[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2016-12-12 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
On Mon, Dec 12, 2016 at 07:30:30AM -0800, Simo Sorce wrote:
> well you could have a global variable for the watchdog and change it from a
> custom signal handler, but the point of the watchdog is to go through the
> tevent handler instead so that we are sure the machinery is working and not
> stuck somewhere.
> Resetting directly from the signal handler would bypass all processing and
> therefore render the watchdog useless I guess.

The problem here (as I understand it, Pavel or Fabiano can correct me if
I'm wrong) is that the watchdog increases the counter inside a POSIX
signal handler, but resets the counter in a tevent timer (to make sure
the mainloop is being processed).

Now, if the time drifts, we still are receiving the monotonic SIGRT
signals into the POSIX handlers, but because the tevent timer never
gets invoked (it's set to be invoked in a time in the future, because
the time drifted), we never reset the counter.

We can detect the time has drifted in the POSIX SIGRT handler, the
question I'm trying to answer is how should we restart the tevent timer
when we receive the SIGRT signal, but because we are in the POSIX
handler, we are quite restricted in what we can do.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/107#issuecomment-266462611
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
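
The watchdog behaviour discussed in the message above, as an added C sketch that is not SSSD's code: a signal handler counts ticks, only the main loop resets the count, and a wall-clock jump is reported to the main loop through a self-pipe, since `write()` is async-signal-safe. The self-pipe is one possible answer to the question raised; the simulated clock `wd_clock`, the constants and every `wd_*` name are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define WD_MAX_TICKS 3   /* missed ticks tolerated before the watchdog fires */
#define WD_INTERVAL  10  /* seconds between ticks (constructed value) */

/* Everything the handler touches is a volatile sig_atomic_t. */
static volatile sig_atomic_t wd_ticks;    /* ++ in handler, reset by main loop */
static volatile sig_atomic_t wd_expired;  /* a real daemon would terminate here */
static volatile sig_atomic_t wd_last;     /* wall clock seen at the previous tick */
static volatile sig_atomic_t wd_clock;    /* simulated wall clock (assumption) */
static volatile sig_atomic_t wd_detect;   /* 0 = no time-shift detection */
static volatile sig_atomic_t wd_wfd = -1; /* write end of the self-pipe */
static int wd_rfd = -1;                   /* read end, used by the main loop only */
static long wd_timer_due;                 /* stand-in for the tevent timer */

static void wd_handler(int sig)
{
    int saved_errno = errno;              /* write() may clobber errno */
    sig_atomic_t now = wd_clock;
    char byte = 1;

    (void)sig;
    /* The wall clock went backwards or leapt ahead, so the main-loop timer is
     * scheduled at the wrong time. Only async-signal-safe calls are allowed
     * here: poke the main loop through the pipe and let it re-arm the timer. */
    if (wd_detect && (now < wd_last || now > wd_last + 2 * WD_INTERVAL)) {
        if (write(wd_wfd, &byte, 1) < 0) { /* EAGAIN: wake-up already queued */ }
    }
    wd_last = now;
    /* The counter is never reset here; only a running main loop may do that. */
    if (++wd_ticks > WD_MAX_TICKS) {
        wd_expired = 1;
    }
    errno = saved_errno;
}

/* Timer callback body: reset the counter and schedule the next reset. */
static void wd_rearm(void)
{
    wd_ticks = 0;
    wd_timer_due = (long)wd_clock + WD_INTERVAL;
}

/* One main-loop pass: a pipe wake-up or a due timer both re-arm. */
static void wd_loop_iteration(void)
{
    char buf[16];
    if (read(wd_rfd, buf, sizeof(buf)) > 0 || wd_clock >= wd_timer_due) {
        wd_rearm();
    }
}

static int wd_setup(int detect)
{
    struct sigaction sa;
    int fds[2];
    if (wd_rfd >= 0) { close(wd_rfd); close((int)wd_wfd); }
    if (pipe(fds) != 0) return -1;
    /* Non-blocking ends: the handler must never block on a full pipe. */
    if (fcntl(fds[0], F_SETFL, O_NONBLOCK) < 0) return -1;
    if (fcntl(fds[1], F_SETFL, O_NONBLOCK) < 0) return -1;
    wd_rfd = fds[0]; wd_wfd = fds[1];
    wd_detect = detect; wd_expired = 0; wd_clock = 1000; wd_last = 1000;
    wd_rearm();
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = wd_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGRTMIN, &sa, NULL);
}

/* Constructed scenario: the clock jumps back from 1000 to 500, then `nticks`
 * watchdog signals arrive. Returns 1 if the watchdog fired, 0 if not. */
int wd_scenario(int detect, int loop_alive, int nticks)
{
    int i;
    if (wd_setup(detect) != 0) return -1;
    wd_clock = 500;                       /* the time shift */
    for (i = 0; i < nticks; i++) {
        wd_clock += WD_INTERVAL;
        raise(SIGRTMIN);                  /* stands in for the periodic SIGRT */
        if (loop_alive) wd_loop_iteration();
    }
    return wd_expired;
}

int main(void)
{
    printf("no detection, live loop: fired=%d\n", wd_scenario(0, 1, 5));
    printf("detection, live loop:    fired=%d\n", wd_scenario(1, 1, 5));
    printf("detection, stuck loop:   fired=%d\n", wd_scenario(1, 0, 5));
    return 0;
}
```

Because the handler only notifies and never resets the counter, a stuck main loop still trips the watchdog, which keeps the property Simo Sorce asks for in the quoted text.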


[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders

2017-01-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
On Fri, Jan 13, 2017 at 02:52:49AM -0800, fidencio wrote:
> On Fri, Jan 13, 2017 at 11:42 AM, Jakub Hrozek <notificati...@github.com>
> wrote:
> 
> > *@jhrozek* commented on this pull request.
> > --
> >
> > In src/util/util.c
> > <https://github.com/SSSD/sssd/pull/94#pullrequestreview-16544855>:
> >
> > > @@ -1277,3 +1279,12 @@ bool is_user_or_group_name(const char 
> > > *sudo_user_value)
> >  /* Now it's either a username or a groupname */
> >  return true;
> >  }
> > +
> > +bool is_socket_activated(void)
> > +{
> > +#ifdef HAVE_SYSTEMD
> > +return !!socket_activated;
> >
> > Why the double negative here? is it converting int to bool?
> >
> 
> That's exactly the case.
> I may be mistaken in the way I implemented it, but the value got from the
> command line is stored as an int and in this function I'm just returning
> true/false indicating whether the service was socket-activated.
> 
> I'm not sure if I can just store the command line option as a bool, but
> I've seen it's not done with other bool command options (as debug-to-files,
> for example).

No, it looks like popt still only supports int. So this is probably OK,
although I would personally use the tri-state operator, but meh :)

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/94#issuecomment-272498301


[SSSD] [sssd PR#110][synchronized] Add more DEBUG messages to help admins diagnose Kerberos login failures

2017-01-09 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/110
Author: jhrozek
 Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login 
failures
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/110/head:pr110
git checkout pr110
From 12518d42f680572969dc1c3e26ca2274d0527048 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 15 Dec 2016 11:30:13 +0100
Subject: [PATCH] KRB5: Advise the user to inspect the krb5_child.log if the
 child fails with a System Error

It's often not clear to admins where to look further if the krb5_child
fails with a generic error. This patch just adds a DEBUG message
advising the admin to look into the krb5_child.log for more information.

Related:
https://fedorahosted.org/sssd/ticket/2955
---
 src/providers/krb5/krb5_auth.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a5ecb24..bdd8e24 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1023,6 +1023,9 @@ static void krb5_auth_done(struct tevent_req *subreq)
 goto done;
 
 default:
+DEBUG(SSSDBG_IMPORTANT_INFO,
+  "The krb5_child process returned an error. Please inspect the "
+  "krb5_child.log file or the journal for more information\n");
 state->pam_status = PAM_SYSTEM_ERR;
 state->dp_err = DP_ERR_OK;
 ret = EOK;
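Review bot: In the `default:` branch the new DEBUG line reports that krb5_child returned an error but does not print which value fell through to this branch, so an admin reading the domain log has nothing to match against krb5_child.log. Consider adding the unhandled status to the format string, for example `"The krb5_child process returned an error [%d]. Please inspect ..."`, so the two logs can be correlated.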


[SSSD] [sssd PR#113][comment] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/113
Title: #113: Adds an integration test for sssctl netgroup-show so that we don't 
regress again like we did in ticket #3267.

jhrozek commented:
"""
On Fri, Jan 06, 2017 at 02:10:02AM -0800, lslebodn wrote:
> I think you can use prefix "test_sssctl"  instead of tests.

I'm sorry, I'm not sure which prefix you mean here.

> 
> At the same time you can also mention ticket in commit message 
> https://fedorahosted.org/sssd/ticket/3267. "Related to:" or "Test for:"

Done.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/113#issuecomment-271400322


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
All the python-related comments should be fixed and pep8 shouldn't report any 
more errors.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-271395952


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
On Mon, Jan 09, 2017 at 03:17:24AM -0800, Pavel Březina wrote:
> So far it looks good and I have only very few comments. I didn't read the 
> code thoroughly yet.
> 
> *NSS: Skip disabled domains during requests*
> Rename to cache_req: please, because the change is there and not in nss 
> responder.

Done.

> 
> *RESPONDER: A sbus interface to reset negatively cached users*
> *DP: Add internal DP interface to enable and disable domains*
> I will look how much work would it be to implement signals. I believe most of 
> the work has been done already so if we can finish it rather quickly, we 
> should do it right.

Thank you

> 
> *CONFDB: Make pwfield configurable per-domain*
> Can you move 'nss_get_pwfield' into nss_util.c? It doesn't really have 
> anything common with protocol.

That's what I tried to do initially, but nss_util.c doesn't have access
to struct nss_ctx. I wasn't sure if it makes sense to include
nss_private.h into nss_util.c. I'm fine both ways, but the current
version of the patch tried to not include more headers than we already
do.

> 
> *CONFDB: The files domain defaults to "x" as pwfield*
> Are we also able to authenticate with pam_sss without pam_unix?

There is no auth_provider=files, but it should be possible to use
auth_provider=proxy configured with pam_unix.

> 
> *FILES: Add the files provider*
> You say that a domain is disabled during enumeration and we fall back to nss 
> files. Do you expect the update to take a really long time? Wouldn't it be 
> better to just wait until the enumeration is done?

I was thinking about this for some time and it seemed safer to me to
fall back. But just when I was thinking about this again today, I
realized that at least the InfoPipe interface has nowhere to fall back
to, so the behaviour must either differ on the cache_req level between
the nss responder and the ifp responder or we should wait until the
domain updates in both cases.

Maybe we could even do something in-between, but I really wonder if it
is an optimization or over-engineering:
- when a domain is disabled, attach a request and wait
- when a timeout passes, return a 'not found' error
- the responder would be able to configure the timeout (not the
  user, this is really too low level)
- the nss responder would select something quite small (half a
  second?) just to make sure we don't delay lookups too much and the
  ifp responder would select several seconds

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-271395720


[SSSD] [sssd PR#110][comment] Add more DEBUG messages to help admins diagnose Kerberos login failures

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/110
Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login 
failures

jhrozek commented:
"""
Hmm, sorry, I thought I dropped the second patch some time ago already
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/110#issuecomment-271400692


[SSSD] [sssd PR#113][synchronized] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.

2017-01-09 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/113
Author: jhrozek
 Title: #113: Adds an integration test for sssctl netgroup-show so that we 
don't regress again like we did in ticket #3267.
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/113/head:pr113
git checkout pr113
From d7fcc3aab28edc4177ade028e8647932a51102aa Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 21 Dec 2016 11:17:42 +0100
Subject: [PATCH] TESTS: Add an integration test for sssctl netgroup-show

Related: https://fedorahosted.org/sssd/ticket/3267
---
 src/tests/intg/test_sssctl.py | 27 +++
 1 file changed, 27 insertions(+)

diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
index 1c3b9c8..c485996 100644
--- a/src/tests/intg/test_sssctl.py
+++ b/src/tests/intg/test_sssctl.py
@@ -29,6 +29,7 @@
 import ldap_ent
 import config
 from util import unindent
+import sssd_netgroup
 
 LDAP_BASE_DN = "dc=example,dc=com"
 
@@ -142,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):
 sudo_provider   = ldap
 ldap_uri= {ldap_conn.ds_inst.ldap_url}
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
+ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
 """).format(**locals())
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
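Review bot: `ldap_netgroup_search_base` is added to the shared `sanity_rfc2307` fixture with the container hard-coded as `ou=Netgroups`, so the new test only passes while `ent_list.add_netgroup` keeps creating entries under that exact OU, and any other test that uses this fixture now runs with the option set as well. A one-line comment in the fixture saying the value must match what `ldap_ent` writes would make that coupling visible.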
@@ -359,3 +361,28 @@ def test_group_show_basic_fqname_insensitive(ldap_conn,
 output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
 assert output.find("Name: camelcasegroup1@LDAP") != -1
 assert output.find("Cached in InfoPipe: No") != -1
+
+
+@pytest.fixture
+def add_tripled_netgroup(request, ldap_conn):
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"])
+
+create_ldap_fixture(request, ldap_conn, ent_list)
+return None
+
+
+def test_netgroup_show(ldap_conn,
+   sanity_rfc2307,
+   portable_LC_ALL,
+   add_tripled_netgroup):
+output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
+assert "Name: tripled_netgroup" not in output
+
+res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgrps == [("host", "user", "domain")]
+
+output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
+assert "Name: tripled_netgroup" in output
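Review bot: The first assertion in `test_netgroup_show`, `assert "Name: tripled_netgroup" not in output`, depends on the netgroup not being in the cache before `get_sssd_netgroups` is called, and nothing in the test says so. Add a short comment that `sssctl netgroup-show` is expected to show the entry only after the lookup has populated the cache; the `return None` at the end of `add_tripled_netgroup` is also redundant and can be dropped.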


[SSSD] [sssd PR#113][-Changes requested] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/113
Title: #113: Adds an integration test for sssctl netgroup-show so that we don't 
regress again like we did in ticket #3267.

Label: -Changes requested


[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
To me as well. I tested again the watchdog restart and the timeshift and both 
cases work fine.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/107#issuecomment-272409701


[SSSD] [sssd PR#107][+Accepted] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

Label: +Accepted


[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders

2017-01-15 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
oh, and just so that it's known what I tested, I removed the services line 
altogether, then went one-by-one through all the responders and tested them by 
enabling the socket, letting the responder go up, then (because a short timeout 
was used) letting them exit on idle. I also tried killing the services and 
watched systemd restart them.

Of course I read the code :-)

By the way, so far I really like this new way of service management and would 
suggest that in the next version we take a look at (optionally maybe for the 
first version?) socket-activate also the back ends.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/94#issuecomment-272691256


[SSSD] [sssd PR#124][opened] Fix a segfault in IFP's GetUserAttr

2017-01-15 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/124
Author: jhrozek
 Title: #124: Fix a segfault in IFP's GetUserAttr
Action: opened

PR body:
"""
This PR fixes a crash in GetUserAttr. To reproduce, it's enough to:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe 
/org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr 
string:admin array:string:name
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/124/head:pr124
git checkout pr124
From 9be0a2dd82ccde91e1bab19a5857c1481f30f078 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Sun, 15 Jan 2017 10:41:47 +0100
Subject: [PATCH] IFP: Fix GetUserAttr

GetUserAttr used to segfault without this patch.
---
 src/responder/ifp/ifpsrv_cmd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 3a1a177..23f410a 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -537,6 +537,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
 }
 
 state->res = talloc_steal(state, result->ldb_result);
+state->dom = result->domain;
 talloc_zfree(result);
 
 fqdn = sss_create_internal_fqname(state, state->inp_name,
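Review bot: `state->dom = result->domain;` copies a pointer out of `result` one line before `talloc_zfree(result)`, whereas `result->ldb_result` on the line above is moved with `talloc_steal`. Please confirm, ideally in a comment, that the domain is not allocated under `result`; otherwise `state->dom` dangles as soon as `result` is freed. If an unset `state->dom` was the cause of the crash, the commit message should say so, and a regression test for `GetUserAttr` would keep it from coming back.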


[SSSD] [sssd PR#93][comment] SSH: Use default_domain_suffix for users' authorized keys

2016-12-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

jhrozek commented:
"""
master: ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce
sssd-1-14: 2949fe58ac344c44d756ca309d4b2b7f3590cee3 


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/93#issuecomment-265115833


[SSSD] [sssd PR#93][comment] SSH: Use default_domain_suffix for users' authorized keys

2016-12-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

jhrozek commented:
"""
On Mon, Nov 28, 2016 at 05:06:54AM -0800, Pavel Březina wrote:
> Can you also prepare a patch to handle this inside cache_req? Ideally on 
> top of nss patches so we can avoid collisions.
> 

Yes, but since this patch had to be pushed for downstream's sake, I
filed a ticket in the meantime:
https://fedorahosted.org/sssd/ticket/3260

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/93#issuecomment-265116353


[SSSD] [sssd PR#93][closed] SSH: Use default_domain_suffix for users' authorized keys

2016-12-06 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/93
Author: jhrozek
 Title: #93: SSH: Use default_domain_suffix for users' authorized keys
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/93/head:pr93
git checkout pr93


[SSSD] [sssd PR#93][+Pushed] SSH: Use default_domain_suffix for users' authorized keys

2016-12-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

Label: +Pushed


[SSSD] [sssd PR#93][-Accepted] SSH: Use default_domain_suffix for users' authorized keys

2016-12-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

Label: -Accepted


[SSSD] [sssd PR#117][+Accepted] Fix compilation with python3.6

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/117
Title: #117: Fix compilation with python3.6

Label: +Accepted


[SSSD] [sssd PR#117][comment] Fix compilation with python3.6

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/117
Title: #117: Fix compilation with python3.6

jhrozek commented:
"""
ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/117#issuecomment-269948911


[SSSD] [sssd PR#107][+Changes requested] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-03 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

Label: +Changes requested


[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-05 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/107#issuecomment-270630387


[SSSD] [sssd PR#107][+Accepted] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-05 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

Label: +Accepted


[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-05 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
hmm, it seems I was wrong and at least with systemd (is that the difference?) 
when we kill the whole process group also the nss and pam responders (that were 
started explicitly) are killed.

So I was wrong. Can you please retest if you see the same? But in general I 
think we can stick to the previous version, sorry about guiding you down the 
wrong path.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/107#issuecomment-270622372


[SSSD] [sssd PR#107][comment] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2017-01-05 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

jhrozek commented:
"""
btw now I'm wondering if the setpgrp should be a separate patch also for stable 
branches because I guess the bug was present in sssd for quite a long time?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/107#issuecomment-270637274


[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing

2017-01-07 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""

> On 6 Jan 2017, at 16:29, lslebodn <notificati...@github.com> wrote:
> 
> On (06/01/17 05:52), Jakub Hrozek wrote:
> >This patch is OK, but only for sssd-1-14. In master, we already fall back to 
> >parsing the name string as short name if parsing the qualified name fails. 
> >I’m not thrilled about that, because it can conceal legitimate errors, but 
> >it’s needed atm to use cache_req everywhere.
> >
> >So yeah, ack to this patch for sssd-1-14
> >
> Do you think that it would be a problem to backport
> 7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 into 1.14
> rather than this patch?
> 
> Upstream integration tests passed with it. I haven't tried downstream
> tests.
> 

That would also work.

> LS


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/109#issuecomment-271093554


[SSSD] [sssd PR#106][+Changes requested] Add a new "files" provider

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

Label: +Changes requested


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
Yes, but as I said in the comment (in the part you quoted out), 
assert_passwd_by_name won't work, because it expects dir and uses dir in its 
control directory:
```
Traceback (most recent call last):
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/test_files_ops.py", line 55, in test_userdel
    ent.assert_passwd_by_name("user1", USER1)
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/ent.py", line 216, in assert_passwd_by_name
    d = _diff(ent, pattern)
  File "/home/remote/jhrozek/devel/sssd/src/tests/intg/ent.py", line 111, in _diff
    d = _diff(ent[key], value, item_map)
KeyError: 'directory'
```

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-271338295


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2017-01-09 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
so the solution would be to convert ent.py to not use dir internally either and 
I'm fine doing that if you think it would help
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-271338530


[SSSD] [sssd PR#89][comment] nss: rewrite nss responder so it uses cache_req

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/89
Title: #89: nss: rewrite nss responder so it uses cache_req

jhrozek commented:
"""
On Mon, Jan 02, 2017 at 01:53:23AM -0800, Pavel Březina wrote:
> @jhrozek
> * #1126 -- pam, ssh and pac (?) responders needs to be amended, but the 
> change there is not that huge.

OK, then let's keep the ticket open. Do you plan on working on this one
or would you prefer if someone else took a look?

> * #2320 -- not sure if this is needed anywhere with cache req

I agree if other responders start using cache_req, we don't need this
anymore.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/89#issuecomment-270023513


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
OK, ready for review, @pbrezina 

There is still a commit that generates the default configuration. We already 
have a PR #108 that reverts this functionality -- I guess it would be best to 
provide a configure-time option or even a runtime option that would disable the 
files domain. Otherwise, the files domain would be always enabled and always 
first.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-269988218


[SSSD] [sssd PR#106][-Changes requested] Add a new "files" provider

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

Label: -Changes requested


[SSSD] [sssd PR#116][comment] intg: Generate tmp dir with lowercase

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/116
Title: #116: intg: Generate tmp dir with lowercase

jhrozek commented:
"""
ACK. Can you file a ticket to remove this hack once we have a version of 
python-requests that works?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/116#issuecomment-269989323
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#116][+Accepted] intg: Generate tmp dir with lowercase

2017-01-02 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/116
Title: #116: intg: Generate tmp dir with lowercase

Label: +Accepted


[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing

2017-01-06 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
This patch is OK, but only for sssd-1-14. In master, we already fall back to 
parsing the name string as short name if parsing the qualified name fails. I’m 
not thrilled about that, because it can conceal legitimate errors, but it’s 
needed atm to use cache_req everywhere.

So yeah, ack to this patch for sssd-1-14

> On 6 Jan 2017, at 10:59, lslebodn <notificati...@github.com> wrote:
> 
> @jhrozek <https://github.com/jhrozek> Have you already decided whether it 
> would be better to have this patch or 7b293a5 
> <https://github.com/SSSD/sssd/commit/7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38>?
> 


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/109#issuecomment-270906940


[SSSD] [sssd PR#106][comment] Add a new "files" provider

2016-12-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider

jhrozek commented:
"""
I hope you noticed the earlier comment that says "I just set the Changes 
Requested label so that it's clear to reviewers new patch set is coming up.."
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/106#issuecomment-268356995


[SSSD] [sssd PR#113][opened] Adds an integration test for sssctl netgroup-show so that we don't regress again like we did in ticket #3267.

2016-12-21 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/113
Author: jhrozek
 Title: #113: Adds an integration test for sssctl netgroup-show so that we 
don't regress again like we did in ticket #3267.
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/113/head:pr113
git checkout pr113
From 4b2c0ff9c291f41b9009e5e888a51146f1f6384a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 21 Dec 2016 11:17:42 +0100
Subject: [PATCH] TESTS: Add an integration test for sssctl netgroup-show

---
 src/tests/intg/test_sssctl.py | 27 +++
 1 file changed, 27 insertions(+)

diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
index 1c3b9c8..60e2e68 100644
--- a/src/tests/intg/test_sssctl.py
+++ b/src/tests/intg/test_sssctl.py
@@ -29,6 +29,7 @@
 import ldap_ent
 import config
 from util import unindent
+import sssd_netgroup
 
 LDAP_BASE_DN = "dc=example,dc=com"
 
@@ -142,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):
 sudo_provider   = ldap
 ldap_uri= {ldap_conn.ds_inst.ldap_url}
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
+ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
 """).format(**locals())
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
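Review bot: the new ldap_netgroup_search_base line sits in the sanity_rfc2307
configuration, so it changes the setup of every test that uses this fixture,
not only the new netgroup test. A short comment saying that it is there for
test_netgroup_show, and that ou=Netgroups has to match wherever
ldap_ent.List.add_netgroup() puts its entries, would keep a later edit from
dropping it or pointing it at a different container.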
@@ -359,3 +361,28 @@ def test_group_show_basic_fqname_insensitive(ldap_conn,
 output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"])
 assert output.find("Name: camelcasegroup1@LDAP") != -1
 assert output.find("Cached in InfoPipe: No") != -1
+
+
+@pytest.fixture
+def add_tripled_netgroup(request, ldap_conn):
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"])
+
+ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
+   "(host2,user2,domain2)"])
+
+create_ldap_fixture(request, ldap_conn, ent_list)
+return None
+
+
+def test_netgroup_show(ldap_conn,
+   sanity_rfc2307,
+   portable_LC_ALL,
+   add_tripled_netgroup):
+res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+assert res == sssd_netgroup.NssReturnCode.SUCCESS
+assert netgrps == [("host", "user", "domain")]
+
+output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"])
+assert output.find("Name: tripled_netgroup") != -1
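Review bot: add_tripled_netgroup creates adv_tripled_netgroup with two triples,
but test_netgroup_show never looks it up, so the multi-triple case is set up
and not tested. Either assert on it as well (through get_sssd_netgroups and
sssctl netgroup-show) or drop it from the fixture. The sssctl check also only
looks for the "Name:" line; asserting on more of the output would catch more
parsing regressions. The "return None" at the end of the fixture is redundant,
and the commit message has no body: the reference to ticket #3267 from the PR
title belongs there.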


[SSSD] [sssd PR#94][+Changes requested] Enable {socket, dbus}-activation for responders

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

Label: +Changes requested


[SSSD] [sssd PR#110][-Changes requested] Add more DEBUG messages to help admins diagnose Kerberos login failures

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/110
Title: #110: Add more DEBUG messages to help admins diagnose Kerberos login 
failures

Label: -Changes requested


[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
Coverity seems to have detected a warning:

Error: CHECKED_RETURN (CWE-252):
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:323: check_return: Calling 
"sss_cmd_empty_packet" without checking return value (as is done elsewhere 4 
out of 5 times).
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1401: example_assign: Example 
1: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1402: example_checked: 
Example 1 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1424: example_assign: Example 
2: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1425: example_checked: 
Example 2 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1097: example_assign: Example 
3: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/autofs/autofssrv_cmd.c:1098: example_checked: 
Example 3 (cont.): "ret" has its value checked in "ret != 0".
sssd-1.14.90/src/responder/common/responder_cmd.c:85: example_assign: Example 
4: Assigning: "ret" = return value from "sss_cmd_empty_packet(pctx->creq->out)".
sssd-1.14.90/src/responder/common/responder_cmd.c:86: example_checked: Example 
4 (cont.): "ret" has its value checked in "ret != 0".
#  321|   DEBUG(SSSDBG_TRACE_FUNC, "setautomntent did not find 
requested map\n");
#  322|   /* Notify the caller that this entry wasn't found */
#  323|-> sss_cmd_empty_packet(pctx->creq->out);
#  324|   } else {
#  325|   DEBUG(SSSDBG_TRACE_FUNC, "setautomntent found data\n");

I'm not sure if it's legit or if we just passed a threshold of 
checked/unchecked ratio, but it would be nice to not add any new warnings with 
new commits.

Could you please add a more verbose comment to the commits that enable the 
responder socket activation (either the first one, autofs, or just copy to all) 
that explains why the BindsTo option was added and what the workflow is for 
socket-activated responders and starting and stopping the sssd service?

Similarly, can you please explain in the commit message that adds the 
`--unprivileged-start` option that the log files are chowned by the unit file 
and the socket files created by sssd in the most common scenario of this 
option? I was even wondering if the option would be better named 
`--socket-activated-start` but I don't have strong feelings about it.

There is a typo in the commit that changes the PAM responder 
`unprivileged_unprivileged_start`, which would be nice to fix in the commit 
where it was introduced, so that every commit can be compiled on its own and we 
can always use bisect.

I have a bit of trouble reading `client_registration()` after ` MONITOR: Deal 
with socket-activated responders`. Could we please change 
`client_registration()` so that the ifdefs are a bit less interleaved with the 
non-systemd code? Even at the cost of a little code duplication, I think this:
```
#ifdef HAVE_SYSTEMD
systemd_client_registration(args..)
#else
managed_client_registration(args..)
#endif /* HAVE_SYSTEMD */
```
Is IMO preferred over the ifdefs being sprinkled around in the code.

About ` MAN: Mention that the services' list is optional`, are you sure just 
enabling the socket is all that is needed? Doesn't the admin also need to 
enable the service in addition to the socket?

`MONITOR: Let the responder know whether it was socket-activated`: do you think 
this commit is needed? Could the responder learn that it's socket activated 
when it goes through `activate_unix_sockets()` or is that too late? Please note 
I'm not against this commit per se, I'm just trying to see if we can simplify 
the code.

I'm not sure I understand the `time_t` pointer being added to the responder 
context. Shouldn't we only care about the requests from the client, like NSS or 
D-Bus?

I mostly just read the code, but I'm afraid I'm still having issues with the 
socket-activated PAM responder. My sssd.conf is as follows:
```
[sssd]
services = nss
user = sssd

domains = ipa.test
```

I enabled and started the sssd-pam responder socket, then tried to log in as an 
IPA user, but I'm getting:
```
Dec 21 09:57:04 client.ipa.test su[30415]: pam_sss(su-l:auth): Request to sssd 
failed. Public socket has wrong ownership or permissions
```

The socket was created as:
```
srw-rw-rw-. 1 sssd sssd 0 Dec 21 09:56 /var/lib/sss/pipes/pam
```

I built sssd

[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
btw I also added a test in PR #113 so that we don't regress again
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/109#issuecomment-268489241


[SSSD] [sssd PR#107][+Changes requested] WATCHDOG: Avoid non async-signal-safe from the signal_handler

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/107
Title: #107: WATCHDOG: Avoid non async-signal-safe from the signal_handler

Label: +Changes requested


[SSSD] [sssd PR#109][+Accepted] SSSCTL: fix netgroup-show parsing

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

Label: +Accepted


[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
Thank you, the patch works well. Just please note that after 
7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 was committed, this patch would only 
apply for sssd-1-14.

That said, I'm not sure if 7b293a5095ef3e63cd2e3f2ff01b7484bf6dcd38 is 
something we want, so for the time being (and because many developers are 
already out for the Christmas holidays), I'm just adding the accepted label now 
but would only push the commit later.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/109#issuecomment-268488768


[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/112
Title: #112: FAILOVER: Improve port status log messages

jhrozek commented:
"""
I have two comments:
1. The new debug message has a "louder" debug level than the one that sets the 
port as non-working. I would suggest to also change the 'not working' debug 
message to MINOR_FAILURE.
2. I'm not sure it's correct to say that there is 'no relationship' between the 
message and the networking status, but not a 'direct relationship' or '1:1 
mapping'. I'm not sure how to reword the message better though, do you think it 
would make sense to say something like 'even if the network port is reachable, 
the internal port can be marked as not working if sssd is not able to complete 
the full connection request'?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/112#issuecomment-268471510


[SSSD] [sssd PR#112][+Changes requested] FAILOVER: Improve port status log messages

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/112
Title: #112: FAILOVER: Improve port status log messages

Label: +Changes requested


[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages

2016-12-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/112
Title: #112: FAILOVER: Improve port status log messages

jhrozek commented:
"""
I wonder if @mzidek-rh has any more comments
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/112#issuecomment-268471546


[SSSD] [sssd PR#112][comment] FAILOVER: Improve port status log messages

2016-12-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/112
Title: #112: FAILOVER: Improve port status log messages

jhrozek commented:
"""
ok to test
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/112#issuecomment-268183489


[SSSD] [sssd PR#109][-Changes requested] SSSCTL: fix netgroup-show parsing

2016-12-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

Label: -Changes requested


[SSSD] [sssd PR#89][comment] nss: rewrite nss responder so it uses cache_req

2016-12-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/89
Title: #89: nss: rewrite nss responder so it uses cache_req

jhrozek commented:
"""
@pbrezina @lslebodn is there any more work needed on 
https://fedorahosted.org/sssd/ticket/1126 or 
https://fedorahosted.org/sssd/ticket/2320 ? Do we anticipate to work on other 
responders?

The end goal is to support https://fedorahosted.org/sssd/ticket/843 and 
https://fedorahosted.org/sssd/ticket/3001
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/89#issuecomment-268193885


[SSSD] [sssd PR#109][comment] SSSCTL: fix netgroup-show parsing

2016-12-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/109
Title: #109: SSSCTL: fix netgroup-show parsing

jhrozek commented:
"""
Ah, I didn't realize we don't read the objectclass attribute by default. The 
following hunk should fix it:
```
@@ -219,12 +233,14 @@ static const char **sssctl_build_attrs(TALLOC_CTX 
*mem_ctx,
 /* no op */
 }
 
-attrs = talloc_zero_array(mem_ctx, const char *, count + 1);
+attrs = talloc_zero_array(mem_ctx, const char *, count + 2);
 if (attrs == NULL) {
 return NULL;
 }
 
-for (i = 0; i < count; i++) {
+attrs[0] = "objectclass";
+
+for (i = 1; i < count; i++) {
```
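Review bot: the loop bounds in "for (i = 1; i < count; i++)" do not match the
new allocation. count + 2 leaves room for "objectclass", count attributes and
the terminating NULL, but a loop from 1 to count - 1 fills only count - 1 slots
after attrs[0]. The loop body is not shown here; unless it compensates, the
loop should run count times with the source index one behind the destination
index.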
One other nitpick is that you probably want to assign the original name to 
tmp_name by duplicating the memory to avoid a const-warning:
`tmp_name = talloc_strdup(mem_ctx, orig_name);`

Finally, please compare the value of the objectclass with strcmp, not pointer 
comparison:
`if ((strcmp(class, SYSDB_USER_CLASS) == 0) || (strcmp(class, 
SYSDB_GROUP_CLASS) == 0)) {`
(and split the line into two, so that it fits into the 80-chars limit)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/109#issuecomment-267568893
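
The two points from the comment above (room for the extra "objectclass" entry in the attribute list, and comparing the class value by content), as an added example that is not SSSD code. It uses calloc instead of talloc, and the table type, the class strings and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder class names for this example; not taken from the SSSD headers. */
static const char EXAMPLE_USER_CLASS[] = "user";
static const char EXAMPLE_GROUP_CLASS[] = "group";

/* Hypothetical attribute table: one attribute name per printed field. */
struct example_attr {
    const char *attr;
    const char *label;
};

/*
 * Build a NULL-terminated attribute list with "objectclass" in front.
 * Slots: 1 (objectclass) + count (table entries) + 1 (NULL) = count + 2.
 * The caller frees the array; the strings are borrowed from the table.
 */
const char **build_attrs(const struct example_attr *table, size_t count)
{
    const char **attrs = calloc(count + 2, sizeof(*attrs));
    size_t i;

    if (attrs == NULL) {
        return NULL;
    }

    attrs[0] = "objectclass";
    /* The destination index runs one ahead of the source index. */
    for (i = 0; i < count; i++) {
        attrs[i + 1] = table[i].attr;
    }
    /* attrs[count + 1] is still NULL from calloc and ends the list. */
    return attrs;
}

/* Number of entries before the terminating NULL. */
size_t attrs_len(const char **attrs)
{
    size_t n = 0;

    while (attrs != NULL && attrs[n] != NULL) {
        n++;
    }
    return n;
}

/* Content comparison: true for any string equal to one of the class names. */
bool is_user_or_group_class(const char *class_name)
{
    if (class_name == NULL) {
        return false;
    }
    return strcmp(class_name, EXAMPLE_USER_CLASS) == 0
        || strcmp(class_name, EXAMPLE_GROUP_CLASS) == 0;
}

/* Pointer comparison, kept for contrast: true only for the constants' own
 * addresses, so a value read from storage never matches. */
bool is_user_or_group_class_by_pointer(const char *class_name)
{
    return class_name == EXAMPLE_USER_CLASS
        || class_name == EXAMPLE_GROUP_CLASS;
}

/* Heap copy; stands in for a class value fetched from the cache. */
char *copy_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);

    if (copy != NULL) {
        memcpy(copy, s, len);
    }
    return copy;
}

int main(void)
{
    /* Constructed sample table. */
    const struct example_attr table[] = {
        { "name", "Name" },
        { "dataExpireTimestamp", "Cache entry expiration time" },
    };
    const char **attrs = build_attrs(table, 2);
    char *fetched = copy_string("group");
    size_t i;

    if (attrs == NULL || fetched == NULL) {
        free(attrs);
        free(fetched);
        return 1;
    }
    for (i = 0; attrs[i] != NULL; i++) {
        printf("attrs[%zu] = %s\n", i, attrs[i]);
    }
    printf("by content: %d, by pointer: %d\n",
           is_user_or_group_class(fetched),
           is_user_or_group_class_by_pointer(fetched));
    free(attrs);
    free(fetched);
    return 0;
}
```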


[SSSD] [sssd PR#111][closed] BUILD: Find a host-prefixed krb5-config when cross-compiling

2016-12-16 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/111
Author: dm0-
 Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/111/head:pr111
git checkout pr111


[SSSD] [sssd PR#111][+Pushed] BUILD: Find a host-prefixed krb5-config when cross-compiling

2016-12-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/111
Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling

Label: +Pushed


[SSSD] [sssd PR#111][comment] BUILD: Find a host-prefixed krb5-config when cross-compiling

2016-12-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/111
Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling

jhrozek commented:
"""
* master: baadb6080be0ec5cee2e351c3d5324d755f86f9c
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/111#issuecomment-267571456


[SSSD] [sssd PR#111][+Accepted] BUILD: Find a host-prefixed krb5-config when cross-compiling

2016-12-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/111
Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling

Label: +Accepted


[SSSD] [sssd PR#111][comment] BUILD: Find a host-prefixed krb5-config when cross-compiling

2016-12-16 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/111
Title: #111: BUILD: Find a host-prefixed krb5-config when cross-compiling

jhrozek commented:
"""
ACK, CI: http://sssd-ci.duckdns.org/logs/job/59/21/summary.html

(the failure on rawhide is unrelated)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/111#issuecomment-267571038


[SSSD] [sssd PR#67][+Accepted] UTIL: Unset O_NONBLOCK for ldap connection

2017-01-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/67
Title: #67: UTIL: Unset O_NONBLOCK for ldap connection

Label: +Accepted


[SSSD] [sssd PR#94][+Changes requested] Enable {socket, dbus}-activation for responders

2017-01-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

Label: +Changes requested


[SSSD] [sssd PR#94][comment] Enable {socket,dbus}-activation for responders

2017-01-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/94
Title: #94: Enable {socket,dbus}-activation for responders

jhrozek commented:
"""
OK, I don't have any more comments than those inline. Thank you for the 
patches, really nice work. I'm just setting the Changes Requested label so that 
it's clear I'm done with my review.

But since this patchset touches such low-level components I would prefer 
another SSSD developer to provide another review as well.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/94#issuecomment-272657182


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
rebased on master
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-288860242


[SSSD] [sssd PR#192][comment] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

jhrozek commented:
"""
Thank you, the patches now look good to me. I'm only waiting for the CI run 
before the final ACK, but it should be noted again that the review was mostly 
based on reading the code and checking for regressions. I didn't do a very 
thorough review of the cert mapping library, but given that it requires 
knowledge I don't have, it's well tested and the API looks OK, then I think the 
review is sufficient.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/192#issuecomment-288650247


[SSSD] [sssd PR#192][+Accepted] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

Label: +Accepted


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
On Tue, Mar 21, 2017 at 10:31:10AM -0700, mzidek-rh wrote:
> Nitpick: In the contrib/kcm_default_ccache it would be good to indicate (in 
> the comments) where the snippet belongs.

Done.

> It is written in the commit message, but if someone just opens the file
> he/she

The gender neutral pronoun is they :-P

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-288195004


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
CI on the rebased patches: 
http://sssd-ci.duckdns.org/logs/job/65/45/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-288949515


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
@lslebodn I pushed a new patchset that should fix the warning in the kcm_queue 
test, can you verify if all warnings you saw are fixed?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-289021612


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
OK, hopefully final CI run: 
http://sssd-ci.duckdns.org/logs/job/65/48/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-289083382


[SSSD] [sssd PR#215][edited] Support for non-POSIX users and groups

2017-03-28 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/215
Author: jhrozek
 Title: #215: Support for non-POSIX users and groups
Action: edited

 Changed field: body
Original value:
"""
This PR implements https://pagure.io/SSSD/sssd/issue/3310

The goal is to enable application users through the Apache modules or
directly through the IFP interface and the PAM interface to authenticate
users.

To reproduce, you can add users w/o POSIX information like this to LDAP:

dn: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test
displayName: new user
uid: nonposix
krbCanonicalName: nonpo...@ipa.test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: mepOriginEntry
initials: nu
sn: user
mail: nonpo...@ipa.test
krbPrincipalName: nonpo...@ipa.test
givenName: new
cn: new user

And optionally add the user to groups, like this:
dn: cn=npgr2,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
cn: npgr2
member: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test

Then, the D-Bus calls like GetUserAttrs should resolve extra attributes
of the users, the groups the users are in should be resolvable as well.

In addition, PAM authentication should work against application domains
as long as the service invoking the PAM conversation is listed in the
'pam_app_services' option.
"""



[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/65/97/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-289805144


[SSSD] [sssd PR#213][+Accepted] intg: Remove bashism from intgcheck-prepare

2017-03-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/213
Title: #213: intg: Remove bashism from intgcheck-prepare

Label: +Accepted


[SSSD] [sssd PR#213][comment] intg: Remove bashism from intgcheck-prepare

2017-03-28 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/213
Title: #213: intg: Remove bashism from intgcheck-prepare

jhrozek commented:
"""
retest this please

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/213#issuecomment-289805740


[SSSD] [sssd PR#197][closed] KCM responder

2017-03-27 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/197
Author: jhrozek
 Title: #197: KCM responder
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/197/head:pr197
git checkout pr197


[SSSD] [sssd PR#197][+Pushed] KCM responder

2017-03-27 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

Label: +Pushed


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-27 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
Pushed to master:
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-289382353


[SSSD] [sssd PR#215][+Pushed] Support for non-POSIX users and groups

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

Label: +Pushed


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
* master:
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290392226


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
retest this please
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290113327


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-29 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
I fixed the minor issues in comments and the man pages. I also fixed the issue 
in the Kerberos provider with the following hunk:
```
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0aa25ac..2faf18d 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -42,6 +42,8 @@
 #include "providers/krb5/krb5_utils.h"
 #include "providers/krb5/krb5_ccache.h"
 
+#define  NON_POSIX_CCNAME_FMT   "MEMORY:sssd_nonposix_dummy_%u"
+
 static int krb5_mod_ccname(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
@@ -317,7 +319,12 @@ static errno_t krb5_auth_prepare_ccache_name(struct 
krb5child_req *kr,
 case DOM_TYPE_APPLICATION:
 DEBUG(SSSDBG_TRACE_FUNC,
"Domain type application, will use in-memory ccache\n");
-kr->ccname = talloc_asprintf(kr, "MEMORY:%s", kr->pd->user);
+/* We don't care about using cryptographic randomness, just
+ * a non-predictable ccname, so using rand() here is fine
+ */
+kr->ccname = talloc_asprintf(kr,
+ NON_POSIX_CCNAME_FMT,
+ rand() % UINT_MAX);
 if (kr->ccname == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 return ENOMEM;
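Review bot: in the DOM_TYPE_APPLICATION branch the new comment asks for a
non-predictable ccname, but rand() seeded from the time and the PID (the
srand() call added in krb5_init.c) is predictable, and "rand() % UINT_MAX" is a
no-op because rand() never returns more than RAND_MAX. If the name only has to
be a placeholder, say so in the comment and drop the modulo; if it really must
not be guessable or collide between concurrent requests, take the value from a
real randomness source instead. Also check that <limits.h> is included for
UINT_MAX.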
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fe185..cbbc892 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1572,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
 DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
 }
 
+/* In a non-POSIX environment, we only care about the return code from
+ * krb5_child, so let's not even attempt to create the ccache
+ */
+if (kr->posix_domain == false) {
+DEBUG(SSSDBG_TRACE_LIBS,
+  "Finished authentication in a non-POSIX domain\n");
+goto done;
+}
+
 /* If kr->ccname is cache collection (DIR:/...), we want to work
  * directly with file ccache (DIR::/...), but cache collection
  * should be returned back to back end.
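Review bot: the early "goto done" for kr->posix_domain == false leaves with
whatever kerr holds at that point, while the normal path sets "kerr = 0" just
before "done:". Set kerr = 0 explicitly before the jump so the result does not
depend on the preceding call. The test would also read better as
"!kr->posix_domain", in line with the boolean cleanups elsewhere in this patch
set.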
@@ -1613,18 +1622,6 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
   "add_ticket_times_and_upn_to_response failed.\n");
 }
 
-/* In a non-POSIX environment, we only care about the return code from
- * krb5_child, so let's just destroy the credentials immediatelly
- */
-if (kr->posix_domain == false) {
-kerr = sss_krb5_cc_destroy(kr->ccname, kr->uid, kr->gid);
-if (kerr != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-  "Failed to destroy the in-memory ccache\n");
-goto done;
-}
-}
-
 kerr = 0;
 
 done:
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 12c8dfc..66ae68f 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
+/* Only needed to generate random ccache names for non-POSIX domains */
+srand(time(NULL) * getpid());
+
 ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, 
>opts);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
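Review bot: The `srand(time(NULL) * getpid())` call in `sssm_krb5_init` reseeds the process-wide `rand()` state from a provider init function, which silently changes the sequence for every other `rand()` caller in the same process. The product of a `time_t` and a `pid_t` is also truncated to `unsigned int` and can be guessed from the start time and the PID, so it does not deliver the non-predictable name that the comment in the `krb5_auth_prepare_ccache_name` hunk promises; consider dropping the seed together with `rand()`.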
```

I'm not sure if the srand and rand calls are nice, if you prefer I can just use 
some hardcoded name like you suggested..

And I also fixed the issue with the short boolean evaluations with the 
following hunk:
```
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index e51cf80..7400dc1 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -297,7 +297,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 }
 }
 
-if (state->non_posix == true) {
+if (state->non_posix) {
 state->filter = talloc_asprintf(state,
 "(&%s(objectclass=%s)(%s=*))",
 user_filter,
diff --git a/src/providers/ldap/sdap_async_enum.c 
b/src/providers/ldap/sdap_async_enum.c
index 17f1cdf..91e481c 100644
--- a/src/providers/ldap/sdap_async_enum.c
+++ b/src/providers/ldap/sdap_async_enum.c
@@ -754,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX 
*memctx,
 goto fail;
 }
 
-if (non_posix == false && use_mapping) {
+if (!non_posix && use_mapping) {
 /* If we're ID-mapping, check for the objectSID as well */
 state->filter = tallo

[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/208
Title: #208: IFP: Filter with * in Users.ListByName method

jhrozek commented:
"""
On Thu, Mar 30, 2017 at 03:46:20AM -0700, Pavel Březina wrote:
> @jhrozek I agree there is a bug there. I just want to confirm one thing -- do 
> we want to allow filter without any character in it? Something tells me it 
> was a design decision that we won't allow "*" as filter since it basically 
> triggers enumeration which is not desirable.

I'm not sure, does it work now with '*' ?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/208#issuecomment-290376593


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
the new PR just amends the manpage description of the non-POSIX domains
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290368513


[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/208
Title: #208: IFP: Filter with * in Users.ListByName method

jhrozek commented:
"""
On Thu, Mar 30, 2017 at 03:46:20AM -0700, Pavel Březina wrote:
> @jhrozek I agree there is a bug there. I just want to confirm one thing -- do 
> we want to allow filter without any character in it? Something tells me it 
> was a design decision that we won't allow "*" as filter since it basically 
> triggers enumeration which is not desirable.

Of course the wildcard is what the patch is about :)

I don't think we specifically disallowed '*', but we introduced the
limit to avoid full enumeration, see
https://fedorahosted.org/sssd/wiki/DesignDocs/WildcardRefresh

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/208#issuecomment-290376972


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
On Thu, Mar 30, 2017 at 02:53:18AM -0700, sumit-bose wrote:
> I tested the patches with a plain LDAP setup and with an AD. In general they 
> work as expected and since I think the current code is ok I would ACK the 
> patches so that the following observations can be fixed later.
> 
> First I have a question about the usage of [application/...] domains. Is
> it expected that [application/...] requires inherit_from and cannot be
> configured explicitly? If I use [domain/] and domain_type = application
> it works, but if I replace those two lines by [application/...] SSSD won't
> start.

I didn't think about testing this, frankly. I tested a separate domain
with the application type which might be useful if you want to e.g. use
a different bind method but not this. I think it's a valid case that can
be fixed later.

> 
> 'sssctl config-check' does not like if [application/...] has other options 
> than inherit_from, even the example from the man page causes 
> '[rule/allowed_application_options]: Attribute 'ldap_user_extra_attrs' is not 
> allowed in section 'application/ad-app-2'. Check for typos.'

Hmm, the regex uses (domain|application) in the rules, but I'm not sure
if the regex supports the OR..apparently not..

> 
> When using [application/...] with the ad provider other domains than the one 
> the client is joined to are treated as POSIX domains even if only the 
> application domain is listed in the domains option of sssd.conf.
> 
> Given the last observation it might be useful to say in the man page that 
> currently the primary and mainly tested use-case is together with the ldap 
> provider and more complex use cases will be evaluated in upcoming releases?

Yes, this is what we talked about with the ManageIQ developers. Since
for now the use-case is a replacement for their LDAP connector, I think
we should document this and check later. But with the autodiscovered
domains, we also need to do some tricks to rename the autodiscovered
domains to avoid clashes with subdomains from POSIX domains in a mixed
setup.

So if you agree, I will file three tickets for each of the cases and fix
them later. I will just fix the manpage for now to make it clear only
LDAP domains are supported now.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290364050


[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

2017-03-30 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
On Thu, Mar 30, 2017 at 01:59:20AM -0700, Pavel Březina wrote:
> I got error in enumeration as well with my secrets patch (definitely not 
> related), but on debian and in different test:
> http://sssd-ci.duckdns.org/logs/job/66/45/debian_testing/ci-build-debug/ci-make-intgcheck.log

And this was with the non-POSIX patches applied as well? Should I look
into the enumeration issues with non-POSIX or does it mean the
enumeration tests are flaky?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290353372


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
Thank you for the testing and the review, I hope I addressed all comments.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-288486811


[SSSD] [sssd PR#197][-Changes requested] KCM responder

2017-03-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

Label: -Changes requested


[SSSD] [sssd PR#197][comment] KCM responder

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/197
Title: #197: KCM responder

jhrozek commented:
"""
I pushed new patches. CI passed: 
http://sssd-ci.duckdns.org/logs/job/65/29/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/197#issuecomment-288756506


[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

jhrozek commented:
"""
CI passed: http://sssd-ci.duckdns.org/logs/job/65/30/summary.html

Coverity is also clean
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/207#issuecomment-288759704


[SSSD] [sssd PR#192][+Accepted] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

Label: +Accepted


[SSSD] [sssd PR#192][comment] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

jhrozek commented:
"""
* master:

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/192#issuecomment-288775134


[SSSD] [sssd PR#192][closed] Add certificate mapping library

2017-03-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/192
Author: sumit-bose
 Title: #192: Add certificate mapping library
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/192/head:pr192
git checkout pr192


[SSSD] [sssd PR#203][comment] IPA: Enhance debug logging for ipa s2n operations

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/203
Title: #203: IPA: Enhance debug logging for ipa s2n operations

jhrozek commented:
"""
* master:
 * cd83aead3c9799ac05d8f8977dbb92bbd399c6d5
 * a04bef313508c423ed06cc54805a3b8106ab90cd
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/203#issuecomment-288776660


[SSSD] [sssd PR#207][+Pushed] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

Label: +Pushed


[SSSD] [sssd PR#203][closed] IPA: Enhance debug logging for ipa s2n operations

2017-03-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/203
Author: justin-stephenson
 Title: #203: IPA: Enhance debug logging for ipa s2n operations
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/203/head:pr203
git checkout pr203


[SSSD] [sssd PR#207][-Accepted] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

Label: -Accepted


[SSSD] [sssd PR#203][+Pushed] IPA: Enhance debug logging for ipa s2n operations

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/203
Title: #203: IPA: Enhance debug logging for ipa s2n operations

Label: +Pushed


[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

jhrozek commented:
"""
The code works fine:
```
>>> print pysss_nss_idmap.getlistbycert("<certificate elided>")
{'<certificate elided>':
 [{'type': 1, 'name': u'anotheru...@ipa.test'}, {'type': 1, 'name': u'tu...@ipa.test'}]}
```

And also looks OK to me, ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/207#issuecomment-288771713


[SSSD] [sssd PR#207][+Accepted] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

Label: +Accepted


[SSSD] [sssd PR#192][-Accepted] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

Label: -Accepted


[SSSD] [sssd PR#192][+Pushed] Add certificate mapping library

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

Label: +Pushed


[SSSD] [sssd PR#207][closed] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/207
Author: sumit-bose
 Title: #207: nss-idmap: add sss_nss_getlistbycert()
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/207/head:pr207
git checkout pr207


[SSSD] [sssd PR#207][comment] nss-idmap: add sss_nss_getlistbycert()

2017-03-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/207
Title: #207: nss-idmap: add sss_nss_getlistbycert()

jhrozek commented:
"""
* master:
 * a0b1bfa76073d3ce3208e67e6d72bb92088edac5
 * 440797cba931aa491bf418035f55935943e22b4b

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/207#issuecomment-288776089

