[SSSD] question on private groups with AD domain

2013-06-24 Thread Greg.Lehmann
Hi All, Red Hat tend to configure users by default with uid=gid when a user is created. This means there is a corresponding private group with the same name as the user. It is not possible to do this in AD without a bit of trickery. Is there any way to configure sssd so it tries

Re: [SSSD] [PATCH] Every time return directory for krb5 cache collection.

2013-06-24 Thread Lukas Slebodnik
On (24/06/13 22:06), Jakub Hrozek wrote: >On Sat, Jun 22, 2013 at 01:55:51PM +0200, Lukas Slebodnik wrote: >> On (21/06/13 20:45), Jakub Hrozek wrote: >> >On Thu, Jun 20, 2013 at 11:11:17AM +0200, Lukas Slebodnik wrote: >> >> Rewritten patches are attached. >> >> >> >> LS >> > >> >Two nitpicks: >>

Re: [SSSD] [PATCH] Every time return directory for krb5 cache collection.

2013-06-24 Thread Jakub Hrozek
On Sat, Jun 22, 2013 at 01:55:51PM +0200, Lukas Slebodnik wrote: > On (21/06/13 20:45), Jakub Hrozek wrote: > >On Thu, Jun 20, 2013 at 11:11:17AM +0200, Lukas Slebodnik wrote: > >> Rewritten patches are attached. > >> > >> LS > > > >Two nitpicks: > > > >> +static char * get_ccache_name_by_principa

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 04:28:10PM +0100, David Woodhouse wrote: > On Mon, 2013-06-24 at 17:01 +0200, Jakub Hrozek wrote: > > On Mon, Jun 24, 2013 at 04:59:33PM +0200, Jakub Hrozek wrote: > > > On Mon, Jun 24, 2013 at 04:23:46PM +0200, Sumit Bose wrote: > > > > Hi, > > > > > > > > David Woodhouse

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread David Woodhouse
On Mon, 2013-06-24 at 16:47 +0100, David Woodhouse wrote: > My existing TGT is for dwood...@ger.corp.intel.com, so trying to renew > a TGT for david.woodhouse\@intel@ger.corp.intel.com doesn't work. My userPrincipalName in ldap really is 'david.woodho...@intel.com', which would appear to be wr

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread David Woodhouse
On Mon, 2013-06-24 at 16:28 +0100, David Woodhouse wrote: > Then it does actually seem to be *trying* to renew, but I get the > following: From krb5_child.log: (Mon Jun 24 16:15:32 2013) [[sssd[krb5_child[5790 [sss_child_krb5_trace_cb] (0x4000): [5790] 1372086932.966801: Retrieving david.wo

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread David Woodhouse
On Mon, 2013-06-24 at 17:01 +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 04:59:33PM +0200, Jakub Hrozek wrote: > > On Mon, Jun 24, 2013 at 04:23:46PM +0200, Sumit Bose wrote: > > > Hi, > > > > > > David Woodhouse identified an issue with Kerberos ticket renewal. > > > Attached two patches

[SSSD] [PATCH] KRB5_CHILD: Fix handling of get_password return code

2013-06-24 Thread Ondrej Kos
While working on #1814 I noticed that there's a dead switch statement (with no case/default), attached patch fixes this issue. Ondra -- Ondrej Kos Associate Software Engineer Identity Management - SSSD Red Hat Czech From 4b622895d2873ce59f74178b82f3fdc1a51361a9 Mon Sep 17 00:00:00 2001 From: Ond

[SSSD] [PATCH] Do not try to set password when authtok_length is zero

2013-06-24 Thread Ondrej Kos
The problem here wasn't in returned error code, but in faultily read DBUS message, due to condition in sss_authtok_set_string. When password is empty, it passes 0 as length, which is misinterpreted, and the function tries to determine the length of string by itself, reaching over boundaries of

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 04:59:33PM +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 04:23:46PM +0200, Sumit Bose wrote: > > Hi, > > > > David Woodhouse identified an issue with Kerberos ticket renewal. > > Attached two patches fix two issues related to the authtok refactoring > > which make re

Re: [SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 04:23:46PM +0200, Sumit Bose wrote: > Hi, > > David Woodhouse identified an issue with Kerberos ticket renewal. > Attached two patches fix two issues related to the authtok refactoring > which make renewal for me working again. > > bye, > Sumit Works for me, too. Ack.

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 04:54:28PM +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 08:53:24AM -0400, Stephen Gallagher wrote: > > On Mon 24 Jun 2013 08:48:57 AM EDT, Jakub Hrozek wrote: > > > On Mon, Jun 24, 2013 at 08:04:34AM -0400, S

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 08:53:24AM -0400, Stephen Gallagher wrote: > On Mon 24 Jun 2013 08:48:57 AM EDT, Jakub Hrozek wrote: > > On Mon, Jun 24, 2013 at 08:04:34AM -0400, Stephen Gallagher wrote: > >>

Re: [SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 01:28:28PM +0200, Sumit Bose wrote: > On Mon, Jun 24, 2013 at 11:04:40AM +0200, Jakub Hrozek wrote: > > I think we didn't synchronize our changes with Sumit. The SID code > > doesn't retry correctly when looking up users-or-groups by SID. The > > attached patch fixes that. >

Re: [SSSD] [PATCH] PAC: do not delete originalDN if present

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 03:14:38PM +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 02:01:32PM +0200, Sumit Bose wrote: > > Hi, > > > > this patch fixes an issue Jakub found when using IPA user and HBAC rules > > with current SSSD master tree. Please see commit message for details. > > > > I'

[SSSD] [PATCHES] Fix krb5 ticket renewal

2013-06-24 Thread Sumit Bose
Hi, David Woodhouse identified an issue with Kerberos ticket renewal. Attached two patches fix two issues related to the authtok refactoring which make renewal for me working again. bye, Sumit From 0f2fb036a9f3b7ef0a64fdfc17869b2d6b673334 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 24 J

Re: [SSSD] sysdb_delete_group - No such file or directory and other errors

2013-06-24 Thread Steve Traylen
On Jun 24, 2013, at 3:11 PM, Stephen Gallagher wrote: > On 06/24/2013 09:08 AM, Steve Traylen wrote: >> >> On Jun 24, 2013, at 2:52 PM, Stephen Gallagher wrote: >> [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP >>>

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Simo Sorce
On Mon, 2013-06-24 at 14:57 +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 08:53:24AM -0400, Stephen Gallagher wrote: > > On Mon 24 Jun 2013 08:48:57 AM EDT, Jakub Hrozek wrote: > > > On Mon, Jun 24, 2013 at 08:04:34AM -0400, Stephen

Re: [SSSD] [PATCH] init script: source /etc/sysconfig/sssd

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 03:34:19PM +0200, Pavel Březina wrote: > https://fedorahosted.org/sssd/ticket/1959 > > Is there any way to achieve this in systemd? Yes, see EnvironmentFile > Do we want the path > configurable? Yes, we do.

[SSSD] [PATCH] init script: source /etc/sysconfig/sssd

2013-06-24 Thread Pavel Březina
https://fedorahosted.org/sssd/ticket/1959 Is there any way to achieve this in systemd? Do we want the path configurable? From 1f0af3a2f0d101cb1e80952a2fbe3968b5e6347c Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Mon, 24 Jun 2013 15:30:04 +0200 Subject: [PATCH] init s

Re: [SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 01:41:44PM +0200, Sumit Bose wrote: > On Mon, Jun 24, 2013 at 11:12:33AM +0200, Jakub Hrozek wrote: > > On Mon, Jun 24, 2013 at 11:04:40AM +0200, Jakub Hrozek wrote: > > > I think we didn't synchronize our changes with Sumit. The SID code > > > doesn't retry correctly when l

Re: [SSSD] [PATCH] PAC: do not delete originalDN if present

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 02:01:32PM +0200, Sumit Bose wrote: > Hi, > > this patch fixes an issue Jakub found when using IPA user and HBAC rules > with current SSSD master tree. Please see commit message for details. > > I've opened https://fedorahosted.org/sssd/ticket/1996 to improve the > update

Re: [SSSD] sysdb_delete_group - No such file or directory and other errors

2013-06-24 Thread Stephen Gallagher
On 06/24/2013 09:08 AM, Steve Traylen wrote: > > On Jun 24, 2013, at 2:52 PM, Stephen Gallagher wrote: > >>> >>> [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP >>> error code: 1 errno: 11 error message: Fast reply - offline >>> (Mon

Re: [SSSD] sysdb_delete_group - No such file or directory and other errors

2013-06-24 Thread Steve Traylen
On Jun 24, 2013, at 2:52 PM, Stephen Gallagher wrote: >> >> [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP >> error code: 1 errno: 11 error message: Fast reply - offline (Mon >> Jun 24 09:52:18 2013) [sssd[nss]] [nss_cmd_getpwnam_dp_callback] >> (0x0040): Unable to get informatio

[SSSD] [PATCH] fix dyndns crash on timeout

2013-06-24 Thread Pavel Březina
Unfortunately, the reporter did not provide logs from the time of crash. The backtrace only says that it occurred in nsupdate_child_handler() but I'm very confident that the root cause was that the dyndns update reached timeout. The first patch fixes dyndns unit tests to actually reveal the cr

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Stephen Gallagher
On Mon 24 Jun 2013 08:48:57 AM EDT, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 08:04:34AM -0400, Stephen Gallagher wrote: >> On 06/23/2013 03:12 PM, Jakub Hrozek wrote: >>> The attached patch appl

Re: [SSSD] sysdb_delete_group - No such file or directory and other errors

2013-06-24 Thread Stephen Gallagher
On 06/24/2013 08:23 AM, Steve Traylen wrote: > > Hi > > sssd-1.9.2-82.7.el6_4 > > I've a few Error messages that I'd like to understand , if you have > some comments that would be great. > > > * sssd_CERN.log > > sssd[be[CERN]]] [sysdb_search_use

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 08:04:34AM -0400, Stephen Gallagher wrote: > On 06/23/2013 03:12 PM, Jakub Hrozek wrote: > > The attached patch applies on both master and sssd-1-9 and fixes: > > https://fedorahosted.org/sssd/ticket/1806 > > > > The IPA

[SSSD] sysdb_delete_group - No such file or directory and other errors

2013-06-24 Thread Steve Traylen
Hi sssd-1.9.2-82.7.el6_4 I've a few Error messages that I'd like to understand , if you have some comments that would be great. * sssd_CERN.log sssd[be[CERN]]] [sysdb_search_user_by_uid] (0x0400): No such entry sssd[be[CERN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or direct

Re: [SSSD] [PATCH] IPA: Do not download or store the member attribute of host groups

2013-06-24 Thread Stephen Gallagher
On 06/23/2013 03:12 PM, Jakub Hrozek wrote: > The attached patch applies on both master and sssd-1-9 and fixes: > https://fedorahosted.org/sssd/ticket/1806 > > The IPA provider attempted to store the original value of member > attribute to the cache.

[SSSD] [PATCH] PAC: do not delete originalDN if present

2013-06-24 Thread Sumit Bose
Hi, this patch fixes an issue Jakub found when using IPA user and HBAC rules with current SSSD master tree. Please see commit message for details. I've opened https://fedorahosted.org/sssd/ticket/1996 to improve the update scheme. bye, Sumit From afe1a01914ee5e3dd91d8f8c887cbaba19f17117 Mon Sep

Re: [SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Sumit Bose
On Mon, Jun 24, 2013 at 11:12:33AM +0200, Jakub Hrozek wrote: > On Mon, Jun 24, 2013 at 11:04:40AM +0200, Jakub Hrozek wrote: > > I think we didn't synchronize our changes with Sumit. The SID code > > doesn't retry correctly when looking up users-or-groups by SID. The > > attached patch fixes that.

Re: [SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Sumit Bose
On Mon, Jun 24, 2013 at 11:04:40AM +0200, Jakub Hrozek wrote: > I think we didn't synchronize our changes with Sumit. The SID code > doesn't retry correctly when looking up users-or-groups by SID. The > attached patch fixes that. ACK bye, Sumit

Re: [SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Jakub Hrozek
On Mon, Jun 24, 2013 at 11:04:40AM +0200, Jakub Hrozek wrote: > I think we didn't synchronize our changes with Sumit. The SID code > doesn't retry correctly when looking up users-or-groups by SID. The > attached patch fixes that. btw I was wondering whether it would make change to reverse the orde

[SSSD] [PATCH] LDAP: Retry SID search based on result of LDAP search, not the return code

2013-06-24 Thread Jakub Hrozek
I think we didn't synchronize our changes with Sumit. The SID code doesn't retry correctly when looking up users-or-groups by SID. The attached patch fixes that. From 5a28cf82146326cd45a63e57b0bbda2f4b2adfa9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 24 Jun 2013 10:46:53 +0200 Subject