SSSD/sssd/pull/5860 Title: #5860: [monitor] Fix untranslated string sumit-bose commented: """ Hi, thank you for the new version, ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5860#issuecomment-958695286
[SSSD] [sssd PR#5850][synchronized] ad: filter trusted domains
URL: https://github.com/SSSD/sssd/pull/5850 Author: sumit-bose Title: #5850: ad: filter trusted domains Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5850/head:pr5850 git checkout pr5850 From 8c6f443dae3885b4de9b6030c51ba54e0768f814 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 6 Oct 2021 13:03:27 +0200 Subject: [PATCH] ad: filter trusted domains The fix for https://github.com/SSSD/sssd/issues/5528 might discover domains which are not trusted (one-way trust) or are from a different forest (direct trust). Both should be ignored because they are not trusted or can currently not be handled properly. This patch filters out those domains. Resolves: https://github.com/SSSD/sssd/issues/5819 --- src/providers/ad/ad_subdomains.c | 104 +-- 1 file changed, 99 insertions(+), 5 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 3eb49c93f2..ac463026f8 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -46,6 +46,7 @@ #define AD_AT_TRUST_PARTNER "trustPartner" #define AD_AT_TRUST_ATTRS "trustAttributes" #define AD_AT_DOMAIN_NAME "cn" +#define AD_AT_TRUST_DIRECTION "trustDirection" /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx @@ -69,6 +70,12 @@ /* do not refresh more often than every 5 seconds for now */ #define AD_SUBDOMAIN_REFRESH_LIMIT 5 +/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */ +#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x0020 + +/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */ +#define TRUST_DIRECTION_OUTBOUND 0x0002 + static void ad_disable_gc(struct ad_options *ad_options) { 
@@ -646,6 +653,85 @@ ad_subdom_store(struct confdb_ctx *cdb, return ret; } +/* When reading trusted domains from the local DC we are basically interested + * in domains from the local forest we are trusting, i.e. users from this + * domain can connect to us. To not unnecessarily bloat the list of domains + * and make multi-domain searches slow we filter domains from other forest and + * domains we do not trust. + * In future we might add config options to broaden the scope and allow more + * domains. + * If ad_filter_domains() returns successfully with EOK in input array is not + * valid anymore and should be freed by the caller. */ +static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx, + struct sysdb_attrs **subdomains, + size_t num_subdomains, + struct sysdb_attrs ***_sd_out, + size_t *_num_sd_out) +{ +int ret; +size_t c; +uint32_t tmp_uint32_t; +const char *value; +struct sysdb_attrs **sd_out; +size_t num_sd_out = 0; + +sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *, + num_subdomains + 1); +if (sd_out == NULL) { +DEBUG(SSSDBG_OP_FAILURE, + "Failed to allocate memory for sub-domain list.\n"); +return ENOMEM; +} + +for (c = 0; c < num_subdomains; c++) { +ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER, + &value); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); +talloc_free(sd_out); +return ret; +} + +/* Ignore direct trusts to domains from other forests + * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not + * trust (TRUST_DIRECTION_OUTBOUND is not set) */ + +tmp_uint32_t = 0; +ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS, + &tmp_uint32_t); +if (ret != EOK +|| (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) { +DEBUG(SSSDBG_FUNC_DATA, + "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n", + value); +continue; +} + +tmp_uint32_t = 0; +ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION, + &tmp_uint32_t); +if (ret != EOK +|| (tmp_uint32_t & 
TRUST_DIRECTION_OUTBOUND) == 0) { +DEBUG(SSSDBG_FUNC_DATA, + "TRUST_DIRECTION_OUTBOUND not set for [%s].\n", + value); +continue; +} + +sd_out[num_sd_out] = subdomains[c]; +num_sd_out++; +} + +for (c = 0; c < num_sd_out; c++) { +sd_out[c] = talloc_steal(sd_out, sd_out[c]); +} + +*_sd_out = sd_out; +*_num_sd_out = num_sd_ou
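Review bot: in the ad_filter_domains() hunk the two checks `if (ret != EOK || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0)` and `if (ret != EOK || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0)` log "... not set for [%s]" at SSSDBG_FUNC_DATA even when sysdb_attrs_get_uint32_t() failed, so an unparsable or otherwise broken attribute is reported as if the bit were simply absent and the real cause never reaches the log. Skipping the domain in both cases is the right safe default, but please handle the lookup failure separately with an SSSDBG_OP_FAILURE message that names the attribute and the trustPartner, and apply the flag test only when the value was actually read.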
[SSSD] [sssd PR#5850][comment] ad: filter trusted domains
URL: https://github.com/SSSD/sssd/pull/5850 Title: #5850: ad: filter trusted domains sumit-bose commented: """ > Hi @sumit-bose, > > does it apply to 1.16 branch or do we need a separate PR? Hi, yes, currently it applies cleanly to the 1.16 branch. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5850#issuecomment-954635124
[SSSD] [sssd PR#5850][opened] ad: filter trusted domains
URL: https://github.com/SSSD/sssd/pull/5850 Author: sumit-bose Title: #5850: ad: filter trusted domains Action: opened PR body: """ The fix for https://github.com/SSSD/sssd/issues/5528 might discover domains which are not trusted (one-way trust) or are from a different forest (direct trust). Both should be ignored because they are not trusted or can currently not be handled properly. This patch filters out those domains. Resolves: https://github.com/SSSD/sssd/issues/5819 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5850/head:pr5850 git checkout pr5850 From 05fbe968f6ed07efb50d938c8cb3e3f993a01e12 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 6 Oct 2021 13:03:27 +0200 Subject: [PATCH] ad: filter trusted domains The fix for https://github.com/SSSD/sssd/issues/5528 might discover domains which are not trusted (one-way trust) or are from a different forest (direct trust). Both should be ignored because they are not trusted or can currently not be handled properly. This patch filters out those domains. Resolves: https://github.com/SSSD/sssd/issues/5819 --- src/providers/ad/ad_subdomains.c | 98 ++-- 1 file changed, 93 insertions(+), 5 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 3eb49c93f2..25b9088985 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -46,6 +46,7 @@ #define AD_AT_TRUST_PARTNER "trustPartner" #define AD_AT_TRUST_ATTRS "trustAttributes" #define AD_AT_DOMAIN_NAME "cn" +#define AD_AT_TRUST_DIRECTION "trustDirection" /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx 
@@ -69,6 +70,12 @@ /* do not refresh more often than every 5 seconds for now */ #define AD_SUBDOMAIN_REFRESH_LIMIT 5 +/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */ +#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x0020 + +/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */ +#define TRUST_DIRECTION_OUTBOUND 0x0002 + static void ad_disable_gc(struct ad_options *ad_options) { 
@@ -646,6 +653,79 @@ ad_subdom_store(struct confdb_ctx *cdb, return ret; } +/* When reading trusted domains from the local DC we are basically interested + * in domains from the local forest we are trusting, i.e. users from this + * domain can connect to us. To not unnecessarily bloat the list of domains + * and make multi-domain searches slow we filter domains from other forest and + * domains we do not trust. + * In future we might add config options to broaden the scope and allow more + * domains. */ +static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx, + struct sysdb_attrs **subdomains, + size_t num_subdomains, + struct sysdb_attrs ***_sd_out, + size_t *_num_sd_out) +{ +int ret; +size_t c; +uint32_t tmp_uint32_t; +const char *value; +struct sysdb_attrs **sd_out; +size_t num_sd_out = 0; + +sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *, + num_subdomains + 1); +if (sd_out == NULL) { +DEBUG(SSSDBG_OP_FAILURE, + "Failed to allocate memory for sub-domain list.\n"); +return ENOMEM; +} + +for (c = 0; c < num_subdomains; c++) { +ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER, + &value); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); +talloc_free(sd_out); +return ret; +} + +/* Ignore direct trusts to domains from other forests + * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not + * trust (TRUST_DIRECTION_OUTBOUND is not set) */ + +tmp_uint32_t = 0; +ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS, + &tmp_uint32_t); +if (ret != EOK +|| (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) { +DEBUG(SSSDBG_FUNC_DATA, + "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n", + value); +continue; +} + +tmp_uint32_t = 0; +ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION, + &tmp_uint32_t); +if (ret != EOK +|| (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) { +DEBUG(SSSDBG_FUNC_DATA, + "TRUST_DIRECTION_OUTBOUND not set for [%s].\n", + value); +co
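Review bot: the comment above ad_filter_domains() does not document the ownership of the entries handed back in `_sd_out`. The selected `struct sysdb_attrs` pointers are copied from the caller's `subdomains` array into `sd_out`, so the caller needs to know whether it may still free or iterate the input array afterwards and which talloc context the kept entries hang off. Please add a sentence stating who owns the selected entries and what happens to the input array on EOK, and keep the error paths consistent with it (on the `sysdb_attrs_get_string()` failure the hunk frees `sd_out` and returns, so nothing from the input may have been moved at that point).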
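The two tests the PR description relies on, as an added example that is not SSSD's code: it applies the same "within our forest" and "outbound from our side" checks to trustedDomain objects exported from a DC, so an administrator can see beforehand which trusts SSSD will keep and which it will drop. The flag values come from MS-ADTS 6.1.6.7.9 and 6.1.6.7.12; the LDIF, the domain names and the tiny LDIF reader are assumptions made for the example, and the sample data is constructed, not a real directory dump.

```python
"""Added example, not SSSD's code: apply the trust filter from PR#5850 to
trustedDomain objects exported from a DC, so an admin can see beforehand
which trusts SSSD will keep (in our forest and trusted by us) and which
it will drop. Bit values are from MS-ADTS 6.1.6.7.9 (trustAttributes)
and 6.1.6.7.12 (trustDirection). The LDIF below is constructed sample
data shaped like ldapsearch output over CN=System, not a real dump."""

# trustAttributes bits (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x0008
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x0020

# trustDirection bits (MS-ADTS 6.1.6.7.12); 3 means bidirectional
TRUST_DIRECTION_INBOUND = 0x0001
TRUST_DIRECTION_OUTBOUND = 0x0002

SAMPLE_LDIF = """\
# constructed: ldapsearch -LLL -b CN=System,DC=example,DC=test (objectClass=trustedDomain)
dn: CN=child.example.test,CN=System,DC=example,DC=test
trustPartner: child.example.test
trustAttributes: 32
trustDirection: 3

dn: CN=corp.example.test,CN=System,DC=example,DC=test
trustPartner: corp.example.test
trustAttributes: 32
trustDirection: 1

dn: CN=partner.example.org,CN=System,DC=example,DC=test
trustPartner: partner.example.org
trustAttributes: 8
trustDirection: 3

dn: CN=legacy.example.net,CN=System,DC=example,DC=test
trustPartner: legacy.example.net
trustAttributes: 0
trustDirection: 2

dn: CN=broken.example.test,CN=System,DC=example,DC=test
trustPartner: broken.example.test
trustAttributes: 32
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, 'attr: value' lines only
    (no base64 '::' values, no line folding); '#' lines are comments and
    blank lines separate entries. Enough for the attributes used here."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def trust_verdict(entry):
    """Return (keep, reason) for one trustedDomain entry using the two
    tests from the PR: the partner must be in our forest and we must
    trust it (outbound bit). A missing or unparsable attribute counts
    as 'do not trust', which is the safe default."""
    try:
        attrs = int(entry.get("trustAttributes", "0"))
        direction = int(entry.get("trustDirection", "0"))
    except ValueError:
        return False, "unparsable trustAttributes/trustDirection"
    reasons = []
    if not attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        kind = "forest trust" if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE else "external trust"
        reasons.append(f"not within forest ({kind})")
    if not direction & TRUST_DIRECTION_OUTBOUND:
        reasons.append("no outbound trust (we do not trust the partner)")
    if reasons:
        return False, "; ".join(reasons)
    return True, "within forest and outbound"


def filter_trusted_domains(entries):
    """trustPartner names SSSD's AD provider would keep after the filter."""
    return [e["trustPartner"] for e in entries if trust_verdict(e)[0]]


def audit_trusts(entries):
    """One line per trust, for a quick review of what SSSD will see."""
    return [
        f"{'keep' if trust_verdict(e)[0] else 'drop'} {e.get('trustPartner', '?')}: {trust_verdict(e)[1]}"
        for e in entries
    ]


SAMPLE_TRUSTS = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print("\n".join(audit_trusts(SAMPLE_TRUSTS)))
```

Run against a real export, only the child domain survives the filter in the sample: the inbound-only intra-forest entry, the forest trust and the external trust are all dropped, and the entry with a missing trustDirection is dropped too rather than guessed at.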
[SSSD] [sssd PR#5826][-Waiting for review] DEBUG: fix missing "va_end"
URL: https://github.com/SSSD/sssd/pull/5826 Title: #5826: DEBUG: fix missing "va_end" Label: -Waiting for review
[SSSD] [sssd PR#5826][+Accepted] DEBUG: fix missing "va_end"
URL: https://github.com/SSSD/sssd/pull/5826 Title: #5826: DEBUG: fix missing "va_end" Label: +Accepted
[SSSD] [sssd PR#5826][comment] DEBUG: fix missing "va_end"
URL: https://github.com/SSSD/sssd/pull/5826 Title: #5826: DEBUG: fix missing "va_end" sumit-bose commented: """ Hi, thanks, ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5826#issuecomment-944022983
[SSSD] [sssd PR#5825][comment] krb5: use hidden file when creating config snippets
URL: https://github.com/SSSD/sssd/pull/5825 Title: #5825: krb5: use hidden file when creating config snippets sumit-bose commented: """ > There is `ding-libs/path_utils` that has relevant functions but I think it > doesn't make sense to pull it in... Hi, yes, there are the POSIX `basename()` and `dirname` calls as well, but those and the ding-libs versions are not aware of talloc, so I thought implementing it directly would be more efficient. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5825#issuecomment-942348678
[SSSD] [sssd PR#5825][synchronized] krb5: use hidden file when creating config snippets
URL: https://github.com/SSSD/sssd/pull/5825 Author: sumit-bose Title: #5825: krb5: use hidden file when creating config snippets Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5825/head:pr5825 git checkout pr5825 From 0af6545696d95c813708ad9ba0993dd63ee4f7e4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 13 Oct 2021 09:54:53 +0200 Subject: [PATCH] krb5: use hidden file when creating config snippets When creating config snippets for libkrb5 SSSD first creates a temporary file with a random suffix and renames this file after all content is written. If this temporary file is not properly removed or renamed due to an error it might confuse libkrb5. To avoid this confusion with this patch the temporary files are created as hidden files, the name will start with a '.', which are ignored by libkrb5. Resolves: https://github.com/SSSD/sssd/issues/5824 --- src/tests/cmocka/test_utils.c | 21 + src/util/domain_info_utils.c | 26 -- src/util/util.h | 2 ++ 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c index 536cee59f4..6661740087 100644 --- a/src/tests/cmocka/test_utils.c +++ b/src/tests/cmocka/test_utils.c @@ -1513,6 +1513,26 @@ void test_sss_write_krb5_conf_snippet(void **state) free(path); } +void test_get_hidden_path(void **state) +{ +char *s; + +assert_null(get_hidden_tmp_path(NULL, NULL)); +assert_null(get_hidden_tmp_path(NULL, "/")); +assert_null(get_hidden_tmp_path(NULL, "/abc/")); + +s = get_hidden_tmp_path(NULL, "abc"); +assert_string_equal(s, ".abcXX"); +talloc_free(s); + +s = get_hidden_tmp_path(NULL, "/abc"); +assert_string_equal(s, "/.abcXX"); +talloc_free(s); + +s = get_hidden_tmp_path(NULL, "/xyz/xyz/xyz//abc"); +assert_string_equal(s, "/xyz/xyz/xyz//.abcXX"); +talloc_free(s); +} struct unique_file_test_ctx { char *filename; 
@@ -2127,6 +2147,7 @@ int main(int argc, const char *argv[]) setup_leak_tests, teardown_leak_tests), cmocka_unit_test(test_sss_write_krb5_conf_snippet), +cmocka_unit_test(test_get_hidden_path), cmocka_unit_test_setup_teardown(test_sss_unique_file, unique_file_test_setup, unique_file_test_teardown), diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index c2e510ecf1..67f1c8d88a 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -471,7 +471,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain) DEBUG(SSSDBG_FUNC_DATA, "Mapping file for domain [%s] is [%s]\n", domain->name, mapping_file); -tmp_file = talloc_asprintf(tmp_ctx, "%sXX", mapping_file); +tmp_file = get_hidden_tmp_path(tmp_ctx, mapping_file); if (tmp_file == NULL) { ret = ENOMEM; goto done; @@ -631,6 +631,28 @@ errno_t get_dom_names(TALLOC_CTX *mem_ctx, return ret; } +char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path) +{ +const char *s; + +if (path == NULL) { +return NULL; +} + +s = strrchr(path, '/'); +if (s == NULL) { +/* No path, just file name */ +return talloc_asprintf(mem_ctx, ".%sXX", path); +} else if ( *(s + 1) == '\0') { +/* '/' is the last character, there is no filename */ +DEBUG(SSSDBG_OP_FAILURE, "Missing file name in [%s].\n", path); +return NULL; +} + +return talloc_asprintf(mem_ctx, "%.*s.%sXX", (int)(s - path + 1), + path, s+1); +} + static errno_t sss_write_krb5_snippet_common(const char *file_name, const char *content) { @@ -649,7 +671,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, return ENOMEM; } -tmp_file = talloc_asprintf(tmp_ctx, "%sXX", file_name); +tmp_file = get_hidden_tmp_path(tmp_ctx, file_name); if (tmp_file == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); ret = ENOMEM; diff --git a/src/util/util.h b/src/util/util.h index bcbb9ac72f..e85cd12022 100644 --- a/src/util/util.h +++ b/src/util/util.h 
@@ -637,6 +637,8 @@ errno_t sss_get_domain_mappings_content(TALLOC_CTX *mem_ctx, errno_t sss_write_domain_mappings(struct sss_domain_info *domain); +char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path); + errno_t sss_write_krb5_conf_snippet(const char *path, bool canonica
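Review bot: in the sss_write_krb5_snippet_common() hunk the error handling after `tmp_file = get_hidden_tmp_path(tmp_ctx, file_name);` still logs "talloc_asprintf failed." and returns ENOMEM, but get_hidden_tmp_path() now also returns NULL for a path without a file name (its "Missing file name in [%s]" branch), which is an input problem, not an allocation failure. The sss_write_domain_mappings() hunk has the same issue with `ret = ENOMEM`. Consider giving get_hidden_tmp_path() an errno_t return with an out pointer so the two cases can be told apart, or at least update the message and return code so an invalid path is not reported as out-of-memory.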
[SSSD] [sssd PR#5825][opened] krb5: use hidden file when creating config snippets
URL: https://github.com/SSSD/sssd/pull/5825 Author: sumit-bose Title: #5825: krb5: use hidden file when creating config snippets Action: opened PR body: """ When creating config snippets for libkrb5 SSSD first creates a temporary file with a random suffix and renames this file after all content is written. If this temporary file is not properly removed or renamed due to an error it might confuse libkrb5. To avoid this confusion with this patch the temporary files are created as hidden files, the name will start with a '.', which are ignored by libkrb5. Resolves: https://github.com/SSSD/sssd/issues/5824 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5825/head:pr5825 git checkout pr5825 From ecb4a007571baf73f03ad08c23ab76b56659d4f1 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 13 Oct 2021 09:54:53 +0200 Subject: [PATCH] krb5: use hidden file when creating config snippets When creating config snippets for libkrb5 SSSD first creates a temporary file with a random suffix and renames this file after all content is written. If this temporary file is not properly removed or renamed due to an error it might confuse libkrb5. To avoid this confusion with this patch the temporary files are created as hidden files, the name will start with a '.', which are ignored by libkrb5. Resolves: https://github.com/SSSD/sssd/issues/5824 --- src/tests/cmocka/test_utils.c | 21 + src/util/domain_info_utils.c | 26 -- src/util/util.h | 2 ++ 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c index 536cee59f4..6661740087 100644 --- a/src/tests/cmocka/test_utils.c +++ b/src/tests/cmocka/test_utils.c 
@@ -1513,6 +1513,26 @@ void test_sss_write_krb5_conf_snippet(void **state) free(path); } +void test_get_hidden_path(void **state) +{ +char *s; + +assert_null(get_hidden_tmp_path(NULL, NULL)); +assert_null(get_hidden_tmp_path(NULL, "/")); +assert_null(get_hidden_tmp_path(NULL, "/abc/")); + +s = get_hidden_tmp_path(NULL, "abc"); +assert_string_equal(s, ".abcXX"); +talloc_free(s); + +s = get_hidden_tmp_path(NULL, "/abc"); +assert_string_equal(s, "/.abcXX"); +talloc_free(s); + +s = get_hidden_tmp_path(NULL, "/xyz/xyz/xyz//abc"); +assert_string_equal(s, "/xyz/xyz/xyz//.abcXX"); +talloc_free(s); +} struct unique_file_test_ctx { char *filename; @@ -2127,6 +2147,7 @@ int main(int argc, const char *argv[]) setup_leak_tests, teardown_leak_tests), cmocka_unit_test(test_sss_write_krb5_conf_snippet), +cmocka_unit_test(test_get_hidden_path), cmocka_unit_test_setup_teardown(test_sss_unique_file, unique_file_test_setup, unique_file_test_teardown), diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index c2e510ecf1..0673930ee3 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -471,7 +471,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain) DEBUG(SSSDBG_FUNC_DATA, "Mapping file for domain [%s] is [%s]\n", domain->name, mapping_file); -tmp_file = talloc_asprintf(tmp_ctx, "%sXX", mapping_file); +tmp_file = get_hidden_tmp_path(tmp_ctx, mapping_file); if (tmp_file == NULL) { ret = ENOMEM; goto done; 
@@ -631,6 +631,28 @@ errno_t get_dom_names(TALLOC_CTX *mem_ctx, return ret; } +char *get_hidden_tmp_path(TALLOC_CTX *mem_ctx, const char *path) +{ +char *s; + +if (path == NULL) { +return NULL; +} + +s = strrchr(path, '/'); +if (s == NULL) { +/* No path, just file name */ +return talloc_asprintf(mem_ctx, ".%sXX", path); +} else if ( *(s + 1) == '\0') { +/* '/' is the last character, there is no filename */ +DEBUG(SSSDBG_OP_FAILURE, "Missing file name in [%s].\n", path); +return NULL; +} + +return talloc_asprintf(mem_ctx, "%.*s.%sXX", (int)(s - path + 1), + path, s+1); +} + static errno_t sss_write_krb5_snippet_common(const char *file_name, const char *content) { @@ -649,7 +671,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, return ENOMEM; } -tmp_file = talloc_asprintf(tmp_ctx, "%sXX", file_name); +tmp_file = get_hidden_tmp_path(tmp_ctx, file_name); if (tmp_file == NULL) { DEBUG(SSS
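Review bot: in the get_hidden_tmp_path() hunk `char *s;` receives the result of strrchr() on the `const char *path` argument and the body never writes through it, so it should be declared `const char *s` rather than silently dropping the qualifier. In the test_get_hidden_path() hunk, each `assert_string_equal(s, ...)` is not preceded by `assert_non_null(s)`, so an allocation failure inside get_hidden_tmp_path() would surface as a crash in the string comparison instead of a readable assertion failure.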
[SSSD] [sssd PR#5823][+Accepted] krb5_child: fixed incorrect checks on length value
URL: https://github.com/SSSD/sssd/pull/5823 Title: #5823: krb5_child: fixed incorrect checks on length value Label: +Accepted
[SSSD] [sssd PR#5823][comment] krb5_child: fixed incorrect checks on length value
URL: https://github.com/SSSD/sssd/pull/5823 Title: #5823: krb5_child: fixed incorrect checks on length value sumit-bose commented: """ Hi, thanks for spotting this, ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5823#issuecomment-941948504
[SSSD] [sssd PR#5802][+Accepted] MONITOR: reduce logs severity around signalling
URL: https://github.com/SSSD/sssd/pull/5802 Title: #5802: MONITOR: reduce logs severity around signalling Label: +Accepted
[SSSD] [sssd PR#5802][-Waiting for review] MONITOR: reduce logs severity around signalling
URL: https://github.com/SSSD/sssd/pull/5802 Title: #5802: MONITOR: reduce logs severity around signalling Label: -Waiting for review
[SSSD] [sssd PR#5802][comment] MONITOR: reduce logs severity around signalling
URL: https://github.com/SSSD/sssd/pull/5802 Title: #5802: MONITOR: reduce logs severity around signalling sumit-bose commented: """ Hi, thanks for the patch, I'm fine with the changes. ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5802#issuecomment-940091869
[SSSD] [sssd PR#5784][comment] proxy: allow removing group members
URL: https://github.com/SSSD/sssd/pull/5784 Title: #5784: proxy: allow removing group members sumit-bose commented: """ > @sumit-bose , can it happen (is it supported) that two groups in different domains > have the same GID? Hi, if the two domains are managed separately it can of course happen that two groups have the same GID. For lookups by GID the group from the first domain listed in the `domains` option will win. A lookup by name, especially with a fully-qualified name, will most probably resolve both groups. Given that the `id` command will do lookups by GID, an `id` lookup for the user from the second domain which is a member of the group with the duplicated GID will return the wrong group name. In this sense I would say we do not support this kind of configuration. Additionally, since the filesystem does access control for groups based on the GID, using the same GID in different domains might give users access to files of users from the other domain, which is typically not expected. HTH bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5784#issuecomment-934479813
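The situation described in the comment above, as an added example that is not SSSD's code: a small model of the two lookup paths (by GID, where the first domain listed in `domains` wins, and by fully-qualified name), of what `id` reports for a user from the second domain, of why the kernel cannot tell the two groups apart, and an audit that lists GIDs handed out by more than one domain. The domain names, group tables and memberships are constructed for the example; the resolution rules modelled are the ones stated in the comment.

```python
"""Added example, not SSSD's code: model the failure mode when two SSSD
domains hand out the same GID, and audit a set of domains for it. All
domain names, group tables and memberships below are constructed."""

from collections import defaultdict

# sssd.conf [sssd] section: domains = ad.example.test, ldap.example.org
DOMAINS = ["ad.example.test", "ldap.example.org"]

# group name -> GID, per domain (constructed; GID 10000 is used twice)
GROUPS = {
    "ad.example.test": {"finance": 10000, "it": 10001},
    "ldap.example.org": {"research": 10000, "ops": 20001},
}

# fully-qualified user -> group names in the user's own domain (constructed)
MEMBERS = {
    "alice@ad.example.test": ["finance", "it"],
    "bob@ldap.example.org": ["research"],
}


def getgrgid(gid, domains=DOMAINS, groups=GROUPS):
    """Lookup by GID: the first domain in the configured order that has
    the GID answers, as the comment states. Returns 'name@domain' or None."""
    for dom in domains:
        for name, g in groups[dom].items():
            if g == gid:
                return f"{name}@{dom}"
    return None


def getgrnam(fqname, groups=GROUPS):
    """Lookup by fully-qualified name resolves inside the named domain,
    so both colliding groups are reachable this way."""
    name, _, dom = fqname.rpartition("@")
    return groups.get(dom, {}).get(name)


def id_groups(user, groups=GROUPS, members=MEMBERS):
    """Model `id user`: collect the user's GIDs from its own domain, then
    translate each back to a name the way `id` does, with a lookup by
    GID. For a user of the second domain this yields the wrong name."""
    _, _, dom = user.rpartition("@")
    out = []
    for grp in members[user]:
        gid = groups[dom][grp]
        out.append((gid, getgrgid(gid, groups=groups)))
    return out


def kernel_allows_group_access(file_gid, user, groups=GROUPS, members=MEMBERS):
    """The kernel compares numeric GIDs only; domain names never reach it,
    so a colliding GID grants access across the domain boundary."""
    _, _, dom = user.rpartition("@")
    return file_gid in {groups[dom][g] for g in members[user]}


def find_gid_collisions(groups=GROUPS):
    """Audit helper: GIDs that more than one domain hands out."""
    owners = defaultdict(list)
    for dom, table in groups.items():
        for name, gid in table.items():
            owners[gid].append(f"{name}@{dom}")
    return {gid: names for gid, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    print("id bob@ldap.example.org:", id_groups("bob@ldap.example.org"))
    print("collisions:", find_gid_collisions())
```

In the sample, bob from the second domain is reported as a member of finance@ad.example.test, and a file owned by GID 10000 from the first domain is readable by him, which is exactly the unexpected cross-domain access the comment warns about; the audit function is the check to run before adding a second domain to `domains`.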
[SSSD] [sssd PR#5722][+Accepted] NSS client: avoid using NETDB_INTERNAL if daemon is not available
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available Label: +Accepted
[SSSD] [sssd PR#5722][comment] NSS client: avoid using NETDB_INTERNAL if daemon is not available
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available sumit-bose commented: """ > Hi @sumit-bose , did you have a chance to take a look at this? Hi, thanks for the reminder. I'm fine with the patch as it is. Imo `NETDB_INTERNAL` should still be used after calling `sss_nss_gethost_readrep()` because the most common issue would be `ERANGE` where the caller should increase the buffer immediately. There is `EBADMSG` as well, which mostly would indicate internal errors, like e.g. not enough data sent by the nss responder. Here I think a hard error would be better instead of a fallback to other configured modules which would hide the issue. So, ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-933294156
[SSSD] [sssd PR#5771][comment] sdap: always create sdap object for a forest root
URL: https://github.com/SSSD/sssd/pull/5771 Title: #5771: sdap: always create sdap object for a forest root sumit-bose commented: """ > There is a typo in the commit message: `:fixes: Even is the forest` -> > `:fixes: Even IF the forest` sorry, fixed in latest version """ See the full comment at https://github.com/SSSD/sssd/pull/5771#issuecomment-926570831
[SSSD] [sssd PR#5771][synchronized] sdap: always create sdap object for a forest root
URL: https://github.com/SSSD/sssd/pull/5771 Author: sumit-bose Title: #5771: sdap: always create sdap object for a forest root Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5771/head:pr5771 git checkout pr5771 From 36f0c7ec12ce26542adfc9c1b03176cb1b292ae2 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 31 Aug 2021 12:59:15 +0200 Subject: [PATCH] sdap: always create sdap object for a forest root Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: https://github.com/SSSD/sssd/issues/5770 :fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root. --- src/providers/ldap/sdap_domain.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c index d384b2e4a0..fa6e9340de 100644 --- a/src/providers/ldap/sdap_domain.c +++ b/src/providers/ldap/sdap_domain.c 
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, struct sdap_domain *sdom, *sditer; errno_t ret; -for (dom = get_next_domain(parent, SSS_GND_DESCEND); +for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED); dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ - dom = get_next_domain(dom, 0)) { + dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) { + +/* Always create sdap domain object for the forest root, even if it is + * disabled so that we can connect later to discover trusted domains + * in the forest. */ +if (sss_domain_get_state(dom) == DOM_DISABLED +&& !sss_domain_is_forest_root(dom)) { +continue; +} DLIST_FOR_EACH(sditer, sdom_list) { if (sditer->dom == dom) {
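Review bot: the loop now hands a disabled forest root through to the rest of sdap_domain_subdom_add(), so every consumer of the resulting sdom_list has to check sss_domain_get_state() itself before using that entry for user or group lookups; otherwise a root an administrator disabled on purpose can be queried again. Please confirm the code after the DLIST_FOR_EACH, and whatever later walks sdom_list, only uses the disabled root for the trusted-domain refresh, and say so in the comment added in this hunk, e.g. `* in the forest. The object must not be used for identity lookups.`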
[SSSD] [sssd PR#5788][comment] debug: suppress backtrace if GetAccountDomain() is not supported
URL: https://github.com/SSSD/sssd/pull/5788 Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported sumit-bose commented: """ > Patches look good to me. > But strictly speaking commit message of a first patch isn't correct anymore: > backtrace is suppressed for all backend errors (not only > `ERR_GET_ACCT_DOM_NOT_SUPPORTED`), and debug level for > `ERR_GET_ACCT_DOM_NOT_SUPPORTED` is lowered. Hi, thanks for the hint, I updated the commit message. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5788#issuecomment-926501776
[SSSD] [sssd PR#5788][synchronized] debug: suppress backtrace if GetAccountDomain() is not supported
URL: https://github.com/SSSD/sssd/pull/5788 Author: sumit-bose Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5788/head:pr5788 git checkout pr5788 From 22a2fbffe5116ee6c29c4f339b012108293f9486 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 27 Aug 2021 11:04:04 +0200 Subject: [PATCH 1/2] debug: reduce logging of GetAccountDomain() in the frontends The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return code if the backend does not support the GetAccountDomain() request and there is no need to have a log message for this on the default log level or to trigger a backtrace in the logs in this case. For all other errors a log message at the default log level makes sense to indicate an issue in the backend, but a backtrace in the frontend logs is not needed either. --- src/responder/common/responder_get_domains.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c index 68ea7c5b5d..b60f11a4d6 100644 --- a/src/responder/common/responder_get_domains.c +++ b/src/responder/common/responder_get_domains.c @@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq) } if (state->dp_error != DP_ERR_OK) { -DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n", - (unsigned int)state->dp_error, (unsigned int)state->error); +DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL + : SSSDBG_IMPORTANT_INFO, + "Data Provider Error: %u, %u [%s]\n", + (unsigned int)state->dp_error, (unsigned int)state->error, + sss_strerror(state->error)); tevent_req_error(req, state->error ? state->error : EIO); return; } From 218a403225b277a941575792f6dce5e61645488e Mon Sep 17 00:00:00 2001
From: Sumit Bose Date: Mon, 30 Aug 2021 11:33:26 +0200 Subject: [PATCH 2/2] debug: suppress backtrace for backend errors Only log a message in the frontend without a backtrace if the backend returns an error. --- src/responder/common/cache_req/plugins/cache_req_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c index 6f4d27cb60..2591dd1b73 100644 --- a/src/responder/common/cache_req/plugins/cache_req_common.c +++ b/src/responder/common/cache_req/plugins/cache_req_common.c @@ -140,7 +140,7 @@ cache_req_common_process_dp_reply(struct cache_req *cr, } if (err_maj) { -CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, +CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr, "Data Provider Error: %u, %u, %s\n", (unsigned int)err_maj, (unsigned int)err_min, err_msg); CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
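Review bot: in the responder_get_domains.c hunk of patch 1, when dp_error != DP_ERR_OK but state->error is 0 the message prints sss_strerror(0) while tevent_req_error() then hands the caller EIO, so the log line and the error the caller sees disagree. Compute the effective code once, e.g. `errno_t err = state->error ? state->error : EIO;`, and use `err` both in the DEBUG() call and in tevent_req_error().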
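Review bot: in the cache_req_common.c hunk of patch 2, lowering the level to SSSDBG_IMPORTANT_INFO removes the frontend backtrace for every err_maj the responder receives, not only the GetAccountDomain case; that is only safe if the backend already logs the failure at SSSDBG_OP_FAILURE or higher so a backtrace is captured on its side. Please confirm that for the providers and state in the commit message that failure backtraces are now expected in the backend log, not the responder log.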
[SSSD] [sssd PR#5788][synchronized] debug: suppress backtrace if GetAccountDomain() is not supported
URL: https://github.com/SSSD/sssd/pull/5788 Author: sumit-bose Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5788/head:pr5788 git checkout pr5788 From ddceb9fd7e865acbce4b5150c1508d36a022e039 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 27 Aug 2021 11:04:04 +0200 Subject: [PATCH 1/2] debug: suppress backtrace if GetAccountDomain() is not supported The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return code if the backend does not support the GetAccountDomain() request and there is no need to trigger a backtrace in the logs in this case. --- src/responder/common/responder_get_domains.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c index 68ea7c5b5d..b60f11a4d6 100644 --- a/src/responder/common/responder_get_domains.c +++ b/src/responder/common/responder_get_domains.c @@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq) } if (state->dp_error != DP_ERR_OK) { -DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n", - (unsigned int)state->dp_error, (unsigned int)state->error); +DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL + : SSSDBG_IMPORTANT_INFO, + "Data Provider Error: %u, %u [%s]\n", + (unsigned int)state->dp_error, (unsigned int)state->error, + sss_strerror(state->error)); tevent_req_error(req, state->error ? state->error : EIO); return; } From 31d1364798f0108eb0c2dc89c7081a24c58aeffe Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Mon, 30 Aug 2021 11:33:26 +0200 Subject: [PATCH 2/2] debug: suppress backtrace for backend errors Only log a message in the frontend without a backtrace if the backend returns an error. --- src/responder/common/cache_req/plugins/cache_req_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c index 6f4d27cb60..2591dd1b73 100644 --- a/src/responder/common/cache_req/plugins/cache_req_common.c +++ b/src/responder/common/cache_req/plugins/cache_req_common.c @@ -140,7 +140,7 @@ cache_req_common_process_dp_reply(struct cache_req *cr, } if (err_maj) { -CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, +CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr, "Data Provider Error: %u, %u, %s\n", (unsigned int)err_maj, (unsigned int)err_min, err_msg); CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
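Review bot: style point on the responder_get_domains.c hunk of patch 1: the ternary that selects the debug level is split across two lines inside the DEBUG() argument list, which is hard to read and hard to grep when auditing log levels. Assign it to a local first, e.g. `int lvl = (state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED) ? SSSDBG_TRACE_INTERNAL : SSSDBG_IMPORTANT_INFO;` and pass `lvl` to DEBUG().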
[SSSD] [sssd PR#5771][comment] sdap: always create sdap object for a forest root
URL: https://github.com/SSSD/sssd/pull/5771 Title: #5771: sdap: always create sdap object for a forest root sumit-bose commented: """ Hi Pavel, thanks for the review, I added a `:fixes:`. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5771#issuecomment-923718143
[SSSD] [sssd PR#5771][synchronized] sdap: always create sdap object for a forest root
URL: https://github.com/SSSD/sssd/pull/5771 Author: sumit-bose Title: #5771: sdap: always create sdap object for a forest root Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5771/head:pr5771 git checkout pr5771 From 97f8b37d280b3dfce5a55f5821660c79d8ec5eac Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 31 Aug 2021 12:59:15 +0200 Subject: [PATCH] sdap: always create sdap object for a forest root Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: https://github.com/SSSD/sssd/issues/5770 :fixes: Even is the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root. --- src/providers/ldap/sdap_domain.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c index d384b2e4a0..fa6e9340de 100644 --- a/src/providers/ldap/sdap_domain.c +++ b/src/providers/ldap/sdap_domain.c 
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, struct sdap_domain *sdom, *sditer; errno_t ret; -for (dom = get_next_domain(parent, SSS_GND_DESCEND); +for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED); dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ - dom = get_next_domain(dom, 0)) { + dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) { + +/* Always create sdap domain object for the forest root, even if it is + * disabled so that we can connect later to discover trusted domains + * in the forest. */ +if (sss_domain_get_state(dom) == DOM_DISABLED +&& !sss_domain_is_forest_root(dom)) { +continue; +} DLIST_FOR_EACH(sditer, sdom_list) { if (sditer->dom == dom) {
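Review bot: the commit message says the missing sdap object only appears after a restart, when the domain object already exists in the cache, but nothing in the patch exercises that path. A test that starts with the forest root already stored as disabled and then checks that sdap_domain_subdom_add() yields an entry for it (and none for a disabled non-root subdomain, the `continue` branch) would pin the fix against regressions.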
[SSSD] [sssd PR#5791][comment] sysdb: more specific mpg search filter
URL: https://github.com/SSSD/sssd/pull/5791 Title: #5791: sysdb: more specific mpg search filter sumit-bose commented: """ Hi Pavel, thanks for the review, I've fixed the typo and added a `:fixes:`. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5791#issuecomment-923713149
[SSSD] [sssd PR#5791][synchronized] sysdb: more specific mpg search filter
URL: https://github.com/SSSD/sssd/pull/5791 Author: sumit-bose Title: #5791: sysdb: more specific mpg search filter Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5791/head:pr5791 git checkout pr5791 From f3ca267717a7544999077678538abee691ce6463 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 2 Aug 2021 15:53:42 +0200 Subject: [PATCH] sysdb: more specific mpg search filter Originally all users of an mpg domain had an automatically created user-private group and as a result the ID space was unified in the sense that a given ID either belongs to a group or to a user with a user-private group. With the introduction of id-overrides and the auto_private_groups option this assumption is not true anymore and as a result the search filter for GIDs must be more specific with respect to the user objects. Resolves: https://github.com/SSSD/sssd/issues/5790 :fixes: Improve mpg search filter to be more reliable with id-overrides and the new auto_private_groups options. --- src/db/sysdb.h| 2 +- src/db/sysdb_search.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 83e2f7c13e..596aff2862 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -222,7 +222,7 @@ #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))" #define SYSDB_GRENT_FILTER "("SYSDB_GC")" #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))" -#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))" +#define SYSDB_GRGID_MPG_FILTER "(|(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))(&("SYSDB_UC")("SYSDB_GIDNUM"=%lu)("SYSDB_UIDNUM"=%lu)))" #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")" #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))" diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 0cd8321cb1..68745cb1a0 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c
@@ -1355,7 +1355,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, } ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, - LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); + LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid, ul_gid, ul_gid); if (ret != EOK) { ret = sysdb_error_to_errno(ret); goto done;
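Review bot: the new SYSDB_GRGID_MPG_FILTER consumes three %lu arguments and this hunk updates only the sysdb_getgrgid_attrs() call site; any other place that formats the macro with a single argument now reads two missing varargs, which is undefined behaviour rather than a compile error. Please grep the tree for SYSDB_GRGID_MPG_FILTER and either update every user in this patch or move the formatting into one helper that takes the gid once and repeats it internally.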
[SSSD] [sssd PR#5791][opened] sysdb: more specific mpg search filter
URL: https://github.com/SSSD/sssd/pull/5791 Author: sumit-bose Title: #5791: sysdb: more specific mpg search filter Action: opened PR body: """ Originally all users of an mpg domain had an automatically created user-private group and as a result the ID space was unified in the sense that a given ID either belongs to a group to to a user with a user-private group. With the introduction of id-overrides and the auto_private_groups option this assumption is not true anymore and as a result the search filter for GIDs must be more specific with respect to the user objects. Resolves: https://github.com/SSSD/sssd/issues/5790 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5791/head:pr5791 git checkout pr5791 From 137afc4864924620b9260f738c29c378893fd606 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 2 Aug 2021 15:53:42 +0200 Subject: [PATCH] sysdb: more specific mpg search filter Originally all users of an mpg domain had an automatically created user-private group and as a result the ID space was unified in the sense that a given ID either belongs to a group to to a user with a user-private group. With the introduction of id-overrides and the auto_private_groups option this assumption is not true anymore and as a result the search filter for GIDs must be more specific with respect to the user objects. Resolves: https://github.com/SSSD/sssd/issues/5790 --- src/db/sysdb.h| 2 +- src/db/sysdb_search.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 83e2f7c13e..596aff2862 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h 
@@ -222,7 +222,7 @@ #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))" #define SYSDB_GRENT_FILTER "("SYSDB_GC")" #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))" -#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))" +#define SYSDB_GRGID_MPG_FILTER "(|(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))(&("SYSDB_UC")("SYSDB_GIDNUM"=%lu)("SYSDB_UIDNUM"=%lu)))" #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")" #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))" diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 0cd8321cb1..68745cb1a0 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -1355,7 +1355,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, } ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, - LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); + LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid, ul_gid, ul_gid); if (ret != EOK) { ret = sysdb_error_to_errno(ret); goto done;
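Review bot: the sysdb.h hunk encodes the rule that a user entry stands in for its own private group only when uidNumber equals gidNumber; that rule is exactly what id-overrides and auto_private_groups broke for the old filter, so record it next to the define (for example `/* user entries match only as their own private group, i.e. uid == gid */`) so the next change to ID handling does not silently reintroduce ambiguous GID lookups.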
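The commit message in PR#5791 (both the opened version above and the synchronized one earlier in this digest) explains why the old GID filter became ambiguous once id-overrides and auto_private_groups let a user carry a primary GID that is not its own uid. The added example below, which is not SSSD code, replays both filters as C predicates over a constructed three-entry cache; it assumes SYSDB_MPGC means "user or group" and reduces SYSDB_UC/SYSDB_GC to two flags, so it shows the matching logic, not ldb itself.

```c
#include <stddef.h>

/* A cache entry reduced to what the two filters inspect. Assumption: SYSDB_UC
 * and SYSDB_GC become the is_user/is_group flags and SYSDB_MPGC is the OR of both. */
struct ex_entry {
    const char *name;
    int is_user;
    int is_group;
    unsigned long uid;   /* uidNumber, 0 for groups */
    unsigned long gid;   /* gidNumber */
};

/* Old SYSDB_GRGID_MPG_FILTER: (&(|(user)(group))(gidNumber=gid)).
 * Any user whose primary GID equals the requested GID is returned as a group. */
static int ex_old_filter(const struct ex_entry *e, unsigned long gid)
{
    return (e->is_user || e->is_group) && e->gid == gid;
}

/* New filter: (|(&(group)(gidNumber=gid))(&(user)(gidNumber=gid)(uidNumber=gid))).
 * A user only counts as its own private group when uid == gid. */
static int ex_new_filter(const struct ex_entry *e, unsigned long gid)
{
    return (e->is_group && e->gid == gid)
        || (e->is_user && e->gid == gid && e->uid == gid);
}

typedef int (*ex_filter_fn)(const struct ex_entry *, unsigned long);

/* Number of entries a filter returns for one GID. getgrgid() can only give a
 * deterministic answer when this is 0 or 1; 2 means the lookup is ambiguous. */
static int ex_count_matches(ex_filter_fn f, const struct ex_entry *ents,
                            size_t n, unsigned long gid)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (f(&ents[i], gid)) {
            hits++;
        }
    }
    return hits;
}

/* Constructed cache: a real group, a user with a private group (uid == gid),
 * and a user whose id-override or auto_private_groups setting put the real
 * group's GID into its primary GID. */
static const struct ex_entry ex_cache[] = {
    { "devs",  0, 1, 0,    2000 },
    { "alice", 1, 0, 1000, 1000 },
    { "bob",   1, 0, 1001, 2000 },
};
static const size_t ex_cache_len = sizeof(ex_cache) / sizeof(ex_cache[0]);
```

For GID 2000 the old filter returns both `devs` and `bob`, so which object the cache hands back depends on ordering; the new filter returns only `devs`. GID 1000 still resolves to alice's private group under both filters, and GID 1001 (bob's uid, which is not a group) matches nothing under the new one.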
[SSSD] [sssd PR#5788][opened] debug: suppress backtrace if GetAccountDomain() is not supported
URL: https://github.com/SSSD/sssd/pull/5788 Author: sumit-bose Title: #5788: debug: suppress backtrace if GetAccountDomain() is not supported Action: opened PR body: """ The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return code if the backend does not support the GetAccountDomain() request and there is no need to trigger a backtrace in the logs in this case. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5788/head:pr5788 git checkout pr5788 From d430b028f6c79c33ddc60ebb77aba894708360d7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 27 Aug 2021 11:04:04 +0200 Subject: [PATCH 1/2] debug: suppress backtrace if GetAccountDomain() is not supported The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return code if the backend does not support the GetAccountDomain() request and there is no need to trigger a backtrace in the logs in this case. --- src/responder/common/responder_get_domains.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c index 68ea7c5b5d..1b2797c4d4 100644 --- a/src/responder/common/responder_get_domains.c +++ b/src/responder/common/responder_get_domains.c @@ -795,8 +795,11 @@ static void sss_dp_get_account_domain_done(struct tevent_req *subreq) } if (state->dp_error != DP_ERR_OK) { -DEBUG(SSSDBG_OP_FAILURE, "Data Provider Error: %u, %u\n", - (unsigned int)state->dp_error, (unsigned int)state->error); +DEBUG(state->error == ERR_GET_ACCT_DOM_NOT_SUPPORTED ? SSSDBG_TRACE_INTERNAL + : SSSDBG_OP_FAILURE, + "Data Provider Error: %u, %u [%s]\n", + (unsigned int)state->dp_error, (unsigned int)state->error, + sss_strerror(state->error)); tevent_req_error(req, state->error ? state->error : EIO); return; } From c56769c45bf94ad50a8ee307e8dcc7d8be4e56d6 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Mon, 30 Aug 2021 11:33:26 +0200 Subject: [PATCH 2/2] debug: frontend backtrace for backend error? Do we need a backtrace in the frontend if the backend returns an error? --- src/responder/common/cache_req/plugins/cache_req_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c index 6f4d27cb60..b4fc07a308 100644 --- a/src/responder/common/cache_req/plugins/cache_req_common.c +++ b/src/responder/common/cache_req/plugins/cache_req_common.c @@ -140,6 +140,8 @@ cache_req_common_process_dp_reply(struct cache_req *cr, } if (err_maj) { +/* does a backtrace make sense here or would the error message + * sufficient? */ CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, "Data Provider Error: %u, %u, %s\n", (unsigned int)err_maj, (unsigned int)err_min, err_msg);
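Review bot: the cache_req_common.c hunk of patch 2 adds an open question as a source comment (`does a backtrace make sense here or would the error message sufficient?`) and changes no behaviour; that should not be merged as is. Decide in this patch: either keep SSSDBG_OP_FAILURE and drop the comment, or lower the level and explain in the commit message why a backtrace in the responder adds nothing when the backend already reported the error.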
[SSSD] [sssd PR#5712][+Accepted] Health and Support Analyzer - Add request log parsing utility
URL: https://github.com/SSSD/sssd/pull/5712 Title: #5712: Health and Support Analyzer - Add request log parsing utility Label: +Accepted
[SSSD] [sssd PR#5712][-Waiting for review] Health and Support Analyzer - Add request log parsing utility
URL: https://github.com/SSSD/sssd/pull/5712 Title: #5712: Health and Support Analyzer - Add request log parsing utility Label: -Waiting for review
[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility
URL: https://github.com/SSSD/sssd/pull/5712 Title: #5712: Health and Support Analyzer - Add request log parsing utility sumit-bose commented: """ Hi, thanks for checking the help message, as long as this is the default behavior of argparse I'm fine. I built and installed the latest version with the removed code and it is still working for me. ACK Thanks for your patience. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5712#issuecomment-920768851
[SSSD] [sssd PR#5787][opened] krb5: fix ccache ownership for offline Smartcard authentication
URL: https://github.com/SSSD/sssd/pull/5787 Author: sumit-bose Title: #5787: krb5: fix ccache ownership for offline Smartcard authentication Action: opened PR body: """ During Smartcard authentication/PKINIT the krb5_child process is running as privileged user for some time to make sure pcscd allows access to the Smartcard. If SSSD is offline those privileges are currently not dropped before creating an empty ccache and as a result file based ccaches might have a wrong ownership. With the patch the privileges are dropped if SSSD is offline and the ccache is created with the expected ownership. Resolves: https://github.com/SSSD/sssd/issues/5785 :fixes: ccache files are created with the right ownership during offline Smartcard authentication """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5787/head:pr5787 git checkout pr5787 From 9075925a362e77bebba895724312a0093d2997b5 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 16 Sep 2021 11:38:47 +0200 Subject: [PATCH] krb5: fix ccache ownership for offline Smartcard authentication During Smartcard authentication/PKINIT the krb5_child process is running as privileged user for some time to make sure pcscd allows access to the Smartcard. If SSSD is offline those privileges are currently not dropped before creating an empty ccache and as a result file based ccaches might have a wrong ownership. With the patch the privileges are dropped if SSSD is offline and the ccache is created with the expected ownership. Resolves: https://github.com/SSSD/sssd/issues/5785 :fixes: ccache files are created with the right ownership during offline Smartcard authentication --- src/providers/krb5/krb5_child.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 4e55d9a374..70e93e3198 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c 
@@ -3430,8 +3430,11 @@ int main(int argc, const char *argv[]) * default and the 'sssd' user is allowed with the help of the * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We * can only call switch_creds() because after the TGT is returned we have - * to switch to the IDs of the user to store the TGT. */ -if (IS_SC_AUTHTOK(kr->pd->authtok)) { + * to switch to the IDs of the user to store the TGT. + * If we are offline we have to switch to the user's credentials directly + * to make sure the empty ccache is created with the expected + * ownership. */ +if (IS_SC_AUTHTOK(kr->pd->authtok) && !offline) { kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL, &kr->pcsc_saved_creds); } else {
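Review bot: the krb5_child.c hunk only adds `&& !offline` to the condition; the commit message says the else branch then switches to the user's IDs before the empty ccache is created, but that branch lies outside the hunk and nothing shown here proves it sets uid, gid and supplementary groups. Please widen the diff context to include the else branch (or name the call it makes), and add a check after the ccache is written that its owner equals the user's uid stored in kr, so a regression fails loudly instead of leaving a ccache owned by the privileged IDs.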
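The ordering the PR above describes for the offline case (switch to the user's identity first, then create the empty ccache, so the kernel assigns the right owner) is shown below as an added example. It is not SSSD code and does not reproduce switch_creds() or its saved-credentials handling: `ex_drop_to_user()`, `ex_create_owned_file()` and `ex_offline_ccache()` are hypothetical helpers, the file created under the given directory stands in for an empty FILE: ccache, and the ownership check is the assertion the patch's bug would have tripped.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to the target user in the order that cannot lock us out: shed the
 * supplementary groups first (needs privilege, so only done as root), then
 * the gid, then the uid, and verify the effective IDs afterwards instead of
 * trusting the return codes alone. Returns 0 or an errno value. */
static int ex_drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) {
        return errno;
    }
    if (setgid(gid) != 0) {
        return errno;
    }
    if (setuid(uid) != 0) {
        return errno;
    }
    if (geteuid() != uid || getegid() != gid) {
        return EPERM;   /* a call "succeeded" without the IDs actually changing */
    }
    return 0;
}

/* Create an empty file under dir (stand-in for an empty FILE: ccache) and
 * check who owns it. Returns 0 when the owner matches the expected IDs,
 * EACCES on a mismatch, another errno value on failure; the file is always
 * removed again so the example leaves nothing behind. */
static int ex_create_owned_file(const char *dir, uid_t expect_uid, gid_t expect_gid)
{
    char path[4096];
    struct stat st;
    int fd, ret = 0;

    if (snprintf(path, sizeof(path), "%s/ccache_example_XXXXXX", dir)
            >= (int)sizeof(path)) {
        return ENAMETOOLONG;
    }
    fd = mkstemp(path);             /* 0600, owned by our effective uid/gid */
    if (fd < 0) {
        return errno;
    }
    if (fstat(fd, &st) != 0) {
        ret = errno;
    } else if (st.st_uid != expect_uid || st.st_gid != expect_gid) {
        ret = EACCES;   /* the wrong-ownership case the patch fixes lands here */
    }
    close(fd);
    unlink(path);
    return ret;
}

/* Offline path as the patch describes it: drop first, create the ccache
 * second. Reversing the two calls is exactly the bug being fixed. */
static int ex_offline_ccache(const char *dir, uid_t uid, gid_t gid)
{
    int ret = ex_drop_to_user(uid, gid);
    if (ret != 0) {
        return ret;
    }
    return ex_create_owned_file(dir, uid, gid);
}
```

Run as an unprivileged user the drop is a no-op switch to the caller's own IDs and the ownership check passes; run as root with another user's uid and gid it exercises the real drop, and a file created before the drop would fail the fstat comparison with EACCES.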
[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility
URL: https://github.com/SSSD/sssd/pull/5712 Title: #5712: Health and Support Analyzer - Add request log parsing utility sumit-bose commented: """ Hi, thanks for the updates. I think from now on every enhancement should be done not in this PR but in a new one. What I still find irritating is the repeated `request` in the help output:
```
# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] {request} ...

positional arguments:
  {request}
    request   Track requests across SSSD components

optional arguments:
  -h, --help  show this help message and exit
  --source {files,journald}
  --logdir LOGDIR
```
I think the curly braces are ok on the first line, in case we will add other sub-commands in future, but I think the second occurrence is wrong. In the `request` help output it might be worth to put `--list` and `--cid CID` in curly braces like e.g. `{--list | --cid CID}` to indicate that one of the two must be used. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5712#issuecomment-919052966
[SSSD] [sssd PR#5760][+Accepted] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760 Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card() Label: +Accepted
[SSSD] [sssd PR#5760][-Waiting for review] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()
Label: -Waiting for review
[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

thanks for the update, the CI failures are not related, ACK.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5760#issuecomment-912757562
[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
> > > As before p11_child can only wait on a single reader, in the old version
> > > it was the first, now it is the last.
> > >
> > > @spoore1 , can this ^^ affect tests?
>
> That's a good question.
>
> It's just a change in where p11_child waits for a reader to respond right?

Hi,

it is about required Smartcard authentication (p11_child is run with the --wait_for_card option) when multiple Smartcard readers are connected but no card inserted in any of the readers. Do you have such a test?

> Could that change affect p11_child timeouts?

no

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5760#issuecomment-911836329
[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

my testing went well. Now wait_for_card is working with multiple empty readers again. As before p11_child can only wait on a single reader, in the old version it was the first, now it is the last. But since the user already had to guess which reader to use in this case I think it is ok.

I added an in-line comment about casting to int, it would be nice if you can fix this.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5760#issuecomment-911798286
[SSSD] [sssd PR#5771][opened] sdap: always create sdap object for a forest root
URL: https://github.com/SSSD/sssd/pull/5771
Author: sumit-bose
Title: #5771: sdap: always create sdap object for a forest root
Action: opened

PR body:
"""
Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5771/head:pr5771
git checkout pr5771

From 41df6527c8dae335250e7d39a2eb01f3faa7bb1a Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770
---
 src/providers/ldap/sdap_domain.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a0..fa6e9340de 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, struct sdap_domain *sdom, *sditer; errno_t ret; -for (dom = get_next_domain(parent, SSS_GND_DESCEND); +for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED); dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ - dom = get_next_domain(dom, 0)) { + dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) { + +/* Always create sdap domain object for the forest root, even if it is + * disabled so that we can connect later to discover trusted domains + * in the forest. */ +if (sss_domain_get_state(dom) == DOM_DISABLED +&& !sss_domain_is_forest_root(dom)) { +continue; +} DLIST_FOR_EACH(sditer, sdom_list) { if (sditer->dom == dom) { ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
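Review bot: with SSS_GND_INCLUDE_DISABLED now passed to both get_next_domain() calls, the only thing keeping disabled non-root domains out of this loop is the new `continue` guard, and a DOM_DISABLED forest root now reaches everything below the guard in the loop body (outside this hunk) that builds and registers the sdap domain object; the commit message or a comment next to the guard should state that consumers of `sdom_list` which serve user and group lookups must check the domain state themselves rather than assume every entry is enabled. Since the commit message says the bug only appears after a restart (the domain object exists but the sdap object does not), a test that restarts SSSD with the forest root disabled and then resolves a user from a trusted domain would pin the fix.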
[SSSD] [sssd PR#5760][comment] p11_child: Fixes for init_p11_ctx() and do_card()
URL: https://github.com/SSSD/sssd/pull/5760
Title: #5760: p11_child: Fixes for init_p11_ctx() and do_card()

sumit-bose commented:
"""
Hi,

thank you for the update, code-wise I'm fine with the patches, I'd like to run some tests during the weekend and will give my final ACK early next week.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5760#issuecomment-907041154
[SSSD] [sssd PR#5746][comment] p11_child: do_card partially fix loop exit condition (redo of #5705)
URL: https://github.com/SSSD/sssd/pull/5746
Title: #5746: p11_child: do_card partially fix loop exit condition (redo of #5705)

sumit-bose commented:
"""
Hi,

thanks for the hint, I have to admit that I didn't test the patch with `wait_for_card`. @assafmo, would you like to add a patch that fixes this?

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5746#issuecomment-904439026
[SSSD] [sssd PR#5712][comment] Health and Support Analyzer - Add request log parsing utility
URL: https://github.com/SSSD/sssd/pull/5712
Title: #5712: Health and Support Analyzer - Add request log parsing utility

sumit-bose commented:
"""
Hi Justin,

thanks for the latest updates. I think the log lines from `accept_fd_handler`, e.g.

2021-08-18 10:36:34:610384): [nss] [accept_fd_handler] (0x0400): Client [CID #1][cmd su][0x55d181821070][27] connected!

or

(2021-08-18 10:36:34:703799): [pam] [accept_fd_handler] (0x0400): Client [CID #1][cmd su][0x55bc092703c0][24] connected to privileged pipe!

are missing in the parser output, can you add them?

Can you show the help output if the command line is incomplete? Currently it looks like:
```
# sssctl analyze
usage: sss_analyze [-h] [--source {files,journald}] [--logdir LOGDIR] {request} ...
sss_analyze: error: the following arguments are required: subcommand
Command '/usr/lib/python3.9/site-packages/sssd/sss_analyze.py' failed with [2]
# sssctl analyze request
#
```
In the first case it should not be an error but the help output should be shown, and since there is no `sss_analyze` which can be called it would be better to say `sssctl analyze`. The second case currently has no output, help output would be better here as well.

I would mention in the `--merge` help line that this currently only works properly with `debug_microseconds = True` for all components.

Another item for improvement in a new pull-request is to add the tevent id logic to the different responders. For the nss responder this won't change much since the main task here is done in the cache request code. But e.g. for the pam responder currently also only the cache request part of the logs is shown by the parser but here there are other useful log messages from the main pam responder code as well.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5712#issuecomment-901023962
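The two points in the comment above that concern the parser itself are that the `accept_fd_handler` "connected" lines must not be dropped (they are the only lines that tie a client ID to the calling command) and that `--merge` across components is only meaningful when every component logs with `debug_microseconds = True`. The following is an added example, not the sss_analyze code from the pull request: a minimal request tracker over SSSD-style debug lines that keeps the connect lines, groups lines by client ID per responder, and refuses a merge when any timestamp lacks microseconds. The sample log lines are constructed for this example after the layout of the two lines quoted in the comment; the `cache_req_*` and `pam_cmd_authenticate` lines, the backend line and all pointer values are illustrative.

```python
"""Added example, not the sss_analyze code from the pull request: a minimal
request tracker over SSSD-style debug log lines.

It keeps the accept_fd_handler "connected" lines (they carry the client ID
and command name), groups lines by client ID per responder, and refuses to
merge logs whose timestamps lack microseconds, the case the review flags for
--merge. The sample lines are constructed for this example following the
layout of the two lines quoted above; pointer and fd values are arbitrary.
"""
import re
from datetime import datetime

# (timestamp): [component] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\):\s+\[(?P<comp>\S+)\]\s+\[(?P<func>[^\]]+)\]"
    r"\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
# Client ID tag; the optional space covers both "[CID #1]" and "[CID#1]".
CID_RE = re.compile(r"\[CID ?#(?P<cid>\d+)\]")
CMD_RE = re.compile(r"\[cmd ([^\]]+)\]")

# Constructed sample logs; each responder numbers its own clients, so
# nss CID #1 and pam CID #1 are different requests.
NSS_LOG = [
    "(2021-08-18 10:36:34:610384): [nss] [accept_fd_handler] (0x0400): "
    "Client [CID #1][cmd su][0x55d181821070][27] connected!",
    "(2021-08-18 10:36:34:611002): [nss] [cache_req_send] (0x0400): "
    "[CID#1] CR#1: New request 'User by name'",
    "(2021-08-18 10:36:34:612450): [nss] [cache_req_done] (0x0400): "
    "[CID#1] CR#1: Finished",
]
PAM_LOG = [
    "(2021-08-18 10:36:34:703799): [pam] [accept_fd_handler] (0x0400): "
    "Client [CID #1][cmd su][0x55bc092703c0][24] connected to privileged pipe!",
    "(2021-08-18 10:36:34:705120): [pam] [pam_cmd_authenticate] (0x0100): "
    "[CID#1] entering pam_cmd_authenticate",
    "   * continuation line without a timestamp that the parser must skip",
]
# A backend log written with debug_microseconds = False (constructed).
NO_US_LOG = [
    "(2021-08-18 10:36:34): [be[example.test]] [sbus_dispatch] (0x4000): "
    "dbus conn: 0x55e0e5c0b2a0",
]


def parse_line(line):
    """Split one debug line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = m.group("ts")
    # With debug_microseconds = True the timestamp ends in ":<micros>",
    # i.e. it contains three colons instead of two.
    has_us = ts_text.count(":") == 3
    fmt = "%Y-%m-%d %H:%M:%S:%f" if has_us else "%Y-%m-%d %H:%M:%S"
    cid = CID_RE.search(m.group("msg"))
    return {
        "ts": datetime.strptime(ts_text, fmt),
        "microseconds": has_us,
        "component": m.group("comp"),
        "function": m.group("func"),
        "level": int(m.group("level"), 16),
        "cid": int(cid.group("cid")) if cid else None,
        "msg": m.group("msg"),
    }


def list_requests(lines):
    """Map (responder, client ID) -> command name, taken from the connect lines."""
    requests = {}
    for rec in map(parse_line, lines):
        if rec and rec["function"] == "accept_fd_handler" and rec["cid"] is not None:
            cmd = CMD_RE.search(rec["msg"])
            requests.setdefault((rec["component"], rec["cid"]),
                                cmd.group(1) if cmd else "?")
    return requests


def lines_for_request(lines, component, cid):
    """Every parsed line of one client request, connect line included."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["component"] == component and rec["cid"] == cid]


def merge_logs(*logs):
    """Interleave several components' logs by timestamp (the --merge case).

    Second-granularity timestamps cannot order lines across components, so
    the merge is refused unless every line carries microseconds.
    """
    records = [rec for log in logs for rec in map(parse_line, log) if rec]
    if not all(rec["microseconds"] for rec in records):
        raise ValueError("--merge needs debug_microseconds = True in every component")
    return sorted(records, key=lambda rec: rec["ts"])
```

Keying requests by (responder, client ID) rather than by client ID alone matters because, as the two quoted lines show, the nss and pam responders each hand out their own `CID #1`; a tracker that merges them by number would attribute one responder's lines to the other's request.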