Re: [SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Stephen Gallagher
On Mon, 2015-05-11 at 19:15 +0200, Jakub Hrozek wrote: > On Mon, May 11, 2015 at 03:18:55PM +0200, Lukas Slebodnik wrote: > > On (11/05/15 12:51), Jakub Hrozek wrote: > > > On Mon, May 11, 2015 at 11:15:29AM +0200, Lukas Slebodnik wrote: > > > > Please document in man pages that it is not possible

Re: [SSSD] [PATCH] IPA: do not fail if view name lookup failed on older versions

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 07:13:17PM +0200, Jakub Hrozek wrote: > On Mon, May 11, 2015 at 12:01:52PM +0200, Sumit Bose wrote: > > On Mon, May 11, 2015 at 12:01:12PM +0200, Sumit Bose wrote: > > > Hi, > > > > and now with patch ... > > > > > > > > this patch fixes an issue seen when newer idview-aw

Re: [SSSD] [PATCH] LDAP: warn about lockout option being deprecated

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 02:35:35PM +0200, Pavel Reichl wrote: > On 05/11/2015 12:24 PM, Jakub Hrozek wrote: > >On Wed, Mar 25, 2015 at 10:19:39AM +0100, Pavel Reichl wrote: > >>Hello, > >> > >>attached patch deprecates lockout option in 1-12 branch. > >> > >>This was discussed in thread: SDAP: Lock

Re: [SSSD] [PATCH] SDAP: use DN to update entry

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 03:01:12PM +0200, Jakub Hrozek wrote: > On Mon, May 11, 2015 at 01:17:23PM +0200, Jakub Hrozek wrote: > > On Wed, May 06, 2015 at 10:16:15AM +0200, Sumit Bose wrote: > > > Hi, > > > > > > I found this while inspecting log files from > > > https://fedorahosted.org/sssd/ticke

Re: [SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 03:18:55PM +0200, Lukas Slebodnik wrote: > On (11/05/15 12:51), Jakub Hrozek wrote: > >On Mon, May 11, 2015 at 11:15:29AM +0200, Lukas Slebodnik wrote: > >> Please document in man pages that it is not possible to turn off clean-up > >> task > >> with enabled enumeration and

Re: [SSSD] [PATCH] IPA: do not fail if view name lookup failed on older versions

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 12:01:52PM +0200, Sumit Bose wrote: > On Mon, May 11, 2015 at 12:01:12PM +0200, Sumit Bose wrote: > > Hi, > > and now with patch ... > > > > > this patch fixes an issue seen when newer idview-aware SSSD clients try > > to connect to older IPA server. As mentioned in the c

Re: [SSSD] [PATCH] libwbclient-sssd: update interface to version 0.12

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 18:26), Sumit Bose wrote: >On Mon, May 11, 2015 at 09:12:38AM +0200, Lukas Slebodnik wrote: >> On (06/05/15 16:25), Sumit Bose wrote: >> >Hi, >> > >> >with Samba-4.2.x libwbclient has a new interface version because new >> >calls were added which have an opaque context as an argument t

Re: [SSSD] [PATCHES] PAM: refactor pam_reply

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 17:36), Pavel Reichl wrote: >Rebased patch set is attached. Code coverage of function pam_reply was quite high but it covered just part which was necessary for Sumit's work. I thought you would increase code coverage to all cases you will change, and not just rebase. I would prefer t

Re: [SSSD] [PATCH] libwbclient-sssd: update interface to version 0.12

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 09:12:38AM +0200, Lukas Slebodnik wrote: > On (06/05/15 16:25), Sumit Bose wrote: > >Hi, > > > >with Samba-4.2.x libwbclient has a new interface version because new > >calls were added which have an opaque context as an argument to allow > >threaded applications to send mult

Re: [SSSD] [PRELIMINARY][PATCH] ifp users and groups

2015-05-11 Thread Jakub Hrozek
Thanks for the patches. They work quite well! One bug I found is that if you query a nonexistent object path with GetAll, then all subsequent queries block. Maybe we don't finish some request on error? This is what I tried: [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --de

Re: [SSSD] [PATCHES] PAM: refactor pam_reply

2015-05-11 Thread Pavel Reichl
On 04/10/2015 10:47 AM, Lukas Slebodnik wrote: On (10/04/15 10:36), Pavel Reichl wrote: Hello, please see attached patch set which contains some refactoring which is in my opinion quite safe. It doesn't touch the recursive call of pam_reply() as I think that changing that would be more risky ch

Re: [SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 12:51), Jakub Hrozek wrote: >On Mon, May 11, 2015 at 11:15:29AM +0200, Lukas Slebodnik wrote: >> Please document in man pages that it is not possible to turn off clean-up >> task >> with enabled enumeration and that default value is 10800 in that case. > >OK, see the attached patch.

Re: [SSSD] [PATCH] SDAP: use DN to update entry

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 01:17:23PM +0200, Jakub Hrozek wrote: > On Wed, May 06, 2015 at 10:16:15AM +0200, Sumit Bose wrote: > > Hi, > > > > I found this while inspecting log files from > > https://fedorahosted.org/sssd/ticket/2591 . My hope is that it fixes the > > issue described in the ticket co

Re: [SSSD] [PATCH] LDAP: warn about lockout option being deprecated

2015-05-11 Thread Pavel Reichl
On 05/11/2015 12:24 PM, Jakub Hrozek wrote: On Wed, Mar 25, 2015 at 10:19:39AM +0100, Pavel Reichl wrote: Hello, attached patch deprecates lockout option in 1-12 branch. This was discussed in thread: SDAP: Lock out ssh keys when account naturally expires This patch implements point number 2.

Re: [SSSD] [PATCHES] krb5: new option krb5_map_user

2015-05-11 Thread Jakub Hrozek
On Thu, Apr 30, 2015 at 01:45:01PM +0200, Pavel Reichl wrote: Hi, it seems this patch review stalled. I'll try to restart it.. > From 2c7239f5466acb4a0989c4843b0b13e85f1d40b3 Mon Sep 17 00:00:00 2001 > From: Pavel Reichl > Date: Thu, 30 Apr 2015 06:40:43 -0400 > Subject: [PATCH 1/3] utils: new f

Re: [SSSD] [PATCH] AD GPO: Change default to "enforcing"

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 12:41:12PM +0200, Jakub Hrozek wrote: > On Mon, Apr 20, 2015 at 11:48:00AM -0400, Stephen Gallagher wrote: > > When a user enrolls a system against Active Directory, the expectation > > is that the client will honor the centrally-managed settings. In the > > past, we avoided

Re: [SSSD] [PATCH] SDAP: use DN to update entry

2015-05-11 Thread Jakub Hrozek
On Wed, May 06, 2015 at 10:16:15AM +0200, Sumit Bose wrote: > Hi, > > I found this while inspecting log files from > https://fedorahosted.org/sssd/ticket/2591 . My hope is that it fixes the > issue described in the ticket completely but since I cannot reproduce the > specific issue I cannot say th

Re: [SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 11:15:29AM +0200, Lukas Slebodnik wrote: > Please document in man pages that it is not possible to turn off clean-up task > with enabled enumeration and that default value is 10800 in that case. OK, see the attached patch. >From 049fe229e1e6ae1550cf26fe1ccd289340f10118 Mon

Re: [SSSD] [PATCH] AD GPO: Change default to "enforcing"

2015-05-11 Thread Jakub Hrozek
On Mon, Apr 20, 2015 at 11:48:00AM -0400, Stephen Gallagher wrote: > When a user enrolls a system against Active Directory, the expectation > is that the client will honor the centrally-managed settings. In the > past, we avoided changing the default (and left it in permissive mode, > to warn admin

Re: [SSSD] [PATCH] Retain group members in setups where id_provider=ad and ignore_group_members=True

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 12:12:00PM +0200, Jakub Hrozek wrote: > On Mon, May 11, 2015 at 11:31:43AM +0200, Sumit Bose wrote: > > On Fri, May 08, 2015 at 03:24:29PM +0200, Jakub Hrozek wrote: > > > Hi, > > > > > > the attached patch fixes https://fedorahosted.org/sssd/ticket/2646. See > > > the > >

Re: [SSSD] [PATCH] LDAP: warn about lockout option being deprecated

2015-05-11 Thread Jakub Hrozek
On Wed, Mar 25, 2015 at 10:19:39AM +0100, Pavel Reichl wrote: > Hello, > > attached patch deprecates lockout option in 1-12 branch. > > This was discussed in thread: SDAP: Lock out ssh keys when account naturally > expires > This patch implements point number 2. > > >>I would prefer if we didn'

Re: [SSSD] [PATCH] Retain group members in setups where id_provider=ad and ignore_group_members=True

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 11:31:43AM +0200, Sumit Bose wrote: > On Fri, May 08, 2015 at 03:24:29PM +0200, Jakub Hrozek wrote: > > Hi, > > > > the attached patch fixes https://fedorahosted.org/sssd/ticket/2646. See the > > commit message for the problem description. The bug was found by Lukas > > (th

Re: [SSSD] [PATCH] IPA: do not fail if view name lookup failed on older versions

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 12:01:12PM +0200, Sumit Bose wrote: > Hi, and now with patch ... > > this patch fixes an issue seen when newer idview-aware SSSD clients try > to connect to older IPA server. As mentioned in the commit message it is > due to different error codes returned by different ver

[SSSD] [PATCH] IPA: do not fail if view name lookup failed on older versions

2015-05-11 Thread Sumit Bose
Hi, this patch fixes an issue seen when newer idview-aware SSSD clients try to connect to older IPA server. As mentioned in the commit message it is due to different error codes returned by different versions of 389ds. This issue only becomes important when the old IPA server has a trust to AD bec

Re: [SSSD] [PATCH] Retain group members in setups where id_provider=ad and ignore_group_members=True

2015-05-11 Thread Sumit Bose
On Fri, May 08, 2015 at 03:24:29PM +0200, Jakub Hrozek wrote: > Hi, > > the attached patch fixes https://fedorahosted.org/sssd/ticket/2646. See the > commit message for the problem description. The bug was found by Lukas > (thanks!), I just wrote the patch. Hi Jakub, thank you for the patch, I h

Re: [SSSD] [PATCH] sbus: sbus_opath_hash_add_iface free tmp talloc ctx

2015-05-11 Thread Jakub Hrozek
On Wed, May 06, 2015 at 01:43:03PM +0200, Pavel Březina wrote: > On 05/06/2015 11:34 AM, Pavel Reichl wrote: > >Hello, > > > >please see this simple patch. The bug was found by Paul Wayper. > > > >Thanks! > > > > Ack. * master: 6170f00ee24ce38af656683e0ab8915abbf93bad

Re: [SSSD] [PATCH] LDAP: return after tevent_req_error

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 10:53:35AM +0200, Lukas Slebodnik wrote: > On (11/05/15 10:00), Lukas Slebodnik wrote: > >On (11/05/15 09:53), Jakub Hrozek wrote: > >>Hi, > >> > >>please review this trivial attached patch. > > > >>From 7fdd592a2630d57d0ba5102bca1b85d8418bf912 Mon Sep 17 00:00:00 2001 > >>F

Re: [SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 10:48), Jakub Hrozek wrote: >Hi, > >the attached patch fixes https://fedorahosted.org/sssd/ticket/2627, >please review. >From edb8e6dc65ff3ad707e40df2d4c5eea55dc1e412 Mon Sep 17 00:00:00 2001 >From: Jakub Hrozek >Date: Tue, 28 Apr 2015 13:16:51 +0200 >Subject: [PATCH] LDAP: disable t

Re: [SSSD] [PATCH] LDAP: return after tevent_req_error

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 10:00), Lukas Slebodnik wrote: >On (11/05/15 09:53), Jakub Hrozek wrote: >>Hi, >> >>please review this trivial attached patch. > >>From 7fdd592a2630d57d0ba5102bca1b85d8418bf912 Mon Sep 17 00:00:00 2001 >>From: Jakub Hrozek >>Date: Tue, 21 Apr 2015 09:34:24 +0200 >>Subject: [PATCH] LDA

[SSSD] [PATCH] LDAP: disable the cleanup task by default

2015-05-11 Thread Jakub Hrozek
Hi, the attached patch fixes https://fedorahosted.org/sssd/ticket/2627, please review. >From edb8e6dc65ff3ad707e40df2d4c5eea55dc1e412 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 28 Apr 2015 13:16:51 +0200 Subject: [PATCH] LDAP: disable the cleanup task by default Resolves: https:/

[SSSD] [PATCH] Make it possible to inherit ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups into subdomains

2015-05-11 Thread Jakub Hrozek
Hi, the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and

Re: [SSSD] [PATCH] Do not segfault selinux_child if semanage_connect fails

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 09:34:01AM +0200, Lukas Slebodnik wrote: > On (07/05/15 12:01), Jakub Hrozek wrote: > >Hi, > > > >the attached patch fixes https://fedorahosted.org/sssd/ticket/2649. > > > >I couldn't reproduce the bug with regular testing, but only by overriding the > >return value from sem

Re: [SSSD] [PATCH] LDAP: return after tevent_req_error

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 09:53), Jakub Hrozek wrote: >Hi, > >please review this trivial attached patch. >From 7fdd592a2630d57d0ba5102bca1b85d8418bf912 Mon Sep 17 00:00:00 2001 >From: Jakub Hrozek >Date: Tue, 21 Apr 2015 09:34:24 +0200 >Subject: [PATCH] LDAP: return after tevent_req_error > >--- > src/provide

[SSSD] [PATCH] LDAP: return after tevent_req_error

2015-05-11 Thread Jakub Hrozek
Hi, please review this trivial attached patch. >From 7fdd592a2630d57d0ba5102bca1b85d8418bf912 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 21 Apr 2015 09:34:24 +0200 Subject: [PATCH] LDAP: return after tevent_req_error --- src/providers/ldap/sdap_async_connection.c | 1 + 1 file chang

[SSSD] [PATCH] Amend the man page for refresh_expired_interval

2015-05-11 Thread Jakub Hrozek
Hi, while triaging a performance-related issue, I realized our manpage doesn't say also users and groups are now supported by the background refresh. The attached patch fixes that. >From 8287e6c003202db410bdfc42b905b1b7d4ec4e81 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 8 May 2015 13:

Re: [SSSD] [PATCH] Do not segfault selinux_child if semanage_connect fails

2015-05-11 Thread Lukas Slebodnik
On (07/05/15 12:01), Jakub Hrozek wrote: >Hi, > >the attached patch fixes https://fedorahosted.org/sssd/ticket/2649. > >I couldn't reproduce the bug with regular testing, but only by overriding the >return value from semanage_connect() >From 4116f54398994ed15a5506b7927f24ffdca3d19c Mon Sep 17 00:0

Re: [SSSD] [PATCH] libwbclient-sssd: update interface to version 0.12

2015-05-11 Thread Lukas Slebodnik
On (06/05/15 16:25), Sumit Bose wrote: >Hi, > >with Samba-4.2.x libwbclient has a new interface version because new >calls were added which have an opaque context as an argument to allow >threaded applications to send multiple requests to winbind in parallel. > >This patch adds the new interface bu