[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
On Mon, Dec 12, 2016 at 07:30:30AM -0800, Simo Sorce wrote:
> well you could have a global variable for the watchdog and change it from a
> custom signal handler, but the point of the watchdog is to go through the
> tevent handler instead so that we are sure the machinery is working and not
> stuck somewhere.
> Resetting directly from the signal handler would bypass all processing and
> therefore render the watchdog useless I guess.

The problem here (as I understand it, Pavel or Fabiano can correct me if I'm wrong) is that the watchdog increases the counter inside a POSIX signal handler, but resets the counter in a tevent timer (to make sure the mainloop is being processed).

Now, if the time drifts, we still are receiving the monotonic SIGRT signals into the POSIX handlers, but because the tevent timer never gets invoked (it's set to be invoked in a time in the future, because the time drifted), we never reset the counter.

We can detect the time has drifted in the POSIX SIGRT handler, the question I'm trying to answer is how should we restart the tevent timer when we receive the SIGRT signal, but because we are in the POSIX handler, we are quite restricted in what we can do.
"""

See the full comment at https://github.com/SSSD/sssd/pull/107#issuecomment-266462611
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
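The split discussed in the comment above, as an added example that is not part of the thread and is not SSSD code: the signal handler touches only `volatile sig_atomic_t` state and calls `write(2)` on a self-pipe, and the main loop performs the timer restart once it reads the request. Every `wd_*` name, the tick threshold and the "clock went backwards" drift check are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Added example: every wd_* name is hypothetical, none of this is SSSD code. */
#define WD_MAX_TICKS 3              /* assumed: ticks tolerated without a reset */

/* The handler only touches volatile sig_atomic_t state and the pipe fd. */
static volatile sig_atomic_t wd_ticks;    /* ticks since the last reset */
static volatile sig_atomic_t wd_expired;  /* main loop judged stuck */
static volatile sig_atomic_t wd_last;     /* last tick, seconds since wd_epoch */
static time_t wd_epoch;                   /* written once, before arming */
static int wd_pipe[2] = { -1, -1 };       /* self-pipe: [0] read, [1] write */

/* Tick logic: plain arithmetic plus write(2), both async-signal-safe. */
static void wd_on_tick(time_t now)
{
    sig_atomic_t rel = (sig_atomic_t)(now - wd_epoch);

    if (rel < wd_last) {
        /* Assumed drift test: the wall clock moved backwards, so the main
         * loop's timer now lies in the future. Do not touch the event loop
         * here; only ask the main loop to re-arm its timer. */
        char req = 'R';
        ssize_t n = write(wd_pipe[1], &req, 1);
        (void)n;                    /* EAGAIN: a request is already queued */
        wd_last = rel;
        return;
    }
    wd_last = rel;
    if (++wd_ticks > WD_MAX_TICKS) {
        wd_expired = 1;             /* a real watchdog would terminate here */
    }
}

static void wd_signal_handler(int signo)
{
    int saved_errno = errno;        /* write(2) may clobber errno */
    (void)signo;
    wd_on_tick(time(NULL));         /* time() is async-signal-safe in POSIX */
    errno = saved_errno;
}

/* Create the non-blocking self-pipe and install the handler. */
static int wd_setup(time_t start)
{
    struct sigaction sa;
    int i, fl;

    if (wd_pipe[0] != -1) { close(wd_pipe[0]); close(wd_pipe[1]); }
    if (pipe(wd_pipe) != 0) return -1;
    for (i = 0; i < 2; i++) {
        fl = fcntl(wd_pipe[i], F_GETFL);
        if (fl == -1 || fcntl(wd_pipe[i], F_SETFL, fl | O_NONBLOCK) == -1)
            return -1;
    }
    wd_epoch = start;
    wd_last = 0;
    wd_ticks = 0;
    wd_expired = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = wd_signal_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGRTMIN, &sa, NULL);
}

/* Main loop, periodic timer callback: proves the loop is still running. */
static void wd_mainloop_alive(void) { wd_ticks = 0; }

/* Main loop, fd handler for wd_pipe[0]. Returns 1 if a re-arm was requested.
 * This runs outside signal context, so calling into the event loop to
 * recreate the timer would be safe at the marked point. */
static int wd_mainloop_drain(void)
{
    char buf[16];
    int requested = 0;

    while (read(wd_pipe[0], buf, sizeof(buf)) > 0) requested = 1;
    if (requested) {
        /* ... re-create the periodic timer here ... */
        wd_mainloop_alive();
    }
    return requested;
}

static int wd_pending_ticks(void) { return (int)wd_ticks; }
static int wd_has_expired(void)   { return (int)wd_expired; }

int main(void)
{
    int rearm;

    if (wd_setup(time(NULL)) != 0) return 1;
    raise(SIGRTMIN);                /* one real tick through the handler */
    rearm = wd_mainloop_drain();
    printf("ticks=%d rearm=%d expired=%d\n",
           wd_pending_ticks(), rearm, wd_has_expired());
    return 0;
}
```
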
[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
On Fri, Jan 13, 2017 at 02:52:49AM -0800, fidencio wrote:
> On Fri, Jan 13, 2017 at 11:42 AM, Jakub Hrozek <notificati...@github.com>
> wrote:
>
> > *@jhrozek* commented on this pull request.
> > --
> >
> > In src/util/util.c
> > <https://github.com/SSSD/sssd/pull/94#pullrequestreview-16544855>:
> >
> > > @@ -1277,3 +1279,12 @@ bool is_user_or_group_name(const char > > > *sudo_user_value) > > /* Now it's either a username or a groupname */ > > return true; > > } > > + > > +bool is_socket_activated(void) > > +{ > > +#ifdef HAVE_SYSTEMD > > +return !!socket_activated;
> >
> > Why the double negative here? is it converting int to bool?
> >
>
> That's exactly the case.
> I may be mistaken in the way I implemented it, but the value got from the
> command line is stored as an int and on this function I'm just returning
> true/false indicating whether the service was socket-activated.
>
> I'm not sure if I can just store the command line option as a bool, but
> I've seen it's not done with other bool command options (as debug-to-files,
> per example).

No, it looks like popt still only supports int. So this is probably OK, although I would personally use the tri-state operator, but meh :)
"""

See the full comment at https://github.com/SSSD/sssd/pull/94#issuecomment-272498301
[SSSD] [sssd PR#110][synchronized] Add more DEBUG messages to help admins diagnose Kerberos login failures
URL: https://github.com/SSSD/sssd/pull/110 Author: jhrozek Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login failures Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/110/head:pr110 git checkout pr110 From 12518d42f680572969dc1c3e26ca2274d0527048 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Thu, 15 Dec 2016 11:30:13 +0100 Subject: [PATCH] KRB5: Advise the user to inspect the krb5_child.log if the child fails with a System Error It's often not clear to admins where to look further if the krb5_child fails with a generic error. This patch just adds a DEBUG message advising the admin to look into the krb5_child.log for more information. Related: https://fedorahosted.org/sssd/ticket/2955 --- src/providers/krb5/krb5_auth.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index a5ecb24..bdd8e24 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -1023,6 +1023,9 @@ static void krb5_auth_done(struct tevent_req *subreq) goto done; default: +DEBUG(SSSDBG_IMPORTANT_INFO, + "The krb5_child process returned an error. Please inspect the " + "krb5_child.log file or the journal for more information\n"); state->pam_status = PAM_SYSTEM_ERR; state->dp_err = DP_ERR_OK; ret = EOK; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
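Review bot: The new DEBUG call in the default: branch of krb5_auth_done() does not log the value that reached that branch, so the sssd log still gives the admin nothing to correlate with krb5_child.log. Consider adding the unexpected status to the message as a format argument, and ending the message sentence with a period before the "\n".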
[SSSD] [sssd PR#113][comment] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.
URL: https://github.com/SSSD/sssd/pull/113
Title: #113: Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.

jhrozek commented:
"""
On Fri, Jan 06, 2017 at 02:10:02AM -0800, lslebodn wrote:
> I think you can use prefix "test_sssctl" instead of tests.

I'm sorry, I'm not sure which prefix do you mean here.

>
> At the same time you can also mention ticket in commit message
> https://fedorahosted.org/sssd/ticket/3267. "Related to:" or "Test for:"

Done.
"""

See the full comment at https://github.com/SSSD/sssd/pull/113#issuecomment-271400322
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
All the python-related comments should be fixed and pep8 shouldn't report any more errors.
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-271395952
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
On Mon, Jan 09, 2017 at 03:17:24AM -0800, Pavel Březina wrote:
> So far it looks good and I have only very few comments. I didn't read the
> code thoroughly yet.
>
> *NSS: Skip disabled domains during requests*
> Rename to cache_req: please, because the change is there and not in nss
> responder.

Done.

>
> *RESPONDER: A sbus interface to reset negatively cached users*
> *DP: Add internal DP interface to enable and disable domains*
> I will look how much work would it be to implement signals. I believe most of
> the work has been done already so if we can finish it rather quickly, we
> should do it right.

Thank you

>
> *CONFDB: Make pwfield configurable per-domain*
> Can you move 'nss_get_pwfield' into nss_util.c? It doesn't really have
> anything common with protocol.

That's what I tried to do initially, but nss_util.c doesn't have access to struct nss_ctx. I wasn't sure if it makes sense to include nss_private.h into nss_util.c. I'm fine both ways, but the current version of the patch tried to not include more headers than we already do.

>
> *CONFDB: The files domain defaults to "x" as pwfield*
> Are we also able to authenticate with pam_sss without pam_unix?

There is no auth_provider=files, but it should be possible to use auth_provider=proxy configured with pam_unix.

>
> *FILES: Add the files provider*
> You say that a domain is disabled during enumeration and we fall back to nss
> files. Do you expect the update to take a really long time? Wouldn't it be
> better to just wait until the enumeration is done?

I was thinking about this for some time and it seemed safer to me to fall back.

But just when I was thinking about this again today, I realized that at least the InfoPipe interface has nowhere to fall back to, so the behaviour must either differ on the cache_req level between the nss responder and the ifp responder or we should wait until the domain updates in both cases.

Maybe we could even do something in-between, but I really wonder if it is an optimization or over-engineering:
- when a domain is disabled, attach a request and wait
- when a timeout passes, return a 'not found' error
- the responder would be able to configure the timeout (not the user, this is really too low level)
- the nss responder would select something quite small (half a second?) just to make sure we don't delay lookups too much and the ifp responder would select several seconds
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-271395720
[SSSD] [sssd PR#110][comment] Add more DEBUG messages to help admins diagnose Kerberos login failures
URL: https://github.com/SSSD/sssd/pull/110
Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login failures

jhrozek commented:
"""
Hmm, sorry, I thought I dropped the second patch some time ago already
"""

See the full comment at https://github.com/SSSD/sssd/pull/110#issuecomment-271400692
[SSSD] [sssd PR#113][synchronized] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.
URL: https://github.com/SSSD/sssd/pull/113 Author: jhrozek Title: #113: Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267. Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/113/head:pr113 git checkout pr113 From d7fcc3aab28edc4177ade028e8647932a51102aa Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 21 Dec 2016 11:17:42 +0100 Subject: [PATCH] TESTS: Add an integration test for sssctl netgroup-show Related: https://fedorahosted.org/sssd/ticket/3267 --- src/tests/intg/test_sssctl.py | 27 +++ 1 file changed, 27 insertions(+) diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py index 1c3b9c8..c485996 100644 --- a/src/tests/intg/test_sssctl.py +++ b/src/tests/intg/test_sssctl.py @@ -29,6 +29,7 @@ import ldap_ent import config from util import unindent +import sssd_netgroup LDAP_BASE_DN = "dc=example,dc=com" @@ -142,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn): sudo_provider = ldap ldap_uri= {ldap_conn.ds_inst.ldap_url} ldap_search_base= {ldap_conn.ds_inst.base_dn} +ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} """).format(**locals()) create_conf_fixture(request, conf) create_sssd_fixture(request) 
@@ -359,3 +361,28 @@ def test_group_show_basic_fqname_insensitive(ldap_conn, output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"]) assert output.find("Name: camelcasegroup1@LDAP") != -1 assert output.find("Cached in InfoPipe: No") != -1 + + +@pytest.fixture +def add_tripled_netgroup(request, ldap_conn): +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + +ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"]) + +create_ldap_fixture(request, ldap_conn, ent_list) +return None + + +def test_netgroup_show(ldap_conn, + sanity_rfc2307, + portable_LC_ALL, + add_tripled_netgroup): +output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"]) +assert "Name: tripled_netgroup" not in output + +res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup") +assert res == sssd_netgroup.NssReturnCode.SUCCESS +assert netgrps == [("host", "user", "domain")] + +output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"]) +assert "Name: tripled_netgroup" in output ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
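Review bot: In test_netgroup_show the first assertion, `assert "Name: tripled_netgroup" not in output`, passes only because nothing has looked the netgroup up yet, and the test does not say so. A short comment before each of the three steps (sssctl on the uncached entry, the get_sssd_netgroups() lookup, sssctl again) would make that ordering dependency explicit. It would also help to assert on what sssctl prints in the uncached case rather than only on the absence of the Name line, so the check cannot pass on empty output from an unrelated failure.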
[SSSD] [sssd PR#113][-Changes requested] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.
URL: https://github.com/SSSD/sssd/pull/113 Title: #113: Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267. Label: -Changes requested
[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
To me as well. I tested again the watchdog restart and the timeshift and both cases work fine.
"""

See the full comment at https://github.com/SSSD/sssd/pull/107#issuecomment-272409701
[SSSD] [sssd PR#107][+Accepted] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107 Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler Label: +Accepted
[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
oh, and just so that it's known what I tested, I removed the services line altogether, then went one-by-one through all the responders and tested them by enabling the socket, letting the responder go up, then (because a short timeout was used) letting them exit on idle. I also tried killing the services and watched systemd restart them.

Of course I read the code :-)

By the way, so far I really like this new way of service management and would suggest that in the next version we take a look at (optionally maybe for the first version?) socket-activate also the back ends.
"""

See the full comment at https://github.com/SSSD/sssd/pull/94#issuecomment-272691256
[SSSD] [sssd PR#124][opened] Fix a segfault in IFP's GetUserAttr
URL: https://github.com/SSSD/sssd/pull/124 Author: jhrozek Title: #124: Fix a segfault in IFP's GetUserAttr Action: opened PR body: """ This PR fixes a crash in GetUserAttr. To reproduce, it's enough to: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:admin array:string:name """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/124/head:pr124 git checkout pr124 From 9be0a2dd82ccde91e1bab19a5857c1481f30f078 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Sun, 15 Jan 2017 10:41:47 +0100 Subject: [PATCH] IFP: Fix GetUserAttr GetUserAttr used to segfault without this patch. --- src/responder/ifp/ifpsrv_cmd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c index 3a1a177..23f410a 100644 --- a/src/responder/ifp/ifpsrv_cmd.c +++ b/src/responder/ifp/ifpsrv_cmd.c @@ -537,6 +537,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq) } state->res = talloc_steal(state, result->ldb_result); +state->dom = result->domain; talloc_zfree(result); fqdn = sss_create_internal_fqname(state, state->inp_name, ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
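Review bot: In ifp_user_get_attr_done(), state->dom = result->domain is assigned on the line directly before talloc_zfree(result), and unlike result->ldb_result it is not moved with talloc_steal(). Please confirm, in a code comment or in the commit message, that the domain is not allocated on result, otherwise state->dom dangles as soon as result is freed. The commit message would also be more useful if it named the use of state->dom that crashed.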
[SSSD] [sssd PR#93][comment] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

jhrozek commented:
"""
master: ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce
sssd-1-14: 2949fe58ac344c44d756ca309d4b2b7f3590cee3
"""

See the full comment at https://github.com/SSSD/sssd/pull/93#issuecomment-265115833
[SSSD] [sssd PR#93][comment] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

jhrozek commented:
"""
On Mon, Nov 28, 2016 at 05:06:54AM -0800, Pavel Březina wrote:
> Can you also prepare a patch to handle this inside cache_req? Ideally on
> top of nss patches so we can avoid collisions.
>

Yes, but since this patch had to be pushed for downstream's sake, I filed a ticket in the meantime: https://fedorahosted.org/sssd/ticket/3260
"""

See the full comment at https://github.com/SSSD/sssd/pull/93#issuecomment-265116353
[SSSD] [sssd PR#93][closed] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93
Author: jhrozek
Title: #93: SSH: Use default_domain_suffix for users' authorized keys
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/93/head:pr93
git checkout pr93
[SSSD] [sssd PR#93][+Pushed] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93 Title: #93: SSH: Use default_domain_suffix for users' authorized keys Label: +Pushed
[SSSD] [sssd PR#93][-Accepted] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93 Title: #93: SSH: Use default_domain_suffix for users' authorized keys Label: -Accepted
[SSSD] [sssd PR#117][+Accepted] Fix compilation with python3.6
URL: https://github.com/SSSD/sssd/pull/117 Title: #117: Fix compilation with python3.6 Label: +Accepted
[SSSD] [sssd PR#117][comment] Fix compilation with python3.6
URL: https://github.com/SSSD/sssd/pull/117
Title: #117: Fix compilation with python3.6

jhrozek commented:
"""
ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/117#issuecomment-269948911
[SSSD] [sssd PR#107][+Changes requested] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107 Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler Label: +Changes requested
[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/107#issuecomment-270630387
[SSSD] [sssd PR#107][+Accepted] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107 Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler Label: +Accepted
[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
hmm, it seems I was wrong and at least with systemd (is that the difference?) when we kill the whole process group also the nss and pam responders (that were started explicitly) are killed. So I was wrong. Can you please retest if you see the same?

But in general I think we can stick to the previous version, sorry about guiding you down the wrong path.
"""

See the full comment at https://github.com/SSSD/sssd/pull/107#issuecomment-270622372
[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
btw now I'm wondering if the setpgrp should be a separate patch also for stable branches because I guess the bug was present in sssd for quite a long time?
"""

See the full comment at https://github.com/SSSD/sssd/pull/107#issuecomment-270637274
[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
> On 6 Jan 2017, at 16:29, lslebodn <notificati...@github.com> wrote:
>
> On (06/01/17 05:52), Jakub Hrozek wrote:
> >This patch is OK, but only for sssd-1-14. In master, we already fall back to
> >parsing the name string as short name if parsing the qualified name fails.
> >I’m not thrilled about that, because it can conceal legitimate errors, but
> >it’s needed atm to use cache_req everywhere.
> >
> >So yeah, ack to this patch for sssd-1-14
> >
> Do you think that it would be a problem to backport
> 7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 into 1.14
> rather than this patch?
>
> Upstream integration tests passed with it. I haven't tried downstream
> tests.
>

That would also work.

> LS
"""

See the full comment at https://github.com/SSSD/sssd/pull/109#issuecomment-271093554
[SSSD] [sssd PR#106][+Changes requested] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106 Title: #106: Add a new "files" provider Label: +Changes requested
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
Yes, but as I said in the comment (in the part you quoted out), assert_passwd_by_name won't work, because it expects dir and uses dir in its control directory:
```
Traceback (most recent call last):
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/test_files_ops.py", line 55, in test_userdel
    ent.assert_passwd_by_name("user1", USER1)
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/ent.py", line 216, in assert_passwd_by_name
    d = _diff(ent, pattern)
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/ent.py", line 111, in _diff
    d = _diff(ent[key], value, item_map)
KeyError: 'directory'
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-271338295
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
so the solution would be to convert ent.py to not use dir internally either and I'm fine doing that if you think it would help
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-271338530
[SSSD] [sssd PR#89][comment] nss: rewrite nss responder so it uses cache_req
URL: https://github.com/SSSD/sssd/pull/89
Title: #89: nss: rewrite nss responder so it uses cache_req

jhrozek commented:
"""
On Mon, Jan 02, 2017 at 01:53:23AM -0800, Pavel Březina wrote:
> @jhrozek
> * #1126 -- pam, ssh and pac (?) responders needs to be amended, but the
> change there is not that huge.

OK, then let's keep the ticket open. Do you plan on working on this one or would you prefer if someone else took a look?

> * #2320 -- not sure if this is needed anywhere with cache req

I agree if other responders start using cache_req, we don't need this anymore.
"""

See the full comment at https://github.com/SSSD/sssd/pull/89#issuecomment-270023513
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
OK, ready for review, @pbrezina

There is still a commit that generates the default configuration. We already have a PR #108 that reverts this functionality -- I guess it would be best to provide a configure-time option or even a runtime option that would disable the files domain. Otherwise, the files domain would be always enabled and always first.
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-269988218
[SSSD] [sssd PR#106][-Changes requested] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106 Title: #106: Add a new "files" provider Label: -Changes requested
[SSSD] [sssd PR#116][comment] intg: Generate tmp dir with lowercase
URL: https://github.com/SSSD/sssd/pull/116
Title: #116: intg: Generate tmp dir with lowercase

jhrozek commented:
"""
ACK. Can you file a ticket to remove this hack once we have a version of python-requests that works?
"""

See the full comment at https://github.com/SSSD/sssd/pull/116#issuecomment-269989323
[SSSD] [sssd PR#116][+Accepted] intg: Generate tmp dir with lowercase
URL: https://github.com/SSSD/sssd/pull/116 Title: #116: intg: Generate tmp dir with lowercase Label: +Accepted
[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
This patch is OK, but only for sssd-1-14. In master, we already fall back to parsing the name string as short name if parsing the qualified name fails. I’m not thrilled about that, because it can conceal legitimate errors, but it’s needed atm to use cache_req everywhere.

So yeah, ack to this patch for sssd-1-14

> On 6 Jan 2017, at 10:59, lslebodn <notificati...@github.com> wrote:
>
> @jhrozek <https://github.com/jhrozek> Have you already decided whether it
> would be better to have this patch or 7b293a5
> <https://github.com/SSSD/sssd/commit/7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38>?
"""

See the full comment at https://github.com/SSSD/sssd/pull/109#issuecomment-270906940
[SSSD] [sssd PR#106][comment] Add a new "files" provider
URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
I hope you noticed the earlier comment that says "I just set the Changes Requested label so that it's clear to reviewers new patch set is coming up.."
"""

See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-268356995
[SSSD] [sssd PR#113][opened] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.
URL: https://github.com/SSSD/sssd/pull/113 Author: jhrozek Title: #113: Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267. Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/113/head:pr113 git checkout pr113 From 4b2c0ff9c291f41b9009e5e888a51146f1f6384a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 21 Dec 2016 11:17:42 +0100 Subject: [PATCH] TESTS: Add an integration test for sssctl netgroup-show --- src/tests/intg/test_sssctl.py | 27 +++ 1 file changed, 27 insertions(+) diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py index 1c3b9c8..60e2e68 100644 --- a/src/tests/intg/test_sssctl.py +++ b/src/tests/intg/test_sssctl.py @@ -29,6 +29,7 @@ import ldap_ent import config from util import unindent +import sssd_netgroup LDAP_BASE_DN = "dc=example,dc=com" @@ -142,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn): sudo_provider = ldap ldap_uri= {ldap_conn.ds_inst.ldap_url} ldap_search_base= {ldap_conn.ds_inst.base_dn} +ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} """).format(**locals()) create_conf_fixture(request, conf) create_sssd_fixture(request) 
@@ -359,3 +361,28 @@ def test_group_show_basic_fqname_insensitive(ldap_conn, output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"]) assert output.find("Name: camelcasegroup1@LDAP") != -1 assert output.find("Cached in InfoPipe: No") != -1 + + +@pytest.fixture +def add_tripled_netgroup(request, ldap_conn): +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + +ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"]) + +ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)", + "(host2,user2,domain2)"]) + +create_ldap_fixture(request, ldap_conn, ent_list) +return None + + +def test_netgroup_show(ldap_conn, + sanity_rfc2307, + portable_LC_ALL, + add_tripled_netgroup): +res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup") +assert res == sssd_netgroup.NssReturnCode.SUCCESS +assert netgrps == [("host", "user", "domain")] + +output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"]) +assert output.find("Name: tripled_netgroup") != -1 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
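Review bot: The add_tripled_netgroup fixture creates adv_tripled_netgroup with two triples, but test_netgroup_show only ever queries tripled_netgroup, so the multi-triple entry is never exercised. Either add assertions for it (both the get_sssd_netgroups() result and the sssctl netgroup-show output) or drop it from the fixture. The final check would also read better as `assert "Name: tripled_netgroup" in output` than as output.find(...) != -1.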
[SSSD] [sssd PR#94][+Changes requested] Enable {socket, dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94 Title: #94: Enable {socket,dbus}-activation for responders Label: +Changes requested
[SSSD] [sssd PR#110][-Changes requested] Add more DEBUG messages to help admins diagnose Kerberos login failures
URL: https://github.com/SSSD/sssd/pull/110 Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login failures Label: -Changes requested
[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94 Title: #94: Enable {socket,dbus}-activation for responders jhrozek commented: """ Coverity seems to have detected a warning:

Error: CHECKED_RETURN (CWE-252):
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:323: check_return: Calling "sss_cmd_empty_packet" without checking return value (as is done elsewhere 4 out of 5 times).
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1401: example_assign: Example 1: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1402: example_checked: Example 1 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1424: example_assign: Example 2: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1425: example_checked: Example 2 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1097: example_assign: Example 3: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1098: example_checked: Example 3 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/common/responder_cmd.c:85: example_assign: Example 4: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/common/responder_cmd.c:86: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
# 321| DEBUG(SSSDBG_TRACE_FUNC, "setautomntent did not find requested map\n");
# 322| /* Notify the caller that this entry wasn't found */
# 323|-> sss_cmd_empty_packet(pctx->creq->out);
# 324| } else {
# 325| DEBUG(SSSDBG_TRACE_FUNC, "setautomntent found data\n");

I'm not sure if it's legit or if we just passed a threshold of checked/unchecked ratio, but it would be nice to not add any new warnings with new commits.

Could you please add a more verbose comment to the commits that enable the responder socket activation (either the first one, autofs, or just copy to all) that explain why the BindsTo option was added and what the workflow is for socket-activated responders and starting and stopping the sssd service?

Similarly, can you please explain in the commit message that adds the `--unprivileged-start` option that the log files are chowned by the unit file and the socket files created by sssd in the most common scenario of this option? I was even wondering if the option would be better named `--socket-activated-start` but I don't have strong feelings about it.

There is a typo in the commit that changes the PAM responder `unprivileged_unprivileged_start`, which would be nice to fix in the commit where it was introduced, so that every commit can be compiled on its own and we can always use bisect.

I have a bit of trouble reading `client_registration()` after `MONITOR: Deal with socket-activated responders`. Could we please change `client_registration()` so that the ifdefs are a bit less interleaved with the non-systemd code? Even at the cost of a little code duplication, I think this:
```
#ifdef HAVE_SYSTEMD
    systemd_client_registration(args..)
#else
    managed_client_registration(args..)
#endif /* HAVE_SYSTEMD */
```
is IMO preferred over the ifdefs being sprinkled around in the code.

About `MAN: Mention that the services' list is optional`, are you sure just enabling the socket is all that is needed? Doesn't the admin also need to enable the service in addition to the socket?

`MONITOR: Let the responder know whether it was socket-activated`: do you think this commit is needed? Could the responder learn that it's socket activated when it goes through `activate_unix_sockets()` or is that too late? Please note I'm not against this commit per se, I'm just trying to see if we can simplify the code.

I'm not sure I understand the `time_t` pointer being added to the responder context.
Shouldn't we only care about the requests from the client, like NSS or D-Bus?

I mostly just read the code, but I'm afraid I'm still having issues with the socket-activated PAM responder. My sssd.conf is as follows:
```
[sssd]
services = nss
user = sssd
domains = ipa.test
```
I enabled and started the sssd-pam responder socket, then tried to log in as an IPA user, but I'm getting:
```
Dec 21 09:57:04 client.ipa.test su[30415]: pam_sss(su-l:auth): Request to sssd failed. Public socket has wrong ownership or permissions
```
The socket was created as:
```
srw-rw-rw-. 1 sssd sssd 0 Dec 21 09:56 /var/lib/sss/pipes/pam
```
I built sssd
[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109 Title: #109: SSSCTL: fix netgroup-show parsing jhrozek commented: """ btw I also added a test in PR #113 so that we don't regress again """ See the full comment at https://github.com/SSSD/sssd/pull/109#issuecomment-268489241
[SSSD] [sssd PR#107][+Changes requested] WATCHDOG: Avoid non async-signal-safe from the signal_handler
URL: https://github.com/SSSD/sssd/pull/107 Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler Label: +Changes requested
[SSSD] [sssd PR#109][+Accepted] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109 Title: #109: SSSCTL: fix netgroup-show parsing Label: +Accepted
[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109 Title: #109: SSSCTL: fix netgroup-show parsing jhrozek commented: """ Thank you, the patch works well. Just please note that after 7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 was committed, this patch would only apply for sssd-1-14. That said, I'm not sure if 7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 is something we want, so for the time being (and because many developers are already out for the Christmas holidays), I'm just adding the accepted label now but would only push the commit later. """ See the full comment at https://github.com/SSSD/sssd/pull/109#issuecomment-268488768
[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages
URL: https://github.com/SSSD/sssd/pull/112 Title: #112: FAILOVER: Improve port status log messages jhrozek commented: """ I have two comments:
1. The new debug message has "louder" debug level than the one that sets the port as non-working. I would suggest to also change the 'not working' debug message to MINOR_FAILURE
2. I'm not sure it's correct to say that there is 'no relationship' between the message and the networking status, but not a 'direct relationship' or '1:1 mapping' I'm not sure how to reword the message better though, do you think it would make sense to say something like 'even if the network port is reachable, the internal port can be marked as not working if sssd is not able to complete the full connection request'
""" See the full comment at https://github.com/SSSD/sssd/pull/112#issuecomment-268471510
[SSSD] [sssd PR#112][+Changes requested] FAILOVER: Improve port status log messages
URL: https://github.com/SSSD/sssd/pull/112 Title: #112: FAILOVER: Improve port status log messages Label: +Changes requested
[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages
URL: https://github.com/SSSD/sssd/pull/112 Title: #112: FAILOVER: Improve port status log messages jhrozek commented: """ I wonder if @mzidek-rh has any more comments """ See the full comment at https://github.com/SSSD/sssd/pull/112#issuecomment-268471546
[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages
URL: https://github.com/SSSD/sssd/pull/112 Title: #112: FAILOVER: Improve port status log messages jhrozek commented: """ ok to test """ See the full comment at https://github.com/SSSD/sssd/pull/112#issuecomment-268183489
[SSSD] [sssd PR#109][-Changes requested] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109 Title: #109: SSSCTL: fix netgroup-show parsing Label: -Changes requested
[SSSD] [sssd PR#89][comment] nss: rewrite nss responder so it uses cache_req
URL: https://github.com/SSSD/sssd/pull/89 Title: #89: nss: rewrite nss responder so it uses cache_req jhrozek commented: """ @pbrezina @lslebodn is there any more work needed on https://fedorahosted.org/sssd/ticket/1126 or https://fedorahosted.org/sssd/ticket/2320 ? Do we anticipate to work on other responders? The end goal is to support https://fedorahosted.org/sssd/ticket/843 and https://fedorahosted.org/sssd/ticket/3001 """ See the full comment at https://github.com/SSSD/sssd/pull/89#issuecomment-268193885
[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing
URL: https://github.com/SSSD/sssd/pull/109 Title: #109: SSSCTL: fix netgroup-show parsing jhrozek commented: """ Ah, I didn't realize we don't read the objectclass attribute by default. The following hunk should fix it: ``` @@ -219,12 +233,14 @@ static const char **sssctl_build_attrs(TALLOC_CTX *mem_ctx, /* no op */ } -attrs = talloc_zero_array(mem_ctx, const char *, count + 1); +attrs = talloc_zero_array(mem_ctx, const char *, count + 2); if (attrs == NULL) { return NULL; } -for (i = 0; i < count; i++) { +attrs[0] = "objectclass"; + +for (i = 1; i < count; i++) { ``` One other nitpick is that you probably want to assign the original name to tmp_name by duplicating the memory to avoid a const-warning: `tmp_name = talloc_strdup(mem_ctx, orig_name);` Finally, please compare the value of the objectclass with strcmp, not pointer comparison: `if ((strcmp(class, SYSDB_USER_CLASS) == 0) || (strcmp(class, SYSDB_GROUP_CLASS) == 0)) {` (and split the line into two, so that it fits into the 80-chars limit) """ See the full comment at https://github.com/SSSD/sssd/pull/109#issuecomment-267568893 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
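Review bot: In the sssctl_build_attrs hunk, the loop now starts at `i = 1` but its bound is still `i < count`, so it runs count - 1 times even though the array was grown to `count + 2` (the count requested attributes, "objectclass", and the NULL terminator). Unless the loop body, which is outside the visible lines, is changed to read the source at `i - 1` and the bound becomes `i <= count`, the last requested attribute is never copied. A short comment next to `count + 2` naming the two extra slots would also help the next reader.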
[SSSD] [sssd PR#111][closed] BUILD: Find a host-prefixed krb5-config when cross-compiling
URL: https://github.com/SSSD/sssd/pull/111 Author: dm0- Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/111/head:pr111 git checkout pr111
[SSSD] [sssd PR#111][+Pushed] BUILD: Find a host-prefixed krb5-config when cross-compiling
URL: https://github.com/SSSD/sssd/pull/111 Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling Label: +Pushed
[SSSD] [sssd PR#111][comment] BUILD: Find a host-prefixed krb5-config when cross-compiling
URL: https://github.com/SSSD/sssd/pull/111 Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling jhrozek commented: """ * master: baadb6080be0ec5cee2e351c3d5324d755f86f9c """ See the full comment at https://github.com/SSSD/sssd/pull/111#issuecomment-267571456
[SSSD] [sssd PR#111][+Accepted] BUILD: Find a host-prefixed krb5-config when cross-compiling
URL: https://github.com/SSSD/sssd/pull/111 Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling Label: +Accepted
[SSSD] [sssd PR#111][comment] BUILD: Find a host-prefixed krb5-config when cross-compiling
URL: https://github.com/SSSD/sssd/pull/111 Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling jhrozek commented: """ ACK, CI: http://sssd-ci.duckdns.org/logs/job/59/21/summary.html (the failure on rawhide is unrelated) """ See the full comment at https://github.com/SSSD/sssd/pull/111#issuecomment-267571038
[SSSD] [sssd PR#67][+Accepted] UTIL: Unset O_NONBLOCK for ldap connection
URL: https://github.com/SSSD/sssd/pull/67 Title: #67: UTIL: Unset O_NONBLOCK for ldap connection Label: +Accepted
[SSSD] [sssd PR#94][+Changes requested] Enable {socket, dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94 Title: #94: Enable {socket,dbus}-activation for responders Label: +Changes requested
[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders
URL: https://github.com/SSSD/sssd/pull/94 Title: #94: Enable {socket,dbus}-activation for responders jhrozek commented: """ OK, I don't have any more comments than those inline. Thank you for the patches, really nice work. I'm just setting the Changes Requested label so that it's clear I'm done with my review. But since this patchset touches such low-level components I would prefer another SSSD developer to provide another review as well. """ See the full comment at https://github.com/SSSD/sssd/pull/94#issuecomment-272657182
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ rebased on master """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-288860242
[SSSD] [sssd PR#192][comment] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library jhrozek commented: """ Thank you, the patches now look good to me. I'm only waiting for the CI run before the final ACK, but it should be noted again that the review was mostly based on reading the code and checking for regressions. I didn't do a very thorough review of the cert mapping library, but given that it requires knowledge I don't have, it's well tested and the API looks OK, then I think the review is sufficient. """ See the full comment at https://github.com/SSSD/sssd/pull/192#issuecomment-288650247
[SSSD] [sssd PR#192][+Accepted] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library Label: +Accepted
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """
On Tue, Mar 21, 2017 at 10:31:10AM -0700, mzidek-rh wrote:
> Nitpick: In the contrib/kcm_default_ccache it would be good to indicate (in
> the comments) where the snippet belongs.

Done.

> It is written in the commit message, but if someone just opens the file
> he/she

The gender neutral pronoun is they :-P
""" See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-288195004
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ CI on the rebased patches: http://sssd-ci.duckdns.org/logs/job/65/45/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-288949515
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ @lslebodn I pushed a new patchset that should fix the warning in the kcm_queue test, can you verify if all warnings you saw are fixed? """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-289021612
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ OK, hopefully final CI run: http://sssd-ci.duckdns.org/logs/job/65/48/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-289083382
[SSSD] [sssd PR#215][edited] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Author: jhrozek Title: #215: Support for non-POSIX users and groups Action: edited Changed field: body Original value: """ This PR implements https://pagure.io/SSSD/sssd/issue/3310

The goal is to enable application users through the Apache modules or directly through the IFP interface and the PAM interface to authenticate users.

To reproduce, you can add users w/o POSIX information like this to LDAP:

dn: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test
displayName: new user
uid: nonposix
krbCanonicalName: nonpo...@ipa.test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: mepOriginEntry
initials: nu
sn: user
mail: nonpo...@ipa.test
krbPrincipalName: nonpo...@ipa.test
givenName: new
cn: new user

And optionally add the user to groups, like this:

dn: cn=npgr2,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
cn: npgr2
member: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test

Then, the D-Bus calls like GetUserAttrs should resolve extra attributes of the users, the groups the users are in should be resolvable as well. In addition, PAM authentication should work against application domains as long as the service invoking the PAM conversation is listed in the 'pam_app_services' option. """
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ CI: http://sssd-ci.duckdns.org/logs/job/65/97/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-289805144
[SSSD] [sssd PR#213][+Accepted] intg: Remove bashism from intgcheck-prepare
URL: https://github.com/SSSD/sssd/pull/213 Title: #213: intg: Remove bashism from intgcheck-prepare Label: +Accepted
[SSSD] [sssd PR#213][comment] intg: Remove bashism from intgcheck-prepare
URL: https://github.com/SSSD/sssd/pull/213 Title: #213: intg: Remove bashism from intgcheck-prepare jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/213#issuecomment-289805740
[SSSD] [sssd PR#197][closed] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Author: jhrozek Title: #197: KCM responder Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/197/head:pr197 git checkout pr197
[SSSD] [sssd PR#197][+Pushed] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder Label: +Pushed
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ Pushed to master: """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-289382353
[SSSD] [sssd PR#215][+Pushed] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups Label: +Pushed
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ * master: """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290392226
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ retest this please """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290113327
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ I fixed the minor issues in comments and the man pages. I also fixed the issue in the Kerberos provider with the following hunk: ``` diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 0aa25ac..2faf18d 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -42,6 +42,8 @@ #include "providers/krb5/krb5_utils.h" #include "providers/krb5/krb5_ccache.h" +#define NON_POSIX_CCNAME_FMT "MEMORY:sssd_nonposix_dummy_%u" + static int krb5_mod_ccname(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, struct sss_domain_info *domain, @@ -317,7 +319,12 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, case DOM_TYPE_APPLICATION: DEBUG(SSSDBG_TRACE_FUNC, "Domain type application, will use in-memory ccache\n"); -kr->ccname = talloc_asprintf(kr, "MEMORY:%s", kr->pd->user); +/* We don't care about using cryptographic randomness, just + * a non-predictable ccname, so using rand() here is fine + */ +kr->ccname = talloc_asprintf(kr, + NON_POSIX_CCNAME_FMT, + rand() % UINT_MAX); if (kr->ccname == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); return ENOMEM; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index e9fe185..cbbc892 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c 
@@ -1572,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n"); } +/* In a non-POSIX environment, we only care about the return code from + * krb5_child, so let's not even attempt to create the ccache + */ +if (kr->posix_domain == false) { +DEBUG(SSSDBG_TRACE_LIBS, + "Finished authentication in a non-POSIX domain\n"); +goto done; +} + /* If kr->ccname is cache collection (DIR:/...), we want to work * directly with file ccache (DIR::/...), but cache collection * should be returned back to back end. @@ -1613,18 +1622,6 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, "add_ticket_times_and_upn_to_response failed.\n"); } -/* In a non-POSIX environment, we only care about the return code from - * krb5_child, so let's just destroy the credentials immediatelly - */ -if (kr->posix_domain == false) { -kerr = sss_krb5_cc_destroy(kr->ccname, kr->uid, kr->gid); -if (kerr != EOK) { -DEBUG(SSSDBG_OP_FAILURE, - "Failed to destroy the in-memory ccache\n"); -goto done; -} -} - kerr = 0; done: diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 12c8dfc..66ae68f 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx, return ENOMEM; } +/* Only needed to generate random ccache names for non-POSIX domains */ +srand(time(NULL) * getpid()); + ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, >opts); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n", ``` I'm not sure if the srand and rand calls are nice, if you prefer I can just use some hardcoded name like you suggested.. And I also fixed the issue with the short boolean evaluations with the following hunk: ``` diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index e51cf80..7400dc1 100644 --- a/src/providers/ldap/ldap_id.c 
+++ b/src/providers/ldap/ldap_id.c @@ -297,7 +297,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, } } -if (state->non_posix == true) { +if (state->non_posix) { state->filter = talloc_asprintf(state, "(&%s(objectclass=%s)(%s=*))", user_filter, diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c index 17f1cdf..91e481c 100644 --- a/src/providers/ldap/sdap_async_enum.c +++ b/src/providers/ldap/sdap_async_enum.c @@ -754,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx, goto fail; } -if (non_posix == false && use_mapping) { +if (!non_posix && use_mapping) { /* If we're ID-mapping, check for the objectSID as well */ state->filter = tallo
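Review bot: In krb5_auth_prepare_ccache_name, the new comment asks for a non-predictable ccname, but the value comes from `rand()` seeded with `time(NULL) * getpid()`, both of which are guessable, and nothing stops two concurrent requests from drawing the same name. `rand() % UINT_MAX` is also a no-op, because rand() never returns more than RAND_MAX. If the name only has to differ per request, a per-process counter says that more directly; in either case reword the comment so it states which property the name actually needs.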
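Review bot: In get_and_save_tgt, the new `goto done` for `kr->posix_domain == false` jumps over the `kerr = 0;` that sits directly before the `done:` label, so the return code on the non-POSIX path is whatever kerr held from the preceding call. Set `kerr = 0` explicitly before the jump. The early exit also skips the add_ticket_times_and_upn_to_response step whose failure message is visible in the next hunk's context; the comment should say whether a non-POSIX response is meant to go out without it.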
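Review bot: In sssm_krb5_init, calling `srand()` reseeds the process-wide generator as a side effect of initializing the provider, which changes the sequence seen by any other rand() caller in the same process, and the product `time(NULL) * getpid()` is silently truncated to the unsigned int that srand() takes. If the ccache name moves to a counter or a fixed dummy name, this hunk can be dropped entirely; otherwise keep the generator state local to the ccname code.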
[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208 Title: #208: IFP: Filter with * in Users.ListByName method jhrozek commented: """
On Thu, Mar 30, 2017 at 03:46:20AM -0700, Pavel Březina wrote:
> @jhrozek I agree there is a bug there. I just want to confirm one thing -- do
> we want to allow filter without any character in it? Something tells me it
> was a design decision that we won't allow "*" as filter since it basically
> triggers enumeration which is not desirable.

I'm not sure, does it work now with '*' ?
""" See the full comment at https://github.com/SSSD/sssd/pull/208#issuecomment-290376593
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """ the new PR just amends the manpage description of the non-POSIX domains """ See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290368513
[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208 Title: #208: IFP: Filter with * in Users.ListByName method jhrozek commented: """
On Thu, Mar 30, 2017 at 03:46:20AM -0700, Pavel Březina wrote:
> @jhrozek I agree there is a bug there. I just want to confirm one thing -- do
> we want to allow filter without any character in it? Something tells me it
> was a design decision that we won't allow "*" as filter since it basically
> triggers enumeration which is not desirable.

Of course the wildcard is what the patch is about :) I don't think we specifically disallowed '*', but we introduced the limit to avoid full enumeration, see https://fedorahosted.org/sssd/wiki/DesignDocs/WildcardRefresh
""" See the full comment at https://github.com/SSSD/sssd/pull/208#issuecomment-290376972
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """
On Thu, Mar 30, 2017 at 02:53:18AM -0700, sumit-bose wrote:
> I tested the patches with a plain LDAP setup and with an AD. In general they work as expected and since I think the current code is ok I would ACK the patches so that the following observations can be fixed later.
>
> First I have a question about the usage of [application/...] domains. Is it expected that [application/...] requires inherit_from and cannot be configured explicitly? If I use [domain/] and domain_type = application it works, but if I replace those two lines by [application/...] SSSD won't start.

I didn't think about testing this, frankly. I tested a separate domain with the application type which might be useful if you want to e.g. use a different bind method but not this. I think it's a valid case that can be fixed later.

> 'sssctl config-check' does not like if [application/...] has other options than inherit_from, even the example from the man page causes '[rule/allowed_application_options]: Attribute 'ldap_user_extra_attrs' is not allowed in section 'application/ad-app-2'. Check for typos.'

Hmm, the regex uses (domain|application) in the rules, but I'm not sure if the regex supports the OR..apparently not..

> When using [application/...] with the ad provider other domains than the one the client is joined to are treated as POSIX domains even if only the application domain is listed in the domains option of sssd.conf.
>
> Given the last observation it might be useful to say in the man page that currently the primary and mainly tested use-case is together with the ldap provider and more complex use cases will be evaluated in upcoming releases?

Yes, this is what we talked about with the ManageIQ developers. Since for now the use-case is a replacement for their LDAP connector, I think we should document this and check later.

But with the autodiscovered domains, we also need to do some tricks to rename the autodiscovered domains to avoid clashes with subdomains from POSIX domains in a mixed setup. So if you agree, I will file three tickets for each of the cases and fix them later. I will just fix the manpage for now to make it clear only LDAP domains are supported now.
"""
See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290364050
[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups
URL: https://github.com/SSSD/sssd/pull/215 Title: #215: Support for non-POSIX users and groups jhrozek commented: """
On Thu, Mar 30, 2017 at 01:59:20AM -0700, Pavel Březina wrote:
> I got error in enumeration as well with my secrets patch (definitely not related), but on debian and in different test:
> http://sssd-ci.duckdns.org/logs/job/66/45/debian_testing/ci-build-debug/ci-make-intgcheck.log

And this was with the non-POSIX patches applied as well? Should I look into the enumeration issues with non-POSIX or does it mean the enumeration tests are flaky?
"""
See the full comment at https://github.com/SSSD/sssd/pull/215#issuecomment-290353372
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ Thank you for the testing and the review, I hope I addressed all comments. """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-288486811
[SSSD] [sssd PR#197][-Changes requested] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder Label: -Changes requested
[SSSD] [sssd PR#197][comment] KCM responder
URL: https://github.com/SSSD/sssd/pull/197 Title: #197: KCM responder jhrozek commented: """ I pushed new patches. CI passed: http://sssd-ci.duckdns.org/logs/job/65/29/summary.html """ See the full comment at https://github.com/SSSD/sssd/pull/197#issuecomment-288756506
[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() jhrozek commented: """ CI passed: http://sssd-ci.duckdns.org/logs/job/65/30/summary.html Coverity is also clean """ See the full comment at https://github.com/SSSD/sssd/pull/207#issuecomment-288759704
[SSSD] [sssd PR#192][+Accepted] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library Label: +Accepted
[SSSD] [sssd PR#192][comment] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library jhrozek commented: """
* master:
  * c44728a02d5e2c9eaced11e74820a6ae6a985f61
  * 49f8ec8e0a3723a748bdb043d6dc1fb2a3977a8a
  * b341ee51cffd98b642b9c68a417f8a7504e303a1
  * 81c564a0692aa4b719af2219f52894e6cd4bdf9f
  * 70c0648f021ded3d31313eb962e1ad140f242673
  * 3994e8779d16db3e9fb30f03e5ecf5e811095ac2
  * 31a6661ff2a640fbcf97460df2415fd1bab309b5
  * db36dca3d45e6eefbb30042ee65876566f1a6014
  * 8b7548f65a0d812a47d26895671ec6f01b6813c1
  * 843bc50c04afa6e4f4a4561d887bbbd5f7101ce1
"""
See the full comment at https://github.com/SSSD/sssd/pull/192#issuecomment-288775134
[SSSD] [sssd PR#192][closed] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Author: sumit-bose Title: #192: Add certificate mapping library Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/192/head:pr192
git checkout pr192
[SSSD] [sssd PR#203][comment] IPA: Enhance debug logging for ipa s2n operations
URL: https://github.com/SSSD/sssd/pull/203 Title: #203: IPA: Enhance debug logging for ipa s2n operations jhrozek commented: """
* master:
  * cd83aead3c9799ac05d8f8977dbb92bbd399c6d5
  * a04bef313508c423ed06cc54805a3b8106ab90cd
"""
See the full comment at https://github.com/SSSD/sssd/pull/203#issuecomment-288776660
[SSSD] [sssd PR#207][+Pushed] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() Label: +Pushed
[SSSD] [sssd PR#203][closed] IPA: Enhance debug logging for ipa s2n operations
URL: https://github.com/SSSD/sssd/pull/203 Author: justin-stephenson Title: #203: IPA: Enhance debug logging for ipa s2n operations Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/203/head:pr203
git checkout pr203
[SSSD] [sssd PR#207][-Accepted] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() Label: -Accepted
[SSSD] [sssd PR#203][+Pushed] IPA: Enhance debug logging for ipa s2n operations
URL: https://github.com/SSSD/sssd/pull/203 Title: #203: IPA: Enhance debug logging for ipa s2n operations Label: +Pushed
[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() jhrozek commented: """ The code works fine: ``` >>> print >>> pysss_nss_idmap.getlistbycert("MIIC8zCCAdugAwIBAgIJAPktuv1fxruLMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNVBAMMBXR1c2VyMB4XDTE3MDMwODEwMzU1MFoXDTE4MDMwODEwMzU1MFowEDEOMAwGA1UEAwwFdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuqwIDSxK06tgeW5NKHAnpjElosrV4QkxA9XcG9JvLfVhZLPR2NZlzWRYUUGf/B1up7YbpPOLiFp6UsV/IziHQpvB+ENg6JyPJvgT+ylEKQpaKUqg3qPp5u7yw+h5RfhnqtzzsxdvYUfhBHb/D7/Rflm0aD/6GpOl/oEDC71rA7CV4nRisrJGuS9QUiuADvcf8ys7GddkphuNRp3r8J3TLv25YibrFHfvr455/EWztulrRP8pLBVwe7BYiy74Q01nbyw2bWDHa1kvJ97BEQMyYHi9jePKheuatIg00rIuw6z33HAQeXu9Eq259mvOTcsgHQY1x7T9QAZapvZWiJRNtAgMBAAGjUDBOMB0GA1UdDgQWBBQ/zxIB0eBccxbVa4ZAPFtFwEClbTAfBgNVHSMEGDAWgBQ/zxIB0eBccxbVa4ZAPFtFwEClbTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAtJqzpVgxv8DnrwGUfImuMRv58hZRmmswniNu2AhSm4jnTKyUrBubDQRTyPOSs8lDSzgAARfxueQZ357t3+gLI+15pb5oAOos5uzOiRyBL81DUq8gKLpWIk4OnhsGR8cfzp8YQI7i4/8k00Gc+JmH6za2m67ddgWnfIOv4js+P+1OUgTP1HfD5eL6lRQMqgaScJB+PtkUznm7qzzRvw9FQ1fRe0FjGVoxRm2lhioRaasieQiCBKHKMWlVvLnMbTvov7foPPB5Rmj1p59M+xltrTJQSE6XORJCvOlvtWNrNmGjRZKAK5hpxifzIa6SWquT+PS/BIjzkNN8D7Tcnq7zk") {'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': [{'type': 1, 'name': u'anotheru...@ipa.test'}, {'type': 1, 'name': u'tu...@ipa.test'}]} ``` And also looks OK to me, ACK """ See the full comment at https://github.com/SSSD/sssd/pull/207#issuecomment-288771713 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#207][+Accepted] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() Label: +Accepted
[SSSD] [sssd PR#192][-Accepted] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library Label: -Accepted
[SSSD] [sssd PR#192][+Pushed] Add certificate mapping library
URL: https://github.com/SSSD/sssd/pull/192 Title: #192: Add certificate mapping library Label: +Pushed
[SSSD] [sssd PR#207][closed] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Author: sumit-bose Title: #207: nss-idmap: add sss_nss_getlistbycert() Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/207/head:pr207
git checkout pr207
[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()
URL: https://github.com/SSSD/sssd/pull/207 Title: #207: nss-idmap: add sss_nss_getlistbycert() jhrozek commented: """
* master:
  * a0b1bfa76073d3ce3208e67e6d72bb92088edac5
  * 440797cba931aa491bf418035f55935943e22b4b
"""
See the full comment at https://github.com/SSSD/sssd/pull/207#issuecomment-288776089