[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-23 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
sssd-1-16:
 - 0b6f144084ec3ed96eb2c60bed7bea5d6c15f15c
 - 5605fa5f8adf79fa60286f5427aa2f989e663de0
 - 3c6c9d4d939bb2f1f629421e347285bea9a59341
 - b2cd4a74e231611f7862a8bb39a655c5194a035a
 - 800d24dccbf655b2c65521727256c4e6c4a540d5
 - 0e16ec74c380b35fc201ded15434184d88413dc7
 - c9c2b60128b7faa29615123de79ed206491396a9

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-524361036
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-23 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
Master:
 - b3c3542188e50770b431942c0b603e6f2733cb33
 - d0bdaabbc95bc9ee3253e1376d849e6a8bd6c6f0
 - c7e6530d642f746982c5306cf3455608d1980d1f
 - d278704d85fea74c229b67e6a63b650b0d776c88
 - 6882bc5f5c8805abff3511d55c0ed60cad84faab
 - 7a03e99890806257df1ed8a126673d6a032fee6a
 - 815957cd10a82aca6742b0bd56c7e7f199596cd4
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-524355419


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-16 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
Hi,

this version now works well in my tests and Coverity didn't find an issue. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-522070347


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-16 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
Thank you. I just pushed the correct version.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-521941787


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-15 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
Hi Pavel,

please check if all patches are added there. It looks like 'sysdb: add 
sysdb_list_subdomains()' and 'ad: remove all subdomains if only master domain 
is enabled' are missing.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-521662619


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-09 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
> Perhaps `ad_subdomains.c:193`? All other interactions with the list that I 
> found are case insensitive.
> 
> ```c
> is_ad_in_domains = false;
> for (int i = 0; i < count; i++) {
>     is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? true : false;
> }
> ```
> 
> I don't have a test environment handy, would you mind trying it out?

Yes, that did the trick, good catch. Can you include this into your patchset?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-519996331


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-09 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
Perhaps `ad_subdomains.c:193`? All other interactions with the list that I found 
are case insensitive.

```c
is_ad_in_domains = false;
for (int i = 0; i < count; i++) {
    is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? true : false;
}
```

I don't have a test environment handy, would you mind trying it out?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-519833290


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-08-08 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
Hi Pavel,

sorry for not being clear but your 3 points are exactly what I meant.

My tests went well. I had one issue where I'm not sure if it should be fixed or 
not and if this is an issue in your patches or with 'ad_enabled_domains' in 
general. I have an AD domain with a mixed case name 'ChIlD.ad.devel' and if I 
add

ad_enabled_domains = child.ad.devel

(lower case is recommended by the man page), it does not work after the first 
restart, only after the second, I guess because the subdomains were re-discovered 
during the first restart and the domain was disabled here.

But if I add

ad_enabled_domains = ChIlD.ad.devel

it already works after the first restart. Do you have an idea where a strcmp() 
should be replaced with a strcasecmp()?

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-519468024


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-06-11 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
Thank you Sumit. Your answer was not clear so I chose to delete all subdomains 
from cache in case when only master domain is enabled.

Now:
* If only master domain is enabled: all subdomains are removed.
* If non-root subdomain is disabled: it is removed from cache.
* If root subdomain is disabled: it is marked as disabled in cache.

Patches are ready for review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-500781109
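
The three cache rules listed in this comment, combined with the case-insensitive list lookup discussed in the 2019-08-08 and 2019-08-09 comments, as an added example (not SSSD's code). The enum, function names and the handling of an unset option are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() is POSIX */

/* Hypothetical names for this example; these are not SSSD's types. */
enum cache_action { KEEP_ENABLED, MARK_DISABLED, REMOVE_FROM_CACHE };

/* Case-sensitive lookup: misses 'ChIlD.ad.devel' when the list has 'child.ad.devel'. */
bool match_exact(const char *name, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strcmp(name, list[i]) == 0) return true;
    }
    return false;
}

/* Domain names are case-insensitive, so compare them that way. */
bool match_nocase(const char *name, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strcasecmp(name, list[i]) == 0) return true;
    }
    return false;
}

/* What to do with one cached subdomain. 'master' is the domain the client
 * is joined to; 'enabled' models the parsed ad_enabled_domains list. */
enum cache_action subdomain_action(const char *subdom, bool is_forest_root,
                                   const char *master,
                                   const char *const *enabled, size_t count)
{
    /* Assumption: an unset option leaves every discovered domain enabled. */
    if (count == 0) return KEEP_ENABLED;

    /* Only the master domain is enabled: all subdomains are removed. */
    if (count == 1 && strcasecmp(enabled[0], master) == 0) {
        return REMOVE_FROM_CACHE;
    }
    if (match_nocase(subdom, enabled, count)) return KEEP_ENABLED;

    /* Disabled root subdomain stays in the cache, flagged as disabled;
     * any other disabled subdomain is removed. */
    return is_forest_root ? MARK_DISABLED : REMOVE_FROM_CACHE;
}

int main(void)
{
    /* Constructed sample input using the names from the thread. */
    const char *const enabled[] = { "ad.devel", "child.ad.devel" };
    return subdomain_action("ChIlD.ad.devel", false, "ad.devel", enabled, 2)
           == KEEP_ENABLED ? 0 : 1;
}
```

With `match_exact` in place of `match_nocase`, the mixed-case domain would be treated as disabled and dropped from the cache even though the administrator listed it.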


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-06-07 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

sumit-bose commented:
"""
> Ok, I managed to setup trust with the child domain (it was necessary to 
> change client's hostname because it was already enrolled to the root domain) 
> and it works correctly.
> 
> There is one corner case when the master domain is the only enabled domain, 
> we hit `ad_subdomains.c:1837` and the subdomains are not refreshed. @sumit-bose 
> Is it OK to recursively delete all cached subdomains (including the root 
> domain) here? Or should it be only disabled?

Hi,

I think it would be more elegant to just set the disable flag for the domain 
object in the cache. But iirc when starting with an empty cache we do not 
create a domain object if the domain is not listed in ad_enabled_domains, only 
for the forest root and I guess for the domain we are joined to as well. In 
this case it might be more consistent to just remove the domain and only set 
disable flag for the forest root and the domain we are joined to.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-499856160


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-06-07 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
Ok, I managed to setup trust with the child domain (it was necessary to change 
client's hostname because it was already enrolled to the root domain) and it 
works correctly.

There is one corner case when the master domain is the only enabled domain, we 
hit `ad_subdomains.c:1837` and the subdomains are not refreshed. @sumit-bose Is 
it OK to recursively delete all cached subdomains (including the root domain) 
here? Or should it be only disabled?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-499843260


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-05-30 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
Pull request:
https://github.com/SSSD/sssd/pull/820
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-497295105


[SSSD] [sssd PR#820][comment] ad: delete domains disabled through ad_enabled_domains from cache

2019-05-30 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/820
Title: #820: ad: delete domains disabled through ad_enabled_domains from cache

pbrezina commented:
"""
I did not test the "root" domain case because I was not able to establish trust 
with a non-root domain so far. But the pull request is straightforward, so it 
does not necessarily block review.

```
[r...@master.client.vm /home/vagrant]# realm join child.ad.vm
Password for Administrator:
See: journalctl REALMD_OPERATION=r1521.5100
realm: Couldn't join realm: Insufficient permissions to join the domain
[r...@master.client.vm /home/vagrant]# journalctl REALMD_OPERATION=r1521.5100
-- Logs begin at Sun 2019-05-26 19:54:19 UTC, end at Thu 2019-05-30 09:40:15 UTC. --
May 30 09:40:13 master.client.vm realmd[5103]:  * Resolving: _ldap._tcp.child.ad.vm
May 30 09:40:13 master.client.vm realmd[5103]:  * Performing LDAP DSE lookup on: 192.168.100.120
May 30 09:40:13 master.client.vm realmd[5103]:  * Performing LDAP DSE lookup on: 192.168.121.248
May 30 09:40:13 master.client.vm realmd[5103]:  * Successfully discovered: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
May 30 09:40:15 master.client.vm realmd[5103]:  * LANG=C /usr/sbin/adcli join --verbose --domain child.ad.vm --domain-realm CHILD.AD.VM --domain-controller 192.168.100.120 --login-type user --login-user Administrator --stdin-password
May 30 09:40:15 master.client.vm realmd[5103]:  * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]:  * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Sending netlogon pings to domain controller: cldap://192.168.100.120
May 30 09:40:15 master.client.vm realmd[5103]:  * Received NetLogon info from: child-dc.child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-uxaCvi/krb5.d/adcli-krb5-conf-iAtYIJ
May 30 09:40:15 master.client.vm realmd[5103]:  * Authenticated as user: administra...@child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Looked up short domain name: ADCHILD
May 30 09:40:15 master.client.vm realmd[5103]:  * Looked up domain SID: S-1-5-21-2624477844-534582034-2536808417
May 30 09:40:15 master.client.vm realmd[5103]:  * Using fully qualified name: master.client.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Using computer account name: MASTER
May 30 09:40:15 master.client.vm realmd[5103]:  * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]:  * Generated 120 character computer password
May 30 09:40:15 master.client.vm realmd[5103]:  * Using keytab: FILE:/etc/krb5.keytab
May 30 09:40:15 master.client.vm realmd[5103]:  * Computer account for MASTER$ does not exist
May 30 09:40:15 master.client.vm realmd[5103]:  * Found well known computer container at: CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]:  * Calculated computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]:  ! Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 21C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 21C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]: adcli: joining domain child.ad.vm failed: Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 21C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 21C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]:  ! Insufficient permissions to join the domain
``` 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/820#issuecomment-497294985