subject:"\[SSSD\] \[sssd PR#136\]\[comment\] Tlog integration"

[SSSD] [sssd PR#136][comment] Tlog integration

2017-07-27 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Woo-hoo :D! Thanks a lot for all the work, Pavel, Lukas and Jakub :)!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-318342564
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-07-27 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

jhrozek commented:
"""
Since we released 1.15.3 (finally!) ealier this week, I merged the patches:
 * 27c30eb5f046d6c43276b139706110906cdacb9b
 * 53a4219e2f51cd0443931aa931505bf0b4bf5a45
 * 49d24ba630544632e29ed397627c97352523165d
 * 836dae913497e150bd0ec11eee1e256e4fcc0bb7
 * 382a972a80ac571cdbf70d88571f6de49fe1cd23
 * 24b3a7b91a54b5b55cfddb52b3d5ac565afdcff1
 * 200787df74510f6edc9387cf9c33f133ccfc0ae3
 * bac0c0df377de4469c8f9310179eef04c7b091fa
 * 90fb7d3e61423ff1375e9f552f4b58e5173ad3d1
 * 5ea60d18ddb8eaff25d274c22c7db7df57b6ec4d
 * 29dd456102dc995aa59a56483363087071bb84d6
 * 99b96048b79b0228c3f7c431ea12010f7bd5b362
 * d802eba25e7c1304e5036684261bcf41540532d8
 * 555f43b491f40e0237b8677565a748b929092bee
 * 9759333b3dd404c6787ef0186984c5d4256eb5bb
 * c31065ecc0793e836066035d0c692b050b5f6f55
 * cb89693cf5ccdedf69fa304c6d43d618a7bc18b2

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-318342201
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-07-26 Thread jhrozek

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

jhrozek commented:
"""
I've just fired one more CI run (because there were so many patches since 
pbrezina's ACK) and when that arrives, I'll push.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-318165730
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-07-26 Thread fidencio

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

fidencio commented:
"""
As 1.15.3 was released and per @pbrezina's ACK, I'm adding the "Accepted" label 
to this patch set.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-318153855
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-06-01 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Ack. Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305426853
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-31 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
CI result: 
http://sssd-ci.duckdns.org/logs/commit/17/e2bb8c81901721fc35f7807f8c000aea950c27/7063/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305196182
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-31 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Rebased, and swapped `cache_req_process_result` and `cache_req_done`, as 
requested.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305174143
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-31 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
I'm on it, thanks for review @pbrezina!

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305148541
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-31 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Hi Nick, thank your for the changes. One last nitpick and I will ack those 
patches. Please, switch order of `cache_req_process_result` and 
`cache_req_done` so it reads:
```c
cache_req_process_result()
cache_req_done()
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-305137103
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-22 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Thank you. I will look into it during this week.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-303039439
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-19 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
This update rebases on latest master and also changes "tlog-rec" to 
"tlog-rec-session", as the latter is now supposed to be used as the login shell 
in upstream tlog.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-302695875
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-12 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
CI results: http://sssd-ci.duckdns.org/logs/job/69/46/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-301045414
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-12 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
@pbrezina, here is a rebased patchset, with the changes you requested. I 
dropped the --without-session-recording configure option as agreed with 
@jhrozek and @lslebodn. Please review. Thank you!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-301030273
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-03 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Alright, here is another version of the patchset. Changes include:

* abort SSSD startup if session recording is enabled, but session recording 
shell is not present, or not executable
* add configure option disabling session recording 
(`--without-session-recording`);
* fix the `--with-session-recording-shell` configure option;
* rename `pam_reply_export_shell` to `pam_reply_sr_export_shell` as it deals 
with session recording exclusively.

If we decide we don't need the `--without-session-recording` configure option, 
we can just drop the last patch.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298836574
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
On (02/05/17 06:03), Nikolai Kondrashov wrote:
>Yes, that's what I meant. Only perhaps we can just use 
>`--with-session-recording-shell=/bin/false` and not have any scripts.
>

I glad there is not misunderstanding

BTW it does not matter which binary will be passed to
--with-session-recording-shell. It can be even `/usr/bin/getent` :-)
But it should not be standard shell e.g. `/sbin/nologin`

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298637807
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Yes, that's what I meant. Only perhaps we can just use 
`--with-session-recording-shell=/bin/false` and not have any scripts.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298629188
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
Actually, it need to be available otherwise sssd would not start :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298623501
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
On (02/05/17 04:43), Nikolai Kondrashov wrote:
>Integration tests don't actually need tlog to verify that SSSD's job is done 
>properly.
In that case, we needn't skip tests but
Cwrap integration testes can be called with
`--with-session-recording-shell="$$prefix"/bin/tlog-rec`

and `"$$prefix"/bin/tlog-rec` can a shell script
or it needn't be present at all if it is not required for testing

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298623373
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Integration tests don't actually need tlog to verify that SSSD's job is done 
properly. Also, tlog is not going to be officially present for a while yet on 
most distros we test. OTOH, nothing prevents users installing it there 
themselves and so SSSD functionality needs to be verified.

Ignoring absence of tlog would not be a security issue, but only a 
functionality issue, because recorded users simply won't be able to login.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298612435
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Integration tests can be skipped if tlog is not present. We already do this for 
secrets responder that is skipped if sssd_secrets does not exist.

I agree that we should fail to start as ignoring session recording 
configuration may be considered as security issue (administrator wants audit 
but no audit is done).
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298610282
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-05-02 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
There is one other problem: integration tests. If we make SSSD fail on startup 
when it doesn't find tlog-rec, then we can't run SSSD as is in integration 
tests. That is without requiring tlog-rec be installed for integration testing, 
which is hassle, as tlog is only present in Fedora so far.

So, either we make it a warning, which will be harder to notice for users, or 
perhaps add a configure option to make the session recording shell something 
that we know always exists, like `/bin/true`.

I don't like the complications of the latter, but I think it might be better 
for user.

Pavel, Lukas?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298608203
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Yeah, perhaps not starting SSSD can help.

Still, there is the issue of tlog not being available for RHEL at all, at least 
not from official channels.
Should SSSD have session recording documented and supported then?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298063944
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
On (28/04/17 08:11), Nikolai Kondrashov wrote:
>Sure, a weak dependency sounds right.
>
>I would not like disabling SSSD or session recording in case tlog is missing.

It is not disabling SSSD; because SSSD will not even start any responder or
back-end :-). And sssd can fail to start even due to other misconfiguration
e.g. wrong permissions on /etc/sssd/sssd.conf ...

>If it can be fixed by just installing tlog, then we shouldn't break SSSD, and 
>let users fix the situation with as little fuss as possible. I.e. without the 
>need to restart SSSD.
>

* sssd won't start and log message to syslog that session recording is enabled
(scope != none) and tlog is missing.
* user will try to find a reason why sssd failed to start; check log files
  and find out that there is missing binary for tlog shell
* user will install tlog
* start sssd and everything works like a magic :-)

It is just an idea how to simply solve this case. But feel free to use other
way.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298048544
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Sure, a weak dependency sounds right.

I would not like disabling SSSD or session recording in case tlog is missing. 
If it can be fixed by just installing tlog, then we shouldn't break SSSD, and 
we should let users fix the situation with as little fuss as possible. I.e. 
without the need to restart SSSD.

I wouldn't say it's a misconfiguration of SSSD, it's a system misconfiguration, 
and it's not SSSD's business to abort because of that. As far as SSSD is 
concerned its configuration is valid. However, I think SSSD can shout in the 
log that tlog is missing. The question is at which point. Maybe on PAM session 
setup?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298024703
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Sure, a weak dependency sounds right.

I would not like disabling SSSD or session recording in case tlog is missing. 
If it can be fixed by just installing tlog, then we shouldn't break SSSD, and 
let users fix the situation with as little fuss as possible. I.e. without the 
need to restart SSSD.

I wouldn't say it's a misconfiguration of SSSD, it's a system misconfiguration, 
and it's not SSSD's business to abort because of that. As far as SSSD is 
concerned its configuration is valid. However, I think SSSD can shout in the 
log that tlog is missing. The question is at which point. Maybe on PAM session 
setup?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298024703
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Sure, a weak dependency sounds right.

I would not like disabling SSSD or session recording in case tlog is missing. 
If it can be fixed by just installing tlog, then we shouldn't break SSSD, and 
let users fix the situation with as little fuss as possible. I.e. without the 
need to restart SSSD.

I wouldn't say it's a misconfiguration of SSSD, it's a system misconfiguration, 
and it's not SSSD's business to abort because of that. As far as SSSD is 
concerned its configuration is valid. However, I think SSSD can shout in the 
log that tlog is missing. The question is at which point. Maybe on PAM session 
setup?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298024703
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
>The only problem is the users won't be able to login if session recording is 
>enabled for them and tlog is not installed.

That sounds like misconfiguration. In fedora, I would prefer to have weak 
dependency[1] on tlog in sssd. With "recommends" it would be installed by 
default but users would be able remove tlog package. Therefore we cannot rely 
on existing binary on system. But we can detect that after starting sssd that 
session recording is enabled and there is missing tlog shell(missing execute 
bit ...). Then we have two options:
1. fail due to misconfiguration;
2. scream to syslog + disable session recording and continue as it was not 
enabled.

[1] http://rpm.org/user_doc/dependencies.html#weak-dependencies

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-298012520
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Ah, I see. I understand what you meant regarding enable-files-domain. I'll try 
to explain what we're trying to do with tlog.

First of all, session recording should always be disabled by default. No matter 
if tlog is present or not.
Next, SSSD will function perfectly, also no matter if tlog is present or not, 
even if session recording is enabled and configured. The only problem is the 
users won't be able to login if session recording is enabled for them and tlog 
is not installed.

A little recap on how session recording setup works in SSSD: you get to choose 
if session recording is disabled for all, enabled for all, or enabled for some 
users/groups. In the latter case you get to choose which users/groups have it 
enabled. For enabled users SSSD makes NSS report their shell as tlog, and puts 
the original shell into an environment variable when PAM sets up the session, 
so tlog can start the original shell. So if tlog is not installed, users simply 
get non-existing shell.

I was thinking we could just have session recording support built and 
documented in manpages unconditionally, and only add it to SSSD dependencies on 
distros where tlog is present. However, I worry that RHEL customers will then 
be misled, because I expect tlog is not going to be available for RHEL for a 
while.

So the question is do we build/document session recording conditionally, 
selected at configure time, or not. Also, do we add tlog to dependencies if we 
have session recording support built.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297999419
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Ah, I see. I understand what you meant regarding enable-files-domain. I'll try 
to explain what we're trying to do with tlog.

First of all, session recording should always be disabled by default. No matter 
if tlog is present or not.
Next, SSSD will function perfectly, also no matter if tlog is present or not, 
even if session recording is enabled and configured. The only problem is the 
users won't be able to login if session recording is enabled for them and tlog 
is not installed.

A little recap on how session recording setup works in SSSD: you get to choose 
if session recording is disabled for all, enabled for all, or enabled for some 
users/groups. In the latter case you get to choose which users/groups have it 
enabled. For enabled users SSSD makes NSS report their shell as tlog, and puts 
the original shell into an environment variable when PAM sets up the session, 
so tlog can start the original shell. So if tlog is not installed, users simply 
get non-existing shell.

I was thinking we could just have session recording support built and 
documented in manpages unconditionally, and only add it to SSSD dependencies on 
distros where tlog is present. However, I worry that RHEL customers will then 
be misled, because I expect tlog is not going to be available for RHEL for a 
while.

So the question is do we build/document session recording conditionally, 
selected at configure time, or not. Also, do we add tlog to dependencies if we 
have session recording support built.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297999419
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
> I'm sorry I don't quite understand. 

And I do not understand what do you want to achieve with tlog :-) 

> Also what part of enable_files_domain we can reuse?

I meant the approach as with `enable_files_domain` might help with tlog. But I 
am not sure what do you want to achieve.

man sssd.conf says:
```
   enable_files_domain (boolean)
   When this option is enabled, SSSD prepends an implicit domain with
   “id_provider=files” before any explicitly configured domains.
```

The default value depends on the configure time option `--enable-files-domain`
and xml for an page contains:
```

Default: false


Default: true

```

By default implicit files domain is not enabled and in f26+ spec file 
explicitly use  `--enable-files-domain`

Hope it helps.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297987874
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Hi Lukas,

I'm sorry I don't quite understand. I agree that SSSD would have a runtime 
dependency on tlog to use this feature, i.e. tlog would need to be installed to 
work. However, how does this come from SSSD needing to compile on el7? Also 
what part of enable_files_domain we can reuse?

Pavel, perhaps you understand and can explain?

Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297973256
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-28 Thread lslebodn

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

lslebodn commented:
"""
>Hmm. There is no code dependency so SSSD can be built fine even without tlog 
>rpms, only when >enabled the tlog shell won't exist. @lslebodn how do you want 
>to package this?

IIUC it is a runtime dependency because sssd need to compile on el7 :-)
We can do similar think as with the option `enable_files_domain`. Default is 
`false` and there is configure time option `--enable-files-domain` to change 
default value.

https://pagure.io/SSSD/sssd/blob/master/f/src/confdb/confdb.c#_1833

Does this answer the question?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297939607
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-27 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, I tried to address your latest comments. I had a difficulty with the 
last one, though, the comment regarding "CACHE_REQ: Pull sessionRecording attrs 
from initgr". I think I fixed the order, but I'm not sure if you wanted me to 
change any names, and if so, to what. Please explain what you need me do, if I 
did it wrong.

I made the draft manpage updates too, please take a look. I think perhaps we 
shouldn't do any conditional building of tlog support, but I worry what RHEL 
customers will say when they know tlog is not available in RHEL yet. Perhaps we 
can get it in EPEL?

Another thing: I'll likely replace `tlog-rec` with something else, perhaps 
something called `tlog-session`, because I want to have `tlog-rec` purely for 
recording and not track user sessions. Just a heads-up. If you'd like details, 
see Scribery/tlog#92.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297766450
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-27 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Perhaps we shouldn't do *any* conditional building. Just note in the manpages 
that the tlog package must be installed for this to work.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297738135
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-27 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Hmm. There is no code dependency so SSSD can be built fine even without tlog 
rpms, only when enabled the tlog shell won't exist. @lslebodn how do you want 
to package this?

I don't think we have to have the code conditionally built, maybe is sufficient 
to hide manual pages.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297678575
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-26 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Alright, I'll work on the manpages as well.

Another thing: should we also make a configure option for enabling session 
recording, so that we can have this enabled and have an RPM dependency in 
Fedora, where tlog is already available, and disabled in RHEL and everywhere 
else, until it is available there?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297404214
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-26 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Yes, that is a good idea. And although the configuration itself is rather 
simple, it may be a good thing to also create sssd-tlog or 
sssd-session-recording manpage with few paragraphs describing the future and 
how to use it in more details just to promote it.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297309335
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-25 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
BTW, should I perhaps include an update to the sssd.conf man page?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297017382
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-25 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Hi Pavel, thank you for your review! I'll be addressing your comments soon, but 
for now here is how to test this.

The patches add support for a new section in sssd.conf: `session_recording`. 
The section can have up to three options: `scope`, `users`, and `groups`. The 
`scope` option accepts one of three values: `none`, `all`, and `some`. They 
mean "no users will be recorded", "all users will be recorded", and "some 
(specified) users and/or groups will be recorded", respectively.

If `scope` is set to `some`, then the `users` option accepts a 
whitespace-separated list of users to have session recording enabled, same goes 
for `groups` option, but only for groups.

Enabling session recording for a user should result in SSSD reporting user 
shell as `/usr/bin/tlog-rec` through NSS, and exporting `TLOG_REC_SHELL` 
environment variable during PAM session setup. That variable should contain the 
actual user shell.

Testing for those should be sufficient, but if you'd like, you can get tlog 
here: https://github.com/Scribery/tlog

You can either build and install it yourself, or use an RPM from the latest 
release:
https://github.com/Scribery/tlog/releases/tag/v3

You can also take a look at the tests in 
`src/tests/intg/test_session_recording.py` for configuration examples.

Please let me know if you needed some other information.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297016412
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-25 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Hi, here are some comments. Mostly nitpicks.

Can you also share some link how to enable tlog and test this code?

* **CACHE_REQ: Rename search_domains_done to search_domains_next_done```**
As far as tevent coding style goes `cache_req_search_domains_done` is correct 
since the request name is `cache_req_search_domains`. Name 
`cache_req_search_domains_next_done` is incorrect in this context where it 
serves as the last callback.

The tevent coding style should keep the following form:
```
struct tevent_req *request_name_send(...)
errno_t request_name_$step(...)
void request_name_$stepdone(...)
void request_name_done(...)
errno_t request_name_recv(..)
```
Where `$step` and  `$stepdone` is something that describes this intermediate 
step. `$stepdone` may be simply `$step_done` where it works or any other string 
if it works better. But the last callback name must be `request_name_done`. 
Please, discard this patch.

* **CACHE_REQ: Rename done to search_domains_done**
Here is the same problem now. But in addtion, you are messing up with the order 
of the functions where the last callback called is place before another 
callback. So I propose the following order and name changes:

```
!. cache_req_send
2. cache_req_process_input
3. cache_req_input_parsed
4. cache_req_select_domains
5. cache_req_search_domains
6. cache_req_search_domains_done => cache_req_process_result
7. cache_req_sr_overlay_done => cache_req_done
```
So just change those names and switch order of these two functions. Please, 
discard this patch and do this change in commit where you create 
`cache_req_sr_overlay_done`.

* **DP: Overlay sessionRecording attribute on initgr**
Please remove unneeded parameters instead of silencing the compilator with 
`(void)req_name; (void)reply;`. Also remove unused `reply` from 
`dp_req_initgr_pp_nss_notify`. 

* **CACHE_REQ: Pull sessionRecording attrs from initgr**
See previous tevent comment and also please read [this 
comment](https://github.com/SSSD/sssd/pull/154#issuecomment-284717277) where I 
explained tevent coding style to Fabiano and I would like to obey it in 
`cache_req_sr_overlay.c`. The style is mostly about keeping order and proper 
names of function. This code should read as:
```
cache_req_sr_overlay_send
cache_req_sr_overlay_match_users
cache_req_sr_overlay_match_all
cache_req_sr_overlay_done
cache_req_sr_overlay_recv
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-297006120
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-24 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, I tried to address all your comments, and also added the fix you made to 
data provider initialization regarding overrides. I also improved the tests. 
This is ready for another review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-296623885
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-20 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, after your suggestion on IRC I replaced `sysdb_initgroups` with 
`sysdb_initgroups_with_views` in the data provider, and also switched to using 
`sss_view_ldb_msg_find_attr_as_uint64` and `sysdb_getgrgid_with_views` for 
retrieving the primary group, but the result is the same.

All the test_session_recording_some_groups_overridden* tests fail, there is no 
trace of group overrides being in effect. I suspect I'm missing something 
basic. Do you have any suggestions? Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-295768680
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-20 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, after your suggestion on IRC I replaced `sysdb_initgroups` with 
`sysdb_initgroups_with_views` in the data provider, and also switched to using 
`sss_view_ldb_msg_find_attr_as_uint64` and `sysdb_getgrgid_with_views` for 
retrieving the primary group, but the result is the same.

All the test_session_recording_some_groups_overridden* tests fail, there is no 
trace of group overrides being in effect. I suspect I'm missing something 
basic. Do you have any suggestions? Thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-295768680
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-18 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Thank you. Yes, I think it answers my question. I'll do another 
sysdb_initgroups in the postprocess function.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-294827141
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-18 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
So the question is why we first search the cache then do the request?

The current code is to notify nss responder about changes:
1. Call `sysdb_initgroups` and remember the groups that are cached at the 
moment.
2. Update the cache with the content from LDAP.
3. Send original groups to NSS responder so it can decide if anything has 
changed. If so, it invalidates in-memory cache for initgroups.

Thinking about it, this is something that can be moved to NSS responder now. 
Anyway...

What you want to achieve is:
1. Update the cache
2. Call `sysdb_initgroups` to fetch the groups
3. Match the groups.

I didn't realize it during the review that you are not doing it in this way, 
sorry about that. So you don't have really that much in common with the NSS 
request, you just want to hook into the postprocess function which is called 
when the request is finished, before the result is send to the responder.

Does this answer your question?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-294822182
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-13 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Thanks, Pavel.

I'm still confused, though. At the moment we invoke `create_initgr_ctx` with
an `ldb_result` returned from `sysdb_initgroups`. If `sysdb_initgroups`
returned `ENOENT`, or produced `res->count == 0`, we will have nothing to
supply `create_initgr_ctx` with, and even if it worked,
`dp_req_initgr_pp_sr_overlay` would have nothing to match against.

I guess I don't understand the whole mechanism: first we get the result from
the cache, then we do the request. Doesn't make sense to me. Could you please
explain what's going on here?

Thank you

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293816585
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-12 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Hmm, good question. In theory, yes. If user is cached and group object with 
this gid exists in LDAP then the primary group is in cache as well. However, 
the primary group object doesn't have to exists in LDAP and in this case sssd 
doesn't create a mock object so it won't be in cache. I'm not really sure from 
the top of my head though, please, try it.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293524535
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-12 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Thanks, Pavel!
Is it ensured that the primary group name will always be in sysdb at that point?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293521162
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-12 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
You can obtain name of the primary group by calling `sysdb_getgrgid` on 
`SYSDB_GIDNUMBER` attribute of the user. You can introduce new function to 
sysdb that will do this, e.g. `sysdb_get_primary_group`.

If we hit the branch that returns EAGAIN, we issue the request without 
post-process function in the caller:
```
dp_get_account_info_handler:
if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
if (ret != EAGAIN) {
goto done;
}
}

dp_req_with_reply(dp_cli, domain, "Account", key,
  sbus_req, DPT_ID, DPM_ACCOUNT_HANDLER, dp_flags, data,
  dp_req_reply_std, struct dp_reply_std);
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293520669
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-12 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
You can obtain name of the primary group by calling `sysdb_getgrgid` on 
`SYSDB_GIDNUMBER` attribute of the user. You can introduce new function to 
sysdb that will do this, e.g. `sysdb_get_primary_group`.

If we hit the branch that returns EAGAIN, we issue the request without 
post-process function in the caller:
```
dp_get_account_info_handler:
if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
if (ret != EAGAIN) {
goto done;
}
}

dp_req_with_reply(dp_cli, domain, "Account", key,
  sbus_req, DPT_ID, DPM_ACCOUNT_HANDLER, dp_flags, data,
  dp_req_reply_std, struct dp_reply_std);
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293520669
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-11 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, another question: aren't we skipping the request altogether in 
dp_initgroups, instead of just the post-processing callback here:
```C
ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res);
if (ret == ENOENT || (ret == EOK && res->count == 0)) {
/* There is no point in contacting NSS responder. Proceed as usual. */
return EAGAIN;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n",
  ret, sss_strerror(ret));
goto done; 
}   
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293271093
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-11 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, another question: aren't we skipping the request altogether in 
dp_initgroups, instead of just the post-processing callback here:
```C
ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res);
if (ret == ENOENT || (ret == EOK && res->count == 0)) {
/* There is no point in contacting NSS responder. Proceed as usual. */
return EAGAIN;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n",
  ret, sss_strerror(ret));
goto done; 
}   
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293271093
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-11 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
> Primary group is specified with gidNumber and suplementary groups are 
> specified with memberUid/memberOf. Primary group may or may not be part of 
> suplementary groups so yes, you need to special case it here.

Pavel, how can we get the primary group name here, in case it is not in the 
supplementary groups?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293244825
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-11 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pardon for the review request, Pavel. Trying to figure out how they work on 
GitHub. Please ignore.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-293225994
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-06 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Hi Pavel, thanks a lot for a thorough review and for your kind words!
I'll be fixing the code according to your comments and will answer your 
question below.

> I would welcome a little bit shorter enum values for scope, e.g. 
> SESSION_RECORDING_SCOPE_NONE. Or do you think that the CONF word is important?

Not really, I can rename the module to just "session_recording.c" and remove 
"_CONF" from the names. It's an artifact from the time there were more 
"session_recording" modules in the same directory, and, anyway, SSSD is not 
adhering to "module name is the symbol name prefix" policy anyway.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-292191969
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-06 Thread pbrezina

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

pbrezina commented:
"""
Hi Nick,
thank you for the patches. The changes are not big, they are well structured 
and commented. Thank you for that. You put a good work into it!

Here is the review. Please, do not be alarmed, it is only lots of quotation but 
required changes are small and there isn't many of them.

* **CONFIG: Add session_recording section**
  - options needs to go also into cfg_rules.ini for the validator
* **UTIL: Add session recording conf management module**
  - `session_recording_conf_load()` -- please, check that the conf pointet is 
not `NULL`
  - I would welcome a little bit shorter `enum` values for scope, e.g. 
`SESSION_RECORDING_SCOPE_NONE`. Or do you think that the `CONF` word is 
important?
* **DP: Overlay sessionRecording attribute on initgr**
  - Few minor styling issues:
```c
ctx->gids[ctx->gnum] = ldb_msg_find_attr_as_uint(res->msgs[i],
   SYSDB_GIDNUM, 0);
 ^ we wrap to 
parenthesis, i.e.:
 SYSDB_GIDNUM, 0);
```
```c
groupname = (ctx->gnum == 0)
? NULL
: sss_nss_get_name_from_msg(ctx->domain_info,
res->msgs[i]);

It is not shorter and does not improve readibility, please use if/else
```
  - Logic issues
```c
 /* FIXME Do we need to/can we retrieve the primary group name? */
```
  - Primary group is specified with `gidNumber` and suplementary groups are 
specified with `memberUid`/`memberOf`. Primary group may or may not be part of 
suplementary groups so yes, you need to special case it here.
```c
static errno_t dp_initgroups(struct sbus_request *sbus_req,
 struct dp_client *dp_cli,
 const char *key,
 uint32_t dp_flags,
 struct dp_id_data *data)
{
[...]

ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res);
if (ret == ENOENT || (ret == EOK && res->count == 0)) {
/* There is no point in concacting NSS responder. Proceed as usual. */
return EAGAIN;


^^^ we shortcut here and run request without postprocess function

} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n",
  ret, sss_strerror(ret));
goto done;
}

ctx = create_initgr_ctx(sbus_req, data->domain, domain, res);
if (ctx == NULL) {
ret = ENOMEM;
goto done;
}

dp_req_with_reply_pp(dp_cli, data->domain, "Initgroups", key,
  sbus_req, DPT_ID, DPM_ACCOUNT_HANDLER, dp_flags, data,
  dp_req_initgr_pp, ctx, struct dp_initgr_ctx,
  dp_req_reply_std, struct dp_reply_std);

ret = EOK;

done:
talloc_free(res);
return ret;
}
```
  - If initgroups was not yet performed for this user, we do not run the 
postprocess function a proceed without it. I believe you want to set the 
`sessionRecording` attribute even in this case so the postprocess function must 
always be executed.

* **CACHE_REQ: Pull sessionRecording attrs from initgr**
```c
static errno_t cache_req_sr_overlay(struct tevent_req *req)
{
[...]

/* If we have group names to match against */
if (rctx->sr_conf.groups != NULL && *rctx->sr_conf.groups != NULL) {

^^^ please, use rctx->sr_conf.groups[0] != NULL so the intention is clearer
}

static errno_t cache_req_sr_overlay_match_users(struct tevent_req *req)
{
[...]

/* Create per-message talloc context */
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
"Failed creating temporary talloc context\n");
ret = ENOMEM;
goto done;
}

You can create one `tmp_ctx` for the whole function and then free only its 
children in each cycle with `talloc_free_children()`. It will save some 
allocations.
}
```
  - Also please take this `cache_req_sr_overlay()` and move it into seperate 
`cache_req_session_recording.c` (or similar) module and convert it to an 
independent tevent request. This way, you are calling `tevent_req_done` inside 
`cache_req_sr_overlay_match_all_step_done()` which is not very clean. So the 
code in `cache_req.c` will change to something like this:

```c
static errno_t
cache_req_search_domains(struct tevent_req *req,
 struct cache_req_domain *cr_domain,
 bool check_next,
 bool bypass_cache,
 bool bypass_dp)
{
[...]

subreq = cache_req_search_domains_send(state, state->ev, state->cr,
   cr_domain, check_next,
   bypass_cache,

[SSSD] [sssd PR#136][comment] Tlog integration

2017-03-29 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
A better CI result: http://sssd-ci.duckdns.org/logs/job/66/48/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-290197456
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-03-29 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Alright, this one includes PAM exporting the original shell as well. One thing 
that bothers me about the implementation is that now all responders are reading 
the shell settings from the NSS section.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-290127604
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration

2017-03-27 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Alright. Aside from `dp_req_initgr_pp` not letting us report a failure, I think 
this is close to what we need, and is ready for a proper review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-289480431
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration WIP

2017-03-26 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration WIP

spbnick commented:
"""
@sumit-bose, @pbrezina, could you please take a look? I don't need a detailed 
review yet, just feedback on approach. Thanks!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-289364772
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration WIP

2017-03-24 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration WIP

spbnick commented:
"""
Alright, this version loads override_space, and only does initgr request if 
there are groups to match. I think I'll maybe add checking for 
SYSDB_INITGR_EXPIRE to avoid firing initgr for entries which haven't expired 
yet.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-289055189
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration WIP

2017-03-22 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration WIP

spbnick commented:
"""
One thing bothering me is that `dp_req_initgr_pp` doesn't seem well suited for 
what we're doing. I.e. nothing cares if it fails. Can we do something about it? 
Change the interface, put that code somewhere else?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-288413469
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#136][comment] Tlog integration WIP

2017-03-22 Thread spbnick

  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration WIP

spbnick commented:
"""
I've pushed a draft rewrite using cache_req and data provider. The
functionality is very basic and is mostly a proof-of-concept with no intent to
be efficient.

For each entry returned for a request for user information in cache_req, it
fires off an initgr request. On the data provider side, that initgr request is
post-processed to include a "sessionRecording" attribute, if selective session
recording is enabled. That attribute specifies if the user name, or names of
the groups it's member of, match any of the user or group names in the session
recording configuration. Back in cache_req, that attribute is copied over the
returned entry.

Once the entries get to NSS, if unconditional session recording is enabled
(scope = all), or if selective session recording is enabled (scope = some) and
the entry has sessionRecording attribute set to true, the user shell is
replaced with the session recording shell.

Things still to do:

* retrieve and use override_space instead of hardcoding
* make sure initgr is fired only if there are groups to match against and
  SYSDB_INITGR_EXPIRE has expired
* things I missed (please tell!)

Regarding the second item, isn't cache_req already ensuring that initgr
request is only sent when SYSDB_INITGR_EXPIRE is sent, so we don't have to do
anything about that?

I'd be glad to hear @pbrezina and @sumit-bose opinions on this so far. Thanks!

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-288411475
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

63 matches

Mail list logo